
Windows Analysis Report
DHL AWB_NO_92847309329.exe

Overview

General Information

Sample name: DHL AWB_NO_92847309329.exe
Analysis ID: 1538705
MD5: 710651fb293df9922080f5b7a4d10916
SHA1: a38b66874d59a9e026b2c15e49501e8f4e1fd6b5
SHA256: 173fa94e725abc88acf0d848bdee94d216a3c74b4492e006405c357824fab818
Tags: DHL, exe, RAT, RemcosRAT, user-abuse_ch

Detection

PureLog Stealer, Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected PureLog Stealer
Yara detected Remcos RAT
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Injects a PE file into a foreign process
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains functionality to read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • DHL AWB_NO_92847309329.exe (PID: 3120 cmdline: "C:\Users\user\Desktop\DHL AWB_NO_92847309329.exe" MD5: 710651FB293DF9922080F5B7A4D10916)
    • powershell.exe (PID: 1196 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\rjOyFV.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 5232 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 7352 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • schtasks.exe (PID: 416 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rjOyFV" /XML "C:\Users\user\AppData\Local\Temp\tmpE78A.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 6968 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • DHL AWB_NO_92847309329.exe (PID: 7244 cmdline: "C:\Users\user\Desktop\DHL AWB_NO_92847309329.exe" MD5: 710651FB293DF9922080F5B7A4D10916)
  • rjOyFV.exe (PID: 7280 cmdline: C:\Users\user\AppData\Roaming\rjOyFV.exe MD5: 710651FB293DF9922080F5B7A4D10916)
    • schtasks.exe (PID: 7464 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rjOyFV" /XML "C:\Users\user\AppData\Local\Temp\tmp36E.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7472 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • rjOyFV.exe (PID: 7516 cmdline: "C:\Users\user\AppData\Roaming\rjOyFV.exe" MD5: 710651FB293DF9922080F5B7A4D10916)
    • rjOyFV.exe (PID: 7524 cmdline: "C:\Users\user\AppData\Roaming\rjOyFV.exe" MD5: 710651FB293DF9922080F5B7A4D10916)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
{"Host:Port:Password": ["windowsocttehe.duckdns.org:52411:1"], "Assigned name": "76485", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Remcos", "Hide file": "Disable", "Mutex": "764-0XPV9J", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos", "Keylog file max size": "100"}
Source | Rule | Description | Author | Strings
0000000C.00000002.1865601373.0000000000CBA000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
00000006.00000002.4182257195.0000000001587000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
00000000.00000002.1811153341.0000000007000000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_Remcos_b296e965 | unknown | unknown |
  • 0x691e0:$a1: Remcos restarted by watchdog!
  • 0x69738:$a3: %02i:%02i:%02i:%03i
  • 0x69abd:$a4: * Remcos v

Source | Rule | Description | Author | Strings
0.2.DHL AWB_NO_92847309329.exe.3a7e790.2.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
0.2.DHL AWB_NO_92847309329.exe.7000000.4.raw.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
0.2.DHL AWB_NO_92847309329.exe.7000000.4.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
12.2.rjOyFV.exe.400000.0.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
12.2.rjOyFV.exe.400000.0.unpack | Windows_Trojan_Remcos_b296e965 | unknown | unknown |
  • 0x679e0:$a1: Remcos restarted by watchdog!
  • 0x67f38:$a3: %02i:%02i:%02i:%03i
  • 0x682bd:$a4: * Remcos v

                  System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\rjOyFV.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\rjOyFV.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\DHL AWB_NO_92847309329.exe", ParentImage: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exe, ParentProcessId: 3120, ParentProcessName: DHL AWB_NO_92847309329.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\rjOyFV.exe", ProcessId: 1196, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rjOyFV" /XML "C:\Users\user\AppData\Local\Temp\tmp36E.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rjOyFV" /XML "C:\Users\user\AppData\Local\Temp\tmp36E.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\rjOyFV.exe, ParentImage: C:\Users\user\AppData\Roaming\rjOyFV.exe, ParentProcessId: 7280, ParentProcessName: rjOyFV.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rjOyFV" /XML "C:\Users\user\AppData\Local\Temp\tmp36E.tmp", ProcessId: 7464, ProcessName: schtasks.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rjOyFV" /XML "C:\Users\user\AppData\Local\Temp\tmpE78A.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rjOyFV" /XML "C:\Users\user\AppData\Local\Temp\tmpE78A.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\DHL AWB_NO_92847309329.exe", ParentImage: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exe, ParentProcessId: 3120, ParentProcessName: DHL AWB_NO_92847309329.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rjOyFV" /XML "C:\Users\user\AppData\Local\Temp\tmpE78A.tmp", ProcessId: 416, ProcessName: schtasks.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\rjOyFV.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\rjOyFV.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\DHL AWB_NO_92847309329.exe", ParentImage: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exe, ParentProcessId: 3120, ParentProcessName: DHL AWB_NO_92847309329.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\rjOyFV.exe", ProcessId: 1196, ProcessName: powershell.exe

                  Persistence and Installation Behavior

Source: Process started | Author: Joe Security | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rjOyFV" /XML "C:\Users\user\AppData\Local\Temp\tmpE78A.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rjOyFV" /XML "C:\Users\user\AppData\Local\Temp\tmpE78A.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\DHL AWB_NO_92847309329.exe", ParentImage: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exe, ParentProcessId: 3120, ParentProcessName: DHL AWB_NO_92847309329.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rjOyFV" /XML "C:\Users\user\AppData\Local\Temp\tmpE78A.tmp", ProcessId: 416, ProcessName: schtasks.exe

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-21T17:17:33.489439+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49736 | 96.9.210.71 | 52411 | TCP
2024-10-21T17:17:35.116764+0200 | 2803304 | 3 | Unknown Traffic | 192.168.2.4 | 49741 | 178.237.33.50 | 80 | TCP


                  AV Detection

Source: DHL AWB_NO_92847309329.exe | Avira: detected
Source: C:\Users\user\AppData\Roaming\rjOyFV.exe | Avira: detection malicious, Label: TR/AD.Remcos.jplgn
Source: 0000000C.00000002.1865601373.0000000000CBA000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: Remcos {"Host:Port:Password": ["windowsocttehe.duckdns.org:52411:1"], "Assigned name": "76485", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Remcos", "Hide file": "Disable", "Mutex": "764-0XPV9J", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos", "Keylog file max size": "100"}
Source: C:\Users\user\AppData\Roaming\rjOyFV.exe | ReversingLabs: Detection: 39%
Source: DHL AWB_NO_92847309329.exe | ReversingLabs: Detection: 39%
Source: Yara match | File source: 12.2.rjOyFV.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.DHL AWB_NO_92847309329.exe.45864a0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.DHL AWB_NO_92847309329.exe.3b55670.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.rjOyFV.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.DHL AWB_NO_92847309329.exe.45864a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.DHL AWB_NO_92847309329.exe.3b55670.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.DHL AWB_NO_92847309329.exe.3a7e790.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000C.00000002.1865601373.0000000000CBA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.4182257195.0000000001587000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1806575207.0000000004586000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1806575207.0000000003A69000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: DHL AWB_NO_92847309329.exe PID: 3120, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: DHL AWB_NO_92847309329.exe PID: 7244, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: rjOyFV.exe PID: 7524, type: MEMORYSTR
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\rjOyFV.exe | Joe Sandbox ML: detected
Source: DHL AWB_NO_92847309329.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\rjOyFV.exe | Code function: 12_2_004315EC CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,12_2_004315EC
Source: DHL AWB_NO_92847309329.exe, 00000000.00000002.1806575207.0000000003A69000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: -----BEGIN PUBLIC KEY-----memstr_428393a5-5
Source: DHL AWB_NO_92847309329.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: DHL AWB_NO_92847309329.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: slCn.pdbSHA256y! | source: DHL AWB_NO_92847309329.exe, rjOyFV.exe.0.dr
Source: Binary string: slCn.pdb | source: DHL AWB_NO_92847309329.exe, rjOyFV.exe.0.dr
Source: C:\Users\user\AppData\Roaming\rjOyFV.exe | Code function: 12_2_0041A01B FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,12_2_0041A01B
Source: C:\Users\user\AppData\Roaming\rjOyFV.exe | Code function: 12_2_0040B28E FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,12_2_0040B28E
Source: C:\Users\user\AppData\Roaming\rjOyFV.exe | Code function: 12_2_0040838E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,12_2_0040838E
Source: C:\Users\user\AppData\Roaming\rjOyFV.exe | Code function: 12_2_004087A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,12_2_004087A0
Source: C:\Users\user\AppData\Roaming\rjOyFV.exe | Code function: 12_2_00407848 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,12_2_00407848
Source: C:\Users\user\AppData\Roaming\rjOyFV.exe | Code function: 12_2_004068CD FindFirstFileW,FindNextFileW,12_2_004068CD
Source: C:\Users\user\AppData\Roaming\rjOyFV.exe | Code function: 12_2_0040AA71 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,12_2_0040AA71
Source: C:\Users\user\AppData\Roaming\rjOyFV.exe | Code function: 12_2_00417AAB FindFirstFileW,FindNextFileW,FindNextFileW,12_2_00417AAB
Source: C:\Users\user\AppData\Roaming\rjOyFV.exe | Code function: 12_2_0040AC78 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,12_2_0040AC78
Source: C:\Users\user\AppData\Roaming\rjOyFV.exe | Code function: 12_2_00406D28 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,12_2_00406D28

                  Networking

Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49736 -> 96.9.210.71:52411
Source: Malware configuration extractor | URLs: windowsocttehe.duckdns.org
Source: unknown | DNS query: name: windowsocttehe.duckdns.org
Source: global traffic | TCP traffic: 192.168.2.4:49736 -> 96.9.210.71:52411
Source: global traffic | HTTP traffic detected: GET /json.gp HTTP/1.1 Host: geoplugin.net Cache-Control: no-cache
Source: Joe Sandbox View | IP Address: 178.237.33.50
Source: Joe Sandbox View | ASN Name: NEWMEDIAEXPRESS-AS-AP NewMediaExpress Pte Ltd SG
Source: Network traffic | Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.4:49741 -> 178.237.33.50:80
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\AppData\Roaming\rjOyFV.exe | Code function: 12_2_0041936B InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,12_2_0041936B
Source: global traffic | DNS traffic detected: DNS query: windowsocttehe.duckdns.org
Source: global traffic | DNS traffic detected: DNS query: geoplugin.net
Source: DHL AWB_NO_92847309329.exe, 00000006.00000002.4182257195.0000000001587000.00000004.00000020.00020000.00000000.sdmp, DHL AWB_NO_92847309329.exe, 00000006.00000002.4182257195.00000000015CF000.00000004.00000020.00020000.00000000.sdmp, rjOyFV.exe | String found in binary or memory: http://geoplugin.net/json.gp
Source: DHL AWB_NO_92847309329.exe, 00000006.00000002.4182257195.0000000001587000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp&
Source: DHL AWB_NO_92847309329.exe, 00000000.00000002.1806575207.0000000003A69000.00000004.00000800.00020000.00000000.sdmp, DHL AWB_NO_92847309329.exe, 00000000.00000002.1806575207.0000000004586000.00000004.00000800.00020000.00000000.sdmp, rjOyFV.exe, 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp/C
Source: DHL AWB_NO_92847309329.exe, 00000006.00000002.4182257195.0000000001587000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpSystem32
Source: DHL AWB_NO_92847309329.exe, 00000006.00000002.4182257195.0000000001587000.00000004.00000020.00020000.00000000.sdmp, DHL AWB_NO_92847309329.exe, 00000006.00000002.4182257195.00000000015CF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpl
Source: DHL AWB_NO_92847309329.exe, 00000006.00000002.4182257195.0000000001587000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpm
Source: DHL AWB_NO_92847309329.exe, 00000000.00000002.1805270956.0000000002AA8000.00000004.00000800.00020000.00000000.sdmp, rjOyFV.exe, 00000007.00000002.1866548298.0000000002E98000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: DHL AWB_NO_92847309329.exe, rjOyFV.exe.0.dr | String found in binary or memory: http://tempuri.org/DatabaseWalletDataSet.xsd
Source: DHL AWB_NO_92847309329.exe, 00000000.00000002.1810225359.0000000006B22000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: DHL AWB_NO_92847309329.exe, 00000000.00000002.1810225359.0000000006B22000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: DHL AWB_NO_92847309329.exe, 00000000.00000002.1810225359.0000000006B22000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: DHL AWB_NO_92847309329.exe, 00000000.00000002.1810225359.0000000006B22000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: DHL AWB_NO_92847309329.exe, 00000000.00000002.1810225359.0000000006B22000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: DHL AWB_NO_92847309329.exe, 00000000.00000002.1810225359.0000000006B22000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: DHL AWB_NO_92847309329.exe, 00000000.00000002.1810225359.0000000006B22000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: DHL AWB_NO_92847309329.exe, 00000000.00000002.1810225359.0000000006B22000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: DHL AWB_NO_92847309329.exe, 00000000.00000002.1810225359.0000000006B22000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: DHL AWB_NO_92847309329.exe, 00000000.00000002.1810225359.0000000006B22000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: DHL AWB_NO_92847309329.exe, 00000000.00000002.1810225359.0000000006B22000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fonts.com
Source: DHL AWB_NO_92847309329.exe, 00000000.00000002.1810225359.0000000006B22000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: DHL AWB_NO_92847309329.exe, 00000000.00000002.1810225359.0000000006B22000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: DHL AWB_NO_92847309329.exe, 00000000.00000002.1810225359.0000000006B22000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: DHL AWB_NO_92847309329.exe, 00000000.00000002.1810225359.0000000006B22000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: DHL AWB_NO_92847309329.exe, 00000000.00000002.1810225359.0000000006B22000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: DHL AWB_NO_92847309329.exe, 00000000.00000002.1810225359.0000000006B22000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: DHL AWB_NO_92847309329.exe, 00000000.00000002.1810225359.0000000006B22000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: DHL AWB_NO_92847309329.exe, 00000000.00000002.1810225359.0000000006B22000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: DHL AWB_NO_92847309329.exe, 00000000.00000002.1810225359.0000000006B22000.00000004.00000800.00020000.00000000.sdmp, DHL AWB_NO_92847309329.exe, 00000000.00000002.1810117079.0000000005A50000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.sakkal.com
Source: DHL AWB_NO_92847309329.exe, 00000000.00000002.1810225359.0000000006B22000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: DHL AWB_NO_92847309329.exe, 00000000.00000002.1810225359.0000000006B22000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.tiro.com
Source: DHL AWB_NO_92847309329.exe, 00000000.00000002.1810225359.0000000006B22000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.typography.netD
Source: DHL AWB_NO_92847309329.exe, 00000000.00000002.1810225359.0000000006B22000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: DHL AWB_NO_92847309329.exe, 00000000.00000002.1810225359.0000000006B22000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn

                  Key, Mouse, Clipboard, Microphone and Screen Capturing

                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exe | Code function: 12_2_00409340 SetWindowsHookExA 0000000D,0040932C,00000000 | 12_2_00409340
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exe | Code function: 12_2_0040A65A OpenClipboard,GetClipboardData,CloseClipboard, | 12_2_0040A65A
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exe | Code function: 12_2_00414EC1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, | 12_2_00414EC1
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exe | Code function: 12_2_0040A65A OpenClipboard,GetClipboardData,CloseClipboard, | 12_2_0040A65A
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exe | Code function: 12_2_00409468 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx, | 12_2_00409468

                  E-Banking Fraud

                  Source: Yara match | File source: 12.2.rjOyFV.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.DHL AWB_NO_92847309329.exe.45864a0.1.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.DHL AWB_NO_92847309329.exe.3b55670.3.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 12.2.rjOyFV.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.DHL AWB_NO_92847309329.exe.45864a0.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.DHL AWB_NO_92847309329.exe.3b55670.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.DHL AWB_NO_92847309329.exe.3a7e790.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0000000C.00000002.1865601373.0000000000CBA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000006.00000002.4182257195.0000000001587000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.1806575207.0000000004586000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.1806575207.0000000003A69000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: DHL AWB_NO_92847309329.exe PID: 3120, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: DHL AWB_NO_92847309329.exe PID: 7244, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: rjOyFV.exe PID: 7524, type: MEMORYSTR

                  Spam, unwanted Advertisements and Ransom Demands

                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exe | Code function: 12_2_0041A76C SystemParametersInfoW, | 12_2_0041A76C

                  System Summary

                  Source: 12.2.rjOyFV.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 12.2.rjOyFV.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                  Source: 12.2.rjOyFV.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
                  Source: 0.2.DHL AWB_NO_92847309329.exe.45864a0.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 0.2.DHL AWB_NO_92847309329.exe.45864a0.1.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                  Source: 0.2.DHL AWB_NO_92847309329.exe.45864a0.1.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
                  Source: 0.2.DHL AWB_NO_92847309329.exe.3b55670.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 0.2.DHL AWB_NO_92847309329.exe.3b55670.3.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                  Source: 0.2.DHL AWB_NO_92847309329.exe.3b55670.3.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
                  Source: 12.2.rjOyFV.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 12.2.rjOyFV.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                  Source: 12.2.rjOyFV.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
                  Source: 0.2.DHL AWB_NO_92847309329.exe.45864a0.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 0.2.DHL AWB_NO_92847309329.exe.45864a0.1.raw.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
                  Source: 0.2.DHL AWB_NO_92847309329.exe.3b55670.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 0.2.DHL AWB_NO_92847309329.exe.3b55670.3.raw.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
                  Source: 0.2.DHL AWB_NO_92847309329.exe.3a7e790.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 0.2.DHL AWB_NO_92847309329.exe.3a7e790.2.raw.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
                  Source: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
                  Source: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
                  Source: 00000000.00000002.1806575207.0000000004586000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 00000000.00000002.1806575207.0000000003A69000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: Process Memory Space: DHL AWB_NO_92847309329.exe PID: 3120, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: Process Memory Space: rjOyFV.exe PID: 7524, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exe | Code function: 12_2_00414DB4 ExitWindowsEx,LoadLibraryA,GetProcAddress, | 12_2_00414DB4
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exe | Code function: 0_2_00C9D324 | 0_2_00C9D324
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exe | Code function: 0_2_072A96E0 | 0_2_072A96E0
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exe | Code function: 0_2_072A0040 | 0_2_072A0040
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exe | Code function: 0_2_072AC700 | 0_2_072AC700
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exe | Code function: 0_2_072AB7C8 | 0_2_072AB7C8
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exe | Code function: 0_2_072AE618 | 0_2_072AE618
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exe | Code function: 0_2_072AC6F0 | 0_2_072AC6F0
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exe | Code function: 0_2_072A96D0 | 0_2_072A96D0
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exe | Code function: 0_2_072AC2A8 | 0_2_072AC2A8
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exe | Code function: 0_2_072AC2C8 | 0_2_072AC2C8
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exe | Code function: 0_2_072AE1E0 | 0_2_072AE1E0
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exe | Code function: 0_2_072A0006 | 0_2_072A0006
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exe | Code function: 0_2_072ACB28 | 0_2_072ACB28
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exe | Code function: 0_2_072ACB38 | 0_2_072ACB38
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exe | Code function: 0_2_072A4B48 | 0_2_072A4B48
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exe | Code function: 0_2_072A4B58 | 0_2_072A4B58
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exe | Code function: 0_2_072A396F | 0_2_072A396F
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exe | Code function: 0_2_072A3980 | 0_2_072A3980
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exe | Code function: 0_2_0C34392A | 0_2_0C34392A
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exe | Code function: 7_2_0144D324 | 7_2_0144D324
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exe | Code function: 7_2_05367020 | 7_2_05367020
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exe | Code function: 7_2_05360006 | 7_2_05360006
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exe | Code function: 7_2_05360040 | 7_2_05360040
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exe | Code function: 7_2_05366FE7 | 7_2_05366FE7
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exe | Code function: 7_2_073296E0 | 7_2_073296E0
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exe | Code function: 7_2_07320040 | 7_2_07320040
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exe | Code function: 7_2_0732C700 | 7_2_0732C700
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exe | Code function: 7_2_0732B7C8 | 7_2_0732B7C8
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exe | Code function: 7_2_0732E618 | 7_2_0732E618
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exe | Code function: 7_2_0732C6F0 | 7_2_0732C6F0
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exe | Code function: 7_2_073296D0 | 7_2_073296D0
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exe | Code function: 7_2_0732C2A8 | 7_2_0732C2A8
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exe | Code function: 7_2_0732C2C8 | 7_2_0732C2C8
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exe | Code function: 7_2_0732E1E0 | 7_2_0732E1E0
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exe | Code function: 7_2_07320006 | 7_2_07320006
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exe | Code function: 7_2_07325C60 | 7_2_07325C60
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exe | Code function: 7_2_0732CB38 | 7_2_0732CB38
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exe | Code function: 7_2_07324B58 | 7_2_07324B58
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exe | Code function: 7_2_07324B48 | 7_2_07324B48
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exe | Code function: 7_2_0732396F | 7_2_0732396F
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exe | Code function: 7_2_07323980 | 7_2_07323980
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exe | Code function: 7_2_0A6F2ED8 | 7_2_0A6F2ED8
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exe | Code function: 12_2_00425152 | 12_2_00425152
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exe | Code function: 12_2_00435286 | 12_2_00435286
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exe | Code function: 12_2_004513D4 | 12_2_004513D4
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exe | Code function: 12_2_0045050B | 12_2_0045050B
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exe | Code function: 12_2_00436510 | 12_2_00436510
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exe | Code function: 12_2_004316FB | 12_2_004316FB
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exe | Code function: 12_2_0043569E | 12_2_0043569E
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exe | Code function: 12_2_00443700 | 12_2_00443700
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exe | Code function: 12_2_004257FB | 12_2_004257FB
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exe | Code function: 12_2_004128E3 | 12_2_004128E3
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exe | Code function: 12_2_00425964 | 12_2_00425964
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exe | Code function: 12_2_0041B917 | 12_2_0041B917
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exe | Code function: 12_2_0043D9CC | 12_2_0043D9CC
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exe | Code function: 12_2_00435AD3 | 12_2_00435AD3
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exe | Code function: 12_2_00424BC3 | 12_2_00424BC3
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exe | Code function: 12_2_0043DBFB | 12_2_0043DBFB
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exe | Code function: 12_2_0044ABA9 | 12_2_0044ABA9
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exe | Code function: 12_2_00433C0B | 12_2_00433C0B
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exe | Code function: 12_2_00434D8A | 12_2_00434D8A
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exe | Code function: 12_2_0043DE2A | 12_2_0043DE2A
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exe | Code function: 12_2_0041CEAF | 12_2_0041CEAF
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exe | Code function: 12_2_00435F08 | 12_2_00435F08
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exe | Code function: String function: 00402073 appears 51 times
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exe | Code function: String function: 00432B90 appears 53 times
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exe | Code function: String function: 00432525 appears 41 times
                  Source: DHL AWB_NO_92847309329.exe, 00000000.00000000.1728391720.000000000067C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameslCn.exeF vs DHL AWB_NO_92847309329.exe
                  Source: DHL AWB_NO_92847309329.exe, 00000000.00000002.1806575207.0000000003A69000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs DHL AWB_NO_92847309329.exe
                  Source: DHL AWB_NO_92847309329.exe, 00000000.00000002.1799386530.0000000000CAE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs DHL AWB_NO_92847309329.exe
                  Source: DHL AWB_NO_92847309329.exe, 00000000.00000002.1811890323.0000000009A50000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs DHL AWB_NO_92847309329.exe
                  Source: DHL AWB_NO_92847309329.exe | Binary or memory string: OriginalFilenameslCn.exeF vs DHL AWB_NO_92847309329.exe
                  Source: DHL AWB_NO_92847309329.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                  Source: 12.2.rjOyFV.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: 12.2.rjOyFV.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                  Source: 12.2.rjOyFV.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
                  Source: 0.2.DHL AWB_NO_92847309329.exe.45864a0.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: 0.2.DHL AWB_NO_92847309329.exe.45864a0.1.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                  Source: 0.2.DHL AWB_NO_92847309329.exe.45864a0.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
                  Source: 0.2.DHL AWB_NO_92847309329.exe.3b55670.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: 0.2.DHL AWB_NO_92847309329.exe.3b55670.3.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                  Source: 0.2.DHL AWB_NO_92847309329.exe.3b55670.3.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
                  Source: 12.2.rjOyFV.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: 12.2.rjOyFV.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                  Source: 12.2.rjOyFV.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
                  Source: 0.2.DHL AWB_NO_92847309329.exe.45864a0.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: 0.2.DHL AWB_NO_92847309329.exe.45864a0.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
                  Source: 0.2.DHL AWB_NO_92847309329.exe.3b55670.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: 0.2.DHL AWB_NO_92847309329.exe.3b55670.3.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
                  Source: 0.2.DHL AWB_NO_92847309329.exe.3a7e790.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: 0.2.DHL AWB_NO_92847309329.exe.3a7e790.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
                  Source: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                  Source: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
                  Source: 00000000.00000002.1806575207.0000000004586000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: 00000000.00000002.1806575207.0000000003A69000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: Process Memory Space: DHL AWB_NO_92847309329.exe PID: 3120, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: Process Memory Space: rjOyFV.exe PID: 7524, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: DHL AWB_NO_92847309329.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: rjOyFV.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: 0.2.DHL AWB_NO_92847309329.exe.7000000.4.raw.unpack, at4ONG9F0NYCELN5Tj.cs | Cryptographic APIs: 'CreateDecryptor'
                  Source: 0.2.DHL AWB_NO_92847309329.exe.3a7e790.2.raw.unpack, at4ONG9F0NYCELN5Tj.cs | Cryptographic APIs: 'CreateDecryptor'
                  Source: 0.2.DHL AWB_NO_92847309329.exe.9a50000.5.raw.unpack, ujnbt23axdywEjt9d5.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: 0.2.DHL AWB_NO_92847309329.exe.9a50000.5.raw.unpack, owon38FMyAnPm1ZsOx.cs | Security API names: _0020.SetAccessControl
                  Source: 0.2.DHL AWB_NO_92847309329.exe.9a50000.5.raw.unpack, owon38FMyAnPm1ZsOx.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: 0.2.DHL AWB_NO_92847309329.exe.9a50000.5.raw.unpack, owon38FMyAnPm1ZsOx.cs | Security API names: _0020.AddAccessRule
                  Source: 0.2.DHL AWB_NO_92847309329.exe.3c0c490.0.raw.unpack, ujnbt23axdywEjt9d5.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: 0.2.DHL AWB_NO_92847309329.exe.3c0c490.0.raw.unpack, owon38FMyAnPm1ZsOx.cs | Security API names: _0020.SetAccessControl
                  Source: 0.2.DHL AWB_NO_92847309329.exe.3c0c490.0.raw.unpack, owon38FMyAnPm1ZsOx.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: 0.2.DHL AWB_NO_92847309329.exe.3c0c490.0.raw.unpack, owon38FMyAnPm1ZsOx.cs | Security API names: _0020.AddAccessRule
                  Source: classification engine | Classification label: mal100.rans.troj.spyw.evad.winEXE@18/12@8/2
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exe | Code function: 12_2_00415C90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, | 12_2_00415C90
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exe | Code function: 12_2_0040E2E7 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,Process32NextW,CloseHandle, | 12_2_0040E2E7
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exe | Code function: 12_2_00419493 FindResourceA,LoadResource,LockResource,SizeofResource, | 12_2_00419493
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exe | Code function: 12_2_00418A00 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, | 12_2_00418A00
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exe | File created: C:\Users\user\AppData\Roaming\rjOyFV.exe
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exe | Mutant created: NULL
                  Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6968:120:WilError_03
                  Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7472:120:WilError_03
                  Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5232:120:WilError_03
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exe | Mutant created: \Sessions\1\BaseNamedObjects\764-0XPV9J
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exe | File created: C:\Users\user\AppData\Local\Temp\tmpE78A.tmp
                  Source: DHL AWB_NO_92847309329.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: DHL AWB_NO_92847309329.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exe | File read: C:\Users\user\Desktop\desktop.ini
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: rjOyFV.exe.0.dr | Binary or memory string: INSERT INTO Games (user_id, wins, ties, losses) VALUES ((SELECT id FROM Users WHERE id = {0}), 0, 1, 0);tiesaUPDATE Games SET ties = {0} WHERE user_id = {1};
                  Source: rjOyFV.exe.0.dr | Binary or memory string: INSERT INTO Games (user_id, wins, ties, losses) VALUES ((SELECT id FROM Users WHERE id = {0}), 1, 0, 0);winsaUPDATE Games SET wins = {0} WHERE user_id = {1};
                  Source: rjOyFV.exe.0.dr | Binary or memory string: INSERT INTO Games (user_id, wins, ties, losses) VALUES ((SELECT id FROM Users WHERE id = {0}), 0, 0, 1);
                  Source: DHL AWB_NO_92847309329.exe | ReversingLabs: Detection: 39%
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exe | File read: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exe
                  Source: unknown | Process created: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exe "C:\Users\user\Desktop\DHL AWB_NO_92847309329.exe"
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\rjOyFV.exe"
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rjOyFV" /XML "C:\Users\user\AppData\Local\Temp\tmpE78A.tmp"
                  Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exe | Process created: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exe "C:\Users\user\Desktop\DHL AWB_NO_92847309329.exe"
                  Source: unknown | Process created: C:\Users\user\AppData\Roaming\rjOyFV.exe C:\Users\user\AppData\Roaming\rjOyFV.exe
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rjOyFV" /XML "C:\Users\user\AppData\Local\Temp\tmp36E.tmp"
                  Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exeProcess created: C:\Users\user\AppData\Roaming\rjOyFV.exe "C:\Users\user\AppData\Roaming\rjOyFV.exe"
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exeProcess created: C:\Users\user\AppData\Roaming\rjOyFV.exe "C:\Users\user\AppData\Roaming\rjOyFV.exe"
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\rjOyFV.exe"Jump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rjOyFV" /XML "C:\Users\user\AppData\Local\Temp\tmpE78A.tmp"Jump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeProcess created: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exe "C:\Users\user\Desktop\DHL AWB_NO_92847309329.exe"Jump to behavior
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rjOyFV" /XML "C:\Users\user\AppData\Local\Temp\tmp36E.tmp"Jump to behavior
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exeProcess created: C:\Users\user\AppData\Roaming\rjOyFV.exe "C:\Users\user\AppData\Roaming\rjOyFV.exe"Jump to behavior
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exeProcess created: C:\Users\user\AppData\Roaming\rjOyFV.exe "C:\Users\user\AppData\Roaming\rjOyFV.exe"Jump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeSection loaded: apphelp.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeSection loaded: version.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeSection loaded: dwrite.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeSection loaded: gpapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeSection loaded: windowscodecs.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeSection loaded: ntmarta.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeSection loaded: propsys.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeSection loaded: edputil.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeSection loaded: urlmon.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeSection loaded: iertutil.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeSection loaded: wintypes.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeSection loaded: appresolver.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeSection loaded: bcp47langs.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeSection loaded: slc.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeSection loaded: sppc.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
                  Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeSection loaded: winmm.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeSection loaded: urlmon.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeSection loaded: wininet.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeSection loaded: iertutil.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeSection loaded: mswsock.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeSection loaded: dnsapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeSection loaded: iphlpapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeSection loaded: rasadhlp.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeSection loaded: fwpuclnt.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeSection loaded: winhttp.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeSection loaded: winnsi.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exeSection loaded: apphelp.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exeSection loaded: version.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exeSection loaded: dwrite.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exeSection loaded: gpapi.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exeSection loaded: windowscodecs.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exeSection loaded: propsys.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exeSection loaded: edputil.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exeSection loaded: urlmon.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exeSection loaded: iertutil.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exeSection loaded: wintypes.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exeSection loaded: appresolver.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exeSection loaded: bcp47langs.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exeSection loaded: slc.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exeSection loaded: sppc.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dllJump to behavior
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dllJump to behavior
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dllJump to behavior
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dllJump to behavior
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dllJump to behavior
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dllJump to behavior
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dllJump to behavior
                  Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
                  Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exeSection loaded: winmm.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exeSection loaded: urlmon.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exeSection loaded: wininet.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exeSection loaded: iertutil.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                  Source: Window RecorderWindow detected: More than 3 window changes detected
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                  Source: DHL AWB_NO_92847309329.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                  Source: DHL AWB_NO_92847309329.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                  Source: DHL AWB_NO_92847309329.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: Binary string: slCn.pdbSHA256y! source: DHL AWB_NO_92847309329.exe, rjOyFV.exe.0.dr
                  Source: Binary string: slCn.pdb source: DHL AWB_NO_92847309329.exe, rjOyFV.exe.0.dr

Data Obfuscation

Source: 0.2.DHL AWB_NO_92847309329.exe.7000000.4.raw.unpack, at4ONG9F0NYCELN5Tj.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{cPRyvIfYviaTKciquO(typeof(IntPtr).TypeHandle),cPRyvIfYviaTKciquO(typeof(Type).TypeHandle)})
Source: 0.2.DHL AWB_NO_92847309329.exe.3a7e790.2.raw.unpack, at4ONG9F0NYCELN5Tj.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{cPRyvIfYviaTKciquO(typeof(IntPtr).TypeHandle),cPRyvIfYviaTKciquO(typeof(Type).TypeHandle)})
Source: DHL AWB_NO_92847309329.exe, FormLogin.cs | .Net Code: InitializeComponent
Source: rjOyFV.exe.0.dr, FormLogin.cs | .Net Code: InitializeComponent
Source: 0.2.DHL AWB_NO_92847309329.exe.9a50000.5.raw.unpack, owon38FMyAnPm1ZsOx.cs | .Net Code: U22irSVtQR System.Reflection.Assembly.Load(byte[])
Source: 0.2.DHL AWB_NO_92847309329.exe.3c0c490.0.raw.unpack, owon38FMyAnPm1ZsOx.cs | .Net Code: U22irSVtQR System.Reflection.Assembly.Load(byte[])
Source: DHL AWB_NO_92847309329.exe | Static PE information: 0x9D2FE497 [Sat Jul 26 16:53:43 2053 UTC]
Source: C:\Users\user\AppData\Roaming\rjOyFV.exe | Code function: 12_2_0041A8DA LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 12_2_0041A8DA
Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exe | Code function: 0_2_072A8F80 pushfd ; retf 0_2_072A8F81
Source: C:\Users\user\AppData\Roaming\rjOyFV.exe | Code function: 7_2_07328F80 pushfd ; retf 7_2_07328F81
Source: C:\Users\user\AppData\Roaming\rjOyFV.exe | Code function: 12_2_004000D8 push es; iretd 12_2_004000D9
Source: C:\Users\user\AppData\Roaming\rjOyFV.exe | Code function: 12_2_0040008C push es; iretd 12_2_0040008D
Source: C:\Users\user\AppData\Roaming\rjOyFV.exe | Code function: 12_2_004542E6 push ecx; ret 12_2_004542F9
Source: C:\Users\user\AppData\Roaming\rjOyFV.exe | Code function: 12_2_0045B4FD push esi; ret 12_2_0045B506
Source: C:\Users\user\AppData\Roaming\rjOyFV.exe | Code function: 12_2_00432BD6 push ecx; ret 12_2_00432BE9
Source: C:\Users\user\AppData\Roaming\rjOyFV.exe | Code function: 12_2_00454C08 push eax; ret 12_2_00454C26
Source: DHL AWB_NO_92847309329.exe | Static PE information: section name: .text entropy: 7.96145220092769
Source: rjOyFV.exe.0.dr | Static PE information: section name: .text entropy: 7.96145220092769
Source: 0.2.DHL AWB_NO_92847309329.exe.9a50000.5.raw.unpack, FwUsfGsLcp9SV5JmiRr.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'EOyfSS0i0n', 'vbDftDYtbn', 'zVDfpTLgP9', 'hNofOs2IkJ', 'MJOf2qjgLq', 'fM4fxuhxHX', 'WpHfQh7wJp'
Source: 0.2.DHL AWB_NO_92847309329.exe.9a50000.5.raw.unpack, w7fBJrZ8R5E16gwMrB.cs | High entropy of concatenated method names: 'xFSUKjivnb', 'rnoUu3gOtV', 'xiNUbUHtI5', 'YNeUvRMVCt', 'vjdUHKJPyq', 'oRNUCAy6M6', 'DbcUFuRfPU', 'jQJUjoWTyo', 'pJ7UcfsRQJ', 'fYiU7S93x9'
Source: 0.2.DHL AWB_NO_92847309329.exe.9a50000.5.raw.unpack, OBuQL1b1bZCTxNc2AO.cs | High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'WTshD6kHka', 'NvGhY4fbjQ', 'aRLhzqEcSb', 'FtVLw2iRw6', 'dtJLsmnCqf', 'wyoLhXqMkT', 'wvcLLnMuRx', 'i8bqYuK9EmLYVuNvKXj'
Source: 0.2.DHL AWB_NO_92847309329.exe.9a50000.5.raw.unpack, OFFj3MxvZrR3IWDV4Q.cs | High entropy of concatenated method names: 'DcMBZO4Nrb', 'SZFBYdfdYT', 'BBeUw7ZNgW', 'PysUs8bE2g', 'CXsB0ohwpE', 'bHhBGroshw', 'uwCBdRiTAP', 'XOGBSiGL8X', 'A6VBtM9Bvs', 'WwQBpHborX'
Source: 0.2.DHL AWB_NO_92847309329.exe.9a50000.5.raw.unpack, TUmCwnPmDMweLntJdj.cs | High entropy of concatenated method names: 'ir4v4aKFdM', 'sMpvasxOk1', 'xOSbgXwH6a', 'LfAbeby7wh', 'k0lb9mi6cl', 'UI8b59f51O', 'uQpbWOcuto', 'NRxbqbWim8', 'zRebXdqswy', 'rSabNH2BcJ'
Source: 0.2.DHL AWB_NO_92847309329.exe.9a50000.5.raw.unpack, lmOwuLeCnoJX9fQ2RL.cs | High entropy of concatenated method names: 'CGaHyOpaQV', 'MXqH8pKaD1', 'T46HrwwrJm', 'LbDHIMDkEN', 'S1vHEPoFs6', 'U9EHaPRtIX', 'QB0HmcXpOt', 'B5fHPyf9eo', 'Gpuy3u4BQmtlVpTnSi2', 'KjC35741MhILkXSiiuZ'
Source: 0.2.DHL AWB_NO_92847309329.exe.9a50000.5.raw.unpack, dCqRcmdw9F2EyofPbR.cs | High entropy of concatenated method names: 'n11M3Yq2AF', 'ghxMmqlqbE', 'oI6M6yOQtk', 'erkM1iueXP', 'DZWMe649Sp', 'hlJM9WL1Dn', 'THLMWOwLeA', 'eN3Mqj5yV4', 'TnKMNYw98j', 'TdXM0vjDxA'
Source: 0.2.DHL AWB_NO_92847309329.exe.9a50000.5.raw.unpack, X8VgHhD0b6twgSkh0B.cs | High entropy of concatenated method names: 'c0MU6XaZh2', 'mX0U1yOgck', 'qrCUg5Vhcd', 'S38UedCnks', 'HCEUSofwu3', 'Tl3U9KGpSW', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.DHL AWB_NO_92847309329.exe.9a50000.5.raw.unpack, l3UePJshXGu7lflrnWF.cs | High entropy of concatenated method names: 'LI4f8AdT1J', 'vQlfnf0pK2', 'LgPfr5wsYf', 'bZj7jusOoGep39ViEW4', 'XXykSNsd8Zlq87Bi8gM', 'tbk86HsUt8rI8iL1YZM', 'g14ykesAEKj6KcSTyI6'
Source: 0.2.DHL AWB_NO_92847309329.exe.9a50000.5.raw.unpack, AZxXtJhPeEscRauqTp.cs | High entropy of concatenated method names: 'Sshr0SmRH', 'l5oIDglu1', 'XcdEXoWOn', 'V1baKOBkO', 'PjXml2saj', 'dlTPTeZEq', 'vAdMGi3YsRnS1I2lQG', 'zsVUWFV8iX8k7vH8v7', 'I1kUrbhib', 'GX1fkAdVw'
Source: 0.2.DHL AWB_NO_92847309329.exe.9a50000.5.raw.unpack, ujnbt23axdywEjt9d5.cs | High entropy of concatenated method names: 'RH1uS3YOGq', 'YZeuteKguV', 'w5Oup2mpT0', 'V5WuOaxm63', 'XNvu2xksrF', 'UQduxHmUma', 'HiAuQIsvUN', 'r7fuZ2tkPI', 'OPluDDSkav', 'svhuYYVUxL'
Source: 0.2.DHL AWB_NO_92847309329.exe.9a50000.5.raw.unpack, AyLfqWSdg49u33fu78.cs | High entropy of concatenated method names: 'PVgJNPe2bG', 'feCJGD7mvM', 'qkFJShCUK1', 'ABAJtgVAfy', 'zDtJ12dSQl', 'edTJg2ml22', 'YuiJeIIyYo', 'dlIJ9eCND4', 'NMZJ5MHPSY', 'SSpJW5xKra'
Source: 0.2.DHL AWB_NO_92847309329.exe.9a50000.5.raw.unpack, UEkifs6ZaAsx2fSjGX.cs | High entropy of concatenated method names: 'TFAHTEm4eA', 'kgjHuT0reb', 'kGEHvRjV4r', 'qc9HCJw7Xc', 'KLoHFOtvxL', 'grjv2oyFDY', 'KEFvxRRZhG', 'HW3vQ79sSc', 'SGkvZo0MRC', 'SddvDTlTIi'
Source: 0.2.DHL AWB_NO_92847309329.exe.9a50000.5.raw.unpack, g3jT4JugK4ciYhi4t6.cs | High entropy of concatenated method names: 'Dispose', 'oX7sDea0pY', 'KI6h1rG4lc', 'h1y11FPkaM', 'eV7sYfBJr8', 'u5Esz16gwM', 'ProcessDialogKey', 'zBZhw8VgHh', 'Ob6hstwgSk', 'c0BhhyDNbn'
Source: 0.2.DHL AWB_NO_92847309329.exe.9a50000.5.raw.unpack, bvfL6fmZhaIH14ikJV.cs | High entropy of concatenated method names: 'YohbIN56St', 'X9rbEGpQkL', 'NhFb3uybl4', 'gGebmvjnqO', 'RAQbJTwloI', 'kLtbA16I95', 'a1ebBtCtZE', 'UTxbUUBc3C', 'axrbo6tLb3', 'FnIbfmwymo'
Source: 0.2.DHL AWB_NO_92847309329.exe.9a50000.5.raw.unpack, wDNbn3YOSvqCWu6qit.cs | High entropy of concatenated method names: 'liBoscUDhP', 'z9roL6Npf1', 'tZqoiLOoyk', 'U0roKKokIF', 'EEvouD1Bpk', 'wdbovGRtZN', 'lLaoHsKcoJ', 'BrOUQKNNuO', 'goRUZDJX8I', 'gssUDj0PgS'
Source: 0.2.DHL AWB_NO_92847309329.exe.9a50000.5.raw.unpack, ob7GS2WUxTdes4RfPh.cs | High entropy of concatenated method names: 'VouCKHWf0d', 'c1nCb4up35', 'hVICHHdoFS', 'xu6HYkGwEv', 'pHmHzkW5fO', 'aq8Cw5HM4p', 'b3aCsc175c', 'fXWChcJkv5', 'AvUCLnmMTO', 'njTCiIEnQf'
Source: 0.2.DHL AWB_NO_92847309329.exe.9a50000.5.raw.unpack, owon38FMyAnPm1ZsOx.cs | High entropy of concatenated method names: 'lMVLTxymBL', 'cF8LKFILki', 'EqsLulluoy', 'NuBLbVJ3Jh', 'bcULvSqehS', 'IGYLHONutH', 'XAyLCkriTn', 'iN1LF78R5w', 'yASLj9sOcP', 'Wi3LcglEjO'
Source: 0.2.DHL AWB_NO_92847309329.exe.9a50000.5.raw.unpack, hmyUGRXdVcpbArMirs.cs | High entropy of concatenated method names: 'cdDC8MPXlv', 'GkVCnOO9hf', 'st7CrCu1lA', 'yQHCI8Znyt', 'oK6C41OWZL', 'whFCEYS8qq', 'wdECab5IEW', 'I0eC3Lf2KM', 'vuhCmxcrYo', 'p0tCPVqGjA'
Source: 0.2.DHL AWB_NO_92847309329.exe.9a50000.5.raw.unpack, NY2la8sw3wYuYX3jq1v.cs | High entropy of concatenated method names: 'Vu4o8n8o4e', 'iybonTlRFT', 'Me2ordfdD7', 'yjdoIQJipX', 'baeo4adyfe', 'IE0oEiEFN3', 'tphoarklj2', 'oFKo3vqZAj', 'YD9omb7Vi7', 'iI7oPZvuDk'
Source: 0.2.DHL AWB_NO_92847309329.exe.9a50000.5.raw.unpack, NY3q5EOhSKedXn4Rvg.cs | High entropy of concatenated method names: 'US3Bc814ko', 'NoNB71WYu0', 'ToString', 'hnbBKMQqVs', 'h8HBucQitA', 'YQbBbBVW84', 'oZdBvnRir3', 'HONBHu4vjn', 'DWMBCLwyb3', 'SaeBFihk6h'
Source: 0.2.DHL AWB_NO_92847309329.exe.9a50000.5.raw.unpack, oYOuN0ie7Bxa0Vofoe.cs | High entropy of concatenated method names: 'kyRsCjnbt2', 'CxdsFywEjt', 'sZhscaIH14', 'dkJs7VpUmC', 'ytJsJdj2Ek', 'dfssAZaAsx', 'otcPmaU6GP4VsbBuIc', 'B652xrA4eShiDlgeAD', 'tRqssYvBMD', 'PIWsLkEqL8'
Source: 0.2.DHL AWB_NO_92847309329.exe.7000000.4.raw.unpack, MainForm.cs | High entropy of concatenated method names: 'YgSHuitkd', 'aiP2N9Y7C', 'gHQx79i6W', 'AGv9PUWi3', 'QMsbTCblb', 'beIGikGSa', 'clTPOt4ON', 'fF0vNYCEL', 'C5TCjFvvv', 'ln3BTm5Rw'
Source: 0.2.DHL AWB_NO_92847309329.exe.7000000.4.raw.unpack, at4ONG9F0NYCELN5Tj.cs | High entropy of concatenated method names: 'nVoxarmF975Urj2p8sJ', 'tIta6WmWAkGE6iVCWgt', 'Y8N2DklRel', 'hpreq0m6Xcu1pidWj9b', 'KFC0XvmT5N8D2LR210h', 'a5foommXYpDAHBV6LjL', 'd3wYgimbV84NAc2fo7p', 'ItvPp5mqvV1adE08UOg', 'KA7rbWmJ0EMRNxYE2Vd', 'PPtPBAmQMyT7QpfjJpI'
Source: 0.2.DHL AWB_NO_92847309329.exe.3c0c490.0.raw.unpack, FwUsfGsLcp9SV5JmiRr.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'EOyfSS0i0n', 'vbDftDYtbn', 'zVDfpTLgP9', 'hNofOs2IkJ', 'MJOf2qjgLq', 'fM4fxuhxHX', 'WpHfQh7wJp'
Source: 0.2.DHL AWB_NO_92847309329.exe.3c0c490.0.raw.unpack, w7fBJrZ8R5E16gwMrB.cs | High entropy of concatenated method names: 'xFSUKjivnb', 'rnoUu3gOtV', 'xiNUbUHtI5', 'YNeUvRMVCt', 'vjdUHKJPyq', 'oRNUCAy6M6', 'DbcUFuRfPU', 'jQJUjoWTyo', 'pJ7UcfsRQJ', 'fYiU7S93x9'
                  Source: 0.2.DHL AWB_NO_92847309329.exe.3c0c490.0.raw.unpack, OBuQL1b1bZCTxNc2AO.csHigh entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'WTshD6kHka', 'NvGhY4fbjQ', 'aRLhzqEcSb', 'FtVLw2iRw6', 'dtJLsmnCqf', 'wyoLhXqMkT', 'wvcLLnMuRx', 'i8bqYuK9EmLYVuNvKXj'
                  Source: 0.2.DHL AWB_NO_92847309329.exe.3c0c490.0.raw.unpack, OFFj3MxvZrR3IWDV4Q.csHigh entropy of concatenated method names: 'DcMBZO4Nrb', 'SZFBYdfdYT', 'BBeUw7ZNgW', 'PysUs8bE2g', 'CXsB0ohwpE', 'bHhBGroshw', 'uwCBdRiTAP', 'XOGBSiGL8X', 'A6VBtM9Bvs', 'WwQBpHborX'
                  Source: 0.2.DHL AWB_NO_92847309329.exe.3c0c490.0.raw.unpack, TUmCwnPmDMweLntJdj.csHigh entropy of concatenated method names: 'ir4v4aKFdM', 'sMpvasxOk1', 'xOSbgXwH6a', 'LfAbeby7wh', 'k0lb9mi6cl', 'UI8b59f51O', 'uQpbWOcuto', 'NRxbqbWim8', 'zRebXdqswy', 'rSabNH2BcJ'
                  Source: 0.2.DHL AWB_NO_92847309329.exe.3c0c490.0.raw.unpack, lmOwuLeCnoJX9fQ2RL.csHigh entropy of concatenated method names: 'CGaHyOpaQV', 'MXqH8pKaD1', 'T46HrwwrJm', 'LbDHIMDkEN', 'S1vHEPoFs6', 'U9EHaPRtIX', 'QB0HmcXpOt', 'B5fHPyf9eo', 'Gpuy3u4BQmtlVpTnSi2', 'KjC35741MhILkXSiiuZ'
                  Source: 0.2.DHL AWB_NO_92847309329.exe.3c0c490.0.raw.unpack, dCqRcmdw9F2EyofPbR.csHigh entropy of concatenated method names: 'n11M3Yq2AF', 'ghxMmqlqbE', 'oI6M6yOQtk', 'erkM1iueXP', 'DZWMe649Sp', 'hlJM9WL1Dn', 'THLMWOwLeA', 'eN3Mqj5yV4', 'TnKMNYw98j', 'TdXM0vjDxA'
                  Source: 0.2.DHL AWB_NO_92847309329.exe.3c0c490.0.raw.unpack, X8VgHhD0b6twgSkh0B.csHigh entropy of concatenated method names: 'c0MU6XaZh2', 'mX0U1yOgck', 'qrCUg5Vhcd', 'S38UedCnks', 'HCEUSofwu3', 'Tl3U9KGpSW', 'Next', 'Next', 'Next', 'NextBytes'
                  Source: 0.2.DHL AWB_NO_92847309329.exe.3c0c490.0.raw.unpack, l3UePJshXGu7lflrnWF.csHigh entropy of concatenated method names: 'LI4f8AdT1J', 'vQlfnf0pK2', 'LgPfr5wsYf', 'bZj7jusOoGep39ViEW4', 'XXykSNsd8Zlq87Bi8gM', 'tbk86HsUt8rI8iL1YZM', 'g14ykesAEKj6KcSTyI6'
                  Source: 0.2.DHL AWB_NO_92847309329.exe.3c0c490.0.raw.unpack, AZxXtJhPeEscRauqTp.csHigh entropy of concatenated method names: 'Sshr0SmRH', 'l5oIDglu1', 'XcdEXoWOn', 'V1baKOBkO', 'PjXml2saj', 'dlTPTeZEq', 'vAdMGi3YsRnS1I2lQG', 'zsVUWFV8iX8k7vH8v7', 'I1kUrbhib', 'GX1fkAdVw'
                  Source: 0.2.DHL AWB_NO_92847309329.exe.3c0c490.0.raw.unpack, ujnbt23axdywEjt9d5.csHigh entropy of concatenated method names: 'RH1uS3YOGq', 'YZeuteKguV', 'w5Oup2mpT0', 'V5WuOaxm63', 'XNvu2xksrF', 'UQduxHmUma', 'HiAuQIsvUN', 'r7fuZ2tkPI', 'OPluDDSkav', 'svhuYYVUxL'
                  Source: 0.2.DHL AWB_NO_92847309329.exe.3c0c490.0.raw.unpack, AyLfqWSdg49u33fu78.csHigh entropy of concatenated method names: 'PVgJNPe2bG', 'feCJGD7mvM', 'qkFJShCUK1', 'ABAJtgVAfy', 'zDtJ12dSQl', 'edTJg2ml22', 'YuiJeIIyYo', 'dlIJ9eCND4', 'NMZJ5MHPSY', 'SSpJW5xKra'
                  Source: 0.2.DHL AWB_NO_92847309329.exe.3c0c490.0.raw.unpack, UEkifs6ZaAsx2fSjGX.csHigh entropy of concatenated method names: 'TFAHTEm4eA', 'kgjHuT0reb', 'kGEHvRjV4r', 'qc9HCJw7Xc', 'KLoHFOtvxL', 'grjv2oyFDY', 'KEFvxRRZhG', 'HW3vQ79sSc', 'SGkvZo0MRC', 'SddvDTlTIi'
                  Source: 0.2.DHL AWB_NO_92847309329.exe.3c0c490.0.raw.unpack, g3jT4JugK4ciYhi4t6.csHigh entropy of concatenated method names: 'Dispose', 'oX7sDea0pY', 'KI6h1rG4lc', 'h1y11FPkaM', 'eV7sYfBJr8', 'u5Esz16gwM', 'ProcessDialogKey', 'zBZhw8VgHh', 'Ob6hstwgSk', 'c0BhhyDNbn'
                  Source: 0.2.DHL AWB_NO_92847309329.exe.3c0c490.0.raw.unpack, bvfL6fmZhaIH14ikJV.csHigh entropy of concatenated method names: 'YohbIN56St', 'X9rbEGpQkL', 'NhFb3uybl4', 'gGebmvjnqO', 'RAQbJTwloI', 'kLtbA16I95', 'a1ebBtCtZE', 'UTxbUUBc3C', 'axrbo6tLb3', 'FnIbfmwymo'
                  Source: 0.2.DHL AWB_NO_92847309329.exe.3c0c490.0.raw.unpack, wDNbn3YOSvqCWu6qit.csHigh entropy of concatenated method names: 'liBoscUDhP', 'z9roL6Npf1', 'tZqoiLOoyk', 'U0roKKokIF', 'EEvouD1Bpk', 'wdbovGRtZN', 'lLaoHsKcoJ', 'BrOUQKNNuO', 'goRUZDJX8I', 'gssUDj0PgS'
                  Source: 0.2.DHL AWB_NO_92847309329.exe.3c0c490.0.raw.unpack, ob7GS2WUxTdes4RfPh.csHigh entropy of concatenated method names: 'VouCKHWf0d', 'c1nCb4up35', 'hVICHHdoFS', 'xu6HYkGwEv', 'pHmHzkW5fO', 'aq8Cw5HM4p', 'b3aCsc175c', 'fXWChcJkv5', 'AvUCLnmMTO', 'njTCiIEnQf'
                  Source: 0.2.DHL AWB_NO_92847309329.exe.3c0c490.0.raw.unpack, owon38FMyAnPm1ZsOx.csHigh entropy of concatenated method names: 'lMVLTxymBL', 'cF8LKFILki', 'EqsLulluoy', 'NuBLbVJ3Jh', 'bcULvSqehS', 'IGYLHONutH', 'XAyLCkriTn', 'iN1LF78R5w', 'yASLj9sOcP', 'Wi3LcglEjO'
                  Source: 0.2.DHL AWB_NO_92847309329.exe.3c0c490.0.raw.unpack, hmyUGRXdVcpbArMirs.csHigh entropy of concatenated method names: 'cdDC8MPXlv', 'GkVCnOO9hf', 'st7CrCu1lA', 'yQHCI8Znyt', 'oK6C41OWZL', 'whFCEYS8qq', 'wdECab5IEW', 'I0eC3Lf2KM', 'vuhCmxcrYo', 'p0tCPVqGjA'
                  Source: 0.2.DHL AWB_NO_92847309329.exe.3c0c490.0.raw.unpack, NY2la8sw3wYuYX3jq1v.csHigh entropy of concatenated method names: 'Vu4o8n8o4e', 'iybonTlRFT', 'Me2ordfdD7', 'yjdoIQJipX', 'baeo4adyfe', 'IE0oEiEFN3', 'tphoarklj2', 'oFKo3vqZAj', 'YD9omb7Vi7', 'iI7oPZvuDk'
                  Source: 0.2.DHL AWB_NO_92847309329.exe.3c0c490.0.raw.unpack, NY3q5EOhSKedXn4Rvg.csHigh entropy of concatenated method names: 'US3Bc814ko', 'NoNB71WYu0', 'ToString', 'hnbBKMQqVs', 'h8HBucQitA', 'YQbBbBVW84', 'oZdBvnRir3', 'HONBHu4vjn', 'DWMBCLwyb3', 'SaeBFihk6h'
                  Source: 0.2.DHL AWB_NO_92847309329.exe.3c0c490.0.raw.unpack, oYOuN0ie7Bxa0Vofoe.csHigh entropy of concatenated method names: 'kyRsCjnbt2', 'CxdsFywEjt', 'sZhscaIH14', 'dkJs7VpUmC', 'ytJsJdj2Ek', 'dfssAZaAsx', 'otcPmaU6GP4VsbBuIc', 'B652xrA4eShiDlgeAD', 'tRqssYvBMD', 'PIWsLkEqL8'
                  Source: 0.2.DHL AWB_NO_92847309329.exe.3a7e790.2.raw.unpack, MainForm.csHigh entropy of concatenated method names: 'YgSHuitkd', 'aiP2N9Y7C', 'gHQx79i6W', 'AGv9PUWi3', 'QMsbTCblb', 'beIGikGSa', 'clTPOt4ON', 'fF0vNYCEL', 'C5TCjFvvv', 'ln3BTm5Rw'
                  Source: 0.2.DHL AWB_NO_92847309329.exe.3a7e790.2.raw.unpack, at4ONG9F0NYCELN5Tj.csHigh entropy of concatenated method names: 'nVoxarmF975Urj2p8sJ', 'tIta6WmWAkGE6iVCWgt', 'Y8N2DklRel', 'hpreq0m6Xcu1pidWj9b', 'KFC0XvmT5N8D2LR210h', 'a5foommXYpDAHBV6LjL', 'd3wYgimbV84NAc2fo7p', 'ItvPp5mqvV1adE08UOg', 'KA7rbWmJ0EMRNxYE2Vd', 'PPtPBAmQMyT7QpfjJpI'
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exeCode function: 12_2_004063C6 ShellExecuteW,URLDownloadToFileW,12_2_004063C6
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeFile created: C:\Users\user\AppData\Roaming\rjOyFV.exeJump to dropped file

                  Boot Survival

                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exe: Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rjOyFV" /XML "C:\Users\user\AppData\Local\Temp\tmpE78A.tmp"
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exe: Code function: 12_2_00418A00 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle
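The task above is registered from an XML definition written to the user's Temp directory, and the binary it persists is the dropped rjOyFV.exe in AppData\Roaming. The report does not include the contents of tmpE78A.tmp. The following Python is an added editorial example, not part of the Joe Sandbox report: it parses a Task Scheduler XML definition (the file handed to `schtasks /Create /XML`, or the export produced by `schtasks /Query /TN "Updates\rjOyFV" /XML` on an affected host) and flags the indicators a responder checks first: an action launched from a user-writable directory, a hidden task, a logon or boot trigger, and a request for highest privileges. The two task definitions in the block are constructed; only the action path of the first one comes from the report, while its logon trigger and Hidden setting are assumptions made for the example.

```python
"""Offline triage of a Windows Task Scheduler XML definition.

Works on the file handed to `schtasks /Create /XML <file>` or on the output of
`schtasks /Query /TN "<task>" /XML`. schtasks writes task XML as UTF-16 with a
BOM, so read the file as bytes and let the parser honour the declaration.
"""
import re
import xml.etree.ElementTree as ET

# Namespace of the Task Scheduler schema, shared by all task XML versions.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Launch locations writable by an unprivileged user. A task whose action lives
# in one of these is worth a look before the binary itself is examined.
USER_WRITABLE = re.compile(
    r"\\(AppData\\(Roaming|Local)|Users\\Public|ProgramData|Temp|Downloads)\\",
    re.IGNORECASE,
)


def _text(parent, path):
    """Text of the first child matching `path`, or '' when it is absent."""
    el = parent.find(path, NS)
    return (el.text or "").strip() if el is not None else ""


def triage_task_xml(xml_bytes):
    """Parse one task definition and return its facts plus persistence indicators."""
    root = ET.fromstring(xml_bytes)
    commands = [
        (_text(ex, "t:Command").strip('"'), _text(ex, "t:Arguments"))
        for ex in root.iterfind("t:Actions/t:Exec", NS)
    ]
    trig = root.find("t:Triggers", NS)
    triggers = [] if trig is None else [t.tag.split("}")[-1] for t in trig]
    hidden = _text(root, "t:Settings/t:Hidden").lower() == "true"
    run_level = _text(root, "t:Principals/t:Principal/t:RunLevel")

    findings = []
    for cmd, _args in commands:
        if USER_WRITABLE.search(cmd):
            findings.append("exec_from_user_writable_path:" + cmd)
    if hidden:
        findings.append("hidden_task")
    if "LogonTrigger" in triggers or "BootTrigger" in triggers:
        findings.append("runs_at_logon_or_boot")
    if run_level == "HighestAvailable":
        findings.append("requests_highest_privileges")

    return {
        "commands": commands,
        "triggers": triggers,
        "hidden": hidden,
        "run_level": run_level,
        "findings": findings,
        # The launch path is the deciding indicator; the others only add
        # weight to a task that already has it.
        "suspicious": any(f.startswith("exec_from_user_writable_path") for f in findings),
    }


def build_task_xml(command, logon=True, hidden=False):
    """Constructed task definition shaped like schtasks output (UTF-16 with BOM)."""
    trigger = "<LogonTrigger><Enabled>true</Enabled></LogonTrigger>" if logon else ""
    hidden_flag = "true" if hidden else "false"
    xml = f"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>user</Author></RegistrationInfo>
  <Triggers>{trigger}</Triggers>
  <Principals><Principal id="Author"><RunLevel>LeastPrivilege</RunLevel></Principal></Principals>
  <Settings><Hidden>{hidden_flag}</Hidden></Settings>
  <Actions Context="Author"><Exec><Command>{command}</Command></Exec></Actions>
</Task>"""
    return xml.encode("utf-16")


# Constructed stand-in for the tmpE78A.tmp that the report does not show. The
# action path is the dropped file named in the report; the logon trigger and
# the Hidden setting are assumptions made for this example.
SAMPLE_REMCOS_TASK = build_task_xml(
    r"C:\Users\user\AppData\Roaming\rjOyFV.exe", logon=True, hidden=True
)
# A benign-looking comparison task launched from System32 (also constructed).
SAMPLE_BENIGN_TASK = build_task_xml(r"C:\Windows\System32\wsqmcons.exe", logon=False)

if __name__ == "__main__":
    for name, blob in (("remcos-like", SAMPLE_REMCOS_TASK), ("benign", SAMPLE_BENIGN_TASK)):
        result = triage_task_xml(blob)
        print(f"{name}: suspicious={result['suspicious']} findings={result['findings']}")
```

On a live host, export the task with `schtasks /Query /TN "Updates\rjOyFV" /XML > task.xml` and feed the file's bytes to `triage_task_xml`; the path check is the one that matters, since a task under a folder such as `\Updates\` with a legitimate binary in Program Files is common, while one whose action sits in AppData\Roaming is not.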

                  Hooking and other Techniques for Hiding and Protection

                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe: File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (recorded 4 times in the report)
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe: File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (recorded 3 times in the report)
                  Note: PowerShell reads module manifests (.psd1) under PSModulePath while discovering commands for module auto-loading, so opening the BitLocker manifest shows only that the module was enumerated, not that any BitLocker cmdlet was imported or run; judge the PowerShell activity by the command line it was started with and the cmdlets it actually invoked.
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exe: Code function: 12_2_0041A8DA LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exe: Process information set: NOOPENFILEERRORBOX (recorded 45 times in the report)
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe: Process information set: NOOPENFILEERRORBOX (recorded 105 times in the report)
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exe | Process information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion

                  Source: Yara match | File source: Process Memory Space: DHL AWB_NO_92847309329.exe PID: 3120, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: rjOyFV.exe PID: 7280, type: MEMORYSTR
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exe | Code function: 12_2_0040E18D Sleep,ExitProcess,12_2_0040E18D
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exe | Memory allocated: C90000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exe | Memory allocated: 2A60000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exe | Memory allocated: 1000000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exe | Memory allocated: 9C50000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exe | Memory allocated: AC50000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exe | Memory allocated: AEA0000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exe | Memory allocated: BEA0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exe | Memory allocated: 1440000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exe | Memory allocated: 2E50000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exe | Memory allocated: 2D90000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exe | Memory allocated: 7960000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exe | Memory allocated: 8960000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exe | Memory allocated: 8B00000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exe | Memory allocated: 9B00000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exe | Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,12_2_004186FE
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exe | Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exe | Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6703
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3015
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exe | Window / User API: threadDelayed 2785
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exe | Window / User API: threadDelayed 7206
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exe | API coverage: 5.2 %
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exe TID: 2708 | Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7252 | Thread sleep time: -11068046444225724s >= -30000s
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exe TID: 7268 | Thread sleep count: 2785 > 30
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exe TID: 7268 | Thread sleep time: -8355000s >= -30000s
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exe TID: 7268 | Thread sleep count: 7206 > 30
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exe TID: 7268 | Thread sleep time: -21618000s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exe TID: 7300 | Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exe | Code function: 12_2_0041A01B FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,12_2_0041A01B
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exe | Code function: 12_2_0040B28E FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,12_2_0040B28E
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exe | Code function: 12_2_0040838E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,12_2_0040838E
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exe | Code function: 12_2_004087A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,12_2_004087A0
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exe | Code function: 12_2_00407848 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,12_2_00407848
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exe | Code function: 12_2_004068CD FindFirstFileW,FindNextFileW,12_2_004068CD
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exe | Code function: 12_2_0040AA71 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,12_2_0040AA71
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exe | Code function: 12_2_00417AAB FindFirstFileW,FindNextFileW,FindNextFileW,12_2_00417AAB
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exe | Code function: 12_2_0040AC78 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,12_2_0040AC78
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exe | Code function: 12_2_00406D28 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,12_2_00406D28
                  Source: DHL AWB_NO_92847309329.exe, 00000006.00000002.4182257195.000000000161E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWv
                  Source: DHL AWB_NO_92847309329.exe, 00000006.00000002.4182257195.0000000001617000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                  Source: DHL AWB_NO_92847309329.exe, 00000006.00000002.4182257195.0000000001587000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWH
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exe | Code function: 12_2_004327AE IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,12_2_004327AE
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exe | Code function: 12_2_0041A8DA LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,12_2_0041A8DA
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exe | Code function: 12_2_004407B5 mov eax, dword ptr fs:[00000030h] 12_2_004407B5
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exe | Code function: 12_2_00410763 SetLastError,GetNativeSystemInfo,SetLastError,GetProcessHeap,HeapAlloc,SetLastError,12_2_00410763
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exe | Code function: 12_2_004328FC SetUnhandledExceptionFilter,12_2_004328FC
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exe | Code function: 12_2_004398AC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,12_2_004398AC
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exe | Code function: 12_2_00432D5C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,12_2_00432D5C
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exe | Memory allocated: page read and write | page guard

                  HIPS / PFW / Operating System Protection Evasion

                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\rjOyFV.exe"
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exe | Memory written: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exe base: 400000 value starts with: 4D5A
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exe | Memory written: C:\Users\user\AppData\Roaming\rjOyFV.exe base: 400000 value starts with: 4D5A
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exe | Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 12_2_00410B5C
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exe | Code function: 12_2_004175E1 mouse_event,12_2_004175E1
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rjOyFV" /XML "C:\Users\user\AppData\Local\Temp\tmpE78A.tmp"
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exe | Process created: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exe "C:\Users\user\Desktop\DHL AWB_NO_92847309329.exe"
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rjOyFV" /XML "C:\Users\user\AppData\Local\Temp\tmp36E.tmp"
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exe | Process created: C:\Users\user\AppData\Roaming\rjOyFV.exe "C:\Users\user\AppData\Roaming\rjOyFV.exe"
                  Source: DHL AWB_NO_92847309329.exe, 00000006.00000002.4182257195.00000000015E1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager
                  Source: DHL AWB_NO_92847309329.exe, 00000006.00000002.4182257195.00000000015E1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: |Program Manager|
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exe | Code function: 12_2_004329DA cpuid 12_2_004329DA
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exe | Code function: EnumSystemLocalesW,12_2_0044F17B
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exe | Code function: EnumSystemLocalesW,12_2_0044F130
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exe | Code function: EnumSystemLocalesW,12_2_0044F216
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,12_2_0044F2A3
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exe | Code function: GetLocaleInfoA,12_2_0040E2BB
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exe | Code function: GetLocaleInfoW,12_2_0044F4F3
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,12_2_0044F61C
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exe | Code function: GetLocaleInfoW,12_2_0044F723
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,12_2_0044F7F0
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exe | Code function: EnumSystemLocalesW,12_2_00445914
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exe | Code function: GetLocaleInfoW,12_2_00445E1C
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exe | Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,12_2_0044EEB8
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exe | Queries volume information: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exe VolumeInformation
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exe | Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exe | Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exe | Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exe | Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeQueries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exeQueries volume information: C:\Users\user\AppData\Roaming\rjOyFV.exe VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exeCode function: 12_2_0040A0B0 GetLocalTime,wsprintfW,12_2_0040A0B0
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exeCode function: 12_2_004195F8 GetUserNameW,12_2_004195F8
                  Source: C:\Users\user\AppData\Roaming\rjOyFV.exeCode function: 12_2_004468DC _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,12_2_004468DC
                  Source: C:\Users\user\Desktop\DHL AWB_NO_92847309329.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                  Stealing of Sensitive Information

Source: Yara match, file source: 0.2.DHL AWB_NO_92847309329.exe.3a7e790.2.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.DHL AWB_NO_92847309329.exe.7000000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.DHL AWB_NO_92847309329.exe.7000000.4.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.DHL AWB_NO_92847309329.exe.3a7e790.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 00000000.00000002.1811153341.0000000007000000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000002.1806575207.0000000003A69000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 12.2.rjOyFV.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.DHL AWB_NO_92847309329.exe.45864a0.1.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.DHL AWB_NO_92847309329.exe.3b55670.3.unpack, type: UNPACKEDPE
Source: Yara match, file source: 12.2.rjOyFV.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.DHL AWB_NO_92847309329.exe.45864a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.DHL AWB_NO_92847309329.exe.3b55670.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.DHL AWB_NO_92847309329.exe.3a7e790.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0000000C.00000002.1865601373.0000000000CBA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000006.00000002.4182257195.0000000001587000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000002.1806575207.0000000004586000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000002.1806575207.0000000003A69000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: Process Memory Space: DHL AWB_NO_92847309329.exe PID: 3120, type: MEMORYSTR
Source: Yara match, file source: Process Memory Space: DHL AWB_NO_92847309329.exe PID: 7244, type: MEMORYSTR
Source: Yara match, file source: Process Memory Space: rjOyFV.exe PID: 7524, type: MEMORYSTR
Source: C:\Users\user\AppData\Roaming\rjOyFV.exe Code function 12_2_0040A953: string "\AppData\Local\Google\Chrome\User Data\Default\Login Data" (Chrome's saved-logins SQLite database)
Source: C:\Users\user\AppData\Roaming\rjOyFV.exe Code function 12_2_0040AA71: string "\AppData\Roaming\Mozilla\Firefox\Profiles\"
Source: C:\Users\user\AppData\Roaming\rjOyFV.exe Code function 12_2_0040AA71: string "\key3.db" (the legacy NSS key store, replaced by key4.db in Firefox 58)
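The Chrome Login Data path, the Firefox profile directory and key3.db listed above, together with the MachineGuid key the dropper reads, are the strings a responder looks for when triaging process dumps of rjOyFV.exe. The Python helper below is an added example and is not part of the Joe Sandbox report: it scans a dumped region for exactly those indicators in both ASCII and UTF-16LE (the report shows the RAT calling the W-suffixed Win32 APIs, so its paths sit in memory as wide strings, and so do the .NET dropper's), recovers the whole string around each hit, and tags it with an ATT&CK technique. The sample region, the victim path and the T1555.003/T1082 mapping are the author's assumptions; the report's own matrix files the browser-credential code under OS Credential Dumping.

```python
"""Triage helper: scan a dumped memory region for the credential-store paths
and host-ID artefacts this report attributes to the sample.

Added example, not part of the Joe Sandbox report. The indicator strings are
the ones the report lists; the sample region below is constructed for the demo,
and the ATT&CK sub-technique IDs are the author's mapping."""
from __future__ import annotations

from dataclasses import dataclass

# Strings the report recovered from rjOyFV.exe (browser credential stores) and
# the registry key the dropper queried for MachineGuid.
INDICATORS: dict[str, str] = {
    "\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data":
        "T1555.003 Credentials from Web Browsers (Chrome)",
    "\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\":
        "T1555.003 Credentials from Web Browsers (Firefox profile)",
    "\\key3.db":
        "T1555.003 Credentials from Web Browsers (legacy Firefox key store)",
    "SOFTWARE\\Microsoft\\Cryptography":
        "T1082 System Information Discovery (MachineGuid host ID)",
}


@dataclass(frozen=True)
class Hit:
    offset: int
    encoding: str   # "ascii" or "utf-16le"
    indicator: str
    technique: str
    context: str    # the whole string the indicator sits in, as recovered


def string_at(data: bytes, offset: int, encoding: str, max_chars: int = 260) -> str:
    """Expand a hit at `offset` to the surrounding run of printable-ASCII
    characters in the given encoding (1-byte units for ascii, 2-byte units for
    UTF-16LE), bounded by MAX_PATH. Heuristic: a non-Latin user name in the
    path would truncate the recovered string at that character."""
    width = 2 if encoding == "utf-16le" else 1

    def printable(pos: int) -> bool:
        unit = data[pos:pos + width]
        return (len(unit) == width and 0x20 <= unit[0] <= 0x7E
                and (width == 1 or unit[1] == 0))

    start = offset
    while start - width >= 0 and offset - start < max_chars * width and printable(start - width):
        start -= width
    end = offset
    while end - offset < max_chars * width and printable(end):
        end += width
    return data[start:end].decode(encoding)


def scan_region(data: bytes) -> list[Hit]:
    """Find every indicator in both the narrow and the wide encoding. The RAT
    calls the W variants of the Win32 API (GetUserNameW, wsprintfW in the
    report), so its paths live in memory as UTF-16LE and an ASCII-only grep
    misses them. The search is byte-wise, so wide strings at odd offsets are
    found too."""
    hits: list[Hit] = []
    for indicator, technique in INDICATORS.items():
        for encoding in ("ascii", "utf-16le"):
            needle = indicator.encode(encoding)
            pos = data.find(needle)
            while pos != -1:
                hits.append(Hit(pos, encoding, indicator, technique,
                                string_at(data, pos, encoding)))
                pos = data.find(needle, pos + 1)
    return sorted(hits, key=lambda h: h.offset)


# Constructed sample region (not taken from the real dump): a wide Firefox path
# as a W-API caller would build it, a narrow Chrome path, then 7 filler bytes so
# the wide registry path that follows starts at an odd, unaligned offset.
SAMPLE_REGION = (
    b"\x90" * 16
    + "C:\\Users\\victim\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\x1y2z3.default\\key3.db".encode("utf-16le")
    + b"\x00\x00"
    + b"\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data\x00"
    + b"\xcc" * 7
    + "SOFTWARE\\Microsoft\\Cryptography".encode("utf-16le")
    + b"\x00\x00"
    + b"\x00" * 8
)


def triage(data: bytes = SAMPLE_REGION) -> list[Hit]:
    """Run the scan, print one line per hit, and return the hits."""
    hits = scan_region(data)
    for h in hits:
        print(f"{h.offset:#010x} {h.encoding:8} {h.technique}: {h.context}")
    return hits


if __name__ == "__main__":
    triage()
```

Point `triage()` at the bytes of a `.sdmp` or `.unpack` file from the report to get offsets you can jump to in a disassembler; the recovered context shows whether a fragment such as `\key3.db` was appended to a real profile path or is only a format-string template.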

                  Remote Access Functionality

Source: Yara match, file source: 0.2.DHL AWB_NO_92847309329.exe.3a7e790.2.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.DHL AWB_NO_92847309329.exe.7000000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.DHL AWB_NO_92847309329.exe.7000000.4.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.DHL AWB_NO_92847309329.exe.3a7e790.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 00000000.00000002.1811153341.0000000007000000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000002.1806575207.0000000003A69000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 12.2.rjOyFV.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.DHL AWB_NO_92847309329.exe.45864a0.1.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.DHL AWB_NO_92847309329.exe.3b55670.3.unpack, type: UNPACKEDPE
Source: Yara match, file source: 12.2.rjOyFV.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.DHL AWB_NO_92847309329.exe.45864a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.DHL AWB_NO_92847309329.exe.3b55670.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.DHL AWB_NO_92847309329.exe.3a7e790.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0000000C.00000002.1865601373.0000000000CBA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000006.00000002.4182257195.0000000001587000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000002.1806575207.0000000004586000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000002.1806575207.0000000003A69000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: Process Memory Space: DHL AWB_NO_92847309329.exe PID: 3120, type: MEMORYSTR
Source: Yara match, file source: Process Memory Space: DHL AWB_NO_92847309329.exe PID: 7244, type: MEMORYSTR
Source: Yara match, file source: Process Memory Space: rjOyFV.exe PID: 7524, type: MEMORYSTR
Source: C:\Users\user\AppData\Roaming\rjOyFV.exe Code function 12_2_0040567A: string "cmd.exe"
MITRE ATT&CK Matrix

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Native API | 1 DLL Side-Loading | 1 DLL Side-Loading | 11 Disable or Modify Tools | 1 OS Credential Dumping | 2 System Time Discovery | Remote Services | 12 Archive Collected Data | 12 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
Credentials | Domains | Default Accounts | 1 Command and Scripting Interpreter | 1 Windows Service | 1 Access Token Manipulation | 11 Deobfuscate/Decode Files or Information | 111 Input Capture | 1 Account Discovery | Remote Desktop Protocol | 111 Input Capture | 2 Encrypted Channel | Exfiltration Over Bluetooth | 1 Defacement
Email Addresses | DNS Server | Domain Accounts | 1 Scheduled Task/Job | 1 Scheduled Task/Job | 1 Windows Service | 3 Obfuscated Files or Information | 2 Credentials In Files | 1 System Service Discovery | SMB/Windows Admin Shares | 3 Clipboard Data | 1 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | 2 Service Execution | Login Hook | 122 Process Injection | 22 Software Packing | NTDS | 3 File and Directory Discovery | Distributed Component Object Model | Input Capture | 2 Non-Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 1 Scheduled Task/Job | 1 Timestomp | LSA Secrets | 33 System Information Discovery | SSH | Keylogging | 22 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 121 Security Software Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Masquerading | DCSync | 31 Virtualization/Sandbox Evasion | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 31 Virtualization/Sandbox Evasion | Proc Filesystem | 3 Process Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 Access Token Manipulation | /etc/passwd and /etc/shadow | 1 Application Window Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 122 Process Injection | Network Sniffing | 1 System Owner/User Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement

                  Legend:

                  • Process
                  • Signature
                  • Created File
                  • DNS/IP Info
                  • Is Dropped
                  • Is Windows Process
                  • Number of created Registry Values
                  • Number of created Files
                  • Visual Basic
                  • Delphi
                  • Java
                  • .Net C# or VB.NET
                  • C, C++ or other language
                  • Is malicious
                  • Internet
Behavior Graph ID: 1538705
Sample: DHL AWB_NO_92847309329.exe
Start date: 21/10/2024
Architecture: WINDOWS
Score: 100

Contacted hosts:
• windowsocttehe.duckdns.org (signature: Uses dynamic DNS services)
• geoplugin.net

Sample-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 14 other signatures

Process tree:
• DHL AWB_NO_92847309329.exe (7), started
  Dropped: C:\Users\user\AppData\Roaming\rjOyFV.exe (PE32); C:\Users\user\...\rjOyFV.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\Local\...\tmpE78A.tmp (XML); C:\Users\...\DHL AWB_NO_92847309329.exe.log (ASCII)
  Signatures: Adds a directory exclusion to Windows Defender; Injects a PE file into a foreign process
  • powershell.exe (23), started
    Signature: Loading BitLocker PowerShell Module
    • WmiPrvSE.exe, started
    • conhost.exe, started
  • DHL AWB_NO_92847309329.exe (2 13), started
    DNS/IP: windowsocttehe.duckdns.org 96.9.210.71, ports 49736, 52411, NEWMEDIAEXPRESS-AS-APNewMediaExpressPteLtdSG, United States
    DNS/IP: geoplugin.net 178.237.33.50, ports 49741, 80, ATOM86-ASATOM86NL, Netherlands
  • schtasks.exe (1), started
    • conhost.exe, started
• rjOyFV.exe (5), started
  Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Contains functionality to change the wallpaper; 5 other signatures
  • schtasks.exe (1), started
    • conhost.exe, started
  • rjOyFV.exe, started
  • rjOyFV.exe, started

Source | Detection | Scanner | Label
DHL AWB_NO_92847309329.exe | 39% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
DHL AWB_NO_92847309329.exe | 100% | Avira | TR/AD.Remcos.jplgn
DHL AWB_NO_92847309329.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\rjOyFV.exe | 100% | Avira | TR/AD.Remcos.jplgn
C:\Users\user\AppData\Roaming\rjOyFV.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\rjOyFV.exe | 39% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla

No Antivirus matches
No Antivirus matches

Source | Detection | Scanner | Label
http://www.fontbureau.com | 0% | URL Reputation | safe
http://www.fontbureau.com/designersG | 0% | URL Reputation | safe
http://www.fontbureau.com/designers/? | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.fontbureau.com/designers? | 0% | URL Reputation | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.fontbureau.com/designers | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://geoplugin.net/json.gp | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.fontbureau.com/designers/cabarga.htmlN | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.fontbureau.com/designers/frere-user.html | 0% | URL Reputation | safe
http://geoplugin.net/json.gp/C | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.fontbureau.com/designers8 | 0% | URL Reputation | safe
http://www.fonts.com | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
geoplugin.net | 178.237.33.50 | true | false | | unknown
windowsocttehe.duckdns.org | 96.9.210.71 | true | true | | unknown

Name | Malicious | Antivirus Detection | Reputation
windowsocttehe.duckdns.org | true | | unknown
http://geoplugin.net/json.gp | false | URL Reputation: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.apache.org/licenses/LICENSE-2.0 | DHL AWB_NO_92847309329.exe, 00000000.00000002.1810225359.0000000006B22000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://www.fontbureau.com | DHL AWB_NO_92847309329.exe, 00000000.00000002.1810225359.0000000006B22000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designersG | DHL AWB_NO_92847309329.exe, 00000000.00000002.1810225359.0000000006B22000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/? | DHL AWB_NO_92847309329.exe, 00000000.00000002.1810225359.0000000006B22000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://geoplugin.net/json.gp& | DHL AWB_NO_92847309329.exe, 00000006.00000002.4182257195.0000000001587000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://www.founder.com.cn/cn/bThe | DHL AWB_NO_92847309329.exe, 00000000.00000002.1810225359.0000000006B22000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://geoplugin.net/json.gpl | DHL AWB_NO_92847309329.exe, 00000006.00000002.4182257195.0000000001587000.00000004.00000020.00020000.00000000.sdmp, DHL AWB_NO_92847309329.exe, 00000006.00000002.4182257195.00000000015CF000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://www.fontbureau.com/designers? | DHL AWB_NO_92847309329.exe, 00000000.00000002.1810225359.0000000006B22000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://geoplugin.net/json.gpm | DHL AWB_NO_92847309329.exe, 00000006.00000002.4182257195.0000000001587000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://www.tiro.com | DHL AWB_NO_92847309329.exe, 00000000.00000002.1810225359.0000000006B22000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | DHL AWB_NO_92847309329.exe, 00000000.00000002.1810225359.0000000006B22000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.goodfont.co.kr | DHL AWB_NO_92847309329.exe, 00000000.00000002.1810225359.0000000006B22000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://geoplugin.net/json.gpSystem32 | DHL AWB_NO_92847309329.exe, 00000006.00000002.4182257195.0000000001587000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://www.carterandcone.coml | DHL AWB_NO_92847309329.exe, 00000000.00000002.1810225359.0000000006B22000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | DHL AWB_NO_92847309329.exe, 00000000.00000002.1810225359.0000000006B22000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | DHL AWB_NO_92847309329.exe, 00000000.00000002.1810225359.0000000006B22000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | DHL AWB_NO_92847309329.exe, 00000000.00000002.1810225359.0000000006B22000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn/cThe | DHL AWB_NO_92847309329.exe, 00000000.00000002.1810225359.0000000006B22000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | DHL AWB_NO_92847309329.exe, 00000000.00000002.1810225359.0000000006B22000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn | DHL AWB_NO_92847309329.exe, 00000000.00000002.1810225359.0000000006B22000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-user.html | DHL AWB_NO_92847309329.exe, 00000000.00000002.1810225359.0000000006B22000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://geoplugin.net/json.gp/C | DHL AWB_NO_92847309329.exe, 00000000.00000002.1806575207.0000000003A69000.00000004.00000800.00020000.00000000.sdmp, DHL AWB_NO_92847309329.exe, 00000000.00000002.1806575207.0000000004586000.00000004.00000800.00020000.00000000.sdmp, rjOyFV.exe, 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/ | DHL AWB_NO_92847309329.exe, 00000000.00000002.1810225359.0000000006B22000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | DHL AWB_NO_92847309329.exe, 00000000.00000002.1810225359.0000000006B22000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | DHL AWB_NO_92847309329.exe, 00000000.00000002.1810225359.0000000006B22000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fonts.com | DHL AWB_NO_92847309329.exe, 00000000.00000002.1810225359.0000000006B22000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sandoll.co.kr | DHL AWB_NO_92847309329.exe, 00000000.00000002.1810225359.0000000006B22000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | DHL AWB_NO_92847309329.exe, 00000000.00000002.1810225359.0000000006B22000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/DatabaseWalletDataSet.xsd | DHL AWB_NO_92847309329.exe, rjOyFV.exe.0.dr | false | | unknown
http://www.zhongyicts.com.cn | DHL AWB_NO_92847309329.exe, 00000000.00000002.1810225359.0000000006B22000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | DHL AWB_NO_92847309329.exe, 00000000.00000002.1805270956.0000000002AA8000.00000004.00000800.00020000.00000000.sdmp, rjOyFV.exe, 00000007.00000002.1866548298.0000000002E98000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sakkal.com | DHL AWB_NO_92847309329.exe, 00000000.00000002.1810225359.0000000006B22000.00000004.00000800.00020000.00000000.sdmp, DHL AWB_NO_92847309329.exe, 00000000.00000002.1810117079.0000000005A50000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
178.237.33.50 | geoplugin.net | Netherlands | 8455 | ATOM86-ASATOM86NL | false
96.9.210.71 | windowsocttehe.duckdns.org | United States | 38001 | NEWMEDIAEXPRESS-AS-APNewMediaExpressPteLtdSG | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1538705
Start date and time: 2024-10-21 17:16:19 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 8m 51s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 17
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: DHL AWB_NO_92847309329.exe
Detection: MAL
Classification: mal100.rans.troj.spyw.evad.winEXE@18/12@8/2
EGA Information:
• Successful, ratio: 75%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 76
• Number of non-executed functions: 196
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): d.8.0.a.e.e.f.b.0.0.0.0.0.0.0.0.5.0.0.0.0.0.8.0.0.3.0.1.3.0.6.2.ip6.arpa, fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: DHL AWB_NO_92847309329.exe
Time | Type | Description
11:17:21 | API Interceptor | 4608548x Sleep call for process: DHL AWB_NO_92847309329.exe modified
11:17:22 | API Interceptor | 32x Sleep call for process: powershell.exe modified
11:17:28 | API Interceptor | 1x Sleep call for process: rjOyFV.exe modified
16:17:23 | Task Scheduler | Run new task: rjOyFV path: C:\Users\user\AppData\Roaming\rjOyFV.exe
Match | Associated Sample Name / URL | Detection | Threat Name | Context
178.237.33.50 | Order_MG2027176.vbs | malicious | Remcos, GuLoader | geoplugin.net/json.gp
178.237.33.50 | Salary Revision_pdf.vbs | malicious | Remcos, GuLoader | geoplugin.net/json.gp
178.237.33.50 | Scanned_22C-6e24090516030.pdf.vbs | malicious | Remcos, GuLoader | geoplugin.net/json.gp
178.237.33.50 | Order.vbs | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | rIMG465244247443GULFORDEROpmagasinering.cmd | malicious | Remcos, GuLoader | geoplugin.net/json.gp
178.237.33.50 | 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | duEsmKBlGr.exe | malicious | Unknown | www.geoplugin.net/xml.gp?ip=SEU_IP
178.237.33.50 | lA0Z0vjXfA.exe | malicious | Unknown | www.geoplugin.net/xml.gp?ip=SEU_IP
178.237.33.50 | 172926254156daf582728190320bacb622ccd105a50446fe4e74bbec68be10e3a78d1b71e6763.dat-decoded.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | SKM_0001810-01-2024-GL-3762.bat | malicious | Remcos, GuLoader | geoplugin.net/json.gp

Match | Associated Sample Name / URL | Detection | Threat Name | Context
geoplugin.net | Order_MG2027176.vbs | malicious | Remcos, GuLoader | 178.237.33.50
geoplugin.net | Salary Revision_pdf.vbs | malicious | Remcos, GuLoader | 178.237.33.50
geoplugin.net | Scanned_22C-6e24090516030.pdf.vbs | malicious | Remcos, GuLoader | 178.237.33.50
geoplugin.net | Order.vbs | malicious | Remcos | 178.237.33.50
geoplugin.net | rIMG465244247443GULFORDEROpmagasinering.cmd | malicious | Remcos, GuLoader | 178.237.33.50
geoplugin.net | 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | 172926254156daf582728190320bacb622ccd105a50446fe4e74bbec68be10e3a78d1b71e6763.dat-decoded.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | SKM_0001810-01-2024-GL-3762.bat | malicious | Remcos, GuLoader | 178.237.33.50

Match | Associated Sample Name / URL | Detection | Threat Name | Context
NEWMEDIAEXPRESS-AS-APNewMediaExpressPteLtdSG | yakuza.ppc.elf | malicious | Unknown | 104.250.106.179
NEWMEDIAEXPRESS-AS-APNewMediaExpressPteLtdSG | na.elf | malicious | Mirai | 104.250.106.170
NEWMEDIAEXPRESS-AS-APNewMediaExpressPteLtdSG | bexq6dM6iT.exe | malicious | Unknown | 103.214.8.186
NEWMEDIAEXPRESS-AS-APNewMediaExpressPteLtdSG | Ares.x86.elf | malicious | Unknown | 104.250.106.159
NEWMEDIAEXPRESS-AS-APNewMediaExpressPteLtdSG | 7HddY6rYkf.elf | malicious | Mirai | 104.250.106.171
NEWMEDIAEXPRESS-AS-APNewMediaExpressPteLtdSG | v2z756r9LQ.elf | malicious | Unknown | 104.250.106.161
NEWMEDIAEXPRESS-AS-APNewMediaExpressPteLtdSG | M2Vf6ASl3g.elf | malicious | Unknown | 104.250.106.169
NEWMEDIAEXPRESS-AS-APNewMediaExpressPteLtdSG | la.bot.mips.elf | malicious | Unknown | 104.250.106.159
NEWMEDIAEXPRESS-AS-APNewMediaExpressPteLtdSG | VKkfiTAZXP.elf | malicious | Gafgyt, Mirai | 43.245.61.2
NEWMEDIAEXPRESS-AS-APNewMediaExpressPteLtdSG | sh.elf | malicious | Gafgyt | 43.245.61.3
ATOM86-ASATOM86NL | Order_MG2027176.vbs | malicious | Remcos, GuLoader | 178.237.33.50
ATOM86-ASATOM86NL | Salary Revision_pdf.vbs | malicious | Remcos, GuLoader | 178.237.33.50
ATOM86-ASATOM86NL | Scanned_22C-6e24090516030.pdf.vbs | malicious | Remcos, GuLoader | 178.237.33.50
ATOM86-ASATOM86NL | Order.vbs | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | rIMG465244247443GULFORDEROpmagasinering.cmd | malicious | Remcos, GuLoader | 178.237.33.50
ATOM86-ASATOM86NL | 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | duEsmKBlGr.exe | malicious | Unknown | 178.237.33.50
ATOM86-ASATOM86NL | lA0Z0vjXfA.exe | malicious | Unknown | 178.237.33.50
ATOM86-ASATOM86NL | 172926254156daf582728190320bacb622ccd105a50446fe4e74bbec68be10e3a78d1b71e6763.dat-decoded.exe | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | SKM_0001810-01-2024-GL-3762.bat | malicious | Remcos, GuLoader | 178.237.33.50
                                    No context
                                    No context
                                    Process:C:\Users\user\Desktop\DHL AWB_NO_92847309329.exe
                                    File Type:ASCII text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):1216
                                    Entropy (8bit):5.34331486778365
                                    Encrypted:false
                                    SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                    MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                    SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                    SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                    SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                    Malicious:true
                                    Reputation:high, very likely benign file
                                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                    Process:C:\Users\user\AppData\Roaming\rjOyFV.exe
                                    File Type:ASCII text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):1216
                                    Entropy (8bit):5.34331486778365
                                    Encrypted:false
                                    SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                    MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                    SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                    SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                    SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                    Malicious:false
                                    Reputation:high, very likely benign file
                                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                    Process:C:\Users\user\Desktop\DHL AWB_NO_92847309329.exe
                                    File Type:JSON data
                                    Category:dropped
                                    Size (bytes):960
                                    Entropy (8bit):5.007342357625525
                                    Encrypted:false
                                    SSDEEP:12:tkhEVBnd6UGkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzkwc:qhEV1dVauKyGX85jvXhNlT3/73clHWro
                                    MD5:2384C8ED5D39845A7043C8E4AF84F3F2
                                    SHA1:1A4A72CFF979CDD293034EFDFB35F0C6FA3ABD75
                                    SHA-256:AFB89F4CFEB681642FBADDAFE06E6BFAA298850FDA6771E80BA97B8A79527465
                                    SHA-512:387793D3C3700EFA89D4197DFB11FC667C63C6416068DCC2751953FE6C6EEAA4F2534D32F2F8E9EBB2F5119229BDADB173985E6EF106EFFF71180441197F7291
                                    Malicious:false
                                    Preview:{. "geoplugin_request":"216.52.183.150",. "geoplugin_status":200,. "geoplugin_delay":"2ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"New York",. "geoplugin_region":"New York",. "geoplugin_regionCode":"NY",. "geoplugin_regionName":"New York",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"501",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"40.7157",. "geoplugin_longitude":"-74",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}
                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):2232
                                    Entropy (8bit):5.3797706053345555
                                    Encrypted:false
                                    SSDEEP:48:fWSU4xympgv4RIoUP7gZ9tK8NPZHUx7u1iMuge//ZmUyus:fLHxv2IfLZ2KRH6Ouggs
                                    MD5:A84FF30A01D8A35BCDF6976220CB7312
                                    SHA1:B52FED4434308742EBEAA5BD20A65733B0B638CB
                                    SHA-256:5B927BEFBE59EAFB9AEAAB84192FCA416546FCC0F2555123C9ECE73454EE798A
                                    SHA-512:246E86346B9EEF24D703A205F74B3AA5351B6861444C66657E23249A3CA1EDFC82FCB1CA60D9F9365BFD3C2F9B32AA9A41551655A58D6364AF67A4AFD34BA249
                                    Malicious:false
                                    Preview:@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.H................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:ASCII text, with no line terminators
                                    Category:dropped
                                    Size (bytes):60
                                    Entropy (8bit):4.038920595031593
                                    Encrypted:false
                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                    Malicious:false
                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:ASCII text, with no line terminators
                                    Category:dropped
                                    Size (bytes):60
                                    Entropy (8bit):4.038920595031593
                                    Encrypted:false
                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                    Malicious:false
                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:ASCII text, with no line terminators
                                    Category:dropped
                                    Size (bytes):60
                                    Entropy (8bit):4.038920595031593
                                    Encrypted:false
                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                    Malicious:false
                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:ASCII text, with no line terminators
                                    Category:dropped
                                    Size (bytes):60
                                    Entropy (8bit):4.038920595031593
                                    Encrypted:false
                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                    Malicious:false
                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                    Process:C:\Users\user\AppData\Roaming\rjOyFV.exe
                                    File Type:XML 1.0 document, ASCII text
                                    Category:dropped
                                    Size (bytes):1572
                                    Entropy (8bit):5.11096846018534
                                    Encrypted:false
                                    SSDEEP:24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNta9xvn:cge1wYrFdOFzOzN33ODOiDdKrsuTqv
                                    MD5:79C915156007E998C133F61E17D1FBA1
                                    SHA1:D0FB5442B68EA7B3B77CEA70C81CF6287D424910
                                    SHA-256:9DA5B7C9F0518036E5EBD0B5821BF41532B1C3A4AD8CDD84534F07CDBE1CA023
                                    SHA-512:081669557C8DD331BF757758E3B264BAD23B704D25BC96DC5C557D1D41AF0F75F28843C55379E99821FDCDCFFB1BE93B8A0012AFC5153790E446DBC04370DB84
                                    Malicious:false
                                    Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail
                                    Process:C:\Users\user\Desktop\DHL AWB_NO_92847309329.exe
                                    File Type:XML 1.0 document, ASCII text
                                    Category:dropped
                                    Size (bytes):1572
                                    Entropy (8bit):5.11096846018534
                                    Encrypted:false
                                    SSDEEP:24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNta9xvn:cge1wYrFdOFzOzN33ODOiDdKrsuTqv
                                    MD5:79C915156007E998C133F61E17D1FBA1
                                    SHA1:D0FB5442B68EA7B3B77CEA70C81CF6287D424910
                                    SHA-256:9DA5B7C9F0518036E5EBD0B5821BF41532B1C3A4AD8CDD84534F07CDBE1CA023
                                    SHA-512:081669557C8DD331BF757758E3B264BAD23B704D25BC96DC5C557D1D41AF0F75F28843C55379E99821FDCDCFFB1BE93B8A0012AFC5153790E446DBC04370DB84
                                    Malicious:true
                                    Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail
                                    Process:C:\Users\user\Desktop\DHL AWB_NO_92847309329.exe
                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                    Category:dropped
                                    Size (bytes):955904
                                    Entropy (8bit):7.95607384096614
                                    Encrypted:false
                                    SSDEEP:24576:nUkh5oDiJ31erRs6PXmm7V9R7SoAZA0C8/UYn2xlcX6:nn5oDiZgOCV9RWrtCAU3xi
                                    MD5:710651FB293DF9922080F5B7A4D10916
                                    SHA1:A38B66874D59A9E026B2C15E49501E8F4E1FD6B5
                                    SHA-256:173FA94E725ABC88ACF0D848BDEE94D216A3C74B4492E006405C357824FAB818
                                    SHA-512:BDC25B6F70BAB4352E7C03AE7FBCD6A9718FE98804D9B24F27DC33B0BBA114F0BAB2D37AF1DE53D4DBE0E2794F3E706DBD3EF3765DE2820BBD48F4B347F132D9
                                    Malicious:true
                                    Antivirus:
                                    • Antivirus: Avira, Detection: 100%
                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                    • Antivirus: ReversingLabs, Detection: 39%
                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...../...............0.................. ........@.. ....................................@....................................O.......<...............................p............................................ ............... ..H............text...4.... ...................... ..`.rsrc...<...........................@..@.reloc..............................@..B........................H...........XY......y....................................................0............}......}......}......}......}......}.....r...p}.....r...p}.....(....}.....( ...}............}............}......}.....(!......(+....*..0..)........{.........("...t......|......(...+...3.*....0..)........{.........($...t......|......(...+...3.*....0..)........{.........("...t......|......(...+...3.*....0..)........{.........($...t......|......(...+...3.*&...}....*..0............{.....+..*.0..
                                    Process:C:\Users\user\Desktop\DHL AWB_NO_92847309329.exe
                                    File Type:ASCII text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):26
                                    Entropy (8bit):3.95006375643621
                                    Encrypted:false
                                    SSDEEP:3:ggPYV:rPYV
                                    MD5:187F488E27DB4AF347237FE461A079AD
                                    SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                    SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                    SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                    Malicious:true
                                    Preview:[ZoneTransfer]....ZoneId=0
                                    File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                    Entropy (8bit):7.95607384096614
                                    TrID:
                                    • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                    • Win32 Executable (generic) a (10002005/4) 49.75%
                                    • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                    • Windows Screen Saver (13104/52) 0.07%
                                    • Generic Win/DOS Executable (2004/3) 0.01%
                                    File name:DHL AWB_NO_92847309329.exe
                                    File size:955'904 bytes
                                    MD5:710651fb293df9922080f5b7a4d10916
                                    SHA1:a38b66874d59a9e026b2c15e49501e8f4e1fd6b5
                                    SHA256:173fa94e725abc88acf0d848bdee94d216a3c74b4492e006405c357824fab818
                                    SHA512:bdc25b6f70bab4352e7c03ae7fbcd6a9718fe98804d9b24f27dc33b0bba114f0bab2d37af1de53d4dbe0e2794f3e706dbd3ef3765de2820bbd48f4b347f132d9
                                    SSDEEP:24576:nUkh5oDiJ31erRs6PXmm7V9R7SoAZA0C8/UYn2xlcX6:nn5oDiZgOCV9RWrtCAU3xi
                                    TLSH:EE15230033DC9F2BC33E9FF6A8B1816053F2621A65A6F50A6CC211EB56B17475E26F17
                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...../...............0.................. ........@.. ....................................@................................
                                    Icon Hash:90cececece8e8eb0
                                    Entrypoint:0x4ea92e
                                    Entrypoint Section:.text
                                    Digitally signed:false
                                    Imagebase:0x400000
                                    Subsystem:windows gui
                                    Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                    DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                    Time Stamp:0x9D2FE497 [Sat Jul 26 16:53:43 2053 UTC]
                                    TLS Callbacks:
                                    CLR (.Net) Version:
                                    OS Version Major:4
                                    OS Version Minor:0
                                    File Version Major:4
                                    File Version Minor:0
                                    Subsystem Version Major:4
                                    Subsystem Version Minor:0
                                    Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                    Instruction
                                    jmp dword ptr [00402000h]
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xea8da | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xec000 | 0x63c | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xee000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xe81b4 | 0x70 | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xe8934 | 0xe8a00 | e2e29f4671963c2e5f03f8d624afd979 | False | 0.9573849324959699 | data | 7.96145220092769 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xec000 | 0x63c | 0x800 | 7f5435f561b1e0f5e9b69d526c680cf5 | False | 0.34228515625 | data | 3.5120107667934826 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xee000 | 0xc | 0x200 | 623dd3204b12e1881e47463482eb493f | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0xec090 | 0x3ac | data | | | 0.4223404255319149
RT_MANIFEST | 0xec44c | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-21T17:17:33.489439+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49736 | 96.9.210.71 | 52411 | TCP
2024-10-21T17:17:35.116764+0200 | 2803304 | ETPRO MALWARE Common Downloader Header Pattern HCa | 3 | 192.168.2.4 | 49741 | 178.237.33.50 | 80 | TCP
                                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                    Oct 21, 2024 17:17:32.485284090 CEST | 49736 | 52411 | 192.168.2.4 | 96.9.210.71
                                    Oct 21, 2024 17:17:32.491245985 CEST | 52411 | 49736 | 96.9.210.71 | 192.168.2.4
                                    Oct 21, 2024 17:17:32.492176056 CEST | 49736 | 52411 | 192.168.2.4 | 96.9.210.71
                                    Oct 21, 2024 17:17:32.497709036 CEST | 49736 | 52411 | 192.168.2.4 | 96.9.210.71
                                    Oct 21, 2024 17:17:32.503623009 CEST | 52411 | 49736 | 96.9.210.71 | 192.168.2.4
                                    Oct 21, 2024 17:17:33.446351051 CEST | 52411 | 49736 | 96.9.210.71 | 192.168.2.4
                                    Oct 21, 2024 17:17:33.489439011 CEST | 49736 | 52411 | 192.168.2.4 | 96.9.210.71
                                    Oct 21, 2024 17:17:33.713114977 CEST | 52411 | 49736 | 96.9.210.71 | 192.168.2.4
                                    Oct 21, 2024 17:17:33.719414949 CEST | 49736 | 52411 | 192.168.2.4 | 96.9.210.71
                                    Oct 21, 2024 17:17:33.725070953 CEST | 52411 | 49736 | 96.9.210.71 | 192.168.2.4
                                    Oct 21, 2024 17:17:33.725132942 CEST | 49736 | 52411 | 192.168.2.4 | 96.9.210.71
                                    Oct 21, 2024 17:17:33.730868101 CEST | 52411 | 49736 | 96.9.210.71 | 192.168.2.4
                                    Oct 21, 2024 17:17:34.153009892 CEST | 52411 | 49736 | 96.9.210.71 | 192.168.2.4
                                    Oct 21, 2024 17:17:34.158487082 CEST | 49736 | 52411 | 192.168.2.4 | 96.9.210.71
                                    Oct 21, 2024 17:17:34.163947105 CEST | 52411 | 49736 | 96.9.210.71 | 192.168.2.4
                                    Oct 21, 2024 17:17:34.420795918 CEST | 52411 | 49736 | 96.9.210.71 | 192.168.2.4
                                    Oct 21, 2024 17:17:34.473735094 CEST | 49736 | 52411 | 192.168.2.4 | 96.9.210.71
                                    Oct 21, 2024 17:17:34.520651102 CEST | 49741 | 80 | 192.168.2.4 | 178.237.33.50
                                    Oct 21, 2024 17:17:34.526042938 CEST | 80 | 49741 | 178.237.33.50 | 192.168.2.4
                                    Oct 21, 2024 17:17:34.526103020 CEST | 49741 | 80 | 192.168.2.4 | 178.237.33.50
                                    Oct 21, 2024 17:17:34.526492119 CEST | 49741 | 80 | 192.168.2.4 | 178.237.33.50
                                    Oct 21, 2024 17:17:34.532131910 CEST | 80 | 49741 | 178.237.33.50 | 192.168.2.4
                                    Oct 21, 2024 17:17:35.116600990 CEST | 80 | 49741 | 178.237.33.50 | 192.168.2.4
                                    Oct 21, 2024 17:17:35.116764069 CEST | 49741 | 80 | 192.168.2.4 | 178.237.33.50
                                    Oct 21, 2024 17:17:35.148372889 CEST | 49736 | 52411 | 192.168.2.4 | 96.9.210.71
                                    Oct 21, 2024 17:17:35.154268026 CEST | 52411 | 49736 | 96.9.210.71 | 192.168.2.4
                                    Oct 21, 2024 17:17:36.382879972 CEST | 80 | 49741 | 178.237.33.50 | 192.168.2.4
                                    Oct 21, 2024 17:17:36.383276939 CEST | 49741 | 80 | 192.168.2.4 | 178.237.33.50
                                    Oct 21, 2024 17:18:04.411089897 CEST | 52411 | 49736 | 96.9.210.71 | 192.168.2.4
                                    Oct 21, 2024 17:18:04.412617922 CEST | 49736 | 52411 | 192.168.2.4 | 96.9.210.71
                                    Oct 21, 2024 17:18:04.418090105 CEST | 52411 | 49736 | 96.9.210.71 | 192.168.2.4
                                    Oct 21, 2024 17:18:34.749438047 CEST | 52411 | 49736 | 96.9.210.71 | 192.168.2.4
                                    Oct 21, 2024 17:18:34.750659943 CEST | 49736 | 52411 | 192.168.2.4 | 96.9.210.71
                                    Oct 21, 2024 17:18:34.756130934 CEST | 52411 | 49736 | 96.9.210.71 | 192.168.2.4
                                    Oct 21, 2024 17:19:05.034440994 CEST | 52411 | 49736 | 96.9.210.71 | 192.168.2.4
                                    Oct 21, 2024 17:19:05.035708904 CEST | 49736 | 52411 | 192.168.2.4 | 96.9.210.71
                                    Oct 21, 2024 17:19:05.041188002 CEST | 52411 | 49736 | 96.9.210.71 | 192.168.2.4
                                    Oct 21, 2024 17:19:24.514451981 CEST | 49741 | 80 | 192.168.2.4 | 178.237.33.50
                                    Oct 21, 2024 17:19:24.895915031 CEST | 49741 | 80 | 192.168.2.4 | 178.237.33.50
                                    Oct 21, 2024 17:19:25.599049091 CEST | 49741 | 80 | 192.168.2.4 | 178.237.33.50
                                    Oct 21, 2024 17:19:26.895979881 CEST | 49741 | 80 | 192.168.2.4 | 178.237.33.50
                                    Oct 21, 2024 17:19:29.395097971 CEST | 49741 | 80 | 192.168.2.4 | 178.237.33.50
                                    Oct 21, 2024 17:19:34.208409071 CEST | 49741 | 80 | 192.168.2.4 | 178.237.33.50
                                    Oct 21, 2024 17:19:35.350420952 CEST | 52411 | 49736 | 96.9.210.71 | 192.168.2.4
                                    Oct 21, 2024 17:19:35.351845980 CEST | 49736 | 52411 | 192.168.2.4 | 96.9.210.71
                                    Oct 21, 2024 17:19:35.357444048 CEST | 52411 | 49736 | 96.9.210.71 | 192.168.2.4
                                    Oct 21, 2024 17:19:43.817795038 CEST | 49741 | 80 | 192.168.2.4 | 178.237.33.50
                                    Oct 21, 2024 17:20:05.659041882 CEST | 52411 | 49736 | 96.9.210.71 | 192.168.2.4
                                    Oct 21, 2024 17:20:05.664477110 CEST | 49736 | 52411 | 192.168.2.4 | 96.9.210.71
                                    Oct 21, 2024 17:20:05.669790030 CEST | 52411 | 49736 | 96.9.210.71 | 192.168.2.4
                                    Oct 21, 2024 17:20:35.920463085 CEST | 52411 | 49736 | 96.9.210.71 | 192.168.2.4
                                    Oct 21, 2024 17:20:35.922667980 CEST | 49736 | 52411 | 192.168.2.4 | 96.9.210.71
                                    Oct 21, 2024 17:20:35.928248882 CEST | 52411 | 49736 | 96.9.210.71 | 192.168.2.4
                                    Oct 21, 2024 17:21:06.236222982 CEST | 52411 | 49736 | 96.9.210.71 | 192.168.2.4
                                    Oct 21, 2024 17:21:06.238810062 CEST | 49736 | 52411 | 192.168.2.4 | 96.9.210.71
                                    Oct 21, 2024 17:21:06.244215965 CEST | 52411 | 49736 | 96.9.210.71 | 192.168.2.4
                                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                    Oct 21, 2024 17:17:23.471100092 CEST | 62191 | 53 | 192.168.2.4 | 1.1.1.1
                                    Oct 21, 2024 17:17:24.473927021 CEST | 62191 | 53 | 192.168.2.4 | 1.1.1.1
                                    Oct 21, 2024 17:17:25.473973989 CEST | 62191 | 53 | 192.168.2.4 | 1.1.1.1
                                    Oct 21, 2024 17:17:27.474239111 CEST | 62191 | 53 | 192.168.2.4 | 1.1.1.1
                                    Oct 21, 2024 17:17:27.481520891 CEST | 53 | 62191 | 1.1.1.1 | 192.168.2.4
                                    Oct 21, 2024 17:17:27.481551886 CEST | 53 | 62191 | 1.1.1.1 | 192.168.2.4
                                    Oct 21, 2024 17:17:27.481614113 CEST | 53 | 62191 | 1.1.1.1 | 192.168.2.4
                                    Oct 21, 2024 17:17:27.483479023 CEST | 53 | 62191 | 1.1.1.1 | 192.168.2.4
                                    Oct 21, 2024 17:17:28.490473032 CEST | 65059 | 53 | 192.168.2.4 | 1.1.1.1
                                    Oct 21, 2024 17:17:29.505269051 CEST | 65059 | 53 | 192.168.2.4 | 1.1.1.1
                                    Oct 21, 2024 17:17:30.505526066 CEST | 65059 | 53 | 192.168.2.4 | 1.1.1.1
                                    Oct 21, 2024 17:17:32.476305962 CEST | 53 | 65059 | 1.1.1.1 | 192.168.2.4
                                    Oct 21, 2024 17:17:32.476738930 CEST | 53 | 65059 | 1.1.1.1 | 192.168.2.4
                                    Oct 21, 2024 17:17:32.476748943 CEST | 53 | 65059 | 1.1.1.1 | 192.168.2.4
                                    Oct 21, 2024 17:17:34.506676912 CEST | 52245 | 53 | 192.168.2.4 | 1.1.1.1
                                    Oct 21, 2024 17:17:34.515574932 CEST | 53 | 52245 | 1.1.1.1 | 192.168.2.4
                                    Oct 21, 2024 17:18:00.592078924 CEST | 53 | 54996 | 162.159.36.2 | 192.168.2.4
                                    Oct 21, 2024 17:18:01.084362030 CEST | 53 | 59649 | 1.1.1.1 | 192.168.2.4
                                    Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                    Oct 21, 2024 17:17:23.471100092 CEST | 192.168.2.4 | 1.1.1.1 | 0xf087 | Standard query (0) | windowsocttehe.duckdns.org | A (IP address) | IN (0x0001) | false
                                    Oct 21, 2024 17:17:24.473927021 CEST | 192.168.2.4 | 1.1.1.1 | 0xf087 | Standard query (0) | windowsocttehe.duckdns.org | A (IP address) | IN (0x0001) | false
                                    Oct 21, 2024 17:17:25.473973989 CEST | 192.168.2.4 | 1.1.1.1 | 0xf087 | Standard query (0) | windowsocttehe.duckdns.org | A (IP address) | IN (0x0001) | false
                                    Oct 21, 2024 17:17:27.474239111 CEST | 192.168.2.4 | 1.1.1.1 | 0xf087 | Standard query (0) | windowsocttehe.duckdns.org | A (IP address) | IN (0x0001) | false
                                    Oct 21, 2024 17:17:28.490473032 CEST | 192.168.2.4 | 1.1.1.1 | 0xe1e2 | Standard query (0) | windowsocttehe.duckdns.org | A (IP address) | IN (0x0001) | false
                                    Oct 21, 2024 17:17:29.505269051 CEST | 192.168.2.4 | 1.1.1.1 | 0xe1e2 | Standard query (0) | windowsocttehe.duckdns.org | A (IP address) | IN (0x0001) | false
                                    Oct 21, 2024 17:17:30.505526066 CEST | 192.168.2.4 | 1.1.1.1 | 0xe1e2 | Standard query (0) | windowsocttehe.duckdns.org | A (IP address) | IN (0x0001) | false
                                    Oct 21, 2024 17:17:34.506676912 CEST | 192.168.2.4 | 1.1.1.1 | 0x273c | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false
                                    Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                    Oct 21, 2024 17:17:27.481520891 CEST | 1.1.1.1 | 192.168.2.4 | 0xf087 | Server failure (2) | windowsocttehe.duckdns.org | none | none | A (IP address) | IN (0x0001) | false
                                    Oct 21, 2024 17:17:27.481551886 CEST | 1.1.1.1 | 192.168.2.4 | 0xf087 | Server failure (2) | windowsocttehe.duckdns.org | none | none | A (IP address) | IN (0x0001) | false
                                    Oct 21, 2024 17:17:27.481614113 CEST | 1.1.1.1 | 192.168.2.4 | 0xf087 | Server failure (2) | windowsocttehe.duckdns.org | none | none | A (IP address) | IN (0x0001) | false
                                    Oct 21, 2024 17:17:27.483479023 CEST | 1.1.1.1 | 192.168.2.4 | 0xf087 | Server failure (2) | windowsocttehe.duckdns.org | none | none | A (IP address) | IN (0x0001) | false
                                    Oct 21, 2024 17:17:32.476305962 CEST | 1.1.1.1 | 192.168.2.4 | 0xe1e2 | No error (0) | windowsocttehe.duckdns.org | | 96.9.210.71 | A (IP address) | IN (0x0001) | false
                                    Oct 21, 2024 17:17:32.476738930 CEST | 1.1.1.1 | 192.168.2.4 | 0xe1e2 | No error (0) | windowsocttehe.duckdns.org | | 96.9.210.71 | A (IP address) | IN (0x0001) | false
                                    Oct 21, 2024 17:17:32.476748943 CEST | 1.1.1.1 | 192.168.2.4 | 0xe1e2 | No error (0) | windowsocttehe.duckdns.org | | 96.9.210.71 | A (IP address) | IN (0x0001) | false
                                    Oct 21, 2024 17:17:34.515574932 CEST | 1.1.1.1 | 192.168.2.4 | 0x273c | No error (0) | geoplugin.net | | 178.237.33.50 | A (IP address) | IN (0x0001) | false
                                    • geoplugin.net
                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                    0 | 192.168.2.4 | 49741 | 178.237.33.50 | 80 | 7244 | C:\Users\user\Desktop\DHL AWB_NO_92847309329.exe
                                    Timestamp | Bytes transferred | Direction | Data
                                    Oct 21, 2024 17:17:34.526492119 CEST | 71 | OUT | GET /json.gp HTTP/1.1
                                    Host: geoplugin.net
                                    Cache-Control: no-cache
                                    Oct 21, 2024 17:17:35.116600990 CEST | 1168 | IN | HTTP/1.1 200 OK
                                    date: Mon, 21 Oct 2024 15:17:35 GMT
                                    server: Apache
                                    content-length: 960
                                    content-type: application/json; charset=utf-8
                                    cache-control: public, max-age=300
                                    access-control-allow-origin: *
                                    Data Ascii: { "geoplugin_request":"216.52.183.150", "geoplugin_status":200, "geoplugin_delay":"2ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7157", "geoplugin_longitude":"-74", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}


                                    Target ID:0
                                    Start time:11:17:16
                                    Start date:21/10/2024
                                    Path:C:\Users\user\Desktop\DHL AWB_NO_92847309329.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Users\user\Desktop\DHL AWB_NO_92847309329.exe"
                                    Imagebase:0x590000
                                    File size:955'904 bytes
                                    MD5 hash:710651FB293DF9922080F5B7A4D10916
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1811153341.0000000007000000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.1806575207.0000000004586000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.1806575207.0000000004586000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.1806575207.0000000003A69000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1806575207.0000000003A69000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.1806575207.0000000003A69000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                    Reputation:low
                                    Has exited:true

                                    Target ID:2
                                    Start time:11:17:22
                                    Start date:21/10/2024
                                    Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\rjOyFV.exe"
                                    Imagebase:0xa60000
                                    File size:433'152 bytes
                                    MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:3
                                    Start time:11:17:22
                                    Start date:21/10/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff7699e0000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:4
                                    Start time:11:17:22
                                    Start date:21/10/2024
                                    Path:C:\Windows\SysWOW64\schtasks.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rjOyFV" /XML "C:\Users\user\AppData\Local\Temp\tmpE78A.tmp"
                                    Imagebase:0x890000
                                    File size:187'904 bytes
                                    MD5 hash:48C2FE20575769DE916F48EF0676A965
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:5
                                    Start time:11:17:22
                                    Start date:21/10/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff7699e0000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:6
                                    Start time:11:17:22
                                    Start date:21/10/2024
                                    Path:C:\Users\user\Desktop\DHL AWB_NO_92847309329.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Users\user\Desktop\DHL AWB_NO_92847309329.exe"
                                    Imagebase:0xf80000
                                    File size:955'904 bytes
                                    MD5 hash:710651FB293DF9922080F5B7A4D10916
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000006.00000002.4182257195.0000000001587000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                    Reputation:low
                                    Has exited:false

                                    Target ID:7
                                    Start time:11:17:23
                                    Start date:21/10/2024
                                    Path:C:\Users\user\AppData\Roaming\rjOyFV.exe
                                    Wow64 process (32bit):true
                                    Commandline:C:\Users\user\AppData\Roaming\rjOyFV.exe
                                    Imagebase:0x9f0000
                                    File size:955'904 bytes
                                    MD5 hash:710651FB293DF9922080F5B7A4D10916
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Antivirus matches:
                                    • Detection: 100%, Avira
                                    • Detection: 100%, Joe Sandbox ML
                                    • Detection: 39%, ReversingLabs
                                    Reputation:low
                                    Has exited:true

                                    Target ID:8
                                    Start time:11:17:26
                                    Start date:21/10/2024
                                    Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                    Imagebase:0x7ff693ab0000
                                    File size:496'640 bytes
                                    MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                    Has elevated privileges:true
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:9
                                    Start time:11:17:29
                                    Start date:21/10/2024
                                    Path:C:\Windows\SysWOW64\schtasks.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rjOyFV" /XML "C:\Users\user\AppData\Local\Temp\tmp36E.tmp"
                                    Imagebase:0x890000
                                    File size:187'904 bytes
                                    MD5 hash:48C2FE20575769DE916F48EF0676A965
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:10
                                    Start time:11:17:29
                                    Start date:21/10/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff7699e0000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:11
                                    Start time:11:17:29
                                    Start date:21/10/2024
                                    Path:C:\Users\user\AppData\Roaming\rjOyFV.exe
                                    Wow64 process (32bit):false
                                    Commandline:"C:\Users\user\AppData\Roaming\rjOyFV.exe"
                                    Imagebase:0x140000
                                    File size:955'904 bytes
                                    MD5 hash:710651FB293DF9922080F5B7A4D10916
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Reputation:low
                                    Has exited:true

                                    Target ID:12
                                    Start time:11:17:29
                                    Start date:21/10/2024
                                    Path:C:\Users\user\AppData\Roaming\rjOyFV.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Users\user\AppData\Roaming\rjOyFV.exe"
                                    Imagebase:0x5f0000
                                    File size:955'904 bytes
                                    MD5 hash:710651FB293DF9922080F5B7A4D10916
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000C.00000002.1865601373.0000000000CBA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                    • Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                    • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer, Description: detects Windows executables potentially bypassing UAC using eventvwr.exe, Source: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                    Reputation:low
                                    Has exited:true


                                      Execution Graph

                                      Execution Coverage:11.2%
                                      Dynamic/Decrypted Code Coverage:100%
                                      Signature Coverage:0%
                                      Total number of Nodes:224
                                      Total number of Limit Nodes:10
29730 72af5ab 29729->29730 29730->29730

Control-flow Graph
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1811761561.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_72a0000_DHL AWB_NO_92847309329.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: 4'fq$TJkq$Tefq$pjq$xbiq
                                      • API String ID: 0-2688501482
                                      • Opcode ID: c40c953a8ade674a12995c8cc029bf0b39293f567d94ca86e332b420defb1d1b
                                      • Instruction ID: 327e738c914517ce570e6d3d569d0ba076082b020981f2041c5c99e72af6b847
                                      • Opcode Fuzzy Hash: c40c953a8ade674a12995c8cc029bf0b39293f567d94ca86e332b420defb1d1b
                                      • Instruction Fuzzy Hash: B8B2C475E10228DFDB64CF69C984AD9BBB2FF89304F1481E5E509AB265DB319E81CF40
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1811761561.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_72a0000_DHL AWB_NO_92847309329.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: cf062016f2dac47ff412f13d9806f9227083990295e6384d80a2823cb187574f
                                      • Instruction ID: a08d80d6a403edd7030e5c696865fbd5ba41f816c12c219136552e90e466bee4
                                      • Opcode Fuzzy Hash: cf062016f2dac47ff412f13d9806f9227083990295e6384d80a2823cb187574f
                                      • Instruction Fuzzy Hash: 9031D6B0D25618DBDB18CF9BC8447EEBBF6AF89300F14C06AD419A6254DB7519868F90
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1811761561.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_72a0000_DHL AWB_NO_92847309329.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 70bd34dbcce62f1f48d41e298f0d6bfcefdc35a08b9fd16b15ed357aea9595b9
                                      • Instruction ID: b391e44890f902d11b2dcba52ecebc21ff834e0ddf4e3b51f80fc0e51f666a37
                                      • Opcode Fuzzy Hash: 70bd34dbcce62f1f48d41e298f0d6bfcefdc35a08b9fd16b15ed357aea9595b9
                                      • Instruction Fuzzy Hash: 3A21C6B0D156589BEB18CFABC9447DEBBF2AFC9300F14C46A9408BA254DB7409868F50

Control-flow Graph
                                      APIs
                                      • GetCurrentProcess.KERNEL32 ref: 00C9D476
                                      • GetCurrentThread.KERNEL32 ref: 00C9D4B3
                                      • GetCurrentProcess.KERNEL32 ref: 00C9D4F0
                                      • GetCurrentThreadId.KERNEL32 ref: 00C9D549
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1799319713.0000000000C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C90000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_c90000_DHL AWB_NO_92847309329.jbxd
                                      Similarity
                                      • API ID: Current$ProcessThread
                                      • String ID:
                                      • API String ID: 2063062207-0
                                      • Opcode ID: fe07b33595269056215586579cd6c53b35ae6462a14aaa2383e34b8fb653d0d6
                                      • Instruction ID: 544e21a5aa7e1bc5d8b8e7ccdcd5d523cf01bd6581301e7973928911b8a008e3
                                      • Opcode Fuzzy Hash: fe07b33595269056215586579cd6c53b35ae6462a14aaa2383e34b8fb653d0d6
                                      • Instruction Fuzzy Hash: 1B5176B09003498FDB14DFA9D988BAEBBF1FF88314F24845AE019B7361D7346944CB65

Control-flow Graph
                                      APIs
                                      • GetCurrentProcess.KERNEL32 ref: 00C9D476
                                      • GetCurrentThread.KERNEL32 ref: 00C9D4B3
                                      • GetCurrentProcess.KERNEL32 ref: 00C9D4F0
                                      • GetCurrentThreadId.KERNEL32 ref: 00C9D549
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1799319713.0000000000C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C90000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_c90000_DHL AWB_NO_92847309329.jbxd
                                      Similarity
                                      • API ID: Current$ProcessThread
                                      • String ID:
                                      • API String ID: 2063062207-0
                                      • Opcode ID: 1ab4b9f33cf98ef3d46c38c79552a3fb56e39ab98fffa1733c9d000c1df9f2aa
                                      • Instruction ID: ade48b640c64c69b681371190f2fc0712c3c868b44de3e6b8f55d889d91907be
                                      • Opcode Fuzzy Hash: 1ab4b9f33cf98ef3d46c38c79552a3fb56e39ab98fffa1733c9d000c1df9f2aa
                                      • Instruction Fuzzy Hash: 435146B09003498FDB14DFA9D988BAEBBF5BF88314F248459E019B7350D7746944CB65

Control-flow Graph
                                      APIs
                                      • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 072AF596
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1811761561.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_72a0000_DHL AWB_NO_92847309329.jbxd
                                      Similarity
                                      • API ID: CreateProcess
                                      • String ID:
                                      • API String ID: 963392458-0
                                      • Opcode ID: 14b11b36717cebb4df69a5ff821d95e7edf1769daf17bcdb795d11bf880cc8c5
                                      • Instruction ID: 66f14105e09ad5a013752e86860d1cecdbe0328d0caff2c74e144939b575754c
                                      • Opcode Fuzzy Hash: 14b11b36717cebb4df69a5ff821d95e7edf1769daf17bcdb795d11bf880cc8c5
                                      • Instruction Fuzzy Hash: CBA16CB1D1061ADFDF24CF68C941BDEBBB2BF48310F14816AE818A7250DB789985CF91

Control-flow Graph
                                      APIs
                                      • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 072AF596
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1811761561.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_72a0000_DHL AWB_NO_92847309329.jbxd
                                      Similarity
                                      • API ID: CreateProcess
                                      • String ID:
                                      • API String ID: 963392458-0
                                      • Opcode ID: c7b2f9020dc35cb2d4e309685fb4cb92b1ba81b9b8bdd3cda5eeac89fbcfb875
                                      • Instruction ID: 034e7f8e076b97c9695e5d3f37d92df3c4147aef194ed9aebdcc9cc2c92631dd
                                      • Opcode Fuzzy Hash: c7b2f9020dc35cb2d4e309685fb4cb92b1ba81b9b8bdd3cda5eeac89fbcfb875
                                      • Instruction Fuzzy Hash: F5915EB1D1061ADFDF24CF68C941BDEBBB6BF48310F148169E818A7250DB789985CF91

Control-flow Graph
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1799319713.0000000000C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C90000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_c90000_DHL AWB_NO_92847309329.jbxd
                                      Similarity
                                      • API ID: HandleModule
                                      • String ID:
                                      • API String ID: 4139908857-0
                                      • Opcode ID: b04565bf7d34110ea4b5d00c6c519d9ff0a5b7d27d387156ebaaf67379253714
                                      • Instruction ID: ea971b4778d3cf527abdcc80cc36f5ae46ce72e82aa0ec8de4fc5704548c2525
                                      • Opcode Fuzzy Hash: b04565bf7d34110ea4b5d00c6c519d9ff0a5b7d27d387156ebaaf67379253714
                                      • Instruction Fuzzy Hash: 3A8167B0A00B048FDB24DF29D44879ABBF1FF88300F10892DD49AD7A50DB35E956CB91

Control-flow Graph
                                      APIs
                                      • CreateActCtxA.KERNEL32(?), ref: 00C959C9
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1799319713.0000000000C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C90000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_c90000_DHL AWB_NO_92847309329.jbxd
                                      Similarity
                                      • API ID: Create
                                      • String ID:
                                      • API String ID: 2289755597-0
                                      • Opcode ID: 273d65fccb8d7ee7a021644d62a4819a900c6730750cb4f785a6d869b5302bab
                                      • Instruction ID: 505bae80b369827a5374c45fe7a8e50cc12ad80a0a1e122d3401f5af095b7339
                                      • Opcode Fuzzy Hash: 273d65fccb8d7ee7a021644d62a4819a900c6730750cb4f785a6d869b5302bab
                                      • Instruction Fuzzy Hash: 0141E1B0D00719CADF25CFA9C988BDEBBB6BF48304F24815AD409AB251DB756946CF90

Control-flow Graph
                                      APIs
                                      • CreateActCtxA.KERNEL32(?), ref: 00C959C9
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1799319713.0000000000C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C90000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_c90000_DHL AWB_NO_92847309329.jbxd
                                      Similarity
                                      • API ID: Create
                                      • String ID:
                                      • API String ID: 2289755597-0
                                      • Opcode ID: 81a98ee84149ddde5e6627b0cd5241bdc58e778a4396f9da7081e3f58cd46ef5
                                      • Instruction ID: f4ee4d2556a058bdbc9f00efe6f4f4844646a1e22b2a24b8e60343472bae4970
                                      • Opcode Fuzzy Hash: 81a98ee84149ddde5e6627b0cd5241bdc58e778a4396f9da7081e3f58cd46ef5
                                      • Instruction Fuzzy Hash: F341D2B0C00719CADF25DFA9C988B9EBBB5BF48304F24815AD409AB251DB756946CF90

Control-flow Graph
                                      APIs
                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00C9D6C7
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1799319713.0000000000C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C90000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_c90000_DHL AWB_NO_92847309329.jbxd
                                      Similarity
                                      • API ID: DuplicateHandle
                                      • String ID:
                                      • API String ID: 3793708945-0
                                      • Opcode ID: d42c540a187886923c554dbd11b0d52342e83167d0f42a7a86a242fe71e91559
                                      • Instruction ID: 3b3dba6dbc4c5f57188bcece1920843775d5ba66d82e74516e6813493e3d10a7
                                      • Opcode Fuzzy Hash: d42c540a187886923c554dbd11b0d52342e83167d0f42a7a86a242fe71e91559
                                      • Instruction Fuzzy Hash: 2E314178A807808FE714DF60E4587697BB2E7C8310F558929E9518B7D8CFBA9857CF10

Control-flow Graph
                                      APIs
                                      • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 072AF168
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1811761561.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_72a0000_DHL AWB_NO_92847309329.jbxd
                                      Similarity
                                      • API ID: MemoryProcessWrite
                                      • String ID:
                                      • API String ID: 3559483778-0
                                      • Opcode ID: 923dd8d65dc83bc70b3a7801c99cd7b4b1919775a53f7e3803fbe899fab0852e
                                      • Instruction ID: 13c221d0d9f6a4e1dc5579e6cace50d5b12f999669eb7925e419a20585bccc13
                                      • Opcode Fuzzy Hash: 923dd8d65dc83bc70b3a7801c99cd7b4b1919775a53f7e3803fbe899fab0852e
                                      • Instruction Fuzzy Hash: 82215CB5900349DFCB10CFA9C985BDEBBF5FF48320F10842AE518A7640C7789545DBA1

Control-flow Graph
                                      APIs
                                      • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 072AF168
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1811761561.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_72a0000_DHL AWB_NO_92847309329.jbxd
                                      Similarity
                                      • API ID: MemoryProcessWrite
                                      • String ID:
                                      • API String ID: 3559483778-0
                                      • Opcode ID: a3543d0a491fc87017b2acaa2f739c4cff2e1acad1277451ae49db3834f70454
                                      • Instruction ID: 5a0dbd885157810670788209ec7813de50da489d7fbb25a28d46b7896be121a2
                                      • Opcode Fuzzy Hash: a3543d0a491fc87017b2acaa2f739c4cff2e1acad1277451ae49db3834f70454
                                      • Instruction Fuzzy Hash: 652127B190030A9FCB10CFA9C985BDEBBF5FF48320F10842AE919A7240C7789941DBA0

Control-flow Graph
                                      APIs
                                      • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 072AF248
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1811761561.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_72a0000_DHL AWB_NO_92847309329.jbxd
                                      Similarity
                                      • API ID: MemoryProcessRead
                                      • String ID:
                                      • API String ID: 1726664587-0
                                      • Opcode ID: 944b24bc2eb1780a54383f614eb625d4a8035ef50c118fee28f1209f8bfd13de
                                      • Instruction ID: 6bddb71622c3cedf855bb9a82da61017acb8dd9f7fe3044de410f3ff4d8ba50d
                                      • Opcode Fuzzy Hash: 944b24bc2eb1780a54383f614eb625d4a8035ef50c118fee28f1209f8bfd13de
                                      • Instruction Fuzzy Hash: 80214CB19003599FDB10CFAAC981ADEFBF5FF88320F14842AE519A7240C7789541DBA1
                                      Control-flow Graph
                                      • Basic blocks (recovered from the rendered graph): 72aef39-72aef8b, 72aef8d-72aef99, 72aef9b-72aefcb (calls Wow64SetThreadContext), 72aefcd-72aefd3, 72aefd4-72af004
                                      • Edges: 72aef39 -> 72aef9b, 72aef39 -> 72aef8d, 72aef8d -> 72aef9b, 72aef9b -> 72aefcd, 72aef9b -> 72aefd4, 72aefcd -> 72aefd4
                                      APIs
                                      • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 072AEFBE
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1811761561.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_72a0000_DHL AWB_NO_92847309329.jbxd
                                      Similarity
                                      • API ID: ContextThreadWow64
                                      • String ID:
                                      • API String ID: 983334009-0
                                      • Opcode ID: be179f59d9a4ffc81f1f4bf477fee082e70ebca88391a421657382e1e71a118a
                                      • Instruction ID: 8cd0b9ae1caa928fc6215945bf58eabc7aa61e4bc592f6e654afc6a0ae95d9ea
                                      • Opcode Fuzzy Hash: be179f59d9a4ffc81f1f4bf477fee082e70ebca88391a421657382e1e71a118a
                                      • Instruction Fuzzy Hash: D7212AB1D0030A9FDB10CFAAC4857EEBBF4EF88324F14842AD559A7241C7789945DBA5
                                      APIs
                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00C9D6C7
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1799319713.0000000000C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C90000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_c90000_DHL AWB_NO_92847309329.jbxd
                                      Similarity
                                      • API ID: DuplicateHandle
                                      • String ID:
                                      • API String ID: 3793708945-0
                                      • Opcode ID: b2df8560f0e664ddd935aef0eaf6c9e675aac0f55818e7067322b6f3f8b7bdf4
                                      • Instruction ID: cf799f46b24bf68eae31be3da4ed9fea19a058d0c94733e2e591405186bba08e
                                      • Opcode Fuzzy Hash: b2df8560f0e664ddd935aef0eaf6c9e675aac0f55818e7067322b6f3f8b7bdf4
                                      • Instruction Fuzzy Hash: E62103B59002489FDB10CFAAD985AEEBFF5EB48320F24841AE959A3310C374A945DF60
                                      APIs
                                      • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 072AF248
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1811761561.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_72a0000_DHL AWB_NO_92847309329.jbxd
                                      Similarity
                                      • API ID: MemoryProcessRead
                                      • String ID:
                                      • API String ID: 1726664587-0
                                      • Opcode ID: 3b60ba7015741d7696daba6b82b418b06793982aa80a6fe87f71dfa383db2c8c
                                      • Instruction ID: a6ab3e43042fa5d13aeb55862b717d415f24fa67b148a585737baae1ccffecd5
                                      • Opcode Fuzzy Hash: 3b60ba7015741d7696daba6b82b418b06793982aa80a6fe87f71dfa383db2c8c
                                      • Instruction Fuzzy Hash: 842139B1D003499FDB10CFAAC981ADEFBF5FF48320F10842AE519A7240C7799541DBA1
                                      APIs
                                      • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 072AEFBE
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1811761561.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_72a0000_DHL AWB_NO_92847309329.jbxd
                                      Similarity
                                      • API ID: ContextThreadWow64
                                      • String ID:
                                      • API String ID: 983334009-0
                                      • Opcode ID: 67daadcab33b8013b66e30ce7f347397902c204c0147a894cca3724e06150148
                                      • Instruction ID: fb3efab981ad857da0f06322a19cd66ed88c2c8330f20cd0b5aa19c4c254d702
                                      • Opcode Fuzzy Hash: 67daadcab33b8013b66e30ce7f347397902c204c0147a894cca3724e06150148
                                      • Instruction Fuzzy Hash: A82149B1D0030A9FDB10CFAAC4857EEBBF4EF88324F14842AD459A7240CB789945CFA5
                                      APIs
                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00C9D6C7
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1799319713.0000000000C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C90000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_c90000_DHL AWB_NO_92847309329.jbxd
                                      Similarity
                                      • API ID: DuplicateHandle
                                      • String ID:
                                      • API String ID: 3793708945-0
                                      • Opcode ID: c4ac62e91c1af1039e77ff26de5c6d0cd4684f3f8985e2d14fb33e9064c7aa49
                                      • Instruction ID: 7db29f125ab7b35ca0ee8d27ac71ca6a50dfb6e7aef36b905b0290728ab7c7bc
                                      • Opcode Fuzzy Hash: c4ac62e91c1af1039e77ff26de5c6d0cd4684f3f8985e2d14fb33e9064c7aa49
                                      • Instruction Fuzzy Hash: A921E4B59002089FDB10CFAAD984ADEBBF8EB48320F14841AE918A3350C374A940DF64
                                      APIs
                                      • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 072AF086
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1811761561.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_72a0000_DHL AWB_NO_92847309329.jbxd
                                      Similarity
                                      • API ID: AllocVirtual
                                      • String ID:
                                      • API String ID: 4275171209-0
                                      • Opcode ID: cf44db3b900dde9fd3a20a4201a86ea0a31c95e634ff19210c10fc87acec505e
                                      • Instruction ID: cc1daca4b2272481809a36f8504a93cc13ba38e235e3701cb8b0f7264aea850b
                                      • Opcode Fuzzy Hash: cf44db3b900dde9fd3a20a4201a86ea0a31c95e634ff19210c10fc87acec505e
                                      • Instruction Fuzzy Hash: A7118EB19003099FCB10CFA9C845ADFBFF5EF88320F108419D515A7250C7759544DFA0
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1811761561.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_72a0000_DHL AWB_NO_92847309329.jbxd
                                      Similarity
                                      • API ID: ResumeThread
                                      • String ID:
                                      • API String ID: 947044025-0
                                      • Opcode ID: 75cc7d9289266948490e3ea0f906a1aa2bdaa7243c376eb629c14cb6a835c002
                                      • Instruction ID: 1b0d62be558f3d2088d74035c6499eafb98c3c771739da1abc0955894bee393d
                                      • Opcode Fuzzy Hash: 75cc7d9289266948490e3ea0f906a1aa2bdaa7243c376eb629c14cb6a835c002
                                      • Instruction Fuzzy Hash: EB1179B1D003498BCB20DFAAC4457DEBFF4EB88320F24841AD419A7240CA756845CBA1
                                      APIs
                                      • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 072AF086
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1811761561.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_72a0000_DHL AWB_NO_92847309329.jbxd
                                      Similarity
                                      • API ID: AllocVirtual
                                      • String ID:
                                      • API String ID: 4275171209-0
                                      • Opcode ID: be40fd5b2c2b47957139f988f09a77eb5852ced3e42adcb125a7e000c6444f64
                                      • Instruction ID: 4af0ce8b6da00e21a3d9b77cc69906376b881317263018faab576053b957953e
                                      • Opcode Fuzzy Hash: be40fd5b2c2b47957139f988f09a77eb5852ced3e42adcb125a7e000c6444f64
                                      • Instruction Fuzzy Hash: E6113AB19003499FCB20DFAAC945ADFBFF5EF88320F148419E559A7250C775A540DFA1
                                      APIs
                                      • GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,00C9AD84), ref: 00C9AFBE
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1799319713.0000000000C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C90000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_c90000_DHL AWB_NO_92847309329.jbxd
                                      Similarity
                                      • API ID: HandleModule
                                      • String ID:
                                      • API String ID: 4139908857-0
                                      • Opcode ID: 84620324bad578934adec37851504fe18db5a7f76a87bac94d4d085aedb33c7d
                                      • Instruction ID: 7336182adf0794fc2473f2f82932c7cfc81d7c2a388c361ab4e1dc2a266acc7b
                                      • Opcode Fuzzy Hash: 84620324bad578934adec37851504fe18db5a7f76a87bac94d4d085aedb33c7d
                                      • Instruction Fuzzy Hash: F61102B6C047498FCB20CF9AC448BDEFBF4EB88324F14841AD429A7600D379A545CFA1
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1811761561.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_72a0000_DHL AWB_NO_92847309329.jbxd
                                      Similarity
                                      • API ID: ResumeThread
                                      • String ID:
                                      • API String ID: 947044025-0
                                      • Opcode ID: 71a2c973e22d736180103a98d637226f474bc3e87bbd3ff24becff39e7c8afc9
                                      • Instruction ID: 6ed1c65f23b14e938028bb4d777a93d3849ec492b6764e3b451d103ae8cf6341
                                      • Opcode Fuzzy Hash: 71a2c973e22d736180103a98d637226f474bc3e87bbd3ff24becff39e7c8afc9
                                      • Instruction Fuzzy Hash: 561166B1D003498FDB20DFAAC44579EFBF8EF88320F20841AD419A7240CB79A901CBA5
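The function entries above resolve VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, Wow64SetThreadContext and ResumeThread from the same 072A0000 memory dump, a region the report marks "based on PE: false" (not a mapped image), while DuplicateHandle and GetModuleHandleW come from 00C90000. Taken together in one region those remote-process primitives are the RunPE / process-hollowing sequence. The script below is an added example, not part of the Joe Sandbox report or of Joe Sandbox's own tooling: it parses entries in the "APIs / Memory Dump Source / Similarity" layout used on this page and flags the dump regions that contain every stage of the chain. Its sample text is a constructed, trimmed subset copied from the entries above; the stage names (alloc, write, context, resume), accepting SetThreadContext as the 64-bit counterpart of Wow64SetThreadContext, and using the Similarity "API ID" field as a fallback name for the entry with no call line are this example's own assumptions.

```python
"""Correlate Joe Sandbox function entries into a process-hollowing API chain.
Added example, not part of the report or of Joe Sandbox's tooling; the sample
text is a constructed, trimmed subset of the report's own entries."""
import re
from collections import defaultdict

# Constructed sample in the report's layout (hash lines omitted, unused here).
SAMPLE_ENTRIES = """\
APIs
• WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 072AF168
Memory Dump Source
• Source File: 00000000.00000002.1811761561.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false
APIs
• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 072AF248
Memory Dump Source
• Source File: 00000000.00000002.1811761561.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false
APIs
• Wow64SetThreadContext.KERNEL32(?,00000000), ref: 072AEFBE
Memory Dump Source
• Source File: 00000000.00000002.1811761561.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false
APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 072AF086
Memory Dump Source
• Source File: 00000000.00000002.1811761561.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false
APIs
Memory Dump Source
• Source File: 00000000.00000002.1811761561.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false
Similarity
• API ID: ResumeThread
APIs
• GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,00C9AD84), ref: 00C9AFBE
Memory Dump Source
• Source File: 00000000.00000002.1799319713.0000000000C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C90000, based on PE: false
"""

# Remote-process primitives that together form the RunPE / process-hollowing
# pattern. SetThreadContext is this example's 64-bit alias (assumption) for the
# Wow64SetThreadContext the report shows.
HOLLOWING_STAGES = {
    "alloc":   {"VirtualAllocEx"},
    "write":   {"WriteProcessMemory"},
    "context": {"Wow64SetThreadContext", "SetThreadContext"},
    "resume":  {"ResumeThread"},
}
KNOWN_APIS = set().union(*HOLLOWING_STAGES.values())

API_CALL = re.compile(r"^•\s*(\w+)\.\w+\(.*\),\s*ref:\s*([0-9A-Fa-f]+)")
SOURCE = re.compile(r"Offset:\s*([0-9A-Fa-f]+)")
API_ID = re.compile(r"^•\s*API ID:\s*(\S+)")


def parse_entries(text):
    """One dict per entry (api, ref, region). An entry starts at an 'APIs'
    header; with no call line, the Similarity 'API ID' is used only when it is
    a plain API name (ResumeThread), since the field otherwise re-orders words
    (MemoryProcessWrite for WriteProcessMemory) and is not decoded here."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = {"api": None, "ref": None, "region": None, "api_id": None}
            entries.append(cur)
        elif cur is None:
            continue
        elif (m := API_CALL.match(line)):
            cur["api"], cur["ref"] = m.group(1), int(m.group(2), 16)
        elif (m := SOURCE.search(line)):
            cur["region"] = m.group(1)
        elif (m := API_ID.match(line)):
            cur["api_id"] = m.group(1)
    for e in entries:
        if e["api"] is None and e["api_id"] in KNOWN_APIS:
            e["api"] = e["api_id"]
    return entries


def find_hollowing(entries):
    """Group call sites by dump region; a region matches when every stage is
    present. ref_span is the distance between its lowest and highest call site
    (small when the API wrappers are adjacent, as they are at 072A0000)."""
    by_region = defaultdict(list)
    for e in entries:
        if e["region"] and e["api"]:
            by_region[e["region"]].append(e)
    report = {}
    for region, calls in by_region.items():
        apis = sorted({c["api"] for c in calls})
        seen = {s for s, names in HOLLOWING_STAGES.items() if names & set(apis)}
        refs = [c["ref"] for c in calls if c["ref"] is not None]
        report[region] = {
            "apis": apis,
            "missing": sorted(set(HOLLOWING_STAGES) - seen),
            "matched": seen == set(HOLLOWING_STAGES),
            "ref_span": max(refs) - min(refs) if refs else 0,
        }
    return report


if __name__ == "__main__":
    for region, r in find_hollowing(parse_entries(SAMPLE_ENTRIES)).items():
        verdict = "hollowing chain" if r["matched"] else f"missing {r['missing']}"
        print(f"{region}: {', '.join(r['apis'])} (span 0x{r['ref_span']:X}) -> {verdict}")
```

Run stand-alone, the script reports 072A0000 as a complete chain whose call sites lie within 0x28A bytes of each other (072AEFBE to 072AF248), and 00C90000 as a non-match. Grouping by dump region rather than by process is the point: the individual wrappers are tiny functions that look harmless on their own, and it is their co-location in one non-image memory region that gives the injection away.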
                                      APIs
                                      • PostMessageW.USER32(?,?,?,?), ref: 0C34225D
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1812842936.000000000C340000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C340000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_c340000_DHL AWB_NO_92847309329.jbxd
                                      Similarity
                                      • API ID: MessagePost
                                      • String ID:
                                      • API String ID: 410705778-0
                                      • Opcode ID: 1fa7ead7e38e42aae5c58babac8a7d5bf2af4ebe72a37bfebe154e621622eafa
                                      • Instruction ID: 7937dc9418b43f0976f2a86fedeaa937b0fcced15b91294bee11d3e015088463
                                      • Opcode Fuzzy Hash: 1fa7ead7e38e42aae5c58babac8a7d5bf2af4ebe72a37bfebe154e621622eafa
                                      • Instruction Fuzzy Hash: FA11F5B58003499FDB10DF9AC985BDFFBF8EB58320F20841AE558A7200C375A544CFA5
                                      APIs
                                      • PostMessageW.USER32(?,?,?,?), ref: 0C34225D
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1812842936.000000000C340000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C340000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_c340000_DHL AWB_NO_92847309329.jbxd
                                      Similarity
                                      • API ID: MessagePost
                                      • String ID:
                                      • API String ID: 410705778-0
                                      • Opcode ID: f3955a8f9a2df47089e55afc59fbccf6aee35768ad83c55cb964d49f7e5237a3
                                      • Instruction ID: 446ddd17257cee83f6a96c92a96d27886e5c280ae5c41b6224d755c58d0db918
                                      • Opcode Fuzzy Hash: f3955a8f9a2df47089e55afc59fbccf6aee35768ad83c55cb964d49f7e5237a3
                                      • Instruction Fuzzy Hash: 0411D3B58007499FDB10DF9AD985BDFFBF8EB48320F20841AE558A7250C375A544CFA5
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1798989440.0000000000C3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C3D000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_c3d000_DHL AWB_NO_92847309329.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: c4b98876f11da7d37854e206e36765e6aba304971412d315c2a3aa57125ec863
                                      • Instruction ID: 834c7a0e9d867ee3470cfeec6459c2f9ba1e200b06d33c280778b843de6a1415
                                      • Opcode Fuzzy Hash: c4b98876f11da7d37854e206e36765e6aba304971412d315c2a3aa57125ec863
                                      • Instruction Fuzzy Hash: 782167B2514200DFCB05DF14E9C0F26BF65FB88318F20C569E80A0B256C336D956DBA2
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1798989440.0000000000C3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C3D000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_c3d000_DHL AWB_NO_92847309329.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: ba1f2955dafb255a5ca34a576198b7b4749b42f9d8c789b47e8dfa0457c13401
                                      • Instruction ID: b61ad113e6497bc156572fe7aead35c2740c6329a11d5333c8e3cba63fa18044
                                      • Opcode Fuzzy Hash: ba1f2955dafb255a5ca34a576198b7b4749b42f9d8c789b47e8dfa0457c13401
                                      • Instruction Fuzzy Hash: 172137B1514204DFDB05DF14E9C0B26BF65FB98324F24C56DE90B0B256C336E856DBA2
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1799063237.0000000000C4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C4D000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_c4d000_DHL AWB_NO_92847309329.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: f3f02410d27a2767b5793b8065b2e14227d0ffd166aeed2d7032452a2f9f93c2
                                      • Instruction ID: e2c332c4dba25f09f7690622a03955cfa611559f066fc91e021e1caba1725bed
                                      • Opcode Fuzzy Hash: f3f02410d27a2767b5793b8065b2e14227d0ffd166aeed2d7032452a2f9f93c2
                                      • Instruction Fuzzy Hash: 022107B1604200EFDB25EF14D5C0B26BBA5FB84314F24C6ADE90A4B252C376DC46CA61
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1799063237.0000000000C4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C4D000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_c4d000_DHL AWB_NO_92847309329.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 0dea06553b7079b62459258cd8e3e8a3ce08e7b84db5297a13c29c10ba4b2e6e
                                      • Instruction ID: de975ab17739413764fcf40ae403660d840aa02d48803bdb244f05e9b93b5e48
                                      • Opcode Fuzzy Hash: 0dea06553b7079b62459258cd8e3e8a3ce08e7b84db5297a13c29c10ba4b2e6e
                                      • Instruction Fuzzy Hash: C921F2B5604200DFCB14EF14D9C4B26BB65FB84314F24C9ADE90A4B296C33AD847CA61
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1799063237.0000000000C4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C4D000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_c4d000_DHL AWB_NO_92847309329.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: f18077f2f8dfdadcb73c30a43003a42a89846942ecf2c00c50819418313fcc83
                                      • Instruction ID: 10ea888a76fec9479aaed0b180019529a8c320ed3d5c9a79e3062a63311eaadd
                                      • Opcode Fuzzy Hash: f18077f2f8dfdadcb73c30a43003a42a89846942ecf2c00c50819418313fcc83
                                      • Instruction Fuzzy Hash: BB218E755093808FCB12DF24D994B15BF71FB46314F28C5EAD8498B6A7C33AD80ACB62
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1798989440.0000000000C3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C3D000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_c3d000_DHL AWB_NO_92847309329.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: d470e05bf275f9961b8f2d54e60ae5f944f02dbb38b852c854ecf385a2209709
                                      • Instruction ID: 3ee35a54ff50cde6189b41ab02019f1071b8f11332d45b367af8b8569e605862
                                      • Opcode Fuzzy Hash: d470e05bf275f9961b8f2d54e60ae5f944f02dbb38b852c854ecf385a2209709
                                      • Instruction Fuzzy Hash: E7110372404240CFCB12CF10E5C0B16BF72FB94324F24C2A9D80A0B656C33AE95ACBA1
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1798989440.0000000000C3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C3D000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_c3d000_DHL AWB_NO_92847309329.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: d470e05bf275f9961b8f2d54e60ae5f944f02dbb38b852c854ecf385a2209709
                                      • Instruction ID: 6f5d1022ec384ab9c4dbe3325987ac02c7e19813f7656a78e0d33d73a66a4989
                                      • Opcode Fuzzy Hash: d470e05bf275f9961b8f2d54e60ae5f944f02dbb38b852c854ecf385a2209709
                                      • Instruction Fuzzy Hash: 1011E6B6504280CFCB16CF14D5C4B16BF72FB94318F24C6A9D84A4B656C33AD95ACBA1
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1799063237.0000000000C4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C4D000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_c4d000_DHL AWB_NO_92847309329.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 244c614e04a80719a4cbb1e35d09afbc7f52f2045db6f081cea45e42cbbeead8
                                      • Instruction ID: 668a52dea8a425edffd47773b248f2cffadffa3dc8d0e05834fd71ef818161a7
                                      • Opcode Fuzzy Hash: 244c614e04a80719a4cbb1e35d09afbc7f52f2045db6f081cea45e42cbbeead8
                                      • Instruction Fuzzy Hash: F611BB75904280DFCB22DF10C5C4B15BBA2FB84314F24C6AAD84A4B696C37AD84ACB61
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1798989440.0000000000C3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C3D000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_c3d000_DHL AWB_NO_92847309329.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 18d23918a97009bbfda9b059a1d50f1a583c26661fadbda3de700d0cd4e6d467
                                      • Instruction ID: 38a261626ad316f06afba6b2f9d2394a5672ae7d895f6698c1aa111398f046c5
                                      • Opcode Fuzzy Hash: 18d23918a97009bbfda9b059a1d50f1a583c26661fadbda3de700d0cd4e6d467
                                      • Instruction Fuzzy Hash: 37014EB10083409AE7104B26ECC4B67FFE8DF52320F18C45BED1A4B28AC7389C40D671
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1798989440.0000000000C3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C3D000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_c3d000_DHL AWB_NO_92847309329.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: e6f375a4282fe4144c214ea23571c0150306ebcf13876b069ce28f3913d5ef2d
                                      • Instruction ID: 27f1b194ca038b0bfa965eb365ca4760c111c69c12b7660590ce444059539429
                                      • Opcode Fuzzy Hash: e6f375a4282fe4144c214ea23571c0150306ebcf13876b069ce28f3913d5ef2d
                                      • Instruction Fuzzy Hash: 38F06271404344AEE7248A16EDC4B62FFA8EF51724F18C45AED194B286C379A944CAB1
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1811761561.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_72a0000_DHL AWB_NO_92847309329.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: TJkq$Tefq$xbiq
                                      • API String ID: 0-2501753584
                                      • Opcode ID: 2489b1ce022a5f32b92358b36d23f1504a695b0060edf345bb4aa8f9b4729bd5
                                      • Instruction ID: 0665f53e2ababae8cad1c82cf205a8058e32a0869e1d3aeba714c430abd03680
                                      • Opcode Fuzzy Hash: 2489b1ce022a5f32b92358b36d23f1504a695b0060edf345bb4aa8f9b4729bd5
                                      • Instruction Fuzzy Hash: 90C1B3B5E056588FDB29CF6AC9446DDBBF2AF89300F14C0EAD408AB265DB305A85CF50
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1812842936.000000000C340000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C340000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_c340000_DHL AWB_NO_92847309329.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: fbe24500f192392b44fd83d4c1ab32265e5af348e8b894e3d2bcf5fca88248fc
                                      • Instruction ID: cd169106e83110132905883d73a6ee10c0f0ebc55bc75e02bdb0137eb62e5d81
                                      • Opcode Fuzzy Hash: fbe24500f192392b44fd83d4c1ab32265e5af348e8b894e3d2bcf5fca88248fc
                                      • Instruction Fuzzy Hash: 6FE1EC717117009FDB69EB79C450BAEBBF6AF89300F24846DD146CB2A1DB35E801CB92
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1811761561.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_72a0000_DHL AWB_NO_92847309329.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 1220920158e90eab42aaead9663f6a156c70b6998543b972b8a77da524e40614
                                      • Instruction ID: c875a1079b46542b03791c80191e599da30aecb6ffdfb305077cb577229be54b
                                      • Opcode Fuzzy Hash: 1220920158e90eab42aaead9663f6a156c70b6998543b972b8a77da524e40614
                                      • Instruction Fuzzy Hash: A6E1FCB4E142199FCB14DFA9C9809AEFBF6FF89304F248169D414AB355D731A982CF60
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1811761561.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_72a0000_DHL AWB_NO_92847309329.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: ef787693d9fa7dfb2738f5c4df79b247122c71d27444151abe17a7ca10248b22
                                      • Instruction ID: fd5674cf0b9ebf24322ec79a7b1d6ab13b7bcf3926b793f5ca865d3d1a36badc
                                      • Opcode Fuzzy Hash: ef787693d9fa7dfb2738f5c4df79b247122c71d27444151abe17a7ca10248b22
                                      • Instruction Fuzzy Hash: 75E11CB4E201199FCB14DFA9C9819AEFBB2FF89304F248169D414AB355D731AD82CF61
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1811761561.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_72a0000_DHL AWB_NO_92847309329.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: d384de08d31060926ee81320cd4bab196fd8545824ba38bdb97a8e43203be05c
                                      • Instruction ID: 5ff3d05fb34f01c93900077e3195c85823851c740bc1478a99f5dfad9cf43c63
                                      • Opcode Fuzzy Hash: d384de08d31060926ee81320cd4bab196fd8545824ba38bdb97a8e43203be05c
                                      • Instruction Fuzzy Hash: 7FE1EDB4E141199FCB14DFA9C9809AEFBB2FF89304F248169D414AB355D731AD82CF60
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1811761561.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_72a0000_DHL AWB_NO_92847309329.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: b6e9cceb4dbb75230fdfccf5c3100d82ce27c5dff627f84e7ef9d11bf61d8705
                                      • Instruction ID: 1207cec3da4e3620976c7c552740327553eb68dbbc79c77568d13968e8dd1545
                                      • Opcode Fuzzy Hash: b6e9cceb4dbb75230fdfccf5c3100d82ce27c5dff627f84e7ef9d11bf61d8705
                                      • Instruction Fuzzy Hash: E9E11AB4E101199FCB14DFA9C9819AEFBF2FF89304F248169D814AB355D731A982CF61
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1811761561.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_72a0000_DHL AWB_NO_92847309329.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: fffa3034810804a9d3d137f4e6e095a2c4afb99184284134112b302846390af5
                                      • Instruction ID: 19440190b89c1faff40388bfb41d436648a8b6e5773bd68bbb9f9fd4ee035b6a
                                      • Opcode Fuzzy Hash: fffa3034810804a9d3d137f4e6e095a2c4afb99184284134112b302846390af5
                                      • Instruction Fuzzy Hash: 77E10CB4E141199FCB14DFA9C9909AEFBF2FF89304F248159D814AB355D731A982CF60
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1811761561.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_72a0000_DHL AWB_NO_92847309329.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: e879c816262ebc8db7cd861428fc3dbfc5a005e48b3440d75505893c99840a95
                                      • Instruction ID: c06ac6f2f72bf861c92fd5fa3e96eb701eb47016249671c4651c977f88e7162d
                                      • Opcode Fuzzy Hash: e879c816262ebc8db7cd861428fc3dbfc5a005e48b3440d75505893c99840a95
                                      • Instruction Fuzzy Hash: FCD1E5B4D29268DFDB14DFA9C84579EBBF2FF89304F1081A9D409A7241DBB44A86CF41
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1811761561.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_72a0000_DHL AWB_NO_92847309329.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 1d6f3e516fd1103d16cede91b681772018e5fc3b3a3b4b0f79c4908bacee85ae
                                      • Instruction ID: baee7db7b9ad6e0df3fe76582904f2db30c96d31e5b50d41e715104b3883d940
                                      • Opcode Fuzzy Hash: 1d6f3e516fd1103d16cede91b681772018e5fc3b3a3b4b0f79c4908bacee85ae
                                      • Instruction Fuzzy Hash: 72D1F5B4D28268DFDB14DFA9C845B9EBBF2FF89304F109169D409A7240DBB45A86CF01
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1811761561.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_72a0000_DHL AWB_NO_92847309329.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 301c0613c88cd5ad0d47932e9c93ea7cce12a4da9540781e1df0955ebff2359b
                                      • Instruction ID: 3f18c2e425f458eebb2249d96c3e6c93cd993d67d8a018bded4a3199a312fc3e
                                      • Opcode Fuzzy Hash: 301c0613c88cd5ad0d47932e9c93ea7cce12a4da9540781e1df0955ebff2359b
                                      • Instruction Fuzzy Hash: 9AD1FA35D2075A8ACB15EBA4D9906D9B7B1FFD5300F60879AE0093B225EF706AC5CF41
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1811761561.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_72a0000_DHL AWB_NO_92847309329.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 47e50f9b052cb23d049440ce672c4c658a75ecfcaeadaa52d1323f49d0aefa8d
                                      • Instruction ID: 4bc4198e533386d7952f3bbe5d759508993e9a2e02a24253b87a8780635abfee
                                      • Opcode Fuzzy Hash: 47e50f9b052cb23d049440ce672c4c658a75ecfcaeadaa52d1323f49d0aefa8d
                                      • Instruction Fuzzy Hash: 5FD1E93592075A8ADB15EBA4D990AD9B7B1FFD5300F50879AE0093B224EF706AC5CF81
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1799319713.0000000000C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C90000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_c90000_DHL AWB_NO_92847309329.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 3d617c104ecedb94018d8b64a80fa1a3a6e76961e2eb8953fa73148e1a111f90
                                      • Instruction ID: 5ef511d5d9cdf970282a5d9c8bf47cc6f58b11e1186a4cee23b43d00103d568f
                                      • Opcode Fuzzy Hash: 3d617c104ecedb94018d8b64a80fa1a3a6e76961e2eb8953fa73148e1a111f90
                                      • Instruction Fuzzy Hash: 80A16C36A00205CFCF15DFA5C84459EBBB6FF85300B2585BEE815EB266DB72DA16CB40
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1811761561.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_72a0000_DHL AWB_NO_92847309329.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 44540b95e2b82c35a5bdd51e2e8a2a7dce502e12072dc454de90549c98219dab
                                      • Instruction ID: 6cdee0326abac4822b07dd66bceb561ae3c8ae190d4b7c6dffd6418acc5008a0
                                      • Opcode Fuzzy Hash: 44540b95e2b82c35a5bdd51e2e8a2a7dce502e12072dc454de90549c98219dab
                                      • Instruction Fuzzy Hash: F45151B4D142598FCB14DFA9C9805AEFBF2FF89304F24816AD418A7316D7319982CFA1
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1811761561.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_72a0000_DHL AWB_NO_92847309329.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 57aa678d079653ac7d18d0ee2e11333db8f248d589e27fa6ef08ba6b99db29fb
                                      • Instruction ID: 59979a5a222b03bed249e9dca2a5bfa003e956568f7df288da4cb5360fab68ee
                                      • Opcode Fuzzy Hash: 57aa678d079653ac7d18d0ee2e11333db8f248d589e27fa6ef08ba6b99db29fb
                                      • Instruction Fuzzy Hash: 7D512BB4E142198FCB14DFA9C9805AEFBF6FF89304F248169D418AB315D7319982CFA1
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1811761561.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_72a0000_DHL AWB_NO_92847309329.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 66cb753abc26824cc2b557d129c63f7d08064706ea7bc492cd42bdc16941472b
                                      • Instruction ID: 6c56f3b6d207b2c8583c52ba1a922dff244100f1e16b0df22c99d88add2e8d1e
                                      • Opcode Fuzzy Hash: 66cb753abc26824cc2b557d129c63f7d08064706ea7bc492cd42bdc16941472b
                                      • Instruction Fuzzy Hash: 12510CB5E142198FCB14DFA9C9805AEFBB2FF89304F24C169D418A7355D7319A82CFA1
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1811761561.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_72a0000_DHL AWB_NO_92847309329.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 5cc96bfdebc53da47e35b52040c70f0eed6affff1ff1549d8d335719839dbe81
                                      • Instruction ID: d2019d409e88aebcdfb18a573488ecc863133c35de5a3fca748601db841197aa
                                      • Opcode Fuzzy Hash: 5cc96bfdebc53da47e35b52040c70f0eed6affff1ff1549d8d335719839dbe81
                                      • Instruction Fuzzy Hash: 2141C3B4D29219EFCF08CFAAD9445EDBBFAAF8A300F14906AE419A7211D7748941CF50

                                      Execution Graph

                                      Execution Coverage:11.7%
                                      Dynamic/Decrypted Code Coverage:100%
                                      Signature Coverage:0%
                                      Total number of Nodes:200
                                      Total number of Limit Nodes:8
                                      execution_graph 40716 732f796 40721 a6f00b0 40716->40721 40735 a6f00c0 40716->40735 40749 a6f011e 40716->40749 40717 732f7a5 40722 a6f00da 40721->40722 40723 a6f00fe 40722->40723 40764 a6f04ef 40722->40764 40768 a6f0a70 40722->40768 40776 a6f0641 40722->40776 40785 a6f0c62 40722->40785 40790 a6f0d22 40722->40790 40797 a6f0796 40722->40797 40801 a6f0cda 40722->40801 40806 a6f08ab 40722->40806 40811 a6f061b 40722->40811 40816 a6f085b 40722->40816 40821 a6f0acc 40722->40821 40723->40717 40736 a6f00da 40735->40736 40737 a6f00fe 40736->40737 40738 a6f04ef 2 API calls 40736->40738 40739 a6f0acc 2 API calls 40736->40739 40740 a6f085b 2 API calls 40736->40740 40741 a6f061b 2 API calls 40736->40741 40742 a6f08ab 2 API calls 40736->40742 40743 a6f0cda 2 API calls 40736->40743 40744 a6f0796 2 API calls 40736->40744 40745 a6f0d22 4 API calls 40736->40745 40746 a6f0c62 2 API calls 40736->40746 40747 a6f0641 4 API calls 40736->40747 40748 a6f0a70 4 API calls 40736->40748 40737->40717 40738->40737 40739->40737 40740->40737 40741->40737 40742->40737 40743->40737 40744->40737 40745->40737 40746->40737 40747->40737 40748->40737 40750 a6f00ac 40749->40750 40751 a6f0121 40749->40751 40752 a6f00fe 40750->40752 40753 a6f04ef 2 API calls 40750->40753 40754 a6f0acc 2 API calls 40750->40754 40755 a6f085b 2 API calls 40750->40755 40756 a6f061b 2 API calls 40750->40756 40757 a6f08ab 2 API calls 40750->40757 40758 a6f0cda 2 API calls 40750->40758 40759 a6f0796 2 API calls 40750->40759 40760 a6f0d22 4 API calls 40750->40760 40761 a6f0c62 2 API calls 40750->40761 40762 a6f0641 4 API calls 40750->40762 40763 a6f0a70 4 API calls 40750->40763 40751->40717 40752->40717 40753->40752 40754->40752 40755->40752 40756->40752 40757->40752 40758->40752 40759->40752 40760->40752 40761->40752 40762->40752 40763->40752 40826 732f360 40764->40826 40830 732f354 40764->40830 40769 a6f0a78 40768->40769 40834 732f010 40769->40834 40838 732f018 40769->40838 40770 a6f0e9d 
40770->40723 40771 a6f0a99 40771->40770 40842 732f0d1 40771->40842 40846 732f0d8 40771->40846 40777 a6f0644 40776->40777 40778 a6f070c 40777->40778 40779 a6f06a4 40777->40779 40850 732f1c0 40778->40850 40854 732f1c8 40778->40854 40780 a6f0711 40779->40780 40858 732ee90 40779->40858 40862 732ee89 40779->40862 40780->40723 40780->40780 40786 a6f0c68 40785->40786 40788 732ee90 ResumeThread 40786->40788 40789 732ee89 ResumeThread 40786->40789 40787 a6f0bd0 40787->40723 40787->40787 40788->40787 40789->40787 40866 732ef40 40790->40866 40870 732ef39 40790->40870 40791 a6f0c7a 40792 a6f0bd0 40791->40792 40795 732ee90 ResumeThread 40791->40795 40796 732ee89 ResumeThread 40791->40796 40792->40723 40792->40792 40795->40792 40796->40792 40799 732ef40 Wow64SetThreadContext 40797->40799 40800 732ef39 Wow64SetThreadContext 40797->40800 40798 a6f07b3 40798->40723 40799->40798 40800->40798 40802 a6f0c7a 40801->40802 40803 a6f0bd0 40802->40803 40804 732ee90 ResumeThread 40802->40804 40805 732ee89 ResumeThread 40802->40805 40803->40723 40804->40803 40805->40803 40807 a6f08b4 40806->40807 40809 732f0d1 WriteProcessMemory 40807->40809 40810 732f0d8 WriteProcessMemory 40807->40810 40808 a6f0547 40809->40808 40810->40808 40812 a6f0628 40811->40812 40814 732f1c0 ReadProcessMemory 40812->40814 40815 732f1c8 ReadProcessMemory 40812->40815 40813 a6f0711 40813->40723 40814->40813 40815->40813 40819 732f0d1 WriteProcessMemory 40816->40819 40820 732f0d8 WriteProcessMemory 40816->40820 40817 a6f07d2 40817->40816 40818 a6f0547 40817->40818 40819->40817 40820->40817 40822 a6f0ad2 40821->40822 40823 a6f0e9d 40822->40823 40824 732f0d1 WriteProcessMemory 40822->40824 40825 732f0d8 WriteProcessMemory 40822->40825 40823->40723 40824->40822 40825->40822 40827 732f361 CreateProcessA 40826->40827 40829 732f5ab 40827->40829 40831 732f35a CreateProcessA 40830->40831 40833 732f5ab 40831->40833 40835 732f018 VirtualAllocEx 40834->40835 40837 732f095 40835->40837 40837->40771 40839 732f058 VirtualAllocEx 
40838->40839 40841 732f095 40839->40841 40841->40771 40843 732f0d8 WriteProcessMemory 40842->40843 40845 732f177 40843->40845 40845->40771 40847 732f120 WriteProcessMemory 40846->40847 40849 732f177 40847->40849 40849->40771 40851 732f1c8 ReadProcessMemory 40850->40851 40853 732f257 40851->40853 40853->40780 40855 732f213 ReadProcessMemory 40854->40855 40857 732f257 40855->40857 40857->40780 40859 732eed0 ResumeThread 40858->40859 40861 732ef01 40859->40861 40861->40780 40863 732ee90 ResumeThread 40862->40863 40865 732ef01 40863->40865 40865->40780 40867 732ef85 Wow64SetThreadContext 40866->40867 40869 732efcd 40867->40869 40869->40791 40871 732ef40 Wow64SetThreadContext 40870->40871 40873 732efcd 40871->40873 40873->40791 40905 144ac70 40906 144ac7f 40905->40906 40909 144ad57 40905->40909 40914 144ad68 40905->40914 40910 144ad9c 40909->40910 40912 144ad79 40909->40912 40910->40906 40911 144afa0 GetModuleHandleW 40913 144afcd 40911->40913 40912->40910 40912->40911 40913->40906 40915 144ad9c 40914->40915 40916 144ad79 40914->40916 40915->40906 40916->40915 40917 144afa0 GetModuleHandleW 40916->40917 40918 144afcd 40917->40918 40918->40906 40672 10bd01c 40673 10bd034 40672->40673 40674 10bd08e 40673->40674 40677 5362818 40673->40677 40683 5362809 40673->40683 40678 5362845 40677->40678 40679 5362877 40678->40679 40689 5362d7d 40678->40689 40693 5362d98 40678->40693 40697 5362da8 40678->40697 40684 5362845 40683->40684 40685 5362877 40684->40685 40686 5362d7d 2 API calls 40684->40686 40687 5362da8 2 API calls 40684->40687 40688 5362d98 2 API calls 40684->40688 40686->40685 40687->40685 40688->40685 40690 5362d87 40689->40690 40701 5362e60 40690->40701 40691 5362e48 40691->40679 40694 5362dbc 40693->40694 40696 5362e60 2 API calls 40694->40696 40695 5362e48 40695->40679 40696->40695 40699 5362dbc 40697->40699 40698 5362e48 40698->40679 40700 5362e60 2 API calls 40699->40700 40700->40698 40702 5362e71 40701->40702 40704 5364022 40701->40704 40702->40691 40708 5364050 
40704->40708 40712 5364040 40704->40712 40705 536403a 40705->40702 40709 5364092 40708->40709 40711 5364099 40708->40711 40710 53640ea CallWindowProcW 40709->40710 40709->40711 40710->40711 40711->40705 40713 5364050 40712->40713 40714 53640ea CallWindowProcW 40713->40714 40715 5364099 40713->40715 40714->40715 40715->40705 40874 a6f1348 40875 a6f14d3 40874->40875 40876 a6f136e 40874->40876 40876->40875 40879 a6f15c8 PostMessageW 40876->40879 40881 a6f15c0 40876->40881 40880 a6f1634 40879->40880 40880->40876 40882 a6f15c8 PostMessageW 40881->40882 40883 a6f1634 40882->40883 40883->40876 40884 1444668 40885 144467a 40884->40885 40886 1444686 40885->40886 40888 1444779 40885->40888 40889 144479d 40888->40889 40893 1444878 40889->40893 40897 1444888 40889->40897 40895 14448af 40893->40895 40894 144498c 40894->40894 40895->40894 40901 14444e0 40895->40901 40898 14448af 40897->40898 40899 14444e0 CreateActCtxA 40898->40899 40900 144498c 40898->40900 40899->40900 40902 1445918 CreateActCtxA 40901->40902 40904 14459db 40902->40904 40919 144d3f8 40920 144d43e 40919->40920 40924 144d5d8 40920->40924 40927 144d5c9 40920->40927 40921 144d52b 40925 144d606 40924->40925 40930 144b750 40924->40930 40925->40921 40928 144b750 DuplicateHandle 40927->40928 40929 144d606 40928->40929 40929->40921 40931 144d640 DuplicateHandle 40930->40931 40932 144d6d6 40931->40932 40932->40925

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 1511 732f354-732f358 1512 732f361-732f3f5 1511->1512 1513 732f35a-732f360 1511->1513 1516 732f3f7-732f401 1512->1516 1517 732f42e-732f44e 1512->1517 1513->1512 1516->1517 1518 732f403-732f405 1516->1518 1522 732f450-732f45a 1517->1522 1523 732f487-732f4b6 1517->1523 1520 732f407-732f411 1518->1520 1521 732f428-732f42b 1518->1521 1524 732f413 1520->1524 1525 732f415-732f424 1520->1525 1521->1517 1522->1523 1526 732f45c-732f45e 1522->1526 1533 732f4b8-732f4c2 1523->1533 1534 732f4ef-732f5a9 CreateProcessA 1523->1534 1524->1525 1525->1525 1527 732f426 1525->1527 1528 732f460-732f46a 1526->1528 1529 732f481-732f484 1526->1529 1527->1521 1531 732f46e-732f47d 1528->1531 1532 732f46c 1528->1532 1529->1523 1531->1531 1535 732f47f 1531->1535 1532->1531 1533->1534 1536 732f4c4-732f4c6 1533->1536 1545 732f5b2-732f638 1534->1545 1546 732f5ab-732f5b1 1534->1546 1535->1529 1537 732f4c8-732f4d2 1536->1537 1538 732f4e9-732f4ec 1536->1538 1540 732f4d6-732f4e5 1537->1540 1541 732f4d4 1537->1541 1538->1534 1540->1540 1542 732f4e7 1540->1542 1541->1540 1542->1538 1556 732f63a-732f63e 1545->1556 1557 732f648-732f64c 1545->1557 1546->1545 1556->1557 1558 732f640 1556->1558 1559 732f64e-732f652 1557->1559 1560 732f65c-732f660 1557->1560 1558->1557 1559->1560 1563 732f654 1559->1563 1561 732f662-732f666 1560->1561 1562 732f670-732f674 1560->1562 1561->1562 1564 732f668 1561->1564 1565 732f686-732f68d 1562->1565 1566 732f676-732f67c 1562->1566 1563->1560 1564->1562 1567 732f6a4 1565->1567 1568 732f68f-732f69e 1565->1568 1566->1565 1570 732f6a5 1567->1570 1568->1567 1570->1570
                                      APIs
                                      • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0732F596
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.1871404713.0000000007320000.00000040.00000800.00020000.00000000.sdmp, Offset: 07320000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_7320000_rjOyFV.jbxd
                                      Similarity
                                      • API ID: CreateProcess
                                      • String ID:
                                      • API String ID: 963392458-0
                                      • Opcode ID: 79edc3b24360d934762a69116e85409a2307d01e2fa8052af06d5156d20e3d86
                                      • Instruction ID: 12179604f9e7c00dfce893bb1e55277ef1f5f9f8973563e90962a917bcbd105f
                                      • Opcode Fuzzy Hash: 79edc3b24360d934762a69116e85409a2307d01e2fa8052af06d5156d20e3d86
                                      • Instruction Fuzzy Hash: 73A15DB1D0066ADFEB20CF68C941BEDBBB2FF48310F148169D808A7250D7759986DF91

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 1571 732f360-732f3f5 1574 732f3f7-732f401 1571->1574 1575 732f42e-732f44e 1571->1575 1574->1575 1576 732f403-732f405 1574->1576 1580 732f450-732f45a 1575->1580 1581 732f487-732f4b6 1575->1581 1578 732f407-732f411 1576->1578 1579 732f428-732f42b 1576->1579 1582 732f413 1578->1582 1583 732f415-732f424 1578->1583 1579->1575 1580->1581 1584 732f45c-732f45e 1580->1584 1591 732f4b8-732f4c2 1581->1591 1592 732f4ef-732f5a9 CreateProcessA 1581->1592 1582->1583 1583->1583 1585 732f426 1583->1585 1586 732f460-732f46a 1584->1586 1587 732f481-732f484 1584->1587 1585->1579 1589 732f46e-732f47d 1586->1589 1590 732f46c 1586->1590 1587->1581 1589->1589 1593 732f47f 1589->1593 1590->1589 1591->1592 1594 732f4c4-732f4c6 1591->1594 1603 732f5b2-732f638 1592->1603 1604 732f5ab-732f5b1 1592->1604 1593->1587 1595 732f4c8-732f4d2 1594->1595 1596 732f4e9-732f4ec 1594->1596 1598 732f4d6-732f4e5 1595->1598 1599 732f4d4 1595->1599 1596->1592 1598->1598 1600 732f4e7 1598->1600 1599->1598 1600->1596 1614 732f63a-732f63e 1603->1614 1615 732f648-732f64c 1603->1615 1604->1603 1614->1615 1616 732f640 1614->1616 1617 732f64e-732f652 1615->1617 1618 732f65c-732f660 1615->1618 1616->1615 1617->1618 1621 732f654 1617->1621 1619 732f662-732f666 1618->1619 1620 732f670-732f674 1618->1620 1619->1620 1622 732f668 1619->1622 1623 732f686-732f68d 1620->1623 1624 732f676-732f67c 1620->1624 1621->1618 1622->1620 1625 732f6a4 1623->1625 1626 732f68f-732f69e 1623->1626 1624->1623 1628 732f6a5 1625->1628 1626->1625 1628->1628
                                      APIs
                                      • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0732F596
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.1871404713.0000000007320000.00000040.00000800.00020000.00000000.sdmp, Offset: 07320000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_7320000_rjOyFV.jbxd
                                      Similarity
                                      • API ID: CreateProcess
                                      • String ID:
                                      • API String ID: 963392458-0
                                      • Opcode ID: 8a8b565c581cb6e44112d0082f00812f3342396f878f4d8048ee171f4bf93e7a
                                      • Instruction ID: 9ffb9083150fda84afd873e193c2eeb3238140a0fea245d552cdabb62539bcab
                                      • Opcode Fuzzy Hash: 8a8b565c581cb6e44112d0082f00812f3342396f878f4d8048ee171f4bf93e7a
                                      • Instruction Fuzzy Hash: CC915DB1D0026ADFEB20CFA8C941BDDBBB2FF48310F148169D808A7250D7749986DF91

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 1629 144ad68-144ad77 1630 144ada3-144ada7 1629->1630 1631 144ad79-144ad86 call 144a0c0 1629->1631 1633 144ada9-144adb3 1630->1633 1634 144adbb-144adfc 1630->1634 1636 144ad9c 1631->1636 1637 144ad88 1631->1637 1633->1634 1640 144adfe-144ae06 1634->1640 1641 144ae09-144ae17 1634->1641 1636->1630 1684 144ad8e call 144aff0 1637->1684 1685 144ad8e call 144b000 1637->1685 1640->1641 1642 144ae19-144ae1e 1641->1642 1643 144ae3b-144ae3d 1641->1643 1645 144ae20-144ae27 call 144a0cc 1642->1645 1646 144ae29 1642->1646 1647 144ae40-144ae47 1643->1647 1644 144ad94-144ad96 1644->1636 1648 144aed8-144af98 1644->1648 1649 144ae2b-144ae39 1645->1649 1646->1649 1651 144ae54-144ae5b 1647->1651 1652 144ae49-144ae51 1647->1652 1679 144afa0-144afcb GetModuleHandleW 1648->1679 1680 144af9a-144af9d 1648->1680 1649->1647 1655 144ae5d-144ae65 1651->1655 1656 144ae68-144ae6a call 144a0dc 1651->1656 1652->1651 1655->1656 1659 144ae6f-144ae71 1656->1659 1660 144ae73-144ae7b 1659->1660 1661 144ae7e-144ae83 1659->1661 1660->1661 1663 144ae85-144ae8c 1661->1663 1664 144aea1-144aeae 1661->1664 1663->1664 1665 144ae8e-144ae9e call 144a0ec call 144a0fc 1663->1665 1670 144aeb0-144aece 1664->1670 1671 144aed1-144aed7 1664->1671 1665->1664 1670->1671 1681 144afd4-144afe8 1679->1681 1682 144afcd-144afd3 1679->1682 1680->1679 1682->1681 1684->1644 1685->1644
                                      APIs
                                      • GetModuleHandleW.KERNELBASE(00000000), ref: 0144AFBE
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.1866229392.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_1440000_rjOyFV.jbxd
                                      Similarity
                                      • API ID: HandleModule
                                      • String ID:
                                      • API String ID: 4139908857-0
                                      • Opcode ID: a8782443e9f05e68e5b0b91d8fc7edffedb8078f5b203a6f35b27de960ad77bd
                                      • Instruction ID: 71c43dc151c22ba27f807460def2e8ebf27278b1390347a3934ba157255f8132
                                      • Opcode Fuzzy Hash: a8782443e9f05e68e5b0b91d8fc7edffedb8078f5b203a6f35b27de960ad77bd
                                      • Instruction Fuzzy Hash: C47135B0A40B058FE724DF69D44479BBBF1BF88210F208A2ED596D7B50DB75E845CB90

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 1686 14444e0-14459d9 CreateActCtxA 1689 14459e2-1445a3c 1686->1689 1690 14459db-14459e1 1686->1690 1697 1445a3e-1445a41 1689->1697 1698 1445a4b-1445a4f 1689->1698 1690->1689 1697->1698 1699 1445a60 1698->1699 1700 1445a51-1445a5d 1698->1700 1702 1445a61 1699->1702 1700->1699 1702->1702
                                      APIs
                                      • CreateActCtxA.KERNEL32(?), ref: 014459C9
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.1866229392.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_1440000_rjOyFV.jbxd
                                      Similarity
                                      • API ID: Create
                                      • String ID:
                                      • API String ID: 2289755597-0
                                      • Opcode ID: 1811fb68864f9d753619f3729ca6f2e8e994c956012bc0afd49898215159cb27
                                      • Instruction ID: 8be1e1692cabf28fd74a78e4d64275a53ab50d4d9898ec1d383558404dc35c80
                                      • Opcode Fuzzy Hash: 1811fb68864f9d753619f3729ca6f2e8e994c956012bc0afd49898215159cb27
                                      • Instruction Fuzzy Hash: AF41C2B0C0071DCBEF24DFA9C984B9EBBB6BF49304F64805AD408AB251DB756945CF90

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 1703 144590c-1445913 1704 1445918-14459d9 CreateActCtxA 1703->1704 1706 14459e2-1445a3c 1704->1706 1707 14459db-14459e1 1704->1707 1714 1445a3e-1445a41 1706->1714 1715 1445a4b-1445a4f 1706->1715 1707->1706 1714->1715 1716 1445a60 1715->1716 1717 1445a51-1445a5d 1715->1717 1719 1445a61 1716->1719 1717->1716 1719->1719
                                      APIs
                                      • CreateActCtxA.KERNEL32(?), ref: 014459C9
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.1866229392.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_1440000_rjOyFV.jbxd
                                      Similarity
                                      • API ID: Create
                                      • String ID:
                                      • API String ID: 2289755597-0
                                      • Opcode ID: 67b346028456a479981f1c394ec24ed1871b51107e9c1942e75b9861bb1bf8b4
                                      • Instruction ID: 7ff52048299a644305bf5750a61ba31e9343a1846e3cef17def384c2385b7b8e
                                      • Opcode Fuzzy Hash: 67b346028456a479981f1c394ec24ed1871b51107e9c1942e75b9861bb1bf8b4
                                      • Instruction Fuzzy Hash: D041C0B1C0071DCBEF24CFA9C984B9EBBB6BF49304F64805AD408AB265DB756945CF90


                                      Control-flow Graph (rendered graph omitted)

                                      APIs
                                      • CallWindowProcW.USER32(?,?,?,?,?), ref: 05364111
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.1869999421.0000000005360000.00000040.00000800.00020000.00000000.sdmp, Offset: 05360000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_5360000_rjOyFV.jbxd
                                      Similarity
                                      • API ID: CallProcWindow
                                      • String ID:
                                      • API String ID: 2714655100-0
                                      • Opcode ID: 85ec1c680409661c7c82a44e25cccc3f3632e6210e647f73921cfefe4a3552da
                                      • Instruction ID: 405dfb8a21651b7e7e2bf7895e6d8536b9d3ed75f09c863abd281f070c9f68b5
                                      • Opcode Fuzzy Hash: 85ec1c680409661c7c82a44e25cccc3f3632e6210e647f73921cfefe4a3552da
                                      • Instruction Fuzzy Hash: 9A411BB8A00305CFCB14CF99C488A9ABBF6FF88314F24C459D519AB321D775A841CFA0


                                      Control-flow Graph (rendered graph omitted)

                                      APIs
                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0144D606,?,?,?,?,?), ref: 0144D6C7
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.1866229392.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_1440000_rjOyFV.jbxd
                                      Similarity
                                      • API ID: DuplicateHandle
                                      • String ID:
                                      • API String ID: 3793708945-0
                                      • Opcode ID: abd1d14c48e6e819d2559960b84ddeff288434cba852962bc1c656688eb80a30
                                      • Instruction ID: 427ad53c7afcac2cfb2070ddaaa307676ce348e979b581277acaf97c6191a960
                                      • Opcode Fuzzy Hash: abd1d14c48e6e819d2559960b84ddeff288434cba852962bc1c656688eb80a30
                                      • Instruction Fuzzy Hash: 89318574A403418FE704EF61E8597693FADF794311F218636EB158B3D8CAB45959CF10


                                      Control-flow Graph (rendered graph omitted)

                                      APIs
                                      • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0732F168
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.1871404713.0000000007320000.00000040.00000800.00020000.00000000.sdmp, Offset: 07320000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_7320000_rjOyFV.jbxd
                                      Similarity
                                      • API ID: MemoryProcessWrite
                                      • String ID:
                                      • API String ID: 3559483778-0
                                      • Opcode ID: 492ff51d0bf512cfc1383ba08ca1023fb255d9e1ffaa143295273310d5e9b943
                                      • Instruction ID: c12d8bb31f1dcb5d51c3fe304f9adc4154f9c72b256a9cfac42dc7ad2377ab57
                                      • Opcode Fuzzy Hash: 492ff51d0bf512cfc1383ba08ca1023fb255d9e1ffaa143295273310d5e9b943
                                      • Instruction Fuzzy Hash: 41214BB590035A9FDB10CFA9C981BDEBFF5FF48320F50842AE558A7240C7799541DBA1
                                      APIs
                                      • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0732F168
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.1871404713.0000000007320000.00000040.00000800.00020000.00000000.sdmp, Offset: 07320000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_7320000_rjOyFV.jbxd
                                      Similarity
                                      • API ID: MemoryProcessWrite
                                      • String ID:
                                      • API String ID: 3559483778-0
                                      • Opcode ID: 8d68749dd59e76758f9b1cf2a0fcc044f4ff8242b123855bc12498ea00ab6f81
                                      • Instruction ID: bac940e34d3196282afbfa7bb04f962076e640d9513449654959b7340cf820b8
                                      • Opcode Fuzzy Hash: 8d68749dd59e76758f9b1cf2a0fcc044f4ff8242b123855bc12498ea00ab6f81
                                      • Instruction Fuzzy Hash: 84212AB590035A9FDB10CFA9C981BDEBBF5FF48310F50842AE519A7240C778A541DBA1
                                      APIs
                                      • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0732F248
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.1871404713.0000000007320000.00000040.00000800.00020000.00000000.sdmp, Offset: 07320000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_7320000_rjOyFV.jbxd
                                      Similarity
                                      • API ID: MemoryProcessRead
                                      • String ID:
                                      • API String ID: 1726664587-0
                                      • Opcode ID: fcf77254ece4d63a62b916c0a17c8523b6b8b6522781d6f62ac9cb69cac6e336
                                      • Instruction ID: fbb9cebb811579b5057123ee65f525c28738f7f8032c243c135c332628c517c9
                                      • Opcode Fuzzy Hash: fcf77254ece4d63a62b916c0a17c8523b6b8b6522781d6f62ac9cb69cac6e336
                                      • Instruction Fuzzy Hash: 432139B580035A9FDB10CFAAC881AEEFBF5FF48320F14842AE559A7240C7789501DBA1
                                      APIs
                                      • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0732EFBE
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.1871404713.0000000007320000.00000040.00000800.00020000.00000000.sdmp, Offset: 07320000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_7320000_rjOyFV.jbxd
                                      Similarity
                                      • API ID: ContextThreadWow64
                                      • String ID:
                                      • API String ID: 983334009-0
                                      • Opcode ID: e60b721c76116bec50d650093cd42d12137fed0c2c1986974abe7e069f4c92d7
                                      • Instruction ID: da3cb37c3da03bede641e67cd903e504caf3548ae99ae92e40fad2ea1e8c0ac7
                                      • Opcode Fuzzy Hash: e60b721c76116bec50d650093cd42d12137fed0c2c1986974abe7e069f4c92d7
                                      • Instruction Fuzzy Hash: 09216AB19003199FDB10CFAAC4857EEBFF4EF48324F64842AD559A7240C7789945CFA1
                                      APIs
                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0144D606,?,?,?,?,?), ref: 0144D6C7
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.1866229392.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_1440000_rjOyFV.jbxd
                                      Similarity
                                      • API ID: DuplicateHandle
                                      • String ID:
                                      • API String ID: 3793708945-0
                                      • Opcode ID: f11fb72f20b7014ff4328e13789dc3c4aae0e94a0d41bfc17c6fdeb8a5ff68cb
                                      • Instruction ID: d0e741d4fe8ed45a5ab382d8b473744360ebd09fb708a030d58c17bf4abb0047
                                      • Opcode Fuzzy Hash: f11fb72f20b7014ff4328e13789dc3c4aae0e94a0d41bfc17c6fdeb8a5ff68cb
                                      • Instruction Fuzzy Hash: 2821E3B5D002589FDB10CF9AD984ADEBBF9EB48320F14841AE918A7310D378A950CFA5
                                      APIs
                                      • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0732F248
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.1871404713.0000000007320000.00000040.00000800.00020000.00000000.sdmp, Offset: 07320000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_7320000_rjOyFV.jbxd
                                      Similarity
                                      • API ID: MemoryProcessRead
                                      • String ID:
                                      • API String ID: 1726664587-0
                                      • Opcode ID: b29f095345c06d7cd15869b2605ee61c5d95b35ec9acaebd7a10c84ac82cedfe
                                      • Instruction ID: a91bf2b4e13909f23a9cbd1475e1daf9885cb08538f5c58796d38dc0dc8f4fb1
                                      • Opcode Fuzzy Hash: b29f095345c06d7cd15869b2605ee61c5d95b35ec9acaebd7a10c84ac82cedfe
                                      • Instruction Fuzzy Hash: 4F2139B5D003599FDB10CFAAC981AEEFBF5FF48320F10842AE519A7240C7799501DBA1
                                      APIs
                                      • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0732EFBE
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.1871404713.0000000007320000.00000040.00000800.00020000.00000000.sdmp, Offset: 07320000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_7320000_rjOyFV.jbxd
                                      Similarity
                                      • API ID: ContextThreadWow64
                                      • String ID:
                                      • API String ID: 983334009-0
                                      • Opcode ID: 49b16f797e4cf427ba0709882603c27d4b9938c713ae14cda1f2fdfac9accaf9
                                      • Instruction ID: 1c42039360deec6f4b76424928a16e2c0c89d89fec9521351ee120c828d32299
                                      • Opcode Fuzzy Hash: 49b16f797e4cf427ba0709882603c27d4b9938c713ae14cda1f2fdfac9accaf9
                                      • Instruction Fuzzy Hash: 932138B59003199FDB10CFAAC4857AEBBF4EF48324F54842AD419A7240C7789945DFA1
                                      APIs
                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0144D606,?,?,?,?,?), ref: 0144D6C7
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.1866229392.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_1440000_rjOyFV.jbxd
                                      Similarity
                                      • API ID: DuplicateHandle
                                      • String ID:
                                      • API String ID: 3793708945-0
                                      • Opcode ID: 1bdc2beca352b3bcc208939b433ab896f8eb97887c47f3ea9275e0503168ffff
                                      • Instruction ID: 68399c2120672ff8abe0add64a0df32a29945dcb08c1dcaa07c1f37a37c0eff1
                                      • Opcode Fuzzy Hash: 1bdc2beca352b3bcc208939b433ab896f8eb97887c47f3ea9275e0503168ffff
                                      • Instruction Fuzzy Hash: AF21E3B5D002489FDB10CFAAD584ADEBBF5FB48320F24841AE918A7311C378A954DF65
                                      APIs
                                      • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0732F086
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.1871404713.0000000007320000.00000040.00000800.00020000.00000000.sdmp, Offset: 07320000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_7320000_rjOyFV.jbxd
                                      Similarity
                                      • API ID: AllocVirtual
                                      • String ID:
                                      • API String ID: 4275171209-0
                                      • Opcode ID: 5a0c4dea504dcb38649c79d411b309639566dc9847b94cd7bb3413412f1e2d22
                                      • Instruction ID: 120d2b0d56bd294097279c398ddc4fbd736a39f6715d370b56c942bef38195a5
                                      • Opcode Fuzzy Hash: 5a0c4dea504dcb38649c79d411b309639566dc9847b94cd7bb3413412f1e2d22
                                      • Instruction Fuzzy Hash: 90216AB590024A9FCB10CFA9C841ADEBFF5EF48320F208419E519A7210C775A541DFA1
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.1871404713.0000000007320000.00000040.00000800.00020000.00000000.sdmp, Offset: 07320000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_7320000_rjOyFV.jbxd
                                      Similarity
                                      • API ID: ResumeThread
                                      • String ID:
                                      • API String ID: 947044025-0
                                      • Opcode ID: 6a1d73bb80919d9884d97c946aebaf1ec6378e02a6a8b752115a0a38dbe91589
                                      • Instruction ID: 7ef124151ceceecdcc7afaf85cf1f9a361d3286328e002890cff6d651cdf60a8
                                      • Opcode Fuzzy Hash: 6a1d73bb80919d9884d97c946aebaf1ec6378e02a6a8b752115a0a38dbe91589
                                      • Instruction Fuzzy Hash: A4118BB59003898FDB20CFAAC4457DFFFF9AF88320F24841AD419A7240CB756841CBA5
                                      APIs
                                      • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0732F086
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.1871404713.0000000007320000.00000040.00000800.00020000.00000000.sdmp, Offset: 07320000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_7320000_rjOyFV.jbxd
                                      Similarity
                                      • API ID: AllocVirtual
                                      • String ID:
                                      • API String ID: 4275171209-0
                                      • Opcode ID: ad31c4624b4964dde264aff5e28b00a568fb2e30195bdb69478831d76416d0a0
                                      • Instruction ID: ec11cd220ff40a3150c7d8f04df11ea523f3b564284fb9870de4349ae757eecd
                                      • Opcode Fuzzy Hash: ad31c4624b4964dde264aff5e28b00a568fb2e30195bdb69478831d76416d0a0
                                      • Instruction Fuzzy Hash: 1B113AB5900249DFDB10DFAAC845ADFBFF5EF48320F248419E519A7250C775A540DFA1
                                      APIs
                                      • PostMessageW.USER32(?,?,?,?), ref: 0A6F1625
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.1872897990.000000000A6F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A6F0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_a6f0000_rjOyFV.jbxd
                                      Similarity
                                      • API ID: MessagePost
                                      • String ID:
                                      • API String ID: 410705778-0
                                      • Opcode ID: ce50fc756cba24d2cd8af4aecad135da56aafe7bb2df00fb2b5ef42db1cdd988
                                      • Instruction ID: 8e8199ad94832da7e0fa62b84b226ab1539d1969223912cbdef2e62165aecce6
                                      • Opcode Fuzzy Hash: ce50fc756cba24d2cd8af4aecad135da56aafe7bb2df00fb2b5ef42db1cdd988
                                      • Instruction Fuzzy Hash: AE11E3B5800349DFDB10CF9AD945BDEBBF8EB49324F24841AE654A7240C375A544CFA5
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.1871404713.0000000007320000.00000040.00000800.00020000.00000000.sdmp, Offset: 07320000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_7320000_rjOyFV.jbxd
                                      Similarity
                                      • API ID: ResumeThread
                                      • String ID:
                                      • API String ID: 947044025-0
                                      • Opcode ID: b6d150793edf901cab39d661cbd48677ae14f3fb476d002afea377209c39d4b8
                                      • Instruction ID: cc11c84ce75b34c223b3f7a30f4b619fb0fffcb09254510863a2ca1d37690cb8
                                      • Opcode Fuzzy Hash: b6d150793edf901cab39d661cbd48677ae14f3fb476d002afea377209c39d4b8
                                      • Instruction Fuzzy Hash: 3C1136B5D003598FDB20DFAAC44579EFBF9EF88324F24841AD519A7340CB79A940CBA5
                                      APIs
                                      • GetModuleHandleW.KERNELBASE(00000000), ref: 0144AFBE
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.1866229392.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_1440000_rjOyFV.jbxd
                                      Similarity
                                      • API ID: HandleModule
                                      • String ID:
                                      • API String ID: 4139908857-0
                                      • Opcode ID: 95bd4dd4cb0ed023886733dd77699a540f2482548e5422f803096347b6666832
                                      • Instruction ID: bb7d11db5cae62c9efe4940f36e78aaae84f75a5584fa9a9717e37633eaf5f29
                                      • Opcode Fuzzy Hash: 95bd4dd4cb0ed023886733dd77699a540f2482548e5422f803096347b6666832
                                      • Instruction Fuzzy Hash: FB11E0B5C002498FEB10CF9AD544ADEFBF9EF88324F24841AD919A7750C379A545CFA1
                                      APIs
                                      • PostMessageW.USER32(?,?,?,?), ref: 0A6F1625
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.1872897990.000000000A6F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A6F0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_a6f0000_rjOyFV.jbxd
                                      Similarity
                                      • API ID: MessagePost
                                      • String ID:
                                      • API String ID: 410705778-0
                                      • Opcode ID: d6e2075a1223fd10319463b4b7b8963b5c65840e4eeab39c745743b449ac2b24
                                      • Instruction ID: 5ebd1df08c3a2c3cfa0ee6c7a0cb87981cc23f5d83c0220f606cab3c0fcc6bf3
                                      • Opcode Fuzzy Hash: d6e2075a1223fd10319463b4b7b8963b5c65840e4eeab39c745743b449ac2b24
                                      • Instruction Fuzzy Hash: 0811D3B5800349DFDB10CF9AD985BDEBBF8EB49324F24841AD658A7700C379A544CFA5
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.1865415885.00000000010AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010AD000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_10ad000_rjOyFV.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: e787d92f5d0cff792fc59ccd64ed832f15e8e332a090c85766147083c435e980
                                      • Instruction ID: f07d424798eaff0298a1f294386de6319e408ffe6be7fb53998c73cbd268c598
                                      • Opcode Fuzzy Hash: e787d92f5d0cff792fc59ccd64ed832f15e8e332a090c85766147083c435e980
                                      • Instruction Fuzzy Hash: EF216AB1504200DFDB05DF88C9C0B6ABFA5FB88324F60C5ADE9490F656C736E446CBA1
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.1865471705.00000000010BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010BD000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_10bd000_rjOyFV.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 750eb0accafd87f6f4ed292b7d5fcad2fd6f5efe756bd5fa46b1604774e96967
                                      • Instruction ID: 034cfd7eedcc72a1195452f4fb2a52327fd57428a5ddc9ce4d31382f18a1f687
                                      • Opcode Fuzzy Hash: 750eb0accafd87f6f4ed292b7d5fcad2fd6f5efe756bd5fa46b1604774e96967
                                      • Instruction Fuzzy Hash: F1210375514200DFCB15DF58D5C0B26FBA5EB84358F24C9ADE98A4B246C33AD407CB61
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.1865471705.00000000010BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010BD000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_10bd000_rjOyFV.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 786f75370935e933858017f8d2c569db78c374f912fba14cd5c5e9d945da7e9a
                                      • Instruction ID: 0ed302cc49f7be152858f88da7a65a19f8b582779e49f1e797b44fe50e635268
                                      • Opcode Fuzzy Hash: 786f75370935e933858017f8d2c569db78c374f912fba14cd5c5e9d945da7e9a
                                      • Instruction Fuzzy Hash: 202149B1504240EFDB05DF98D5C0B26FBA5FB94328F20C9ADE9894B252C336D806CB61
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.1865471705.00000000010BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010BD000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_10bd000_rjOyFV.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 894342dc470f3528f7ce087e58760f1cef3568812ac9951ace8d7b366718ba1f
                                      • Instruction ID: 9a47179086d74dbb20243ba5c1b2ce74140d2716236faf57dc27a1615ef492d8
                                      • Opcode Fuzzy Hash: 894342dc470f3528f7ce087e58760f1cef3568812ac9951ace8d7b366718ba1f
                                      • Instruction Fuzzy Hash: 672153755083809FDB12CF54D9D4B11BFB1EB46214F28C5DAD8898F2A7C33AD856CB62
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.1865415885.00000000010AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010AD000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_10ad000_rjOyFV.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: d470e05bf275f9961b8f2d54e60ae5f944f02dbb38b852c854ecf385a2209709
                                      • Instruction ID: 3831365af5c082359b9bed9babe2d96423de2b3e3bce0f329e3e5ba6733a4dff
                                      • Opcode Fuzzy Hash: d470e05bf275f9961b8f2d54e60ae5f944f02dbb38b852c854ecf385a2209709
                                      • Instruction Fuzzy Hash: 7C110376404240CFDB12CF84D5C4B56BFB2FB84324F24C2A9D9490B657C33AE45ACBA1
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.1865471705.00000000010BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010BD000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_10bd000_rjOyFV.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 244c614e04a80719a4cbb1e35d09afbc7f52f2045db6f081cea45e42cbbeead8
                                      • Instruction ID: ca9cd63d935613c2be3069ea0a47a79a555cc51a6cae37518a4b8f270dc3646a
                                      • Opcode Fuzzy Hash: 244c614e04a80719a4cbb1e35d09afbc7f52f2045db6f081cea45e42cbbeead8
                                      • Instruction Fuzzy Hash: AC11BB75504280DFDB12CF54C5C0B15FFA2FB84228F24C6AAD8894B696C33AD84ACB61
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.1865415885.00000000010AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010AD000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_10ad000_rjOyFV.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 650ef6f6babb91eb160a03d0c6e722236e30112ff41435b71d5e480ba0b482db
                                      • Instruction ID: fe639c95e2dd34af89fe617b7912a94e19fe647057402524ffde404076a04a5d
                                      • Opcode Fuzzy Hash: 650ef6f6babb91eb160a03d0c6e722236e30112ff41435b71d5e480ba0b482db
                                      • Instruction Fuzzy Hash: 3701F7710043809AE7558AE9CCC4B6EBFE8EF41360F58C45BED494A682D7389840C7B1
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.1865415885.00000000010AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010AD000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_10ad000_rjOyFV.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 99a796b2f75a1b6d572765491775e7dad879a90413173b0406cf61609ea89ef4
                                      • Instruction ID: bd452a110e781ebcfda595e6a05d65d2956cf1fee14bea673d2f7a75bcd83915
                                      • Opcode Fuzzy Hash: 99a796b2f75a1b6d572765491775e7dad879a90413173b0406cf61609ea89ef4
                                      • Instruction Fuzzy Hash: 37F0C2714043809EE7258A4ADDC4B66FFE8EF51624F18C45BED494A686D379A844CBB0

                                      Execution Graph

                                      Execution Coverage:1.8%
                                      Dynamic/Decrypted Code Coverage:0%
                                      Signature Coverage:3.6%
                                      Total number of Nodes:643
                                      Total number of Limit Nodes:17

                                      Control-flow Graph

                                      APIs
                                      • LoadLibraryA.KERNELBASE(Psapi.dll,GetModuleFileNameExA,?,?,?,?,0040D40C), ref: 0041A8EF
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041A8F8
                                      • GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExA,?,?,?,?,0040D40C), ref: 0041A90F
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041A912
                                      • LoadLibraryA.KERNEL32(Psapi.dll,GetModuleFileNameExW,?,?,?,?,0040D40C), ref: 0041A924
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041A927
                                      • GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExW,?,?,?,?,0040D40C), ref: 0041A93D
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041A940
                                      • GetModuleHandleA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040D40C), ref: 0041A951
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041A954
                                      • GetModuleHandleA.KERNEL32(user32,SetProcessDpiAware,?,?,?,?,0040D40C), ref: 0041A969
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041A96C
                                      • LoadLibraryA.KERNEL32(ntdll.dll,NtUnmapViewOfSection,?,?,?,?,0040D40C), ref: 0041A97D
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041A980
                                      • LoadLibraryA.KERNEL32(kernel32.dll,GlobalMemoryStatusEx,?,?,?,?,0040D40C), ref: 0041A98C
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041A98F
                                      • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040D40C), ref: 0041A9A1
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041A9A4
                                      • GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040D40C), ref: 0041A9B1
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041A9B4
                                      • LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040D40C), ref: 0041A9C5
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041A9C8
                                      • GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040D40C), ref: 0041A9D5
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041A9D8
                                      • GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040D40C), ref: 0041A9EA
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041A9ED
                                      • GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040D40C), ref: 0041A9FA
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041A9FD
                                      • GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040D40C), ref: 0041AA0A
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041AA0D
                                      • GetModuleHandleA.KERNEL32(kernel32.dll,GetSystemTimes,?,?,?,?,0040D40C), ref: 0041AA1F
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041AA22
                                      • LoadLibraryA.KERNEL32(Shlwapi.dll,0000000C,?,?,?,?,0040D40C), ref: 0041AA30
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041AA33
                                      • LoadLibraryA.KERNEL32(kernel32.dll,GetConsoleWindow,?,?,?,?,0040D40C), ref: 0041AA40
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041AA43
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AddressProc$HandleModule$LibraryLoad
                                      • String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetModuleFileNameExA$GetModuleFileNameExW$GetMonitorInfoW$GetSystemTimes$GlobalMemoryStatusEx$IsUserAnAdmin$IsWow64Process$Kernel32.dll$NtUnmapViewOfSection$Psapi.dll$SetProcessDEPPolicy$SetProcessDpiAware$SetProcessDpiAwareness$Shell32$Shlwapi.dll$kernel32$kernel32.dll$ntdll.dll$shcore$user32
                                      • API String ID: 551388010-2474455403
                                      • Opcode ID: e80cee8c84c8c84204283680f0404711a146afcd0be7a07adf6e8d3a182e926f
                                      • Instruction ID: 1e7ebd14e1f9a52016720e07cc743ec1e909bc11fdf6f09267ddb838bd68d733
                                      • Opcode Fuzzy Hash: e80cee8c84c8c84204283680f0404711a146afcd0be7a07adf6e8d3a182e926f
                                      • Instruction Fuzzy Hash: 9031EBF0E413587ADB207BBA5C09E5B3E9CDA80794711052BB408D3661FAFC9C448E6E

                                      Control-flow Graph

                                      APIs
                                      • GetCurrentProcess.KERNEL32(00000000,?,0044078B,00000000,0046B4F8,0000000C,004408E2,00000000,00000002,00000000), ref: 004407D6
                                      • TerminateProcess.KERNEL32(00000000,?,0044078B,00000000,0046B4F8,0000000C,004408E2,00000000,00000002,00000000), ref: 004407DD
                                      • ExitProcess.KERNEL32 ref: 004407EF
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Process$CurrentExitTerminate
                                      • String ID:
                                      • API String ID: 1703294689-0
                                      • Opcode ID: ab47e799b5bc4cc6dde358da0dc0a23fd4678ab9e3bf0635ceb4545ab71368f2
                                      • Instruction ID: 8c86c1f28e0fd2f6406888839527a8aea1509f7e03a0ffdd8510570f14deced8
                                      • Opcode Fuzzy Hash: ab47e799b5bc4cc6dde358da0dc0a23fd4678ab9e3bf0635ceb4545ab71368f2
                                      • Instruction Fuzzy Hash: 9AE04631000608ABEF017F20DD48A493B29EB40346F410029F9088B232CB3DED52CA89

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      APIs
                                        • Part of subcall function 0041A8DA: LoadLibraryA.KERNELBASE(Psapi.dll,GetModuleFileNameExA,?,?,?,?,0040D40C), ref: 0041A8EF
                                        • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A8F8
                                        • Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExA,?,?,?,?,0040D40C), ref: 0041A90F
                                        • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A912
                                        • Part of subcall function 0041A8DA: LoadLibraryA.KERNEL32(Psapi.dll,GetModuleFileNameExW,?,?,?,?,0040D40C), ref: 0041A924
                                        • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A927
                                        • Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExW,?,?,?,?,0040D40C), ref: 0041A93D
                                        • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A940
                                        • Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040D40C), ref: 0041A951
                                        • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A954
                                        • Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(user32,SetProcessDpiAware,?,?,?,?,0040D40C), ref: 0041A969
                                        • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A96C
                                        • Part of subcall function 0041A8DA: LoadLibraryA.KERNEL32(ntdll.dll,NtUnmapViewOfSection,?,?,?,?,0040D40C), ref: 0041A97D
                                        • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A980
                                        • Part of subcall function 0041A8DA: LoadLibraryA.KERNEL32(kernel32.dll,GlobalMemoryStatusEx,?,?,?,?,0040D40C), ref: 0041A98C
                                        • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A98F
                                        • Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040D40C), ref: 0041A9A1
                                        • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A9A4
                                        • Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040D40C), ref: 0041A9B1
                                        • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A9B4
                                        • Part of subcall function 0041A8DA: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040D40C), ref: 0041A9C5
                                        • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A9C8
                                        • Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040D40C), ref: 0041A9D5
                                        • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A9D8
                                        • Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040D40C), ref: 0041A9EA
                                        • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A9ED
                                        • Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040D40C), ref: 0041A9FA
                                        • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A9FD
                                      • OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 0040D603
                                        • Part of subcall function 0040F98D: __EH_prolog.LIBCMT ref: 0040F992
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AddressProc$HandleModule$LibraryLoad$H_prologMutexOpen
                                      • String ID: (#G$0"G$0"G$0"G$Access Level: $Administrator$Exe$H"G$H"G$Inj$Remcos Agent initialized$Software\$User$`"G$exepath$licence$license_code.txt$origmsc$!G$!G$!G$!G$!G
                                      • API String ID: 1529173511-1365410817
                                      • Opcode ID: 247c226a062b47ce7864b045c16d0391970f561cd3808a145f5236f79d582a9c
                                      • Instruction ID: a36e185f3bd9362bdba41541190492353975b392bf08c7d21c2bc217d0697d36
                                      • Opcode Fuzzy Hash: 247c226a062b47ce7864b045c16d0391970f561cd3808a145f5236f79d582a9c
                                      • Instruction Fuzzy Hash: 5622B960B043412BDA1577B69C67A7E25998F81708F04483FF946BB2E3EEBC4D05839E

                                      Control-flow Graph

                                      APIs
                                      • WaitForSingleObject.KERNEL32(?,000000FF,00000000,00471E90,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E18
                                      • SetEvent.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E23
                                      • CloseHandle.KERNELBASE(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E2C
                                      • closesocket.WS2_32(?), ref: 00404E3A
                                      • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E71
                                      • SetEvent.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E82
                                      • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E89
                                      • SetEvent.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E9A
                                      • CloseHandle.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E9F
                                      • CloseHandle.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404EA4
                                      • SetEvent.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404EB1
                                      • CloseHandle.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404EB6
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseEventHandle$ObjectSingleWait$closesocket
                                      • String ID:
                                      • API String ID: 3658366068-0
                                      • Opcode ID: b1c96c5231e2cfca5084612c4e73afdaef55ac4315f506c78c7bb7997b29a698
                                      • Instruction ID: b890c501aeabc943cf782ca315c2c368517b908ebe77e8074f52597b82095e9a
                                      • Opcode Fuzzy Hash: b1c96c5231e2cfca5084612c4e73afdaef55ac4315f506c78c7bb7997b29a698
                                      • Instruction Fuzzy Hash: 1B212C71000B009FDB216B26DC49B17BBE5FF40326F114A2DE2E212AF1CB79E851DB58

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 437 4457a9-4457c0 GetLastError 438 4457c2-4457cc call 445ceb 437->438 439 4457ce-4457d5 call 443005 437->439 438->439 444 44581f-445826 SetLastError 438->444 443 4457da-4457e0 439->443 445 4457e2 443->445 446 4457eb-4457f9 call 445d41 443->446 448 445828-44582d 444->448 449 4457e3-4457e9 call 443c92 445->449 453 4457fe-445814 call 445597 call 443c92 446->453 454 4457fb-4457fc 446->454 455 445816-44581d SetLastError 449->455 453->444 453->455 454->449 455->448
                                      APIs
                                      • GetLastError.KERNEL32(?,00000000,?,00439A11,00000000,?,?,00439A95,00000000,00000000,00000000,00000000,00000000,?,?), ref: 004457AE
                                      • _free.LIBCMT ref: 004457E3
                                      • _free.LIBCMT ref: 0044580A
                                      • SetLastError.KERNEL32(00000000), ref: 00445817
                                      • SetLastError.KERNEL32(00000000), ref: 00445820
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ErrorLast$_free
                                      • String ID:
                                      • API String ID: 3170660625-0
                                      • Opcode ID: d4e383c12478905910161cad80a238fc5d6e44a6254b0909f9091c4c9b8107c1
                                      • Instruction ID: 04032910ca93e9be015006ee1c204adc37b37130fda50a8933af11b0a5b4c0b1
                                      • Opcode Fuzzy Hash: d4e383c12478905910161cad80a238fc5d6e44a6254b0909f9091c4c9b8107c1
                                      • Instruction Fuzzy Hash: 4101FE36100F0077FB127B366CC992B15699FC2B7AB21413BF40592293EE7DCC01462D

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 460 445a95-445aa9 461 445ab6-445ad1 LoadLibraryExW 460->461 462 445aab-445ab4 460->462 464 445ad3-445adc GetLastError 461->464 465 445afa-445b00 461->465 463 445b0d-445b0f 462->463 466 445ade-445ae9 LoadLibraryExW 464->466 467 445aeb 464->467 468 445b02-445b03 FreeLibrary 465->468 469 445b09 465->469 471 445aed-445aef 466->471 467->471 468->469 470 445b0b-445b0c 469->470 470->463 471->465 472 445af1-445af8 471->472 472->470
                                      APIs
                                      • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00000000,00000000,?,00445A3C,?,00000000,00000000,00000000,?,00445D68,00000006,FlsSetValue), ref: 00445AC7
                                      • GetLastError.KERNEL32(?,00445A3C,?,00000000,00000000,00000000,?,00445D68,00000006,FlsSetValue,0045C110,0045C118,00000000,00000364,?,004457F7), ref: 00445AD3
                                      • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00445A3C,?,00000000,00000000,00000000,?,00445D68,00000006,FlsSetValue,0045C110,0045C118,00000000), ref: 00445AE1
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: LibraryLoad$ErrorLast
                                      • String ID:
                                      • API String ID: 3177248105-0
                                      • Opcode ID: 6ca79951660ad3b6e96c8c42d18b75cc874aa2905662dd76989ddfa9726cc4c5
                                      • Instruction ID: dabcc1aa4f00c9d7d6140ee010913d89a9079070269616da1364236c98588597
                                      • Opcode Fuzzy Hash: 6ca79951660ad3b6e96c8c42d18b75cc874aa2905662dd76989ddfa9726cc4c5
                                      • Instruction Fuzzy Hash: 8501FC32601B276BDF218A78AC84D577758EF05B617110635F906E3242D724DC01C6E8

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 481 4459f9-445a23 482 445a25-445a27 481->482 483 445a8e 481->483 484 445a2d-445a33 482->484 485 445a29-445a2b 482->485 486 445a90-445a94 483->486 487 445a35-445a37 call 445a95 484->487 488 445a4f 484->488 485->486 493 445a3c-445a3f 487->493 489 445a51-445a53 488->489 491 445a55-445a63 GetProcAddress 489->491 492 445a7e-445a8c 489->492 496 445a65-445a6e call 432123 491->496 497 445a78 491->497 492->483 494 445a70-445a76 493->494 495 445a41-445a47 493->495 494->489 495->487 498 445a49 495->498 496->485 497->492 498->488
                                      APIs
                                      • GetProcAddress.KERNEL32(00000000,?), ref: 00445A59
                                      • __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00445A66
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AddressProc__crt_fast_encode_pointer
                                      • String ID:
                                      • API String ID: 2279764990-0
                                      • Opcode ID: c61b452eecc00867d96f211e5a9c10d9e28e8afd79249807e8935c7f12eaf234
                                      • Instruction ID: f797c493580bcbb57e031b514bcf368a6941c3076375826e2c1e25af396318bd
                                      • Opcode Fuzzy Hash: c61b452eecc00867d96f211e5a9c10d9e28e8afd79249807e8935c7f12eaf234
                                      • Instruction Fuzzy Hash: AA113A37A009319BAF21DE69ECC086B7391AB847247164332FC15BB346E634EC0286E9

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 501 40163e-401644 502 401646-401648 501->502 503 401649-401654 501->503 504 401656 503->504 505 40165b-401665 503->505 504->505 506 401667-40166d 505->506 507 401688-401689 call 43229f 505->507 506->507 508 40166f-401674 506->508 511 40168e-40168f 507->511 508->504 510 401676-401686 call 43229f 508->510 513 401691-401693 510->513 511->513
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: f210c679e2b780eded3ea4ef50917041f60fa4d2abe52b8749c2b449606446f0
                                      • Instruction ID: 17b6f17919427e724365abd55f1db4a6b8769e1fa76fb76fe63095c9ff18be87
                                      • Opcode Fuzzy Hash: f210c679e2b780eded3ea4ef50917041f60fa4d2abe52b8749c2b449606446f0
                                      • Instruction Fuzzy Hash: 09F0ECB02042015BCB1C9B34CD5062B379A4BA8365F289F7FF02BD61E0C73AC895860D

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 515 443005-443010 516 443012-44301c 515->516 517 44301e-443024 515->517 516->517 518 443052-44305d call 43ad91 516->518 519 443026-443027 517->519 520 44303d-44304e RtlAllocateHeap 517->520 525 44305f-443061 518->525 519->520 521 443050 520->521 522 443029-443030 call 442a57 520->522 521->525 522->518 528 443032-44303b call 440480 522->528 528->518 528->520
                                      APIs
                                      • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,004457DA,00000001,00000364,?,00000000,?,00439A11,00000000,?,?,00439A95,00000000), ref: 00443046
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AllocateHeap
                                      • String ID:
                                      • API String ID: 1279760036-0
                                      • Opcode ID: 8a82d2413be822b6e30d7260cb8c0ab5a5cb0f0d071671a377993aa538de489b
                                      • Instruction ID: 6f1ff5b5ffdcc79539d97ae047dfd157567b1d653d04e58146e0509186e3fe0c
                                      • Opcode Fuzzy Hash: 8a82d2413be822b6e30d7260cb8c0ab5a5cb0f0d071671a377993aa538de489b
                                      • Instruction Fuzzy Hash: A0F0B43220022466FB319E229C01A5B3749AF42FA2F158227BC04E62C9CA78DE1182AD

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 531 443649-443655 532 443687-443692 call 43ad91 531->532 533 443657-443659 531->533 540 443694-443696 532->540 534 443672-443683 RtlAllocateHeap 533->534 535 44365b-44365c 533->535 538 443685 534->538 539 44365e-443665 call 442a57 534->539 535->534 538->540 539->532 543 443667-443670 call 440480 539->543 543->532 543->534
                                      APIs
                                      • RtlAllocateHeap.NTDLL(00000000,00433069,?,?,004365E7,?,?,00000000,00473A38,?,0040C88A,00433069,?,?,?,?), ref: 0044367B
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AllocateHeap
                                      • String ID:
                                      • API String ID: 1279760036-0
                                      • Opcode ID: 0c61ffa0ec78c269e0422769366e0108c3b164e239eff4ad14a217a7d57edf52
                                      • Instruction ID: 99ef05a6bb91785527f59a1062444bc3c705daae6acf277761014d7f2c467fed
                                      • Opcode Fuzzy Hash: 0c61ffa0ec78c269e0422769366e0108c3b164e239eff4ad14a217a7d57edf52
                                      • Instruction Fuzzy Hash: 7EE0E52110162377F6312E635C0075B36489F41BA2F17412BFC8596780CB69CE0041AD
                                      APIs
                                      • GetCurrentProcessId.KERNEL32 ref: 00410B6B
                                        • Part of subcall function 00412268: RegCreateKeyA.ADVAPI32(80000001,00000000,P0F), ref: 00412276
                                        • Part of subcall function 00412268: RegSetValueExA.ADVAPI32(P0F,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B093,004638E0,00000001,000000AF,00463050), ref: 00412291
                                        • Part of subcall function 00412268: RegCloseKey.ADVAPI32(?,?,?,?,0040B093,004638E0,00000001,000000AF,00463050), ref: 0041229C
                                      • OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 00410BAB
                                      • CloseHandle.KERNEL32(00000000), ref: 00410BBA
                                      • CreateThread.KERNEL32(00000000,00000000,00411253,00000000,00000000,00000000), ref: 00410C10
                                      • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 00410E7F
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseCreateOpenProcess$CurrentHandleMutexThreadValue
                                      • String ID: (#G$Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe$!G
                                      • API String ID: 3018269243-1736093966
                                      • Opcode ID: 0994219a8e8a2e6fdacb02da6b6c9aac93029fb7835260760d01e793a2ba6ee3
                                      • Instruction ID: e4f63523a9081b51a3adb9d06d528b7104d503695ba60a117a14e5ebfa22ea95
                                      • Opcode Fuzzy Hash: 0994219a8e8a2e6fdacb02da6b6c9aac93029fb7835260760d01e793a2ba6ee3
                                      • Instruction Fuzzy Hash: DD71923160430167C604FB62DD67DAE73A8AE91308F50097FF546621E2EEBC9E49C69F
                                      APIs
                                      • SetEvent.KERNEL32(?,?), ref: 00406D4A
                                      • GetFileAttributesW.KERNEL32(00000000,00000000,?), ref: 00406E18
                                      • DeleteFileW.KERNEL32(00000000), ref: 00406E3A
                                        • Part of subcall function 0041A01B: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,00471E78,?), ref: 0041A076
                                        • Part of subcall function 0041A01B: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,00471E78,?), ref: 0041A0A6
                                        • Part of subcall function 0041A01B: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,00471E78,?), ref: 0041A0FB
                                        • Part of subcall function 0041A01B: FindClose.KERNEL32(00000000,?,?,?,?,?,00471E78,?), ref: 0041A15C
                                        • Part of subcall function 0041A01B: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,00471E78,?), ref: 0041A163
                                        • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                                        • Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4
                                        • Part of subcall function 00404A81: WaitForSingleObject.KERNEL32(?,00000000,00401A25,?,?,00000004,?,?,00000004,00473A38,00471E78,00000000), ref: 00404B27
                                        • Part of subcall function 00404A81: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00473A38,00471E78,00000000,?,?,?,?,?,00401A25), ref: 00404B55
                                      • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00407228
                                      • GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 00407309
                                      • DeleteFileA.KERNEL32(?), ref: 0040768E
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: File$Find$DeleteDirectoryEventRemove$AttributesCloseDriveExecuteFirstLocalLogicalNextObjectShellSingleStringsTimeWaitsend
                                      • String ID: Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $Unable to delete: $Unable to rename file!$open
                                      • API String ID: 1385304114-1507758755
                                      • Opcode ID: 626ef3b8f9062db525714a88906249109dc5c65f2cd14a7855506d530d800d82
                                      • Instruction ID: 48d75f04ed6415a86b5419c4bbb4b80b443badeb9edbc79095c7941e671ccbd4
                                      • Opcode Fuzzy Hash: 626ef3b8f9062db525714a88906249109dc5c65f2cd14a7855506d530d800d82
                                      • Instruction Fuzzy Hash: EE42A771A043005BC604FB76C86B9AE77A9AF91304F40493FF542671E2EE7D9A09C79B
                                      APIs
                                      • __Init_thread_footer.LIBCMT ref: 004056C6
                                        • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                                      • __Init_thread_footer.LIBCMT ref: 00405703
                                      • CreatePipe.KERNEL32(00473BB4,00473B9C,00473AC0,00000000,00463068,00000000), ref: 00405796
                                      • CreatePipe.KERNEL32(00473BA0,00473BBC,00473AC0,00000000), ref: 004057AC
                                      • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00473AD0,00473BA4), ref: 0040581F
                                      • Sleep.KERNEL32(0000012C,00000093,?), ref: 00405877
                                      • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0040589C
                                      • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 004058C9
                                        • Part of subcall function 00432525: __onexit.LIBCMT ref: 0043252B
                                      • WriteFile.KERNEL32(00000000,00000000,?,00000000,00471F28,0046306C,00000062,00463050), ref: 004059C4
                                      • Sleep.KERNEL32(00000064,00000062,00463050), ref: 004059DE
                                      • TerminateProcess.KERNEL32(00000000), ref: 004059F7
                                      • CloseHandle.KERNEL32 ref: 00405A03
                                      • CloseHandle.KERNEL32 ref: 00405A0B
                                      • CloseHandle.KERNEL32 ref: 00405A1D
                                      • CloseHandle.KERNEL32 ref: 00405A25
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseHandle$CreatePipe$FileInit_thread_footerProcessSleep$NamedPeekReadTerminateWrite__onexitsend
                                      • String ID: SystemDrive$cmd.exe
                                      • API String ID: 2994406822-3633465311
                                      • Opcode ID: 45804b196eb615b74f37731f9156c820bde623197d48a39944e1cd78d62eaab2
                                      • Instruction ID: 60b94bd4732a7a61eda53217d638a5a8398e5d64ba0573e0a23605d008395794
                                      • Opcode Fuzzy Hash: 45804b196eb615b74f37731f9156c820bde623197d48a39944e1cd78d62eaab2
                                      • Instruction Fuzzy Hash: 2991D571600204AFC710BF65AC52D6F3698EB44745F00443FF949A72E3DA7CAE489B6E
                                      APIs
                                      • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040AAF0
                                      • FindClose.KERNEL32(00000000), ref: 0040AB0A
                                      • FindNextFileA.KERNEL32(00000000,?), ref: 0040AC2D
                                      • FindClose.KERNEL32(00000000), ref: 0040AC53
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      Similarity
                                      • API ID: Find$CloseFile$FirstNext
                                      • String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
                                      • API String ID: 1164774033-3681987949
                                      • Opcode ID: ca0fae3423e82ba65057aab1becec6cc490b3020935d7fd6147cf858be723e25
                                      • Instruction ID: fcfcc6101c27069c9b98dcbc284c26b589152974821445ccf2a2d41a2abcc6ea
                                      • Opcode Fuzzy Hash: ca0fae3423e82ba65057aab1becec6cc490b3020935d7fd6147cf858be723e25
                                      • Instruction Fuzzy Hash: DD516C7190021A9ADB14FBB1DC96EEEB738AF10309F50057FF406720E2FF785A458A5A
                                      APIs
                                      • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040ACF0
                                      • FindClose.KERNEL32(00000000), ref: 0040AD0A
                                      • FindNextFileA.KERNEL32(00000000,?), ref: 0040ADCA
                                      • FindClose.KERNEL32(00000000), ref: 0040ADF0
                                      • FindClose.KERNEL32(00000000), ref: 0040AE11
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      Similarity
                                      • API ID: Find$Close$File$FirstNext
                                      • String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                      • API String ID: 3527384056-432212279
                                      • Opcode ID: 73f140f6d35823a17bd4706e2565cdbe6c65283cd980cbef6400db2aba249c94
                                      • Instruction ID: fb37dd61a783c7e48c67abb1194b5e9e6d585cff7aa156a37ad31c809035e36e
                                      • Opcode Fuzzy Hash: 73f140f6d35823a17bd4706e2565cdbe6c65283cd980cbef6400db2aba249c94
                                      • Instruction Fuzzy Hash: 33417E7190021A5ACB14FBB1DC56DEEB729AF11306F50057FF402B21D2EF789A468A9E
                                      APIs
                                      • OpenClipboard.USER32 ref: 00414EC2
                                      • EmptyClipboard.USER32 ref: 00414ED0
                                      • GlobalAlloc.KERNEL32(00002000,-00000002), ref: 00414EF0
                                      • GlobalLock.KERNEL32(00000000), ref: 00414EF9
                                      • GlobalUnlock.KERNEL32(00000000), ref: 00414F2F
                                      • SetClipboardData.USER32(0000000D,00000000), ref: 00414F38
                                      • CloseClipboard.USER32 ref: 00414F55
                                      • OpenClipboard.USER32 ref: 00414F5C
                                      • GetClipboardData.USER32(0000000D), ref: 00414F6C
                                      • GlobalLock.KERNEL32(00000000), ref: 00414F75
                                      • GlobalUnlock.KERNEL32(00000000), ref: 00414F7E
                                      • CloseClipboard.USER32 ref: 00414F84
                                        • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      Similarity
                                      • API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
                                      • String ID:
                                      • API String ID: 3520204547-0
                                      • Opcode ID: 7af418065d64d393ef04eab576563171d8b43fad0296cfc06dd8feeb27fac25d
                                      • Instruction ID: 88f859f6ed4527f0268ca0f0dcff7fecf11b3a85ebb64268ee3e6238e9d0ca75
                                      • Opcode Fuzzy Hash: 7af418065d64d393ef04eab576563171d8b43fad0296cfc06dd8feeb27fac25d
                                      • Instruction Fuzzy Hash: C32162312043009BD714BF71DC5A9BE76A8AF90746F81093EF906931E3EF3889458A6A
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: 0$1$2$3$4$5$6$7
                                      • API String ID: 0-3177665633
                                      • Opcode ID: d8735d6a0333336ade1e6f6e2efec2098777929bb537579fb175260dc37f0ebb
                                      • Instruction ID: 7e6592d3055df16b324e67483fbf58bd1f951358f7384255f7d9d01b5e43b049
                                      • Opcode Fuzzy Hash: d8735d6a0333336ade1e6f6e2efec2098777929bb537579fb175260dc37f0ebb
                                      • Instruction Fuzzy Hash: 7661D4709183019ED704EF21D8A1FAB7BB4DF94310F10881FF5A25B2D1DA789A49CBA6
                                      APIs
                                      • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,004727F8), ref: 00418714
                                      • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 00418763
                                      • GetLastError.KERNEL32 ref: 00418771
                                      • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 004187A9
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      Similarity
                                      • API ID: EnumServicesStatus$ErrorLastManagerOpen
                                      • String ID:
                                      • API String ID: 3587775597-0
                                      • Opcode ID: a389468ef3a4b2ac6aa5ba8bc00e05a97baae6139e6da71d4e03c11964763bc0
                                      • Instruction ID: 6ce88c058296d2c3b0169cbae3b24baff62e3479be35c2318cb4853598c639b3
                                      • Opcode Fuzzy Hash: a389468ef3a4b2ac6aa5ba8bc00e05a97baae6139e6da71d4e03c11964763bc0
                                      • Instruction Fuzzy Hash: 04814071104344ABC304FB62DC959AFB7E8FF94708F50092EF58552192EE78EA49CB9A
                                      APIs
                                      • FindFirstFileW.KERNEL32(00000000,?,\Mozilla\Firefox\Profiles\,00000000), ref: 0040B2DC
                                      • FindNextFileW.KERNEL32(00000000,?), ref: 0040B3AF
                                      • FindClose.KERNEL32(00000000), ref: 0040B3BE
                                      • FindClose.KERNEL32(00000000), ref: 0040B3E9
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      Similarity
                                      • API ID: Find$CloseFile$FirstNext
                                      • String ID: AppData$\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                      • API String ID: 1164774033-405221262
                                      • Opcode ID: 4b14aa1bc7189600b3df2c7baed1fce7e981b9bf703063a35819cb8b8327a43d
                                      • Instruction ID: 883258bb694cc85cc249d311a8318fbda55549897f82b44e5d780b3967986c9e
                                      • Opcode Fuzzy Hash: 4b14aa1bc7189600b3df2c7baed1fce7e981b9bf703063a35819cb8b8327a43d
                                      • Instruction Fuzzy Hash: 7D31533190025996CB14FBA1DC9ADEE7778AF50718F10017FF405B21D2EFBC9A4A8A8D
                                      APIs
                                      • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,00471E78,?), ref: 0041A076
                                      • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,00471E78,?), ref: 0041A0A6
                                      • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,00471E78,?), ref: 0041A118
                                      • DeleteFileW.KERNEL32(?,?,?,?,?,?,00471E78,?), ref: 0041A125
                                        • Part of subcall function 0041A01B: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,00471E78,?), ref: 0041A0FB
                                      • GetLastError.KERNEL32(?,?,?,?,?,00471E78,?), ref: 0041A146
                                      • FindClose.KERNEL32(00000000,?,?,?,?,?,00471E78,?), ref: 0041A15C
                                      • RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,00471E78,?), ref: 0041A163
                                      • FindClose.KERNEL32(00000000,?,?,?,?,?,00471E78,?), ref: 0041A16C
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      Similarity
                                      • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
                                      • String ID:
                                      • API String ID: 2341273852-0
                                      • Opcode ID: 2253f20c687efd1695f59cc813ac36ef13daa749edc7cb4b9e2c9040a42a2537
                                      • Instruction ID: c5fafce0dbccb0860899da49af80cd87a4a733faaf08891c553187227cdc222a
                                      • Opcode Fuzzy Hash: 2253f20c687efd1695f59cc813ac36ef13daa749edc7cb4b9e2c9040a42a2537
                                      • Instruction Fuzzy Hash: 5F31937290121C6ADB20EBA0DC49EDB77BCAB08305F4406FBF558D3152EB39DAD48A19
                                      APIs
                                        • Part of subcall function 00410201: SetLastError.KERNEL32(0000000D,00410781,00000000,$.F,?,?,?,?,?,?,?,?,?,?,?,0041075F), ref: 00410207
                                      • SetLastError.KERNEL32(000000C1,00000000,$.F,?,?,?,?,?,?,?,?,?,?,?,0041075F), ref: 0041079C
                                      • GetNativeSystemInfo.KERNEL32(?,?,00000000,$.F,?,?,?,?,?,?,?,?,?,?,?,0041075F), ref: 0041080A
                                      • SetLastError.KERNEL32(0000000E), ref: 0041082E
                                        • Part of subcall function 00410708: VirtualAlloc.KERNEL32(00000000,00000000,00000000,00000000,0041084C,?,00000000,00003000,00000004,00000000), ref: 00410718
                                      • GetProcessHeap.KERNEL32(00000008,00000040), ref: 00410875
                                      • HeapAlloc.KERNEL32(00000000), ref: 0041087C
                                      • SetLastError.KERNEL32(0000045A), ref: 0041098F
                                        • Part of subcall function 00410ADC: GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,0041099C), ref: 00410B4C
                                        • Part of subcall function 00410ADC: HeapFree.KERNEL32(00000000), ref: 00410B53
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      Similarity
                                      • API ID: ErrorHeapLast$AllocProcess$FreeInfoNativeSystemVirtual
                                      • String ID: $.F
                                      • API String ID: 3950776272-1421728423
                                      • Opcode ID: afa6d71e2a3b14814050e18c4da3df367c89416f336fbbd417f722f4d15fa1ad
                                      • Instruction ID: 59628d97446cb481dba570c2b442d682f024dd9dc2812234181a156a821a4c1f
                                      • Opcode Fuzzy Hash: afa6d71e2a3b14814050e18c4da3df367c89416f336fbbd417f722f4d15fa1ad
                                      • Instruction Fuzzy Hash: F7619270200211ABD750AF66CD91BAB7BA5BF44714F54412AF9158B382DBFCE8C1CBD9
                                      APIs
                                      • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 0040935B
                                      • SetWindowsHookExA.USER32(0000000D,0040932C,00000000), ref: 00409369
                                      • GetLastError.KERNEL32 ref: 00409375
                                        • Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4
                                      • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 004093C3
                                      • TranslateMessage.USER32(?), ref: 004093D2
                                      • DispatchMessageA.USER32(?), ref: 004093DD
                                      Strings
                                      • Keylogger initialization failure: error , xrefs: 00409389
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      Similarity
                                      • API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
                                      • String ID: Keylogger initialization failure: error
                                      • API String ID: 3219506041-952744263
                                      • Opcode ID: 4daa718d81045fd2d4cd741a07fca7de2266515ef5ec0dc15ecea471e6442c9d
                                      • Instruction ID: 7386389ed158dc1e9b291cee6df9fe5cdc6a320468782ebba6dd7d831fd8f91b
                                      • Opcode Fuzzy Hash: 4daa718d81045fd2d4cd741a07fca7de2266515ef5ec0dc15ecea471e6442c9d
                                      • Instruction Fuzzy Hash: 4D119431604301ABC7107B769D0985BB7ECEB99712B500A7EFC95D32D2EB74C900CB6A
                                      APIs
                                      • RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004129B8
                                      • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004129C4
                                        • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                                      • LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 00412CBA
                                      • GetProcAddress.KERNEL32(00000000), ref: 00412CC1
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      Similarity
                                      • API ID: AddressCloseCreateLibraryLoadProcsend
                                      • String ID: SHDeleteKeyW$Shlwapi.dll
                                      • API String ID: 2127411465-314212984
                                      • Opcode ID: f2d69b9d43562cab7e836be07482607efef349bb97d02b02476618c5377839be
                                      • Instruction ID: 16181ac17c5890234a95f9c719cc05f83ad3eef33587bd03cd2ae8bf1541d7ce
                                      • Opcode Fuzzy Hash: f2d69b9d43562cab7e836be07482607efef349bb97d02b02476618c5377839be
                                      • Instruction Fuzzy Hash: CCE1DA72A0430067CA14B776DD57DAF36A8AF91318F40053FF946F71E2EDBD8A44829A
                                      APIs
                                        • Part of subcall function 00411F34: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,?), ref: 00411F54
                                        • Part of subcall function 00411F34: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,00000000), ref: 00411F72
                                        • Part of subcall function 00411F34: RegCloseKey.ADVAPI32(?), ref: 00411F7D
                                      • Sleep.KERNEL32(00000BB8), ref: 0040E243
                                      • ExitProcess.KERNEL32 ref: 0040E2B4
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      Similarity
                                      • API ID: CloseExitOpenProcessQuerySleepValue
                                      • String ID: 3.8.0 Pro$override$pth_unenc$!G
                                      • API String ID: 2281282204-1386060931
                                      • Opcode ID: 2411e5703e7239f679d30a90bad3a95645d2e36138ee9f8a514be94ac54cb995
                                      • Instruction ID: b884fba6e00cc138548ee74cf6c0f0a6577cc223cd772b3e63c92b5116f64211
                                      • Opcode Fuzzy Hash: 2411e5703e7239f679d30a90bad3a95645d2e36138ee9f8a514be94ac54cb995
                                      • Instruction Fuzzy Hash: 6E213770B4030027DA08B6768D5BAAE35899B82708F40446FF911AB2D7EEBD8D4583DF
                                      APIs
                                      • InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00419392
                                      • InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 004193A8
                                      • InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 004193C1
                                      • InternetCloseHandle.WININET(00000000), ref: 00419407
                                      • InternetCloseHandle.WININET(00000000), ref: 0041940A
                                      Strings
                                      • http://geoplugin.net/json.gp, xrefs: 004193A2
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      Similarity
                                      • API ID: Internet$CloseHandleOpen$FileRead
                                      • String ID: http://geoplugin.net/json.gp
                                      • API String ID: 3121278467-91888290
                                      • Opcode ID: ef2ec91d27aa09046ea65f67fa3d050ef1f1622cef503f288a816c5549269c7a
                                      • Instruction ID: 9fad89c028030122b1819b6a874fefb9d729214f45c39af6bed7b2b06c6e4f32
                                      • Opcode Fuzzy Hash: ef2ec91d27aa09046ea65f67fa3d050ef1f1622cef503f288a816c5549269c7a
                                      • Instruction Fuzzy Hash: 3311C8311053126BD224EF169C59DABBF9CEF85765F40053EF905A32C1DBA8DC44C6A9
                                      APIs
                                      • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040A98F
                                      • GetLastError.KERNEL32 ref: 0040A999
                                      Strings
                                      • [Chrome StoredLogins not found], xrefs: 0040A9B3
                                      • \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040A95A
                                      • [Chrome StoredLogins found, cleared!], xrefs: 0040A9BF
                                      • UserProfile, xrefs: 0040A95F
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      Similarity
                                      • API ID: DeleteErrorFileLast
                                      • String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
                                      • API String ID: 2018770650-1062637481
                                      • Opcode ID: c755599410c6c02e55073cedb3b03e5beee3eb12ab5711b2b25ec6cbfe43ec22
                                      • Instruction ID: b2134abed7c3f614b53a5a28bf05479c5c2a11b403a78876888f6ce5fd1f590e
                                      • Opcode Fuzzy Hash: c755599410c6c02e55073cedb3b03e5beee3eb12ab5711b2b25ec6cbfe43ec22
                                      • Instruction Fuzzy Hash: 7801F271B9020466CA047A75DC2B8BE7728A921304B90057FF402732E2FE7D8A1586CF
                                      APIs
                                      • GetCurrentProcess.KERNEL32(00000028,?), ref: 00415C9D
                                      • OpenProcessToken.ADVAPI32(00000000), ref: 00415CA4
                                      • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00415CB6
                                      • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00415CD5
                                      • GetLastError.KERNEL32 ref: 00415CDB
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      Similarity
                                      • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                                      • String ID: SeShutdownPrivilege
                                      • API String ID: 3534403312-3733053543
                                      • Opcode ID: 6b6a245ea7d04d36a7da703741a32f9ec851e6ff0cbdb80aef66d6ce6c3f9121
                                      • Instruction ID: ffc0972e6e84a8b4c82c7ff824774f91a9d221977230a9de1ecf93d0fe8dbf87
                                      • Opcode Fuzzy Hash: 6b6a245ea7d04d36a7da703741a32f9ec851e6ff0cbdb80aef66d6ce6c3f9121
                                      • Instruction Fuzzy Hash: 0AF03A71901229ABDB10ABA1ED4DEEF7F7CEF05616F510060B805A2152D6749A04CAB5
                                      APIs
                                      • __EH_prolog.LIBCMT ref: 00408393
                                        • Part of subcall function 004048A8: connect.WS2_32(?,?,?), ref: 004048C0
                                        • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 0040842F
                                      • FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 0040848D
                                      • FindNextFileW.KERNEL32(00000000,?), ref: 004084E5
                                      • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 004084FC
                                        • Part of subcall function 00404E06: WaitForSingleObject.KERNEL32(?,000000FF,00000000,00471E90,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E18
                                        • Part of subcall function 00404E06: SetEvent.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E23
                                        • Part of subcall function 00404E06: CloseHandle.KERNELBASE(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E2C
                                      • FindClose.KERNEL32(00000000), ref: 004086F4
                                        • Part of subcall function 00404A81: WaitForSingleObject.KERNEL32(?,00000000,00401A25,?,?,00000004,?,?,00000004,00473A38,00471E78,00000000), ref: 00404B27
                                        • Part of subcall function 00404A81: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00473A38,00471E78,00000000,?,?,?,?,?,00401A25), ref: 00404B55
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      Similarity
                                      • API ID: Find$Close$EventFileObjectSingleWait$Exception@8FirstH_prologHandleNextThrowconnectsend
                                      • String ID:
                                      • API String ID: 1824512719-0
                                      • Opcode ID: fe1b7685708ab651bcf0735ee0d7b313b9460d78bb97c14bdd2e97ece23dd4dd
                                      • Instruction ID: 071b26812b5e49f88d0361c7bacc9152bfce797c8686ce15524b94070306fde2
                                      • Opcode Fuzzy Hash: fe1b7685708ab651bcf0735ee0d7b313b9460d78bb97c14bdd2e97ece23dd4dd
                                      • Instruction Fuzzy Hash: 4FB18D329001099BCB14FBA1CD92AEDB378AF50318F50416FE506B71E2EF785B49CB98
                                      APIs
                                      • GetForegroundWindow.USER32 ref: 0040949C
                                      • GetWindowThreadProcessId.USER32(00000000,?), ref: 004094A7
                                      • GetKeyboardLayout.USER32(00000000), ref: 004094AE
                                      • GetKeyState.USER32(00000010), ref: 004094B8
                                      • GetKeyboardState.USER32(?), ref: 004094C5
                                      • ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 004094E1
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      Similarity
                                      • API ID: KeyboardStateWindow$ForegroundLayoutProcessThreadUnicode
                                      • String ID:
                                      • API String ID: 3566172867-0
                                      • Opcode ID: d901ee0ac73cdc62f5a306cfd6c81765c1cc2556515ef31437eb64726968fe5d
                                      • Instruction ID: c7d3d650b917c490fc12d3d20248521073b1bf92526e1b13c177c4272b1ff9cc
                                      • Opcode Fuzzy Hash: d901ee0ac73cdc62f5a306cfd6c81765c1cc2556515ef31437eb64726968fe5d
                                      • Instruction Fuzzy Hash: B9111E7290020CABDB10DBE4EC49FDA7BBCEB4C706F510465FA08E7191E675EA548BA4
                                      APIs
                                      • OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,00000001,?,00418656,00000000), ref: 00418A09
                                      • OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,00418656,00000000), ref: 00418A1E
                                      • CloseServiceHandle.ADVAPI32(00000000,?,00418656,00000000), ref: 00418A2B
                                      • StartServiceW.ADVAPI32(00000000,00000000,00000000,?,00418656,00000000), ref: 00418A36
                                      • CloseServiceHandle.ADVAPI32(00000000,?,00418656,00000000), ref: 00418A48
                                      • CloseServiceHandle.ADVAPI32(00000000,?,00418656,00000000), ref: 00418A4B
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      • API ID: Service$CloseHandle$Open$ManagerStart
                                      • String ID:
                                      • API String ID: 276877138-0
                                      • Opcode ID: 3fc945a915b8368a843192f93137a5e178334297252c2274446b31ee589ae89c
                                      • Instruction ID: d7e7041197745ae6b8576ac0eea0d71e7d0897d816d6b6e74118e31fa9ec717f
                                      • Opcode Fuzzy Hash: 3fc945a915b8368a843192f93137a5e178334297252c2274446b31ee589ae89c
                                      • Instruction Fuzzy Hash: CAF082711012246FD211EB65EC89DBF2BACDF85BA6B41042BF801931918F78CD49A9B9
                                      APIs
                                      • FindFirstFileW.KERNEL32(00000000,?), ref: 00417D01
                                      • FindNextFileW.KERNEL32(00000000,?,?), ref: 00417DCD
                                        • Part of subcall function 0041A20F: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040410F,00462E24), ref: 0041A228
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      • API ID: File$Find$CreateFirstNext
                                      • String ID: H"G$`'G$`'G
                                      • API String ID: 341183262-2774397156
                                      • Opcode ID: 0d80ee79194906e4b22a720edc884f9e90fb3bc84ee362b2e3278aa21dcfc2fa
                                      • Instruction ID: cc65440c5fe1593426504ff8613f72b7370ef7481f3bf724e026da4e35a467e2
                                      • Opcode Fuzzy Hash: 0d80ee79194906e4b22a720edc884f9e90fb3bc84ee362b2e3278aa21dcfc2fa
                                      • Instruction Fuzzy Hash: 138183315083415BC314FB62C996DEFB7A8AF90304F40493FF586671E2EF789A49C69A
                                      APIs
                                        • Part of subcall function 00415C90: GetCurrentProcess.KERNEL32(00000028,?), ref: 00415C9D
                                        • Part of subcall function 00415C90: OpenProcessToken.ADVAPI32(00000000), ref: 00415CA4
                                        • Part of subcall function 00415C90: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00415CB6
                                        • Part of subcall function 00415C90: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00415CD5
                                        • Part of subcall function 00415C90: GetLastError.KERNEL32 ref: 00415CDB
                                      • ExitWindowsEx.USER32(00000000,00000001), ref: 00414E56
                                      • LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 00414E6B
                                      • GetProcAddress.KERNEL32(00000000), ref: 00414E72
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      • API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
                                      • String ID: PowrProf.dll$SetSuspendState
                                      • API String ID: 1589313981-1420736420
                                      • Opcode ID: 485f73e636cde54b00929bf3910efae957862298eb284d08d9347c6df5f92bed
                                      • Instruction ID: 748c18e79ee5f9a1fbb6f05bd7ad52209f91b0004c4d1b0055552a3b76c5c1f9
                                      • Opcode Fuzzy Hash: 485f73e636cde54b00929bf3910efae957862298eb284d08d9347c6df5f92bed
                                      • Instruction Fuzzy Hash: 5F214F7070430157CE14FBB19896AAF6359AFD4349F40097FB5026B2D2EE7DCC4986AE
                                      APIs
                                      • GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002), ref: 0044F6B5
                                      • GetLocaleInfoW.KERNEL32(?,20001004,?,00000002), ref: 0044F6DE
                                      • GetACP.KERNEL32 ref: 0044F6F3
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      • API ID: InfoLocale
                                      • String ID: ACP$OCP
                                      • API String ID: 2299586839-711371036
                                      • Opcode ID: bf4880e5188eb12a7c294a6f25afa26b03a49e2ed1ffce5823e951fdb7c5b330
                                      • Instruction ID: bf1e89585aec8fc6a823a5c6a63220f2d7696aba51182a9853130589b0d37fa4
                                      • Opcode Fuzzy Hash: bf4880e5188eb12a7c294a6f25afa26b03a49e2ed1ffce5823e951fdb7c5b330
                                      • Instruction Fuzzy Hash: 2221C122A00101A6F7348F24C901A9B73AAAF50B65F578577E809C7221FB36DD4BC398
                                      APIs
                                      • GetLocalTime.KERNEL32(?,Offline Keylogger Started,00472008), ref: 0040A0BE
                                      • wsprintfW.USER32 ref: 0040A13F
                                        • Part of subcall function 0040962E: SetEvent.KERNEL32(?,?,00000000,0040A156,00000000), ref: 0040965A
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      • API ID: EventLocalTimewsprintf
                                      • String ID: [%04i/%02i/%02i %02i:%02i:%02i $Offline Keylogger Started$]
                                      • API String ID: 1497725170-248792730
                                      • Opcode ID: 87b5f94750da63fef2f6cded4e82116a79e8327da2086fd1d9a035c3abd0ab33
                                      • Instruction ID: 6803640c9eec9339f7c785541c6425a10534024a2ea1efda602809c990ee83c1
                                      • Opcode Fuzzy Hash: 87b5f94750da63fef2f6cded4e82116a79e8327da2086fd1d9a035c3abd0ab33
                                      • Instruction Fuzzy Hash: 5E114272504118AAC708FB96EC558FE77BCEE48315B00412FF806661D2EF7C5A46D6A9
                                      APIs
                                      • FindResourceA.KERNEL32(SETTINGS,0000000A), ref: 004194A4
                                      • LoadResource.KERNEL32(00000000,?,?,?,0040DD9E), ref: 004194B8
                                      • LockResource.KERNEL32(00000000,?,?,?,0040DD9E), ref: 004194BF
                                      • SizeofResource.KERNEL32(00000000,?,?,?,0040DD9E), ref: 004194CE
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      • API ID: Resource$FindLoadLockSizeof
                                      • String ID: SETTINGS
                                      • API String ID: 3473537107-594951305
                                      • Opcode ID: 7f61ee72686a272b8f551de58b86ae3e218e906a9fde472ee07ff8038d16bca4
                                      • Instruction ID: a9e8191b24fee58836060ebd07e0bd7776b83e69f4e337d8cda710b4f32c44fb
                                      • Opcode Fuzzy Hash: 7f61ee72686a272b8f551de58b86ae3e218e906a9fde472ee07ff8038d16bca4
                                      • Instruction Fuzzy Hash: 72E01A76200710ABCB211FA1FC5CD273E69F799B537050035FA0183222DA75CC00CA19
                                      APIs
                                      • __EH_prolog.LIBCMT ref: 004087A5
                                      • FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 0040881D
                                      • FindNextFileW.KERNEL32(00000000,?), ref: 00408846
                                      • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 0040885D
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      • API ID: Find$File$CloseFirstH_prologNext
                                      • String ID:
                                      • API String ID: 1157919129-0
                                      • Opcode ID: 723ee23fa97bb8f6af8cca5773ea7e68c839743d70c3dbe8a8860bd87f8337b2
                                      • Instruction ID: 37d480644902bd8bd77a9749fd647df5a3db5b19bbca398f696489d34b7b99bb
                                      • Opcode Fuzzy Hash: 723ee23fa97bb8f6af8cca5773ea7e68c839743d70c3dbe8a8860bd87f8337b2
                                      • Instruction Fuzzy Hash: 12814D329001199BCB15EBA1DD929ED73B8AF54308F10427FE446B71E2EF385B49CB98
                                      APIs
                                        • Part of subcall function 00445725: GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
                                        • Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
                                        • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
                                        • Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3
                                        • Part of subcall function 00445725: _free.LIBCMT ref: 00445784
                                        • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 00445791
                                      • GetUserDefaultLCID.KERNEL32 ref: 0044F8FC
                                      • IsValidCodePage.KERNEL32(00000000), ref: 0044F957
                                      • IsValidLocale.KERNEL32(?,00000001), ref: 0044F966
                                      • GetLocaleInfoW.KERNEL32(?,00001001,?,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 0044F9AE
                                      • GetLocaleInfoW.KERNEL32(?,00001002,?,00000040), ref: 0044F9CD
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                                      • String ID:
                                      • API String ID: 745075371-0
                                      • Opcode ID: b2004c1cc1df407676deb5a86971a5ed3ade22d67ad87857b151b1318ee5498f
                                      • Instruction ID: 3a6be996f1d9ea25600d7609fa1d0555167a50dcc121ad64ff78238f3932635f
                                      • Opcode Fuzzy Hash: b2004c1cc1df407676deb5a86971a5ed3ade22d67ad87857b151b1318ee5498f
                                      • Instruction Fuzzy Hash: 0351A271900215AFFB20EFA5DC41BBF77B8AF08301F05447BE914EB251E7789A088769
                                      APIs
                                      • __EH_prolog.LIBCMT ref: 0040784D
                                      • FindFirstFileW.KERNEL32(00000000,?,004632A8,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407906
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 0040792E
                                      • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040793B
                                      • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407A51
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      • API ID: Find$File$CloseException@8FirstH_prologNextThrow
                                      • String ID:
                                      • API String ID: 1771804793-0
                                      • Opcode ID: d2b2406fb78086a357800fb68e00157406e6bc822482aaceecce54b7553cb521
                                      • Instruction ID: 4b9324871479917b5af30c26e04a30266e6971a3e86a210f007197118c0b57fe
                                      • Opcode Fuzzy Hash: d2b2406fb78086a357800fb68e00157406e6bc822482aaceecce54b7553cb521
                                      • Instruction Fuzzy Hash: 18516372904208AACB04FBA1DD969DD7778AF11308F50417FB846771E2EF389B49CB99
                                      APIs
                                        • Part of subcall function 00419F23: GetCurrentProcess.KERNEL32(?,?,?,0040C663,WinDir,00000000,00000000), ref: 00419F34
                                      • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040E305
                                      • Process32FirstW.KERNEL32(00000000,?), ref: 0040E329
                                      • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E338
                                      • CloseHandle.KERNEL32(00000000), ref: 0040E4EF
                                        • Part of subcall function 00419F51: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040DFB9,00000000,?,?,00000001), ref: 00419F66
                                        • Part of subcall function 00419F87: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000), ref: 00419F9C
                                      • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E4E0
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      • API ID: ProcessProcess32$NextOpen$CloseCreateCurrentFirstHandleSnapshotToolhelp32
                                      • String ID:
                                      • API String ID: 1735047541-0
                                      • Opcode ID: 6f438c647af3f64ff81423d8645069480e61c42badef12e757d9f04d87e397aa
                                      • Instruction ID: 9ef93eb2fb75da2762b4731e21c5b8dc01158be40bd3d18dbb98703d8f1b3e60
                                      • Opcode Fuzzy Hash: 6f438c647af3f64ff81423d8645069480e61c42badef12e757d9f04d87e397aa
                                      • Instruction Fuzzy Hash: 904101311082415BC365F761D991EEFB3A8AFD4344F50493EF48A921E2EF38994AC75A
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      • API ID:
                                      • String ID: A%E$A%E
                                      • API String ID: 0-137320553
                                      • Opcode ID: 4196e068c390569144ba97144776be62b0eb254e97c7fe9274842686a6009a67
                                      • Instruction ID: 1c47d48333aa2aee23a91f6ecd96940ee01f0d1a5fc0d697d822b355cdd05c70
                                      • Opcode Fuzzy Hash: 4196e068c390569144ba97144776be62b0eb254e97c7fe9274842686a6009a67
                                      • Instruction Fuzzy Hash: C4022E71E002199BEF14CFA9C8806AEF7F1EF88715F25816AE819E7341D735AE45CB84
                                      APIs
                                      • SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041A861
                                        • Part of subcall function 0041215F: RegCreateKeyA.ADVAPI32(80000001,00000000,00000000), ref: 0041216E
                                        • Part of subcall function 0041215F: RegSetValueExA.ADVAPI32(00000000,?,00000000,00000000,00000000,00000000,00000000,?,?,?,00412385,?,00000000), ref: 00412196
                                        • Part of subcall function 0041215F: RegCloseKey.ADVAPI32(00000000,?,?,?,00412385,?,00000000), ref: 004121A1
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      • API ID: CloseCreateInfoParametersSystemValue
                                      • String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
                                      • API String ID: 4127273184-3576401099
                                      • Opcode ID: 5150ba5cc6bca268b63238cec6e219cc56e1651da33e9e1a7eed9394c1e9f3e3
                                      • Instruction ID: 146807b905f8226e4159dba151db05d0611ea4827dca33b530162433be1e3f9d
                                      • Opcode Fuzzy Hash: 5150ba5cc6bca268b63238cec6e219cc56e1651da33e9e1a7eed9394c1e9f3e3
                                      • Instruction Fuzzy Hash: 7C119671F8024037D514353A4D6BBAE18199343B50F54016BB6022B6CAF8EE4EA553DF
                                      APIs
                                        • Part of subcall function 00445725: GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
                                        • Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
                                        • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
                                        • Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3
                                      • IsValidCodePage.KERNEL32(00000000), ref: 0044EF9A
                                      • _wcschr.LIBVCRUNTIME ref: 0044F02A
                                      • _wcschr.LIBVCRUNTIME ref: 0044F038
                                      • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,?,00000000,?), ref: 0044F0DB
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
                                      • String ID:
                                      • API String ID: 4212172061-0
                                      • Opcode ID: b042c09d22adbd0a465f75c66fe4c588d2498b30252692f7cd71b119f9e6cb68
                                      • Instruction ID: 651119c321e801f17dd1a7ba429a2dceeb4aa1bed9d5f8a21b6634afb1069130
                                      • Opcode Fuzzy Hash: b042c09d22adbd0a465f75c66fe4c588d2498b30252692f7cd71b119f9e6cb68
                                      • Instruction Fuzzy Hash: 8E61E935600606AAFB24AB36DC46BB773A8FF44714F14047FF905D7282EB78E9488769
                                      APIs
                                      • _free.LIBCMT ref: 004468EC
                                        • Part of subcall function 00443C92: HeapFree.KERNEL32(00000000,00000000,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?), ref: 00443CA8
                                        • Part of subcall function 00443C92: GetLastError.KERNEL32(?,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?,?), ref: 00443CBA
                                      • GetTimeZoneInformation.KERNEL32 ref: 004468FE
                                      • WideCharToMultiByte.KERNEL32(00000000,?,0046F754,000000FF,?,0000003F,?,?), ref: 00446976
                                      • WideCharToMultiByte.KERNEL32(00000000,?,0046F7A8,000000FF,?,0000003F,?,?,?,0046F754,000000FF,?,0000003F,?,?), ref: 004469A3
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      • API ID: ByteCharMultiWide$ErrorFreeHeapInformationLastTimeZone_free
                                      • String ID:
                                      • API String ID: 806657224-0
                                      • Opcode ID: c4754ecadf84a16d93ca9149c5e3776e61e7a877748ed8df02352f8ef7aba337
                                      • Instruction ID: 2b7d8a9ac893eb444b3138181a21c3719d458e34cf104297cae44ef8c21a1482
                                      • Opcode Fuzzy Hash: c4754ecadf84a16d93ca9149c5e3776e61e7a877748ed8df02352f8ef7aba337
                                      • Instruction Fuzzy Hash: 4F31A5B1904245EFDB11DF69DC80469BBB8FF0671171602BFE090972A1D7B49D04DB5A
                                      APIs
                                      • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 004064D2
                                      • URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 004065B6
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      • API ID: DownloadExecuteFileShell
                                      • String ID: open
                                      • API String ID: 2825088817-2758837156
                                      • Opcode ID: 1ef1fcb5ee927166ed2bf606d15835eaf54d5e513457301e62ecff7219cb06ab
                                      • Instruction ID: de45ecf938be0b84f02b1b366aeabb591a3e89dbb22835c7232af05a142efef6
                                      • Opcode Fuzzy Hash: 1ef1fcb5ee927166ed2bf606d15835eaf54d5e513457301e62ecff7219cb06ab
                                      • Instruction Fuzzy Hash: 6F61D331A0430167CA14FB75D8A697E77A99F81708F00093FFD42772D6EE3D8A09869B
                                      APIs
                                        • Part of subcall function 00445725: GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
                                        • Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
                                        • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
                                        • Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3
                                        • Part of subcall function 00445725: _free.LIBCMT ref: 00445784
                                        • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 00445791
                                      • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0044F2F7
                                      • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0044F348
                                      • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0044F408
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      • API ID: ErrorInfoLastLocale$_free$_abort
                                      • String ID:
                                      • API String ID: 2829624132-0
                                      • Opcode ID: c08902af5a4ebae337e65d4f4913ac80c8ce7fcb5dd297238357898b4052817f
                                      • Instruction ID: 12c224c4da0c85949021a4ccaa6d586ab513ef91610cb16151a2099a543b2454
                                      • Opcode Fuzzy Hash: c08902af5a4ebae337e65d4f4913ac80c8ce7fcb5dd297238357898b4052817f
                                      • Instruction Fuzzy Hash: 49617D71600207ABEB289F25CC82B7B77A8EF14314F1041BBED06C6685EB78D949DB58
                                      APIs
                                      • IsDebuggerPresent.KERNEL32 ref: 004399A4
                                      • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 004399AE
                                      • UnhandledExceptionFilter.KERNEL32(?), ref: 004399BB
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                      • String ID:
                                      • API String ID: 3906539128-0
                                      APIs
                                      • CryptAcquireContextA.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,?,00000000,00431274,00000034,?,?,00000000), ref: 004315FE
                                      • CryptGenRandom.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00431307,00000000,?,00000000), ref: 00431614
                                      • CryptReleaseContext.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,?,?,00431307,00000000,?,00000000,0041C006), ref: 00431626
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      • API ID: Crypt$Context$AcquireRandomRelease
                                      • String ID:
                                      • API String ID: 1815803762-0
                                      APIs
                                      • OpenClipboard.USER32(00000000), ref: 0040A65D
                                      • GetClipboardData.USER32(0000000D), ref: 0040A669
                                      • CloseClipboard.USER32 ref: 0040A671
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      • API ID: Clipboard$CloseDataOpen
                                      • String ID:
                                      • API String ID: 2058664381-0
                                      APIs
                                      • IsProcessorFeaturePresent.KERNEL32(0000000A,00000000), ref: 004329F3
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      • API ID: FeaturePresentProcessor
                                      • String ID:
                                      • API String ID: 2325560087-3916222277
                                      APIs
                                      • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,004419DC,?,00000004), ref: 00445E6F
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      • API ID: InfoLocale
                                      • String ID: GetLocaleInfoEx
                                      • API String ID: 2299586839-2904428671
                                      APIs
                                      • FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 004068E8
                                      • FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 004069B0
                                        • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      • API ID: FileFind$FirstNextsend
                                      • String ID:
                                      • API String ID: 4113138495-0
                                      APIs
                                        • Part of subcall function 00445725: GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
                                        • Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
                                        • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
                                        • Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3
                                        • Part of subcall function 00445725: _free.LIBCMT ref: 00445784
                                        • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 00445791
                                      • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0044F547
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      • API ID: ErrorLast$_free$InfoLocale_abort
                                      • String ID:
                                      • API String ID: 1663032902-0
                                      APIs
                                        • Part of subcall function 00445725: GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
                                        • Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
                                        • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
                                        • Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3
                                      • EnumSystemLocalesW.KERNEL32(0044F2A3,00000001), ref: 0044F1ED
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                      • String ID:
                                      • API String ID: 1084509184-0
                                      APIs
                                        • Part of subcall function 00445725: GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
                                        • Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
                                        • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
                                        • Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3
                                      • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,0044F4C1,00000000,00000000,?), ref: 0044F74F
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      • API ID: ErrorLast$InfoLocale_abort_free
                                      • String ID:
                                      • API String ID: 2692324296-0
                                      APIs
                                        • Part of subcall function 00445725: GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
                                        • Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
                                        • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
                                        • Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3
                                      • EnumSystemLocalesW.KERNEL32(0044F4F3,00000001), ref: 0044F262
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                      • String ID:
                                      • API String ID: 1084509184-0
                                      APIs
                                      • GetUserNameW.ADVAPI32(?,00000010), ref: 0041962D
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      • API ID: NameUser
                                      • String ID:
                                      • API String ID: 2645101109-0
                                      APIs
                                        • Part of subcall function 00442D9A: EnterCriticalSection.KERNEL32(?,?,004404DB,00000000,0046B4D8,0000000C,00440496,?,?,?,00443038,?,?,004457DA,00000001,00000364), ref: 00442DA9
                                      • EnumSystemLocalesW.KERNEL32(Function_000458CE,00000001,0046B680,0000000C), ref: 0044594C
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      • API ID: CriticalEnterEnumLocalesSectionSystem
                                      • String ID:
                                      • API String ID: 1272433827-0
                                      APIs
                                        • Part of subcall function 00445725: GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
                                        • Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
                                        • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
                                        • Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3
                                      • EnumSystemLocalesW.KERNEL32(0044F087,00000001), ref: 0044F167
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                      • String ID:
                                      • API String ID: 1084509184-0
                                      APIs
                                      • GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,00413F34,00471E78,00472910,00471E78,00000000,00471E78,00000000,00471E78,3.8.0 Pro), ref: 0040E2CF
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      • API ID: InfoLocale
                                      • String ID:
                                      • API String ID: 2299586839-0
                                      APIs
                                      • SetUnhandledExceptionFilter.KERNEL32(Function_00032908,0043262F), ref: 00432901
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      • API ID: ExceptionFilterUnhandled
                                      • String ID:
                                      • API String ID: 3192549508-0
                                      APIs
                                      • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00416E98
                                      • CreateCompatibleDC.GDI32(00000000), ref: 00416EA5
                                        • Part of subcall function 004172DF: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 0041730F
                                      • CreateCompatibleBitmap.GDI32(00000000,?), ref: 00416F1B
                                      • DeleteDC.GDI32(00000000), ref: 00416F32
                                      • DeleteDC.GDI32(00000000), ref: 00416F35
                                      • DeleteObject.GDI32(00000000), ref: 00416F38
                                      • SelectObject.GDI32(00000000,00000000), ref: 00416F59
                                      • DeleteDC.GDI32(00000000), ref: 00416F6A
                                      • DeleteDC.GDI32(00000000), ref: 00416F6D
                                      • StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,?,?,00CC0020), ref: 00416F91
                                      • GetIconInfo.USER32(?,?), ref: 00416FC5
                                      • DeleteObject.GDI32(?), ref: 00416FF4
                                      • DeleteObject.GDI32(?), ref: 00417001
                                      • DrawIcon.USER32(00000000,?,?,?), ref: 0041700E
                                      • GetObjectA.GDI32(00000000,00000018,?), ref: 00417026
                                      • LocalAlloc.KERNEL32(00000040,00000001), ref: 00417095
                                      • GlobalAlloc.KERNEL32(00000000,?), ref: 00417104
                                      • GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00417128
                                      • DeleteDC.GDI32(?), ref: 0041713C
                                      • DeleteDC.GDI32(00000000), ref: 0041713F
                                      • DeleteObject.GDI32(00000000), ref: 00417142
                                      • GlobalFree.KERNEL32(?), ref: 0041714D
                                      • DeleteObject.GDI32(00000000), ref: 00417201
                                      • GlobalFree.KERNEL32(?), ref: 00417208
                                      • DeleteDC.GDI32(?), ref: 00417218
                                      • DeleteDC.GDI32(00000000), ref: 00417223
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      • API ID: Delete$Object$CreateGlobal$AllocCompatibleFreeIcon$BitmapBitsDisplayDrawEnumInfoLocalSelectSettingsStretch
                                      • String ID: DISPLAY
                                      • API String ID: 479521175-865373369
                                      APIs
                                      • GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 00416474
                                      • GetProcAddress.KERNEL32(00000000), ref: 00416477
                                      • GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 00416488
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041648B
                                      • GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 0041649C
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041649F
                                      • GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 004164B0
                                      • GetProcAddress.KERNEL32(00000000), ref: 004164B3
                                      • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00416555
                                      • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 0041656D
                                      • GetThreadContext.KERNEL32(?,00000000), ref: 00416583
                                      • ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 004165A9
                                      • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0041662B
                                      • TerminateProcess.KERNEL32(?,00000000), ref: 0041663F
                                      • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 0041667F
                                      • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00416749
                                      • SetThreadContext.KERNEL32(?,00000000), ref: 00416766
                                      • ResumeThread.KERNEL32(?), ref: 00416773
                                      • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0041678A
                                      • GetCurrentProcess.KERNEL32(?), ref: 00416795
                                      • TerminateProcess.KERNEL32(?,00000000), ref: 004167B0
                                      • GetLastError.KERNEL32 ref: 004167B8
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      • API ID: Process$AddressHandleModuleProc$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
                                      • String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$ntdll
                                      • API String ID: 4188446516-3035715614
                                      APIs
                                        • Part of subcall function 004112B5: TerminateProcess.KERNEL32(00000000,?,0040C3C8), ref: 004112C5
                                        • Part of subcall function 004112B5: WaitForSingleObject.KERNEL32(000000FF,?,0040C3C8), ref: 004112D8
                                      • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040C0D6
                                      • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040C0E9
                                      • SetFileAttributesW.KERNEL32(?,00000080), ref: 0040C102
                                      • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 0040C132
                                        • Part of subcall function 0040A7F2: TerminateThread.KERNEL32(00409305,00000000,004721E8,0040BC76,?,00472200,pth_unenc,004721E8), ref: 0040A801
                                        • Part of subcall function 0040A7F2: UnhookWindowsHookEx.USER32(?), ref: 0040A811
                                        • Part of subcall function 0040A7F2: TerminateThread.KERNEL32(004092EF,00000000,?,00472200,pth_unenc,004721E8), ref: 0040A823
                                        • Part of subcall function 0041A17B: CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041A29A,00000000,00000000,00000000), ref: 0041A1BA
                                      • ShellExecuteW.SHELL32(00000000,open,00000000,00469654,00469654,00000000), ref: 0040C37D
                                      • ExitProcess.KERNEL32 ref: 0040C389
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                      • String ID: """, 0$")$CreateObject("WScript.Shell").Run "cmd /c ""$H"G$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$t<F$wend$while fso.FileExists("
                                      • API String ID: 1861856835-1953526029
                                      • Opcode ID: 10d0c7ff4f1d806eef4ddcd080fba36a068473baf966d624ed17e78b73616814
                                      • Instruction ID: 20f5f97700cb48a3d0b4a42ff25d793d854bdbfc6fb2dd54058f707cc559a17d
                                      • Opcode Fuzzy Hash: 10d0c7ff4f1d806eef4ddcd080fba36a068473baf966d624ed17e78b73616814
                                      • Instruction Fuzzy Hash: 579180712042405AC314FB62D8929EF77E99F90708F50453FB586B31E3EE789E49C69E
                                      APIs
                                      • CreateMutexA.KERNEL32(00000000,00000001,00000000,00472200,00471FFC,00000000), ref: 00410EF9
                                      • ExitProcess.KERNEL32(00000000), ref: 00410F05
                                      • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00410F7F
                                      • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00410F8E
                                      • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00410F99
                                      • CloseHandle.KERNEL32(00000000), ref: 00410FA0
                                      • GetCurrentProcessId.KERNEL32 ref: 00410FA6
                                      • PathFileExistsW.SHLWAPI(?), ref: 00410FD7
                                      • GetTempPathW.KERNEL32(00000104,?), ref: 0041103A
                                      • GetTempFileNameW.KERNEL32(?,temp_,00000000,?), ref: 00411054
                                      • lstrcatW.KERNEL32(?,.exe), ref: 00411066
                                        • Part of subcall function 0041A17B: CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041A29A,00000000,00000000,00000000), ref: 0041A1BA
                                      • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 004110A6
                                      • Sleep.KERNEL32(000001F4), ref: 004110E7
                                      • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 004110FC
                                      • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00411107
                                      • CloseHandle.KERNEL32(00000000), ref: 0041110E
                                      • GetCurrentProcessId.KERNEL32 ref: 00411114
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Process$File$Create$CloseCurrentHandleObjectOpenPathSingleTempWait$ExecuteExistsExitMutexNameShellSleeplstrcat
                                      • String ID: (#G$.exe$H"G$WDH$exepath$open$temp_
                                      • API String ID: 2649220323-71629269
                                      • Opcode ID: 2d259c07ed95d09e60fa5efe04e2d1ca5b77bcbd3679d1c800de5877fac34894
                                      • Instruction ID: 69aa2ac3f34532c799e46254488c9bc95b38e37df126af38d98eea17990f3aaa
                                      • Opcode Fuzzy Hash: 2d259c07ed95d09e60fa5efe04e2d1ca5b77bcbd3679d1c800de5877fac34894
                                      • Instruction Fuzzy Hash: 9D51A671A003196BDF10A7A09C59EEE336D9B04715F5041BBF605A31E2EFBC8E86875D
                                      APIs
                                      • _wcslen.LIBCMT ref: 0040B882
                                      • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,00471FFC), ref: 0040B89B
                                      • CopyFileW.KERNEL32(0046FB08,00000000,00000000,00000000,00000000,00000000,?,00471FFC), ref: 0040B952
                                      • _wcslen.LIBCMT ref: 0040B968
                                      • CopyFileW.KERNEL32(0046FB08,00000000,00000000,00000000), ref: 0040B9E0
                                      • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040BA22
                                      • _wcslen.LIBCMT ref: 0040BA25
                                      • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040BA3C
                                      • ShellExecuteW.SHELL32(00000000,open,00000000,00469654,00469654,00000000), ref: 0040BC2A
                                      • ExitProcess.KERNEL32 ref: 0040BC36
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: File$_wcslen$AttributesCopy$CreateDirectoryExecuteExitProcessShell
                                      • String ID: """, 0$6$CreateObject("WScript.Shell").Run "cmd /c ""$Set fso = CreateObject("Scripting.FileSystemObject")$Temp$WScript.Sleep 1000$\install.vbs$fso.DeleteFile $fso.DeleteFile(Wscript.ScriptFullName)$open$!G$!G
                                      • API String ID: 2743683619-2376316431
                                      • Opcode ID: 2d8f1c55d0f0c7d88b14490434e7e409f023ec492faccedf176980d1ad0b2fd8
                                      • Instruction ID: 1f37921bc36cc04280d9be7a1af933bc03f5727a4608831148a2c1203a4a5f71
                                      • Opcode Fuzzy Hash: 2d8f1c55d0f0c7d88b14490434e7e409f023ec492faccedf176980d1ad0b2fd8
                                      • Instruction Fuzzy Hash: CA9161712083415BC218F766DC92EAF77D8AF90708F50043FF546A61E2EE7C9A49C69E
                                      APIs
                                        • Part of subcall function 004112B5: TerminateProcess.KERNEL32(00000000,?,0040C3C8), ref: 004112C5
                                        • Part of subcall function 004112B5: WaitForSingleObject.KERNEL32(000000FF,?,0040C3C8), ref: 004112D8
                                      • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,00472200,pth_unenc,004721E8), ref: 0040BD63
                                      • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040BD76
                                      • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,00472200,pth_unenc,004721E8), ref: 0040BDA6
                                      • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,00472200,pth_unenc,004721E8), ref: 0040BDB5
                                        • Part of subcall function 0040A7F2: TerminateThread.KERNEL32(00409305,00000000,004721E8,0040BC76,?,00472200,pth_unenc,004721E8), ref: 0040A801
                                        • Part of subcall function 0040A7F2: UnhookWindowsHookEx.USER32(?), ref: 0040A811
                                        • Part of subcall function 0040A7F2: TerminateThread.KERNEL32(004092EF,00000000,?,00472200,pth_unenc,004721E8), ref: 0040A823
                                        • Part of subcall function 00419959: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040405C), ref: 00419980
                                      • ShellExecuteW.SHELL32(00000000,open,00000000,00469654,00469654,00000000), ref: 0040BFD0
                                      • ExitProcess.KERNEL32 ref: 0040BFD7
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                      • String ID: ")$.vbs$H"G$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$pth_unenc$wend$while fso.FileExists("
                                      • API String ID: 3797177996-2974882535
                                      • Opcode ID: 631efead2f1a7aa74ba651dc5d5e4e8b052369c469df6eda5620e8cdf42f0076
                                      • Instruction ID: 6c8f8b33712d81dc7036d24bc004af62d002185c7e194acf753e7914dc64dab3
                                      • Opcode Fuzzy Hash: 631efead2f1a7aa74ba651dc5d5e4e8b052369c469df6eda5620e8cdf42f0076
                                      • Instruction Fuzzy Hash: DD816E716042405AC714FB62D8929EF77A8AF90708F10443FF586A71E2EF789E49C69E
                                      APIs
                                      • mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 004190F2
                                      • mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 00419106
                                      • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,00463050), ref: 0041912E
                                      • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00471E78,00000000), ref: 00419144
                                      • mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 00419185
                                      • mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041919D
                                      • mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 004191B2
                                      • SetEvent.KERNEL32 ref: 004191CF
                                      • WaitForSingleObject.KERNEL32(000001F4), ref: 004191E0
                                      • CloseHandle.KERNEL32 ref: 004191F0
                                      • mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 00419212
                                      • mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041921C
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
                                      • String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped
                                      • API String ID: 738084811-1354618412
                                      • Opcode ID: 86fd4772b83d80fa8e497525ba6a2bc9e4fac7079830c2c2d6cb57e0af13d410
                                      • Instruction ID: 6660e32d934ed13bda46fa62e77153e47455c80990ba371f4f5bcee5a70a39dd
                                      • Opcode Fuzzy Hash: 86fd4772b83d80fa8e497525ba6a2bc9e4fac7079830c2c2d6cb57e0af13d410
                                      • Instruction Fuzzy Hash: 6C5191712043056BD604FB75DC96EBF369CDB81398F10053FF44A621E2EE789D898A6E
                                      APIs
                                      • CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AB9
                                      • WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401AE3
                                      • WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401AF3
                                      • WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401B03
                                      • WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401B13
                                      • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401B23
                                      • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B34
                                      • WriteFile.KERNEL32(00000000,0046FA9A,00000002,00000000,00000000), ref: 00401B45
                                      • WriteFile.KERNEL32(00000000,0046FA9C,00000004,00000000,00000000), ref: 00401B55
                                      • WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401B65
                                      • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B76
                                      • WriteFile.KERNEL32(00000000,0046FAA6,00000002,00000000,00000000), ref: 00401B87
                                      • WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401B97
                                      • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401BA7
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: File$Write$Create
                                      • String ID: RIFF$WAVE$data$fmt
                                      • API String ID: 1602526932-4212202414
                                      • Opcode ID: e953cdad80a2b5f15463d19f06cbbe214ca4708b9acf4e214683fef01c63ba87
                                      • Instruction ID: fa9573d22dfebaa7cc70b9682dc8642ba3498ee27ac2ec60dc87a96e6c13d219
                                      • Opcode Fuzzy Hash: e953cdad80a2b5f15463d19f06cbbe214ca4708b9acf4e214683fef01c63ba87
                                      • Instruction Fuzzy Hash: 46416F726543197AE210DB91DD85FBB7EECEB85B50F40042AF648D6080E7A4E909DBB3
                                      APIs
                                      • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0041382B
                                      • LoadLibraryA.KERNEL32(?), ref: 0041386D
                                      • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 0041388D
                                      • FreeLibrary.KERNEL32(00000000), ref: 00413894
                                      • LoadLibraryA.KERNEL32(?), ref: 004138CC
                                      • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 004138DE
                                      • FreeLibrary.KERNEL32(00000000), ref: 004138E5
                                      • GetProcAddress.KERNEL32(00000000,?), ref: 004138F4
                                      • FreeLibrary.KERNEL32(00000000), ref: 0041390B
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Library$AddressFreeProc$Load$DirectorySystem
                                      • String ID: \ws2_32$\wship6$`3A$freeaddrinfo$getaddrinfo$getnameinfo
                                      • API String ID: 2490988753-3443138237
                                      • Opcode ID: 21b812c9e8c8c8e619d1227956d82128857f9ec353fd6b4c7c84cf26c4fc7a8e
                                      • Instruction ID: d28fd91e0c22c3548fe93de424e57890752fc739e59a71d3c7449bb4191d4936
                                      • Opcode Fuzzy Hash: 21b812c9e8c8c8e619d1227956d82128857f9ec353fd6b4c7c84cf26c4fc7a8e
                                      • Instruction Fuzzy Hash: 8831C0B2502315ABC720AF25DC489CBBBEC9F48755F41062AF84593251E7B8CE8486AE
                                      APIs
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: _free$EnvironmentVariable$_wcschr
                                      • String ID:
                                      • API String ID: 3899193279-0
                                      • Opcode ID: 7152c14c9f043405eb9b9a37d5c5f1e16380f97c3d25ee63cda43d2d9904c190
                                      • Instruction ID: f90cfe9d57a3c7213274ca364bab7ea13f4483d5bd7e80e8c07ab134bc70d503
                                      • Opcode Fuzzy Hash: 7152c14c9f043405eb9b9a37d5c5f1e16380f97c3d25ee63cda43d2d9904c190
                                      • Instruction Fuzzy Hash: 80D136719023007BFB60AF7598C166B7BA4AF15718F09817FF985A7381FB3989008B5D
                                      APIs
                                      • ___free_lconv_mon.LIBCMT ref: 0044E4EA
                                        • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D6FF
                                        • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D711
                                        • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D723
                                        • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D735
                                        • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D747
                                        • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D759
                                        • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D76B
                                        • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D77D
                                        • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D78F
                                        • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D7A1
                                        • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D7B3
                                        • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D7C5
                                        • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D7D7
                                      • _free.LIBCMT ref: 0044E4DF
                                        • Part of subcall function 00443C92: HeapFree.KERNEL32(00000000,00000000,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?), ref: 00443CA8
                                        • Part of subcall function 00443C92: GetLastError.KERNEL32(?,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?,?), ref: 00443CBA
                                      • _free.LIBCMT ref: 0044E501
                                      • _free.LIBCMT ref: 0044E516
                                      • _free.LIBCMT ref: 0044E521
                                      • _free.LIBCMT ref: 0044E543
                                      • _free.LIBCMT ref: 0044E556
                                      • _free.LIBCMT ref: 0044E564
                                      • _free.LIBCMT ref: 0044E56F
                                      • _free.LIBCMT ref: 0044E5A7
                                      • _free.LIBCMT ref: 0044E5AE
                                      • _free.LIBCMT ref: 0044E5CB
                                      • _free.LIBCMT ref: 0044E5E3
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                      • String ID: pF
                                      • API String ID: 161543041-2973420481
                                      • Opcode ID: b166b7e86ef1a7ddfa2e36ec319a6e916c21ca5d81851e2e5517d42b5c42f7b7
                                      • Instruction ID: 6e8371ae3b83bc2427c047bff221b97f6cd80994471b0a2caeb41cff5b169df7
                                      • Opcode Fuzzy Hash: b166b7e86ef1a7ddfa2e36ec319a6e916c21ca5d81851e2e5517d42b5c42f7b7
                                      • Instruction Fuzzy Hash: D4315072500304AFFB205E7AD945B5BB3E5BF00719F55851FE488D6251EE39ED408B18
                                      APIs
                                      • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 004118B2
                                        • Part of subcall function 00419959: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040405C), ref: 00419980
                                        • Part of subcall function 004168A6: CloseHandle.KERNEL32(004040D5,?,?,004040D5,00462E24), ref: 004168BC
                                        • Part of subcall function 004168A6: CloseHandle.KERNEL32($.F,?,?,004040D5,00462E24), ref: 004168C5
                                      • Sleep.KERNEL32(0000000A,00462E24), ref: 00411A01
                                      • Sleep.KERNEL32(0000000A,00462E24,00462E24), ref: 00411AA3
                                      • Sleep.KERNEL32(0000000A,00462E24,00462E24,00462E24), ref: 00411B42
                                      • DeleteFileW.KERNEL32(00000000,00462E24,00462E24,00462E24), ref: 00411B9F
                                      • DeleteFileW.KERNEL32(00000000,00462E24,00462E24,00462E24), ref: 00411BCF
                                      • DeleteFileW.KERNEL32(00000000,00462E24,00462E24,00462E24), ref: 00411C05
                                      • Sleep.KERNEL32(000001F4,00462E24,00462E24,00462E24), ref: 00411C25
                                      • Sleep.KERNEL32(00000064), ref: 00411C63
                                        • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
                                      • String ID: /stext "$$.F$@#G$@#G
                                      • API String ID: 1223786279-2596709126
                                      • Opcode ID: bd53cf9864bd20e9c524ce1cfd37af81de888470282f81bcb092bebe0936cb7c
                                      • Instruction ID: f36e1428a9e5a2dc2e21cca38a330b771dfaab2ce7ac60874593ee94e899fa44
                                      • Opcode Fuzzy Hash: bd53cf9864bd20e9c524ce1cfd37af81de888470282f81bcb092bebe0936cb7c
                                      • Instruction Fuzzy Hash: 1CF154311083415AD328FB65D896AEFB3D5AFD0348F40093FF586521E2EF789A4DC69A
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: _free
                                      • String ID: pF
                                      • API String ID: 269201875-2973420481
                                      • Opcode ID: 2d61484940682ee786660686f26dc7be5fdbe1d580820abb244bed0f912383bb
                                      • Instruction ID: 42ad863364e9847d0c0ab7d3fc56807329b255bf3c924c15ca724e031f0c4a7b
                                      • Opcode Fuzzy Hash: 2d61484940682ee786660686f26dc7be5fdbe1d580820abb244bed0f912383bb
                                      • Instruction Fuzzy Hash: 4CC17576D40204ABEB20DFA9CC82FEE77F8AF09B05F154156FE04FB282D674A9458754
                                      APIs
                                      • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00472248,00471FFC,?,00000001), ref: 0040DE4E
                                      • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000001), ref: 0040DE79
                                      • Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040DE95
                                      • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040DF14
                                      • CloseHandle.KERNEL32(00000000,?,00000000,?,?,00000001), ref: 0040DF23
                                        • Part of subcall function 00419F87: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000), ref: 00419F9C
                                      • CreateMutexA.KERNEL32(00000000,00000001,00000000,00000000,?,00000001), ref: 0040E047
                                      • CloseHandle.KERNEL32(00000000,C:\Program Files(x86)\Internet Explorer\,?,00000001), ref: 0040E133
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseCreateHandleProcess32$FileFirstModuleMutexNameNextOpenProcessSnapshotToolhelp32
                                      • String ID: 0"G$C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe$!G
                                      • API String ID: 193334293-3226144251
                                      • Opcode ID: cf6d12ac23d3bea58c4b9e5c443ef1de1d55369046223e9cec53eb66751e9ba7
                                      • Instruction ID: 8a3cf51a80cb2752f7e3b1027b115d9c77e2b7a511041fa54b012784d9d6af0a
                                      • Opcode Fuzzy Hash: cf6d12ac23d3bea58c4b9e5c443ef1de1d55369046223e9cec53eb66751e9ba7
                                      • Instruction Fuzzy Hash: DB8121305083419BCA54FB61D8919EEB7E4AFA0348F40493FF586631E2EF78994DC75A
                                      APIs
                                      • DefWindowProcA.USER32(?,00000401,?,?), ref: 0041B38F
                                      • GetCursorPos.USER32(?), ref: 0041B39E
                                      • SetForegroundWindow.USER32(?), ref: 0041B3A7
                                      • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041B3C1
                                      • Shell_NotifyIconA.SHELL32(00000002,00471AE0), ref: 0041B412
                                      • ExitProcess.KERNEL32 ref: 0041B41A
                                      • CreatePopupMenu.USER32 ref: 0041B420
                                      • AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041B435
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
                                      • String ID: Close
                                      • API String ID: 1657328048-3535843008
                                      APIs
                                      Similarity
                                      • API ID: _free$Info
                                      • String ID:
                                      • API String ID: 2509303402-0
                                      APIs
                                      • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 00407D1F
                                      • GetFileSizeEx.KERNEL32(00000000,?), ref: 00407D57
                                      • __aulldiv.LIBCMT ref: 00407D89
                                        • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                                        • Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4
                                      • SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 00407EAC
                                      • ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00407EC7
                                      • CloseHandle.KERNEL32(00000000), ref: 00407FA0
                                      • CloseHandle.KERNEL32(00000000,00000052), ref: 00407FEA
                                      • CloseHandle.KERNEL32(00000000), ref: 00408038
                                      Similarity
                                      • API ID: File$CloseHandle$CreateLocalPointerReadSizeTime__aulldivsend
                                      • String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller:
                                      • API String ID: 3086580692-2596673759
                                      APIs
                                      • RegEnumKeyExA.ADVAPI32 ref: 0041A47F
                                      • RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 0041A4B0
                                      • RegCloseKey.ADVAPI32(?), ref: 0041A749
                                      Similarity
                                      • API ID: CloseEnumOpen
                                      • String ID: DisplayName$DisplayVersion$InstallDate$InstallLocation$Publisher$UninstallString
                                      • API String ID: 1332880857-3730529168
                                      APIs
                                        • Part of subcall function 004112B5: TerminateProcess.KERNEL32(00000000,?,0040C3C8), ref: 004112C5
                                        • Part of subcall function 004112B5: WaitForSingleObject.KERNEL32(000000FF,?,0040C3C8), ref: 004112D8
                                        • Part of subcall function 004120E8: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,origmsc), ref: 00412104
                                        • Part of subcall function 004120E8: RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,000003E8,?), ref: 0041211D
                                        • Part of subcall function 004120E8: RegCloseKey.ADVAPI32(00000000), ref: 00412128
                                      • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040C412
                                      • ShellExecuteW.SHELL32(00000000,open,00000000,00469654,00469654,00000000), ref: 0040C571
                                      • ExitProcess.KERNEL32 ref: 0040C57D
                                      Similarity
                                      • API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
                                      • String ID: """, 0$.vbs$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$H"G$Temp$exepath$open
                                      • API String ID: 1913171305-2600661426
                                      APIs
                                      • connect.WS2_32(?,?,?), ref: 004048C0
                                      • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 004049E0
                                      • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 004049EE
                                      • WSAGetLastError.WS2_32 ref: 00404A01
                                        • Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4
                                      Similarity
                                      • API ID: CreateEvent$ErrorLastLocalTimeconnect
                                      • String ID: Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
                                      • API String ID: 994465650-2151626615
                                      APIs
                                        • Part of subcall function 00452A89: CreateFileW.KERNEL32(?,00000008,00000007,d.E,?,?,00000000,?,00452E64,00000000,0000000C), ref: 00452AA6
                                      • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,FF8BC35D), ref: 00452ECF
                                      • __dosmaperr.LIBCMT ref: 00452ED6
                                      • GetFileType.KERNEL32(00000000), ref: 00452EE2
                                      • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,FF8BC35D), ref: 00452EEC
                                      • __dosmaperr.LIBCMT ref: 00452EF5
                                      • CloseHandle.KERNEL32(00000000), ref: 00452F15
                                      • CloseHandle.KERNEL32(00000000), ref: 0045305F
                                      • GetLastError.KERNEL32 ref: 00453091
                                      • __dosmaperr.LIBCMT ref: 00453098
                                      Similarity
                                      • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                      • String ID: H
                                      • API String ID: 4237864984-2852464175
                                      Similarity
                                      • API ID:
                                      • String ID: 65535$udp
                                      • API String ID: 0-1267037602
                                      APIs
                                      • __Init_thread_footer.LIBCMT ref: 00409C81
                                      • Sleep.KERNEL32(000001F4), ref: 00409C8C
                                      • GetForegroundWindow.USER32 ref: 00409C92
                                      • GetWindowTextLengthW.USER32(00000000), ref: 00409C9B
                                      • GetWindowTextW.USER32(00000000,00000000,00000000), ref: 00409CCF
                                      • Sleep.KERNEL32(000003E8), ref: 00409D9D
                                        • Part of subcall function 0040962E: SetEvent.KERNEL32(?,?,00000000,0040A156,00000000), ref: 0040965A
                                      Similarity
                                      • API ID: Window$SleepText$EventForegroundInit_thread_footerLength
                                      • String ID: [${ User has been idle for $ minutes }$]
                                      • API String ID: 911427763-3954389425
                                      APIs
                                      • GetLongPathNameW.KERNEL32(00000000,?,00000208), ref: 0040C753
                                      Similarity
                                      • API ID: LongNamePath
                                      • String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
                                      • API String ID: 82841172-425784914
                                      APIs
                                      • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D35,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00438632
                                      • GetLastError.KERNEL32(?,?,00401D35,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043863F
                                      • __dosmaperr.LIBCMT ref: 00438646
                                      • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D35,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00438672
                                      • GetLastError.KERNEL32(?,?,?,00401D35,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043867C
                                      • __dosmaperr.LIBCMT ref: 00438683
                                      • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401D35,?), ref: 004386C6
                                      • GetLastError.KERNEL32(?,?,?,?,?,?,00401D35,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004386D0
                                      • __dosmaperr.LIBCMT ref: 004386D7
                                      • _free.LIBCMT ref: 004386E3
                                      • _free.LIBCMT ref: 004386EA
                                      Similarity
                                      • API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
                                      • String ID:
                                      • API String ID: 2441525078-0
                                      APIs
                                      Similarity
                                      • API ID: _free
                                      • String ID: pF$tF
                                      • API String ID: 269201875-2954683558
                                      APIs
                                      • SetEvent.KERNEL32(?,?), ref: 0040549F
                                      • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040554F
                                      • TranslateMessage.USER32(?), ref: 0040555E
                                      • DispatchMessageA.USER32(?), ref: 00405569
                                      • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00471F10), ref: 00405621
                                      • HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 00405659
                                        • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                                      Similarity
                                      • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
                                      • String ID: CloseChat$DisplayMessage$GetMessage
                                      • API String ID: 2956720200-749203953
                                      APIs
                                        • Part of subcall function 0041626A: __EH_prolog.LIBCMT ref: 0041626F
                                      • WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,00463050), ref: 0041611A
                                      • CloseHandle.KERNEL32(00000000), ref: 00416123
                                      • DeleteFileA.KERNEL32(00000000), ref: 00416132
                                      • ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 004160E6
                                        • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                                      Similarity
                                      • API ID: CloseDeleteExecuteFileH_prologHandleObjectShellSingleWaitsend
                                      • String ID: <$@$@%G$@%G$Temp
                                      • API String ID: 1704390241-4139030828
                                      APIs
                                      • OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,00000001,?,?,?,?,?,?,0041843C,00000000), ref: 00418AD2
                                      • OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,0041843C,00000000), ref: 00418AE9
                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041843C,00000000), ref: 00418AF6
                                      • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041843C,00000000), ref: 00418B05
                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041843C,00000000), ref: 00418B16
                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041843C,00000000), ref: 00418B19
                                      Similarity
                                      • API ID: Service$CloseHandle$Open$ControlManager
                                      • String ID:
                                      • API String ID: 221034970-0
                                      APIs
                                      • _free.LIBCMT ref: 00445645
                                        • Part of subcall function 00443C92: HeapFree.KERNEL32(00000000,00000000,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?), ref: 00443CA8
                                        • Part of subcall function 00443C92: GetLastError.KERNEL32(?,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?,?), ref: 00443CBA
                                      • _free.LIBCMT ref: 00445651
                                      • _free.LIBCMT ref: 0044565C
                                      • _free.LIBCMT ref: 00445667
                                      • _free.LIBCMT ref: 00445672
                                      • _free.LIBCMT ref: 0044567D
                                      • _free.LIBCMT ref: 00445688
                                      • _free.LIBCMT ref: 00445693
                                      • _free.LIBCMT ref: 0044569E
                                      • _free.LIBCMT ref: 004456AC
                                      Similarity
                                      • API ID: _free$ErrorFreeHeapLast
                                      • String ID:
                                      • API String ID: 776569668-0
                                      APIs
                                      • __EH_prolog.LIBCMT ref: 00417F6F
                                      • GdiplusStartup.GDIPLUS(00471668,?,00000000), ref: 00417FA1
                                      • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 0041802D
                                      • Sleep.KERNEL32(000003E8), ref: 004180B3
                                      • GetLocalTime.KERNEL32(?), ref: 004180BB
                                      • Sleep.KERNEL32(00000000,00000018,00000000), ref: 004181AA
                                      Similarity
                                      • API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
                                      • String ID: time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i
                                      • API String ID: 489098229-3790400642
                                      APIs
                                      • Sleep.KERNEL32(00001388), ref: 00409738
                                        • Part of subcall function 0040966D: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00409745), ref: 004096A3
                                        • Part of subcall function 0040966D: GetFileSize.KERNEL32(00000000,00000000,?,?,?,00409745), ref: 004096B2
                                        • Part of subcall function 0040966D: Sleep.KERNEL32(00002710,?,?,?,00409745), ref: 004096DF
                                        • Part of subcall function 0040966D: CloseHandle.KERNEL32(00000000,?,?,?,00409745), ref: 004096E6
                                      • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00409774
                                      • GetFileAttributesW.KERNEL32(00000000), ref: 00409785
                                      • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 0040979C
                                      • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 00409816
                                        • Part of subcall function 0041A20F: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040410F,00462E24), ref: 0041A228
                                      • SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00469654,00000000,00000000,00000000), ref: 0040991F
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
                                      • String ID: H"G$H"G
                                      • API String ID: 3795512280-1424798214
                                      • Opcode ID: 671ef836078558126b4631db4dc3394edfc305a4d04f8952e6c39a6f844ac237
                                      • Instruction ID: 85d6828eff9e87111454ffe40de9a07a949f8ec8799fb43d86416e8e02d17308
                                      • Opcode Fuzzy Hash: 671ef836078558126b4631db4dc3394edfc305a4d04f8952e6c39a6f844ac237
                                      • Instruction Fuzzy Hash: 9D513D712043015BCB14BB72C9A6ABF76999F90308F00453FB946B72E3DF7D9D09869A
                                      APIs
                                      • DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,004541DF), ref: 00453107
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: DecodePointer
                                      • String ID: acos$asin$exp$log$log10$pow$sqrt
                                      • API String ID: 3527080286-3064271455
                                      • Opcode ID: f53d904abd5658a060f413a89978d0306c3294a3021a30185663c10ae64f840c
                                      • Instruction ID: 9333e61b372fbf41addd7e909d3efe481a8fa84217f9852f3907f1ba123c2b47
                                      • Opcode Fuzzy Hash: f53d904abd5658a060f413a89978d0306c3294a3021a30185663c10ae64f840c
                                      • Instruction Fuzzy Hash: CC518F30900909DBCF10DFA8E9480ADBBB0FF0A347F644196EC81A7216CB799A1DDB1D
                                      APIs
                                      • ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 00415A1A
                                        • Part of subcall function 0041A20F: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040410F,00462E24), ref: 0041A228
                                      • Sleep.KERNEL32(00000064), ref: 00415A46
                                      • DeleteFileW.KERNEL32(00000000), ref: 00415A7A
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: File$CreateDeleteExecuteShellSleep
                                      • String ID: /t $\sysinfo.txt$dxdiag$open$temp
                                      • API String ID: 1462127192-2001430897
                                      • Opcode ID: c216d361bb9ef99ebd7f865ddf1f7fdade912dea526e25dca7a569b2ba1e0d71
                                      • Instruction ID: 7fbd65b43d39327dc9f625a99f058064c4c6325298edc9245ab65683dcac2845
                                      • Opcode Fuzzy Hash: c216d361bb9ef99ebd7f865ddf1f7fdade912dea526e25dca7a569b2ba1e0d71
                                      • Instruction Fuzzy Hash: FA315E719402199ACB04FBA1DC96DEE7768EF50308F40017FF506731E2EE785E8ACA99
                                      APIs
                                      • ShellExecuteW.SHELL32(00000000,open,00000000,00469654,00469654,00000000), ref: 00406775
                                      • ExitProcess.KERNEL32 ref: 00406782
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ExecuteExitProcessShell
                                      • String ID: H"G$Software\Classes\mscfile\shell\open\command$eventvwr.exe$mscfile\shell\open\command$open$origmsc
                                      • API String ID: 1124553745-1488154373
                                      • Opcode ID: 8e5fad59d86c60b71b0e885ed10285bbf14514be7c7ad01d69b843f0820051ef
                                      • Instruction ID: 062031feec86e4e4641db6525c6f69cb17b792298443eef288e26788f9a4eac4
                                      • Opcode Fuzzy Hash: 8e5fad59d86c60b71b0e885ed10285bbf14514be7c7ad01d69b843f0820051ef
                                      • Instruction Fuzzy Hash: 36110571A4420166D704B7A2DC57FEF32689B10B09F50003FF906B61D2EEBC5A4982DE
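The two records above describe, respectively, host reconnaissance (ShellExecuteW of `dxdiag` with `/t ` and `\sysinfo.txt` under `temp`, a short Sleep, then DeleteFileW of the report) and the eventvwr.exe UAC bypass (ShellExecuteW `open` next to the strings `Software\Classes\mscfile\shell\open\command`, `eventvwr.exe` and `origmsc`). eventvwr.exe auto-elevates and opens its console through the `mscfile` file-association handler, and HKCU\Software\Classes takes precedence over the machine-wide association, so whatever is written to that per-user key runs at high integrity (ATT&CK T1548.002); that `origmsc` names a saved copy of the original handler value is an inference from the string, not something the record states. The detection logic below is an added example, not code from this report or from Remcos. The Sysmon-style events are constructed, and the field names `ts`, `id`, `image`, `cmd`, `target` and `details` are simplified stand-ins for Sysmon's UtcTime, EventID, Image, CommandLine, TargetObject and Details.

```python
# Added example (not from the Joe Sandbox report): detection logic for the two
# behaviours recorded above, run over constructed Sysmon-style events.
import re
from datetime import datetime

# Constructed events in a simplified Sysmon shape: id 1 = process create,
# id 13 = registry value set. Paths, SIDs, PIDs and timestamps are made up.
SAMPLE_EVENTS = [
    {"ts": "2024-10-22T10:00:01", "id": 1, "pid": 4120, "ppid": 900, "user": "HOST\\u",
     "image": r"C:\Users\u\AppData\Roaming\remcos.exe",
     "cmd": r'"C:\Users\u\AppData\Roaming\remcos.exe"'},
    {"ts": "2024-10-22T10:00:02", "id": 1, "pid": 4300, "ppid": 4120, "user": "HOST\\u",
     "image": r"C:\Windows\System32\dxdiag.exe",
     "cmd": r"dxdiag /t C:\Users\u\AppData\Local\Temp\sysinfo.txt"},
    {"ts": "2024-10-22T10:00:05", "id": 13, "pid": 4120, "user": "HOST\\u",
     "image": r"C:\Users\u\AppData\Roaming\remcos.exe",
     "target": r"HKU\S-1-5-21-1-2-3-1001\Software\Classes\mscfile\shell\open\command\(Default)",
     "details": r"C:\Users\u\AppData\Roaming\remcos.exe"},
    {"ts": "2024-10-22T10:00:06", "id": 1, "pid": 4400, "ppid": 4120, "user": "HOST\\u",
     "image": r"C:\Windows\System32\eventvwr.exe", "cmd": "eventvwr.exe"},
    # Benign control: an administrator opening Event Viewer with no prior handler write.
    {"ts": "2024-10-22T11:30:00", "id": 1, "pid": 5000, "ppid": 900, "user": "HOST\\admin",
     "image": r"C:\Windows\System32\eventvwr.exe", "cmd": "eventvwr.exe"},
]

# The per-user mscfile handler key; Sysmon logs HKCU as HKU\<SID>.
MSCFILE_HANDLER = re.compile(r"\\Software\\Classes\\mscfile\\shell\\open\\command", re.IGNORECASE)
# dxdiag's /t switch writes the diagnostics report to the named text file.
DXDIAG_TO_FILE = re.compile(r"\s/t\s+\S+", re.IGNORECASE)


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def _image_is(event, name):
    return event["id"] == 1 and event["image"].lower().endswith("\\" + name)


def detect_dxdiag_recon(events):
    """dxdiag.exe launched with /t: a host inventory dumped to a file for collection."""
    return [
        {"rule": "dxdiag_report_to_file", "pid": e["pid"], "parent_pid": e.get("ppid"), "cmd": e["cmd"]}
        for e in events
        if _image_is(e, "dxdiag.exe") and DXDIAG_TO_FILE.search(e["cmd"])
    ]


def detect_mscfile_handler_writes(events):
    """Any value set under the per-user mscfile open handler deserves a look on its
    own: ordinary software does not register a per-user handler for .msc files."""
    return [
        {"rule": "mscfile_handler_write", "pid": e["pid"], "user": e["user"], "value": e.get("details", "")}
        for e in events
        if e["id"] == 13 and MSCFILE_HANDLER.search(e.get("target", ""))
    ]


def detect_eventvwr_hijack(events, window_seconds=300):
    """eventvwr.exe started by the same user within window_seconds after a handler
    write. The pairing is the signature of the bypass; an eventvwr.exe launch on
    its own is routine administrator activity and is not flagged."""
    writes = [e for e in events if e["id"] == 13 and MSCFILE_HANDLER.search(e.get("target", ""))]
    hits = []
    for e in events:
        if not _image_is(e, "eventvwr.exe"):
            continue
        for w in writes:
            delta = (_ts(e) - _ts(w)).total_seconds()
            if w["user"] == e["user"] and 0 <= delta <= window_seconds:
                hits.append({"rule": "eventvwr_mscfile_hijack", "eventvwr_pid": e["pid"],
                             "writer_pid": w["pid"], "handler_value": w.get("details", ""),
                             "seconds_after_write": delta})
    return hits


if __name__ == "__main__":
    for finding in (detect_dxdiag_recon(SAMPLE_EVENTS)
                    + detect_mscfile_handler_writes(SAMPLE_EVENTS)
                    + detect_eventvwr_hijack(SAMPLE_EVENTS)):
        print(finding)
```

The rules are meant for Event ID 13 and Event ID 1 telemetry rather than a point-in-time check; on a suspect host, the PowerShell command `Get-ItemProperty 'HKCU:\Software\Classes\mscfile\shell\open\command'` is the equivalent live check, and on a clean machine that key normally does not exist. The window is deliberately short because the sample calls ShellExecuteW and ExitProcess in the same routine, so the registry write and the eventvwr.exe launch land within seconds of each other.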
                                      APIs
                                      • AllocConsole.KERNEL32(00000001), ref: 0041AA5D
                                      • ShowWindow.USER32(00000000,00000000), ref: 0041AA76
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AllocConsoleShowWindow
                                      • String ID: * BreakingSecurity.net$ * Remcos v$--------------------------$--------------------------$3.8.0 Pro$CONOUT$
                                      • API String ID: 4118500197-4025029772
                                      • Opcode ID: 613498324cd6a8c522b436d369b4391aab2e08fe6d6e431343eccbd2d6afca2c
                                      • Instruction ID: 07661f9972e693547954b0fc743ee20e91627884e026026f5b86345d1a8b50cd
                                      • Opcode Fuzzy Hash: 613498324cd6a8c522b436d369b4391aab2e08fe6d6e431343eccbd2d6afca2c
                                      • Instruction Fuzzy Hash: CE015271D803586ADB10EBF59C06FDF77AC6B18708F54142BB100A7095E7FC950C4A2D
                                      APIs
                                      • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041B22B
                                        • Part of subcall function 0041B2C4: RegisterClassExA.USER32(00000030), ref: 0041B310
                                        • Part of subcall function 0041B2C4: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041B32B
                                        • Part of subcall function 0041B2C4: GetLastError.KERNEL32 ref: 0041B335
                                      • ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041B262
                                      • lstrcpynA.KERNEL32(00471AF8,Remcos,00000080), ref: 0041B27C
                                      • Shell_NotifyIconA.SHELL32(00000000,00471AE0), ref: 0041B292
                                      • TranslateMessage.USER32(?), ref: 0041B29E
                                      • DispatchMessageA.USER32(?), ref: 0041B2A8
                                      • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0041B2B5
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
                                      • String ID: Remcos
                                      • API String ID: 1970332568-165870891
                                      • Opcode ID: 6a629144b245819b38f2933f29616ef2380529a0a937335efbac9e54df28edc4
                                      • Instruction ID: 392c2ce23d615fe7cfca65c1bdf78dc563e79c4ff08160ae13be93183ad442b8
                                      • Opcode Fuzzy Hash: 6a629144b245819b38f2933f29616ef2380529a0a937335efbac9e54df28edc4
                                      • Instruction Fuzzy Hash: CD013971901308ABCB10DBB9ED4EEDB7BBCFB85B05F40417AF51992061D7B89489CB68
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: d7410a98b278d9d25d0fcdc47fb7c960ad5f7d9b58d6d06d1c87314e37a5ed65
                                      • Instruction ID: 53180985ac70b1d9c95f382170f9691aec8243d5c40cf1d2be039b65846bfc46
                                      • Opcode Fuzzy Hash: d7410a98b278d9d25d0fcdc47fb7c960ad5f7d9b58d6d06d1c87314e37a5ed65
                                      • Instruction Fuzzy Hash: 2DC12970D44245AFEB11DFA8D841BEEBBB0BF19304F04419AE844A7392C7798D51DB6B
                                      APIs
                                      • GetCPInfo.KERNEL32(?,?), ref: 0045100F
                                      • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00451092
                                      • __alloca_probe_16.LIBCMT ref: 004510CA
                                      • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00451125
                                      • __alloca_probe_16.LIBCMT ref: 00451174
                                      • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 0045113C
                                        • Part of subcall function 00443649: RtlAllocateHeap.NTDLL(00000000,00433069,?,?,004365E7,?,?,00000000,00473A38,?,0040C88A,00433069,?,?,?,?), ref: 0044367B
                                      • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 004511B8
                                      • __freea.LIBCMT ref: 004511E3
                                      • __freea.LIBCMT ref: 004511EF
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
                                      • String ID:
                                      • API String ID: 201697637-0
                                      • Opcode ID: 6ebe38f30125ab260d7bf90636684c5f617b7255880676fca2bd247c862c4a42
                                      • Instruction ID: 005ec385ace484c3041e352596739c7debf7d66643145b34d09858c349e559c3
                                      • Opcode Fuzzy Hash: 6ebe38f30125ab260d7bf90636684c5f617b7255880676fca2bd247c862c4a42
                                      • Instruction Fuzzy Hash: C191D632E002169BDB209EA5C881BAF7BB59F09716F14025BED00E7292D72DDD89C768
                                      APIs
                                        • Part of subcall function 00445725: GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
                                        • Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
                                        • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
                                        • Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3
                                      • _memcmp.LIBVCRUNTIME ref: 00442935
                                      • _free.LIBCMT ref: 004429A6
                                      • _free.LIBCMT ref: 004429BF
                                      • _free.LIBCMT ref: 004429F1
                                      • _free.LIBCMT ref: 004429FA
                                      • _free.LIBCMT ref: 00442A06
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: _free$ErrorLast$_abort_memcmp
                                      • String ID: C
                                      • API String ID: 1679612858-1037565863
                                      • Opcode ID: 3cd607daeafeb172cd12d40b3ef98e411c3f82b6d125e495381489309ccb8190
                                      • Instruction ID: aeaf983377083d43a1268bd0837f448671c9c2270315b144058cc99b7af0bbb4
                                      • Opcode Fuzzy Hash: 3cd607daeafeb172cd12d40b3ef98e411c3f82b6d125e495381489309ccb8190
                                      • Instruction Fuzzy Hash: C6B14B75A01219DFEB24DF19C984AAEB7B4FF08314F5045AEE849A7350E774AE90CF44
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: tcp$udp
                                      • API String ID: 0-3725065008
                                      • Opcode ID: 688bcc682103751b5d6e0fc50f4ff73081394bc5db4df513150874dffde81862
                                      • Instruction ID: 0146648cb9627796ba72a5075a1bb19f593c332394d5faf8ede73001e6eead87
                                      • Opcode Fuzzy Hash: 688bcc682103751b5d6e0fc50f4ff73081394bc5db4df513150874dffde81862
                                      • Instruction Fuzzy Hash: 0271AB306083029FDB24CF55C4456ABBBE5AB88B06F14483FF88587351DB78CE85CB8A
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Eventinet_ntoa
                                      • String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse
                                      • API String ID: 3578746661-168337528
                                      • Opcode ID: 9f8430c51871c80c74665717bbf62fde7bb4a1b9aedcca63b22f363a7fcccbf8
                                      • Instruction ID: 6b7c77c2de925f44c7fd0444b04eaa142d1c015a05a303cede5520b91582e870
                                      • Opcode Fuzzy Hash: 9f8430c51871c80c74665717bbf62fde7bb4a1b9aedcca63b22f363a7fcccbf8
                                      • Instruction Fuzzy Hash: 1B51C671A043005BC704FB35E81AAAE36A56B85304F50453FF942972E2EFBD998987CF
                                      APIs
                                      • CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00000000,00471E78,00462F54,?,00000000,0040708D,00000000), ref: 00406A56
                                      • WriteFile.KERNEL32(00000000,?,00000000,000186A0,00000000,?,000186A0,?,?,00000000,0040708D,00000000,?,?,0000000A,00000000), ref: 00406A9E
                                        • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                                      • CloseHandle.KERNEL32(00000000,?,00000000,0040708D,00000000,?,?,0000000A,00000000), ref: 00406ADE
                                      • MoveFileW.KERNEL32(00000000,00000000), ref: 00406AFB
                                      • CloseHandle.KERNEL32(00000000,00000057,?,00000008,?,?,?,?,?,?,?,0000000A,00000000), ref: 00406B26
                                      • DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,?,0000000A,00000000), ref: 00406B36
                                        • Part of subcall function 00404B76: WaitForSingleObject.KERNEL32(?,000000FF,00000000,00471E90,00404C29,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404B85
                                        • Part of subcall function 00404B76: SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040546B), ref: 00404BA3
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
                                      • String ID: .part
                                      • API String ID: 1303771098-3499674018
                                      • Opcode ID: b311657231bfd1ddbcc4a820267832357b1505ed209a9d42b0dbde4102a0be9c
                                      • Instruction ID: 678cfffe15af58d7f0b712f13b91f409224560124cae5e22a1f642ab954cf825
                                      • Opcode Fuzzy Hash: b311657231bfd1ddbcc4a820267832357b1505ed209a9d42b0dbde4102a0be9c
                                      • Instruction Fuzzy Hash: 183195715043519FC210FF61D8859AFB7E8EF84305F40493FB946A21E1DB78DE488B9A
                                      APIs
                                      • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,0043E2F6,0043E2F6,?,?,?,00447215,00000001,00000001,80E85006), ref: 0044701E
                                      • __alloca_probe_16.LIBCMT ref: 00447056
                                      • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00447215,00000001,00000001,80E85006,?,?,?), ref: 004470A4
                                      • __alloca_probe_16.LIBCMT ref: 0044713B
                                      • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,80E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0044719E
                                      • __freea.LIBCMT ref: 004471AB
                                        • Part of subcall function 00443649: RtlAllocateHeap.NTDLL(00000000,00433069,?,?,004365E7,?,?,00000000,00473A38,?,0040C88A,00433069,?,?,?,?), ref: 0044367B
                                      • __freea.LIBCMT ref: 004471B4
                                      • __freea.LIBCMT ref: 004471D9
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
                                      • String ID:
                                      • API String ID: 3864826663-0
                                      • Opcode ID: 04037ebd5a1a4f50f5415f33d7545ea1837db620aa2cb0a216d5dedd30da5abc
                                      • Instruction ID: 54c76e5b98bc3e662f405ec50a570bffd16f8396d3d33e450f7b83ec1f761fab
                                      • Opcode Fuzzy Hash: 04037ebd5a1a4f50f5415f33d7545ea1837db620aa2cb0a216d5dedd30da5abc
                                      • Instruction Fuzzy Hash: C051F372604216AFFB258F65CC81EAF77A9EB44754F19422EFC04D6340EB38DC4296A8
                                      APIs
                                      • SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 00417982
                                      • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 004179A3
                                      • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 004179C3
                                      • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 004179D7
                                      • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 004179ED
                                      • SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 00417A0A
                                      • SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 00417A25
                                      • SendInput.USER32(00000001,?,0000001C,?,00000000), ref: 00417A41
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: InputSend
                                      • String ID:
                                      • API String ID: 3431551938-0
                                      • Opcode ID: 6aaf5890e5c1829a4f0a9f9de961f2057ca44ae286fc2f2a8f4f79c9cdb01491
                                      • Instruction ID: 18205c9a4f61e0979ba7f31da2e0396e133b47f61cec1eebe1044e0c870e5742
                                      • Opcode Fuzzy Hash: 6aaf5890e5c1829a4f0a9f9de961f2057ca44ae286fc2f2a8f4f79c9cdb01491
                                      • Instruction Fuzzy Hash: BF3180715583086EE311CF51D941BEBBFECEF99B54F00080FF6809A191D2A696C98BA7
                                      APIs
                                      • OpenClipboard.USER32 ref: 00414F41
                                      • EmptyClipboard.USER32 ref: 00414F4F
                                      • CloseClipboard.USER32 ref: 00414F55
                                      • OpenClipboard.USER32 ref: 00414F5C
                                      • GetClipboardData.USER32(0000000D), ref: 00414F6C
                                      • GlobalLock.KERNEL32(00000000), ref: 00414F75
                                      • GlobalUnlock.KERNEL32(00000000), ref: 00414F7E
                                      • CloseClipboard.USER32 ref: 00414F84
                                        • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
                                      • String ID:
                                      • API String ID: 2172192267-0
                                      • Opcode ID: 828cfcc74c82ea041a7dd29e4e1c173cc2e20efda03bf5817e1bab7b2f8bf981
                                      • Instruction ID: b342c93700c1c5b5557293b3c64df63ecfc3f94f93ee8c928ebb46f035b43356
                                      • Opcode Fuzzy Hash: 828cfcc74c82ea041a7dd29e4e1c173cc2e20efda03bf5817e1bab7b2f8bf981
                                      • Instruction Fuzzy Hash: 7C015E312443009BD314BF71DC596AA76A8EBE0346F81057EB94A931A3DF3899498A9A
                                      APIs
                                      • GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,00447ECC,00453EB5,00000000,00000000,00000000,00000000,00000000), ref: 00447799
                                      • __fassign.LIBCMT ref: 00447814
                                      • __fassign.LIBCMT ref: 0044782F
                                      • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 00447855
                                      • WriteFile.KERNEL32(?,00000000,00000000,00447ECC,00000000,?,?,?,?,?,?,?,?,?,00447ECC,00453EB5), ref: 00447874
                                      • WriteFile.KERNEL32(?,00453EB5,00000001,00447ECC,00000000,?,?,?,?,?,?,?,?,?,00447ECC,00453EB5), ref: 004478AD
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                      • String ID:
                                      • API String ID: 1324828854-0
                                      • Opcode ID: a748b16374f527b7a80cf69ed727348adf3f69da4df0249be72511d103bd3332
                                      • Instruction ID: 74b5e8c6f427b63fe2026e60454d3d85c0c1d9029b0a2cc1a9ecb7a500eaa1fe
                                      • Opcode Fuzzy Hash: a748b16374f527b7a80cf69ed727348adf3f69da4df0249be72511d103bd3332
                                      • Instruction Fuzzy Hash: 32510870E042499FEB10DFA8DC85AEEBBF8EF09300F14416BE951E7291E7749941CB69
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: _free
                                      • String ID: $-E$$-E
                                      • API String ID: 269201875-3140958853
                                      • Opcode ID: ee8e1cba0696e1ef76f6de9b16e819625eafbf0b8f389bd133dd680e215230cb
                                      • Instruction ID: 9707d98a659f88f98630b1874925085f47dfd26ea07d7c57405a666b90b138a8
                                      • Opcode Fuzzy Hash: ee8e1cba0696e1ef76f6de9b16e819625eafbf0b8f389bd133dd680e215230cb
                                      • Instruction Fuzzy Hash: 69412C32A041006BDB21AFBA8C4666F3BA5DF453B7F10461FFC18D6293DB3C8E15466A
                                      APIs
                                      • _strftime.LIBCMT ref: 00401D30
                                        • Part of subcall function 00401A4D: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AB9
                                      • waveInUnprepareHeader.WINMM(0046FA78,00000020,00000000,?), ref: 00401DE2
                                      • waveInPrepareHeader.WINMM(0046FA78,00000020), ref: 00401E20
                                      • waveInAddBuffer.WINMM(0046FA78,00000020), ref: 00401E2F
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
                                      • String ID: %Y-%m-%d %H.%M$.wav
                                      • API String ID: 3809562944-3597965672
                                      • Opcode ID: b10e30c525f246f4611f68b91188478031edfba2b9a6cbdc9954c4cf903c77cf
                                      • Instruction ID: eb6f517cf981021e41f9baa65c06222081641aa24e02a1e4c78245b08a68fc14
                                      • Opcode Fuzzy Hash: b10e30c525f246f4611f68b91188478031edfba2b9a6cbdc9954c4cf903c77cf
                                      • Instruction Fuzzy Hash: 743150315043009BC314EBA1EC56A9E77E8FB54318F50893EF599A21F2EFB49909CB5E
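The entry above couples _strftime with the waveIn* recording APIs, and its String ID carries the two literals "%Y-%m-%d %H.%M" and ".wav", so microphone captures are written to files named after the minute the recording started. The following is an added example, not code from the report, from Joe Sandbox or from the sample: it reproduces the file name that format string yields and gives a matcher for hunting such files. The directory the recordings land in is not visible in this entry, so only the file name is modelled; the listing at the bottom is constructed test data.

```python
import re
from datetime import datetime

# Format string and extension taken from the entry's String ID
# ("%Y-%m-%d %H.%M" and ".wav"). The '.' between hour and minute
# avoids ':', which is not a legal character in an NTFS file name.
STRFTIME_FMT = "%Y-%m-%d %H.%M"
EXTENSION = ".wav"

# %S is absent, so names have one-minute granularity; two recordings
# started within the same minute collide on the same name.
AUDIO_NAME_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}\.\d{2}\.wav$")


def capture_filename(when: datetime) -> str:
    """Return the file name the sample builds for a recording started at `when`."""
    return when.strftime(STRFTIME_FMT) + EXTENSION


def find_capture_files(names):
    """Return the entries of a directory listing that follow the recording naming scheme."""
    return [n for n in names if AUDIO_NAME_RE.match(n)]


# Constructed directory listing for the example (not from the report).
SAMPLE_LISTING = [
    "2024-10-22 14.37.wav",
    "2024-10-22 14.38.wav",
    "logs.dat",
    "2024-10-22 14:37.wav",   # cannot exist on NTFS; included to show the matcher rejects it
    "notes.wav",
]

if __name__ == "__main__":
    print(capture_filename(datetime(2024, 10, 22, 14, 37, 59)))
    print(find_capture_files(SAMPLE_LISTING))
```

A hunt across user-writable directories for names matching AUDIO_NAME_RE, combined with the waveIn* imports above, is a cheap indicator of this capability having been exercised on a host.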
                                      APIs
                                        • Part of subcall function 00411F91: RegOpenKeyExA.ADVAPI32(80000002,00000400,00000000,00020019,?), ref: 00411FB5
                                        • Part of subcall function 00411F91: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,00000400), ref: 00411FD2
                                        • Part of subcall function 00411F91: RegCloseKey.ADVAPI32(?), ref: 00411FDD
                                      • ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040AEAC
                                      • PathFileExistsA.SHLWAPI(?), ref: 0040AEB9
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
                                      • String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
                                      • API String ID: 1133728706-4073444585
                                      • Opcode ID: 2710e71acfe910868fa7bd05cf86435756edf937fb7501142c457778cac90120
                                      • Instruction ID: 9e227284a7a69f00510d3be81dd7cde1580ac9a58a9ca8fbd928e09bf644cbd9
                                      • Opcode Fuzzy Hash: 2710e71acfe910868fa7bd05cf86435756edf937fb7501142c457778cac90120
                                      • Instruction Fuzzy Hash: CF21B170A4020556CB00FBE2CC97DEE7368AF51348F80013FB901772D2EB795A45C6DA
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: a9bccf30988101774ee440fa5cc9a08b358316fbf5677ac8bfda6d7ead677197
                                      • Instruction ID: 106e2cecea33a690a52cc41c1271e31c3df1f85e8271d36c5dacef07d135bc52
                                      • Opcode Fuzzy Hash: a9bccf30988101774ee440fa5cc9a08b358316fbf5677ac8bfda6d7ead677197
                                      • Instruction Fuzzy Hash: 2C113232504214BBCB213F769C0596B7B7CDF857A7F11062BFC1583292DA38C9089269
                                      APIs
                                        • Part of subcall function 0044DE21: _free.LIBCMT ref: 0044DE4A
                                      • _free.LIBCMT ref: 0044E128
                                        • Part of subcall function 00443C92: HeapFree.KERNEL32(00000000,00000000,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?), ref: 00443CA8
                                        • Part of subcall function 00443C92: GetLastError.KERNEL32(?,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?,?), ref: 00443CBA
                                      • _free.LIBCMT ref: 0044E133
                                      • _free.LIBCMT ref: 0044E13E
                                      • _free.LIBCMT ref: 0044E192
                                      • _free.LIBCMT ref: 0044E19D
                                      • _free.LIBCMT ref: 0044E1A8
                                      • _free.LIBCMT ref: 0044E1B3
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: _free$ErrorFreeHeapLast
                                      • String ID:
                                      • API String ID: 776569668-0
                                      • Opcode ID: d645742a9f031bfd4c53cfe37fe00a001808073c56fe889b6c8b285726f20831
                                      • Instruction ID: b65b67035ea7ffc6fe2c1778d32cb4f6cbb79ca162155871331ff7aa41bb66fd
                                      • Opcode Fuzzy Hash: d645742a9f031bfd4c53cfe37fe00a001808073c56fe889b6c8b285726f20831
                                      • Instruction Fuzzy Hash: 64111571940B08AAE520BFF2CC47FCBB7DC9F14708F50882EB29D6A552DA7DB6044654
                                      APIs
                                        • Part of subcall function 00419F23: GetCurrentProcess.KERNEL32(?,?,?,0040C663,WinDir,00000000,00000000), ref: 00419F34
                                        • Part of subcall function 00411F91: RegOpenKeyExA.ADVAPI32(80000002,00000400,00000000,00020019,?), ref: 00411FB5
                                        • Part of subcall function 00411F91: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,00000400), ref: 00411FD2
                                        • Part of subcall function 00411F91: RegCloseKey.ADVAPI32(?), ref: 00411FDD
                                      • StrToIntA.SHLWAPI(00000000,00469710,00000000,00000000,00000000,00471FFC,00000001,?,?,?,?,?,?,0040D6A0), ref: 00419327
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseCurrentOpenProcessQueryValue
                                      • String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
                                      • API String ID: 1866151309-2070987746
                                      • Opcode ID: 905e145e97e877e89bffcd847be86f3e5d4b8ef02cc69856730a9e086f165d02
                                      • Instruction ID: a9b62d1d1389f8d2b696bc63f2982e792167bed2dd8bed00043a633dd184e9c5
                                      • Opcode Fuzzy Hash: 905e145e97e877e89bffcd847be86f3e5d4b8ef02cc69856730a9e086f165d02
                                      • Instruction Fuzzy Hash: E411E371A002456AC704B765CC67AAF761D8B54309F64053FF905A71E2FABC4D8282AA
                                      APIs
                                      • GetLastError.KERNEL32(?,?,004380F1,0043705E), ref: 00438108
                                      • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00438116
                                      • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0043812F
                                      • SetLastError.KERNEL32(00000000,?,004380F1,0043705E), ref: 00438181
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ErrorLastValue___vcrt_
                                      • String ID:
                                      • API String ID: 3852720340-0
                                      • Opcode ID: 8fa3eba41d5dfcfa025b4cdbc1becdc984892f6557d94f52d480fd9577c81c63
                                      • Instruction ID: 5a832d73688d02476ca7511e273f3515cfb573674d76dbd3fe9934521fa1a72b
                                      • Opcode Fuzzy Hash: 8fa3eba41d5dfcfa025b4cdbc1becdc984892f6557d94f52d480fd9577c81c63
                                      • Instruction Fuzzy Hash: F101283210C3326EAA102F767C85A1BAA94EB09779F31633FF214951E1FFA99C02550C
                                      APIs
                                      • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040AA1E
                                      • GetLastError.KERNEL32 ref: 0040AA28
                                      Strings
                                      • [Chrome Cookies not found], xrefs: 0040AA42
                                      • \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040A9E9
                                      • UserProfile, xrefs: 0040A9EE
                                      • [Chrome Cookies found, cleared!], xrefs: 0040AA4E
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: DeleteErrorFileLast
                                      • String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
                                      • API String ID: 2018770650-304995407
                                      • Opcode ID: b4927beb3b7d8682d6e8687247d88e98b96e581d4f5d1102126ce03b4be6211c
                                      • Instruction ID: 1f34f6daae66b163f55af04f15e1d0b60933b3567ae099988c08ef58cbd90c9e
                                      • Opcode Fuzzy Hash: b4927beb3b7d8682d6e8687247d88e98b96e581d4f5d1102126ce03b4be6211c
                                      • Instruction Fuzzy Hash: 0E01F731B4020467C6047A75DD278AE77249951304B50057FF402773D2FD798915CA9F
                                      APIs
                                      • __allrem.LIBCMT ref: 00438A09
                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00438A25
                                      • __allrem.LIBCMT ref: 00438A3C
                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00438A5A
                                      • __allrem.LIBCMT ref: 00438A71
                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00438A8F
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                      • String ID:
                                      • API String ID: 1992179935-0
                                      • Opcode ID: a5bb698a37765ca5ad947defe33ca2ea1dc364bfd829a3e03f22b831f39bfe5b
                                      • Instruction ID: 1db505a437643d25cad1e1ab06004ebe691486694b679651004c0d70fbe8f9c1
                                      • Opcode Fuzzy Hash: a5bb698a37765ca5ad947defe33ca2ea1dc364bfd829a3e03f22b831f39bfe5b
                                      • Instruction Fuzzy Hash: CD815972A007069BE724BA29CC41B6BF3E8AF49328F14512FF511D6382EF78D900875D
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: __cftoe
                                      • String ID:
                                      • API String ID: 4189289331-0
                                      • Opcode ID: 0fae115f831cac106012114eb4540e124d695819a26846d31b7a5b9ad28ad3e8
                                      • Instruction ID: 4563a9c63fae0d6d7f7aa9a83d474a3ec136fb2d14012502de5dff0b8c27d610
                                      • Opcode Fuzzy Hash: 0fae115f831cac106012114eb4540e124d695819a26846d31b7a5b9ad28ad3e8
                                      • Instruction Fuzzy Hash: CB510C32500205ABFB209F598E45EAF77B8EF48334FE0421FF415D6282EB79D941966C
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: __freea$__alloca_probe_16_free
                                      • String ID: a/p$am/pm
                                      • API String ID: 2936374016-3206640213
                                      • Opcode ID: 5bf20948ecfdcfc47f5d03c18463ec118060d09d36ce90c1cff5387842e26ce9
                                      • Instruction ID: 5910b70c00eb86a61931efff1dda8232d7c1eee9eff2524394b85f82b3a3e216
                                      • Opcode Fuzzy Hash: 5bf20948ecfdcfc47f5d03c18463ec118060d09d36ce90c1cff5387842e26ce9
                                      • Instruction Fuzzy Hash: 05D1E171900206CAFB289F68C895BBBB7B1FF85300F29415BE905AB391D73D9D81CB59
                                      APIs
                                      • std::_Lockit::_Lockit.LIBCPMT ref: 0040F8C4
                                      • int.LIBCPMT ref: 0040F8D7
                                        • Part of subcall function 0040CAE9: std::_Lockit::_Lockit.LIBCPMT ref: 0040CAFA
                                        • Part of subcall function 0040CAE9: std::_Lockit::~_Lockit.LIBCPMT ref: 0040CB14
                                      • std::_Facet_Register.LIBCPMT ref: 0040F917
                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 0040F920
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 0040F93E
                                      • __Init_thread_footer.LIBCMT ref: 0040F97F
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_Init_thread_footerRegisterThrow
                                      • String ID:
                                      • API String ID: 3815856325-0
                                      • Opcode ID: 296aa1fc45bd8a97e11338d30c2ad026eda8063a32206ad78c4166fd1b77079b
                                      • Instruction ID: 3bb9722abb9e04fd13c8d4025e7ce1c878c76566b3017ce531706a3e1b7c3414
                                      • Opcode Fuzzy Hash: 296aa1fc45bd8a97e11338d30c2ad026eda8063a32206ad78c4166fd1b77079b
                                      • Instruction Fuzzy Hash: 90212232900104EBCB24EBA9E94699E7378AB08324F20017FF844B72D1DB389F458BD9
                                      APIs
                                      • OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,00000000,?,?,?,00418344,00000000), ref: 00418C3E
                                      • OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,?,?,00418344,00000000), ref: 00418C52
                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,00418344,00000000), ref: 00418C5F
                                      • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00418344,00000000), ref: 00418C94
                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,00418344,00000000), ref: 00418CA6
                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,00418344,00000000), ref: 00418CA9
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Service$CloseHandle$Open$ChangeConfigManager
                                      • String ID:
                                      • API String ID: 493672254-0
                                      • Opcode ID: 6b3aada76383092df42fd9d8378ae16ca6440a91692c2fe76f90724c69c65514
                                      • Instruction ID: 151ede47f5a01f66990efdacd58a0b59027112db6305451f0336687f4909308b
                                      • Opcode Fuzzy Hash: 6b3aada76383092df42fd9d8378ae16ca6440a91692c2fe76f90724c69c65514
                                      • Instruction Fuzzy Hash: A20149711862183AE6108B389C4EEBB3A6CDB42771F14032FF925A32D1EE68CD4185F9
                                      APIs
                                      • GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
                                      • _free.LIBCMT ref: 0044575C
                                      • _free.LIBCMT ref: 00445784
                                      • SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 00445791
                                      • SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
                                      • _abort.LIBCMT ref: 004457A3
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ErrorLast$_free$_abort
                                      • String ID:
                                      • API String ID: 3160817290-0
                                      • Opcode ID: 2164e89f114e7cf86b97a0d05c6cee2e89ce7be6ffa074a4cf04242e0fee9013
                                      • Instruction ID: 2afc6a99b93033dbed13f8def56e2284daf42193b39b630cfab03248b002a5f8
                                      • Opcode Fuzzy Hash: 2164e89f114e7cf86b97a0d05c6cee2e89ce7be6ffa074a4cf04242e0fee9013
                                      • Instruction Fuzzy Hash: 6EF0FE35100F0067FA117B367C8AB2F1A695FC2B2AF21013BF419D6293EE3DC902452D
                                      APIs
                                      • OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,00000001,?,?,?,?,?,?,004185D9,00000000), ref: 00418A6B
                                      • OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,004185D9,00000000), ref: 00418A7F
                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004185D9,00000000), ref: 00418A8C
                                      • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,004185D9,00000000), ref: 00418A9B
                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004185D9,00000000), ref: 00418AAD
                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004185D9,00000000), ref: 00418AB0
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Service$CloseHandle$Open$ControlManager
                                      • String ID:
                                      • API String ID: 221034970-0
                                      • Opcode ID: f9d93c7612eed7e1ddf8c3953865d04e5265de3587757247bbfd6a1c47877660
                                      • Instruction ID: 4afe7732e2fa81f36ccf108e41ed7890102f29a09d0e479adccf976045b68e04
                                      • Opcode Fuzzy Hash: f9d93c7612eed7e1ddf8c3953865d04e5265de3587757247bbfd6a1c47877660
                                      • Instruction Fuzzy Hash: A4F0C2315013186BD210EBA5DC89EBF3BACDF45B96B41002BFD0993192DF38CD4689E9
                                      APIs
                                      • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,00418559,00000000), ref: 00418B6F
                                      • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,00418559,00000000), ref: 00418B83
                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00418559,00000000), ref: 00418B90
                                      • ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,00418559,00000000), ref: 00418B9F
                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00418559,00000000), ref: 00418BB1
                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00418559,00000000), ref: 00418BB4
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Service$CloseHandle$Open$ControlManager
                                      • String ID:
                                      • API String ID: 221034970-0
                                      • Opcode ID: 027b45ec19db43cd3e6d09ceb5389eefa79acdbdadc7d59ed190380558829436
                                      • Instruction ID: 20460b91a854b5e3c53015269073f2e928c2deccd9acf6b4d89527a320d4dccf
                                      • Opcode Fuzzy Hash: 027b45ec19db43cd3e6d09ceb5389eefa79acdbdadc7d59ed190380558829436
                                      • Instruction Fuzzy Hash: 22F0C2715402186BD210EB65DC89EBF3BACDB45B52B81006AFE09A3192DE38DD4589E9
                                      APIs
                                      • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,004184D9,00000000), ref: 00418BD6
                                      • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,004184D9,00000000), ref: 00418BEA
                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004184D9,00000000), ref: 00418BF7
                                      • ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,004184D9,00000000), ref: 00418C06
                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004184D9,00000000), ref: 00418C18
                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004184D9,00000000), ref: 00418C1B
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Service$CloseHandle$Open$ControlManager
                                      • String ID:
                                      • API String ID: 221034970-0
                                      • Opcode ID: 60f77fd359bc8166b0f1f63c621f75235c8633bea2de10f026708dad38e6f72c
                                      • Instruction ID: 1da220ff3ffe1d32b0df5c47a21bcd1adf2661b27de4fa42f8fed5365a22baa8
                                      • Opcode Fuzzy Hash: 60f77fd359bc8166b0f1f63c621f75235c8633bea2de10f026708dad38e6f72c
                                      • Instruction Fuzzy Hash: 32F0C2715012186BD210EB65EC89DBF3BACDB45B51B41002AFE0993192DF38CD4589F9
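The four ADVAPI32 entries above (offsets 00418C3E, 00418A6B, 00418B6F and 00418BD6) are the same open-act-close pattern with different constants, and the constants are what matter: the ControlService control code and the OpenServiceW access mask say whether a routine stops, pauses or resumes a service, and the ChangeServiceConfigW start type says whether it disables one. The following is an added example, not code from the report, from Joe Sandbox or from the sample: a parser for the "APIs" bullet format used on this page, plus a decoder that maps those argument values to their Win32 names. It assumes the argument positions follow the documented prototypes (OpenServiceW's third parameter is dwDesiredAccess, ControlService's second is dwControl, ChangeServiceConfigW's third is dwStartType) and uses the standard SERVICE_* constant values. The OpenSCManagerW access value is deliberately left undecoded, because the report prints the same 0x20/0x40 values in that slot as for OpenServiceW and those are SERVICE_* rather than SC_MANAGER_* masks. The sample lines are copied from the entries above; which service is targeted is not visible in these entries.

```python
import re

# One "APIs" bullet from the report, e.g.
#   • ControlService.ADVAPI32(00000000,00000001,?,...), ref: 00418A9B
#   • Part of subcall function 00401A4D: CreateFileW.KERNEL32(...), ref: 00401AB9
#   • _strftime.LIBCMT ref: 00401D30          (no argument tuple)
API_LINE_RE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>[\w@$?:~]+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

# Win32 constant values (winsvc.h).
SERVICE_ACCESS = {
    0x0001: "SERVICE_QUERY_CONFIG", 0x0002: "SERVICE_CHANGE_CONFIG",
    0x0004: "SERVICE_QUERY_STATUS", 0x0008: "SERVICE_ENUMERATE_DEPENDENTS",
    0x0010: "SERVICE_START", 0x0020: "SERVICE_STOP",
    0x0040: "SERVICE_PAUSE_CONTINUE", 0x0080: "SERVICE_INTERROGATE",
    0x0100: "SERVICE_USER_DEFINED_CONTROL",
}
SERVICE_CONTROL = {1: "SERVICE_CONTROL_STOP", 2: "SERVICE_CONTROL_PAUSE",
                   3: "SERVICE_CONTROL_CONTINUE", 4: "SERVICE_CONTROL_INTERROGATE",
                   5: "SERVICE_CONTROL_SHUTDOWN"}
SERVICE_START_TYPE = {0: "SERVICE_BOOT_START", 1: "SERVICE_SYSTEM_START",
                      2: "SERVICE_AUTO_START", 3: "SERVICE_DEMAND_START",
                      4: "SERVICE_DISABLED"}


def _parse_arg(token):
    """'?' means the plugin could not recover the value; strings stay strings."""
    token = token.strip()
    if token == "?":
        return None
    try:
        return int(token, 16)
    except ValueError:
        return token


def parse_api_line(line):
    """Return {'api', 'module', 'args', 'ref'} for one bullet, or None if it is not an API line."""
    m = API_LINE_RE.match(line)
    if not m:
        return None
    args = [] if m["args"] is None else [_parse_arg(a) for a in m["args"].split(",")]
    return {"api": m["api"], "module": m["module"], "args": args, "ref": int(m["ref"], 16)}


def decode_mask(mask, table):
    """Expand a bit mask into constant names; unknown bits are kept as hex."""
    names = [name for bit, name in table.items() if mask & bit]
    leftover = mask & ~sum(table)
    if leftover:
        names.append(f"0x{leftover:X}")
    return names


def summarise_service_routine(lines):
    """Describe what one report entry does to a service, from its API bullets."""
    summary = {"opens_with": [], "action": None}
    for call in filter(None, map(parse_api_line, lines)):
        args = call["args"]
        if call["api"] == "OpenServiceW" and len(args) > 2 and isinstance(args[2], int):
            summary["opens_with"] = decode_mask(args[2], SERVICE_ACCESS)
        elif call["api"] == "ControlService" and len(args) > 1 and isinstance(args[1], int):
            summary["action"] = SERVICE_CONTROL.get(args[1], f"control 0x{args[1]:X}")
        elif call["api"] == "ChangeServiceConfigW" and len(args) > 2 and isinstance(args[2], int):
            summary["action"] = "set start type " + SERVICE_START_TYPE.get(args[2], f"0x{args[2]:X}")
    return summary


# Bullets copied from the four entries above (offsets 00418C3E, 00418A6B, 00418B6F, 00418BD6).
ENTRY_DISABLE = [
    "• OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,?,?,00418344,00000000), ref: 00418C52",
    "• ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00418344,00000000), ref: 00418C94",
]
ENTRY_STOP = [
    "• OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,004185D9,00000000), ref: 00418A7F",
    "• ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,004185D9,00000000), ref: 00418A9B",
]
ENTRY_PAUSE = [
    "• OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,00418559,00000000), ref: 00418B83",
    "• ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,00418559,00000000), ref: 00418B9F",
]
ENTRY_CONTINUE = [
    "• OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,004184D9,00000000), ref: 00418BEA",
    "• ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,004184D9,00000000), ref: 00418C06",
]

if __name__ == "__main__":
    for name, entry in [("disable", ENTRY_DISABLE), ("stop", ENTRY_STOP),
                        ("pause", ENTRY_PAUSE), ("continue", ENTRY_CONTINUE)]:
        print(name, summarise_service_routine(entry))
```

Read together, the four routines give the operator a stop / pause / continue / disable primitive over an arbitrary service. On a host, the corresponding telemetry is Service Control Manager event 7036 (state changes) and 7040 (start type changed to disabled), which is worth correlating with the scheduled-task and Defender-exclusion behaviour listed in the signature summary.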
                                      APIs
                                      • CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00409745), ref: 004096A3
                                      • GetFileSize.KERNEL32(00000000,00000000,?,?,?,00409745), ref: 004096B2
                                      • Sleep.KERNEL32(00002710,?,?,?,00409745), ref: 004096DF
                                      • CloseHandle.KERNEL32(00000000,?,?,?,00409745), ref: 004096E6
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: File$CloseCreateHandleSizeSleep
                                      • String ID: h G
                                      • API String ID: 1958988193-3300504347
                                      • Opcode ID: 2165585e5b18e3410dae2497746dd606356f3a02818af73040aae92c32689789
                                      • Instruction ID: 1483d32ec36d41576822df3093d1b75ffc22edec2a146082987510034e162158
                                      • Opcode Fuzzy Hash: 2165585e5b18e3410dae2497746dd606356f3a02818af73040aae92c32689789
                                      • Instruction Fuzzy Hash: 24113D70201380ABD7316B749D99A2F3A9BB746304F44087EF281636D3C67D5C44C32E
                                      APIs
                                      • RegisterClassExA.USER32(00000030), ref: 0041B310
                                      • CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041B32B
                                      • GetLastError.KERNEL32 ref: 0041B335
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ClassCreateErrorLastRegisterWindow
                                      • String ID: 0$MsgWindowClass
                                      • API String ID: 2877667751-2410386613
                                      • Opcode ID: 5c8849b15fa1cc9467c1d7fb15406a30d7545ffe8e7388a5e40320623bb372a5
                                      • Instruction ID: 33db8f89e50e9671cec9701a72200cc03bcb20702a276687bfdd99081a41ce18
                                      • Opcode Fuzzy Hash: 5c8849b15fa1cc9467c1d7fb15406a30d7545ffe8e7388a5e40320623bb372a5
                                      • Instruction Fuzzy Hash: 1F0125B190031CABDB10DFE5EC849EFBBBCFB08355F40052AF810A2250E77599048AA4
                                      APIs
                                      • ___BuildCatchObject.LIBVCRUNTIME ref: 0043761A
                                        • Part of subcall function 00437C52: ___AdjustPointer.LIBCMT ref: 00437C9C
                                      • _UnwindNestedFrames.LIBCMT ref: 00437631
                                      • ___FrameUnwindToState.LIBVCRUNTIME ref: 00437643
                                      • CallCatchBlock.LIBVCRUNTIME ref: 00437667
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
                                      • String ID: /zC
                                      • API String ID: 2633735394-4132788633
                                      • Opcode ID: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
                                      • Instruction ID: d669bc69f5b2d8c9fbf55978af89ff33433ac2085b506f133949dc977f569c90
                                      • Opcode Fuzzy Hash: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
                                      • Instruction Fuzzy Hash: 44012D72004508BBCF225F56CC42EDA3BBAEF4C764F15501AFA9861220C33AE861DF98
                                      APIs
                                      • GetSystemMetrics.USER32(0000004C), ref: 004173AA
                                      • GetSystemMetrics.USER32(0000004D), ref: 004173B0
                                      • GetSystemMetrics.USER32(0000004E), ref: 004173B6
                                      • GetSystemMetrics.USER32(0000004F), ref: 004173BC
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: MetricsSystem
                                      • String ID: ]tA
                                      • API String ID: 4116985748-3517819141
                                      • Opcode ID: 812a9219b2c6697e1b7e6c0967c7113de32af3875f372bd592213eda7148f6bd
                                      • Instruction ID: 3cbdadbf3de93f5eefc1923f71e525f4be7d9c38d0567e5d5edaddbebabc810f
                                      • Opcode Fuzzy Hash: 812a9219b2c6697e1b7e6c0967c7113de32af3875f372bd592213eda7148f6bd
                                      • Instruction Fuzzy Hash: 64F0AFB1B043254BD700EA7A8C41A6FAAE59BD4274F11443FFA09C7282EEB8DC458B94
                                      APIs
                                      • CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?,?,?,?,?,00000000,00471FFC), ref: 0040E547
                                      • CloseHandle.KERNEL32(?,?,?,?,?,00000000,00471FFC), ref: 0040E556
                                      • CloseHandle.KERNEL32(?,?,?,?,?,00000000,00471FFC), ref: 0040E55B
                                      Strings
                                      • C:\Windows\System32\cmd.exe, xrefs: 0040E542
                                      • /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 0040E53D
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseHandle$CreateProcess
                                      • String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
                                      • API String ID: 2922976086-4183131282
                                      • Opcode ID: 5cb763d495b165fc4f9c66d013102bd94a78ddd016aca5e3dc924e3fee2ecf0f
                                      • Instruction ID: 9c8cd13d2f2f5b55d8ef3643fb71004f418ed3317f879fdff7c1c4061e2abca7
                                      • Opcode Fuzzy Hash: 5cb763d495b165fc4f9c66d013102bd94a78ddd016aca5e3dc924e3fee2ecf0f
                                      • Instruction Fuzzy Hash: 1AF06276D0029C7ACB20AAD7AC0DEDF7F3CEBC6B11F00005AB504A2050D5746540CAB5
                                      APIs
                                      • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,004407EB,00000000,?,0044078B,00000000,0046B4F8,0000000C,004408E2,00000000,00000002), ref: 0044085A
                                      • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0044086D
                                      • FreeLibrary.KERNEL32(00000000,?,?,?,004407EB,00000000,?,0044078B,00000000,0046B4F8,0000000C,004408E2,00000000,00000002), ref: 00440890
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AddressFreeHandleLibraryModuleProc
                                      • String ID: CorExitProcess$mscoree.dll
                                      • API String ID: 4061214504-1276376045
                                      • Opcode ID: cfbbdf30ec96b6666769d195f1efe458a00f065bb439fa98bb073361271b6784
                                      • Instruction ID: 0a8d3f567fe41ef9be558500660f8c42ae883db5e601ee7dbbda2c1d2cd30ed9
                                      • Opcode Fuzzy Hash: cfbbdf30ec96b6666769d195f1efe458a00f065bb439fa98bb073361271b6784
                                      • Instruction Fuzzy Hash: EAF0A431900618BBDB10AF61DC09BAEBFB4DB04756F510275F905A2261CB74CE54CA98
                                      APIs
                                      • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00471E90,00404E5A,00000001,?,00000000,00471E90,00404C88,00000000,?,?,00000000), ref: 00405100
                                      • SetEvent.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000), ref: 0040510C
                                      • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,00471E90,00404C88,00000000,?,?,00000000), ref: 00405117
                                      • CloseHandle.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000), ref: 00405120
                                        • Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4
                                      Strings
                                      • Connection KeepAlive | Disabled, xrefs: 004050D9
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
                                      • String ID: Connection KeepAlive | Disabled
                                      • API String ID: 2993684571-3818284553
                                      • Opcode ID: 225cf815540c87da9bddac79f5b913ec4e7dd3a96093c31c561b7671f502e72f
                                      • Instruction ID: 9f72672606b7a98fb4f6c5586ee23e87f0057564a74405461857646c77684129
                                      • Opcode Fuzzy Hash: 225cf815540c87da9bddac79f5b913ec4e7dd3a96093c31c561b7671f502e72f
                                      • Instruction Fuzzy Hash: 73F09671D047007FEB1037759D0AA6B7F98DB02315F44096EF882526E1D5B988509B5A
                                      APIs
                                        • Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4
                                      • GetModuleHandleA.KERNEL32(00000000,00020009), ref: 00418DA8
                                      • PlaySoundW.WINMM(00000000,00000000), ref: 00418DB6
                                      • Sleep.KERNEL32(00002710), ref: 00418DBD
                                      • PlaySoundW.WINMM(00000000,00000000,00000000), ref: 00418DC6
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: PlaySound$HandleLocalModuleSleepTime
                                      • String ID: Alarm triggered
                                      • API String ID: 614609389-2816303416
                                      • Opcode ID: bdf6e914fbef22af66a0bd792b19461622f07135ad8277a1fc3addc14a55c3ce
                                      • Instruction ID: 312fa8acbc24107594bc9953998d05cc744500d2263fe9839a2dc32143519282
                                      • Opcode Fuzzy Hash: bdf6e914fbef22af66a0bd792b19461622f07135ad8277a1fc3addc14a55c3ce
                                      • Instruction Fuzzy Hash: 9EE01226E4026037A510376A6D0FC6F2D2DDBD3B6274501AFFA04571D2D9A4080186FF
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 0ee00742f353d3b6c360b2e24851711a1429195aca157381f7858ce70f5acd61
                                      • Instruction ID: 08a5b5d7c592992a36ca4e715a0fda7f3efcfcd9ac9fa05da90acde50f0064fb
                                      • Opcode Fuzzy Hash: 0ee00742f353d3b6c360b2e24851711a1429195aca157381f7858ce70f5acd61
                                      • Instruction Fuzzy Hash: C471C3319002169BCB21CF55C884BFFBB75EF99320F24622BEA5167241DB788D41CBE9
                                      APIs
                                      • Sleep.KERNEL32(00000000,?), ref: 004044A4
                                        • Part of subcall function 004045E7: __EH_prolog.LIBCMT ref: 004045EC
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: H_prologSleep
                                      • String ID: CloseCamera$FreeFrame$GetFrame$OpenCamera
                                      • API String ID: 3469354165-3547787478
                                      • Opcode ID: d4e7d27dec57a8dd34bb61c44af70be2832e73b29f213221e02055ec641ee880
                                      • Instruction ID: 7794b0ea9bf29785644917a3a4e5658b539d561772896ef264e5995737b90c85
                                      • Opcode Fuzzy Hash: d4e7d27dec57a8dd34bb61c44af70be2832e73b29f213221e02055ec641ee880
                                      • Instruction Fuzzy Hash: 5951E8B1B0420167C614BB769D5AA6E3795ABC0744F00053FFA45A77E2EF7C8D09C29E
                                      APIs
                                        • Part of subcall function 00443649: RtlAllocateHeap.NTDLL(00000000,00433069,?,?,004365E7,?,?,00000000,00473A38,?,0040C88A,00433069,?,?,?,?), ref: 0044367B
                                      • _free.LIBCMT ref: 00442318
                                      • _free.LIBCMT ref: 0044232F
                                      • _free.LIBCMT ref: 0044234E
                                      • _free.LIBCMT ref: 00442369
                                      • _free.LIBCMT ref: 00442380
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: _free$AllocateHeap
                                      • String ID:
                                      • API String ID: 3033488037-0
                                      • Opcode ID: 68d3d4ca8a647a007ad94700598122f23d06d752802edf7745cc1232d3d9ba81
                                      • Instruction ID: f6524bd8b7bf53f5b45239f2df66d8239dbe938cd5ee0330fa6954bf91cd2c46
                                      • Opcode Fuzzy Hash: 68d3d4ca8a647a007ad94700598122f23d06d752802edf7745cc1232d3d9ba81
                                      • Instruction Fuzzy Hash: 2951C331A00704AFEB20DF6AC941A6A77F4FF49724F54466EF809DB250E7B9DA018B48
                                      APIs
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: _free
                                      • String ID:
                                      • API String ID: 269201875-0
                                      • Opcode ID: 76d0ae20e321c1f8d33a0e61d3fd8decc26b720c3d8a788f20ca92602b864a36
                                      • Instruction ID: cd63c3b426f476a3995244c06b7e284d95fcad26de8669326c9f329b52a78418
                                      • Opcode Fuzzy Hash: 76d0ae20e321c1f8d33a0e61d3fd8decc26b720c3d8a788f20ca92602b864a36
                                      • Instruction Fuzzy Hash: AE41E132E002049FEB10DF79C981A5EB3F5EF88718F1585AAE915EB351EA74AD41CB84
                                      APIs
                                      • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00439ED1,?,00000000,?,00000001,?,?,00000001,00439ED1,?), ref: 0044E359
                                      • __alloca_probe_16.LIBCMT ref: 0044E391
                                      • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0044E3E2
                                      • GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00438C3F,?), ref: 0044E3F4
                                      • __freea.LIBCMT ref: 0044E3FD
                                        • Part of subcall function 00443649: RtlAllocateHeap.NTDLL(00000000,00433069,?,?,004365E7,?,?,00000000,00473A38,?,0040C88A,00433069,?,?,?,?), ref: 0044367B
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
                                      • String ID:
                                      • API String ID: 313313983-0
                                      • Opcode ID: 655f7a8a6140fe06f74d4810f19312272e80c6b42afcaa61e472fb93c242db7b
                                      • Instruction ID: e15509fa74df4b182af5404410fa86f763612774b1e54c01db9847f8ec559460
                                      • Opcode Fuzzy Hash: 655f7a8a6140fe06f74d4810f19312272e80c6b42afcaa61e472fb93c242db7b
                                      • Instruction Fuzzy Hash: BC31D232A0021AABEF259F66DC45DAF7BA5EF40710F05016AFC04DB291EB39DD51CB98
                                      APIs
                                      • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00401BD9
                                      • waveInOpen.WINMM(0046FAB0,000000FF,0046FA98,Function_00001CEB,00000000,00000000,00000024), ref: 00401C6F
                                      • waveInPrepareHeader.WINMM(0046FA78,00000020), ref: 00401CC3
                                      • waveInAddBuffer.WINMM(0046FA78,00000020), ref: 00401CD2
                                      • waveInStart.WINMM ref: 00401CDE
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
                                      • String ID:
                                      • API String ID: 1356121797-0
                                      • Opcode ID: 3b58d0c680de98a2238f286cb7f614a66765342de8d6d8e6ba78ff9c64c57b7c
                                      • Instruction ID: fb7f9cdbf736b3995f9a1dd050f0e4013ef0d97c015e7d4644af59ef24d86031
                                      • Opcode Fuzzy Hash: 3b58d0c680de98a2238f286cb7f614a66765342de8d6d8e6ba78ff9c64c57b7c
                                      • Instruction Fuzzy Hash: 77212C326242019BC7049FEABD0591A7BA9FB89714740943BF58DD7AB1FBF844098B0E
                                      APIs
                                      • GetEnvironmentStringsW.KERNEL32 ref: 0044C543
                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044C566
                                        • Part of subcall function 00443649: RtlAllocateHeap.NTDLL(00000000,00433069,?,?,004365E7,?,?,00000000,00473A38,?,0040C88A,00433069,?,?,?,?), ref: 0044367B
                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044C58C
                                      • _free.LIBCMT ref: 0044C59F
                                      • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044C5AE
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                      • String ID:
                                      • API String ID: 336800556-0
                                      • Opcode ID: 55ab520b62cbc01e0d1004e3f78ad65e034532d4f5c4574cc0f3edc3ad35f3b1
                                      • Instruction ID: 9106a42af1dcf347f359e8079d91fbce8cfabd6158495d04cb7d137736bc8ec9
                                      • Opcode Fuzzy Hash: 55ab520b62cbc01e0d1004e3f78ad65e034532d4f5c4574cc0f3edc3ad35f3b1
                                      • Instruction Fuzzy Hash: AD0171726037257F37611AA75CC8C7F7A6DDAC6BA5319016BB904C3201EA79EE0181B8
                                      APIs
                                      • CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041A29A,00000000,00000000,00000000), ref: 0041A1BA
                                      • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,00000004,00000000,0041A29A,00000000,00000000), ref: 0041A1D7
                                      • CloseHandle.KERNEL32(00000000,?,00000004,00000000,0041A29A,00000000,00000000), ref: 0041A1E3
                                      • WriteFile.KERNEL32(00000000,00000000,00000000,0040649B,00000000,?,00000004,00000000,0041A29A,00000000,00000000), ref: 0041A1F4
                                      • CloseHandle.KERNEL32(00000000,?,00000004,00000000,0041A29A,00000000,00000000), ref: 0041A201
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: File$CloseHandle$CreatePointerWrite
                                      • String ID:
                                      • API String ID: 1852769593-0
                                      • Opcode ID: 900e91da6aef5ae1ef2d64e2906a14ebfc53969b27a9c650ee74425d8e4f4bd5
                                      • Instruction ID: 9d85e8900f1be3931a26f88ae5ac80d5e45035a8363d546858a313564ae31bc3
                                      • Opcode Fuzzy Hash: 900e91da6aef5ae1ef2d64e2906a14ebfc53969b27a9c650ee74425d8e4f4bd5
                                      • Instruction Fuzzy Hash: 0911C4712062147FE6105A249C88EFB779CEB46375F10076AF556C32D1C6698C95863B
                                      APIs
                                      • std::_Lockit::_Lockit.LIBCPMT ref: 0040FBD5
                                      • int.LIBCPMT ref: 0040FBE8
                                        • Part of subcall function 0040CAE9: std::_Lockit::_Lockit.LIBCPMT ref: 0040CAFA
                                        • Part of subcall function 0040CAE9: std::_Lockit::~_Lockit.LIBCPMT ref: 0040CB14
                                      • std::_Facet_Register.LIBCPMT ref: 0040FC28
                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 0040FC31
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 0040FC4F
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                      • String ID:
                                      • API String ID: 2536120697-0
                                      • Opcode ID: e42b24a72f1c346ef2fbe1d3cf240902612692734d8aa84a6b4d17056c7d6fbb
                                      • Instruction ID: 5713401f36b8bb0c26d90e6cd89a0375aabf3697ea4116ccadb9116029d1f595
                                      • Opcode Fuzzy Hash: e42b24a72f1c346ef2fbe1d3cf240902612692734d8aa84a6b4d17056c7d6fbb
                                      • Instruction Fuzzy Hash: 9811C172904118A7CB24EFA5D80289FB778EF44325F10417FFD44B7291DA389E4A87D8
                                      APIs
                                      • _free.LIBCMT ref: 0044DBB4
                                        • Part of subcall function 00443C92: HeapFree.KERNEL32(00000000,00000000,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?), ref: 00443CA8
                                        • Part of subcall function 00443C92: GetLastError.KERNEL32(?,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?,?), ref: 00443CBA
                                      • _free.LIBCMT ref: 0044DBC6
                                      • _free.LIBCMT ref: 0044DBD8
                                      • _free.LIBCMT ref: 0044DBEA
                                      • _free.LIBCMT ref: 0044DBFC
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: _free$ErrorFreeHeapLast
                                      • String ID:
                                      • API String ID: 776569668-0
                                      • Opcode ID: 4ff6445dbd1c139c6c118283ff3a35b6f69cd7d79671e775af14f987f4430014
                                      • Instruction ID: 294e589d6328203d0d12509a579114aacc3179ef351d8ef0a61016021d4f39e6
                                      • Opcode Fuzzy Hash: 4ff6445dbd1c139c6c118283ff3a35b6f69cd7d79671e775af14f987f4430014
                                      • Instruction Fuzzy Hash: DDF04F339002146BA620EF6AE9C6C5773D9EE01B15355880AF085E7600EA78FC80965C
                                      APIs
                                      • _free.LIBCMT ref: 00441566
                                        • Part of subcall function 00443C92: HeapFree.KERNEL32(00000000,00000000,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?), ref: 00443CA8
                                        • Part of subcall function 00443C92: GetLastError.KERNEL32(?,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?,?), ref: 00443CBA
                                      • _free.LIBCMT ref: 00441578
                                      • _free.LIBCMT ref: 0044158B
                                      • _free.LIBCMT ref: 0044159C
                                      • _free.LIBCMT ref: 004415AD
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: _free$ErrorFreeHeapLast
                                      • String ID:
                                      • API String ID: 776569668-0
                                      • Opcode ID: dc25ad9d7c881d5a7498954b547f4469e613371529959f9048218c6a37a16c45
                                      • Instruction ID: 534a9c52bd02544fd4565401bb604a6095318b382a753ef56e7f6fd0a1c42297
                                      • Opcode Fuzzy Hash: dc25ad9d7c881d5a7498954b547f4469e613371529959f9048218c6a37a16c45
                                      • Instruction Fuzzy Hash: 00F030B78052209BD7016F55BC864053BA0BB04B29305853BF8ADE6670FBB90A458F8E
                                      APIs
                                      • RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 004124AD
                                      • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 004124DC
                                      • RegEnumValueW.ADVAPI32(?,00000000,?,00003FFF,00000000,?,?,00002710,?,?,?,?,?,?,?,?), ref: 0041257C
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Enum$InfoQueryValue
                                      • String ID: [regsplt]
                                      • API String ID: 3554306468-4262303796
                                      • Opcode ID: 5841badb2ff9825d46e36e26999fd6152bd29a2a307a84bebb93b53298b167be
                                      • Instruction ID: d2130986b24ed572c5287744f6969716810a156cba9fb87d3bcc7fef363a21f2
                                      • Opcode Fuzzy Hash: 5841badb2ff9825d46e36e26999fd6152bd29a2a307a84bebb93b53298b167be
                                      • Instruction Fuzzy Hash: A6513C71900219AADB10EBA1DD81EEFB7BDEF04304F10016AF505F2191EF786B49CBA8
                                      APIs
                                      • API ID: __alloca_probe_16__freea
                                      • String ID: H"G$H"GH"G
                                      • API String ID: 1635606685-3036711414
                                      APIs
                                      • __Init_thread_footer.LIBCMT ref: 0040189E
                                      • ExitThread.KERNEL32 ref: 004018D6
                                      • waveInUnprepareHeader.WINMM(?,00000020,00000000,?,00000020,00471E78,00000000), ref: 004019E4
                                        • Part of subcall function 00432525: __onexit.LIBCMT ref: 0043252B
                                      • API ID: ExitHeaderInit_thread_footerThreadUnprepare__onexitwave
                                      • String ID: 8:G
                                      • API String ID: 1649129571-405301104
                                      APIs
                                      • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\AppData\Roaming\rjOyFV.exe,00000104), ref: 00440975
                                      • _free.LIBCMT ref: 00440A40
                                      • _free.LIBCMT ref: 00440A4A
                                      • API ID: _free$FileModuleName
                                      • String ID: C:\Users\user\AppData\Roaming\rjOyFV.exe
                                      • API String ID: 2506810119-493937704
                                      APIs
                                        • Part of subcall function 00412006: RegOpenKeyExW.ADVAPI32(80000000,http\shell\open\command,00000000,00020019,00000000,00472248,00471FFC), ref: 00412030
                                        • Part of subcall function 00412006: RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,?,00000400), ref: 0041204B
                                        • Part of subcall function 00412006: RegCloseKey.ADVAPI32(00000000), ref: 00412054
                                        • Part of subcall function 00419F23: GetCurrentProcess.KERNEL32(?,?,?,0040C663,WinDir,00000000,00000000), ref: 00419F34
                                      • _wcslen.LIBCMT ref: 00419744
                                      • API ID: CloseCurrentOpenProcessQueryValue_wcslen
                                      • String ID: .exe$program files (x86)\$program files\
                                      • API String ID: 37874593-1203593143
                                      APIs
                                      • CreateThread.KERNEL32(00000000,00000000,00409305,00472008,00000000,00000000), ref: 0040928B
                                      • CreateThread.KERNEL32(00000000,00000000,004092EF,00472008,00000000,00000000), ref: 0040929B
                                      • CreateThread.KERNEL32(00000000,00000000,00409311,00472008,00000000,00000000), ref: 004092A7
                                        • Part of subcall function 0040A0B0: GetLocalTime.KERNEL32(?,Offline Keylogger Started,00472008), ref: 0040A0BE
                                        • Part of subcall function 0040A0B0: wsprintfW.USER32 ref: 0040A13F
                                      • API ID: CreateThread$LocalTimewsprintf
                                      • String ID: Offline Keylogger Started
                                      • API String ID: 465354869-4114347211
                                      APIs
                                        • Part of subcall function 0040A0B0: GetLocalTime.KERNEL32(?,Offline Keylogger Started,00472008), ref: 0040A0BE
                                        • Part of subcall function 0040A0B0: wsprintfW.USER32 ref: 0040A13F
                                        • Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4
                                      • CreateThread.KERNEL32(00000000,00000000,004092EF,?,00000000,00000000), ref: 00409EB7
                                      • CreateThread.KERNEL32(00000000,00000000,00409311,?,00000000,00000000), ref: 00409EC3
                                      • CreateThread.KERNEL32(00000000,00000000,0040931D,?,00000000,00000000), ref: 00409ECF
                                      • API ID: CreateThread$LocalTime$wsprintf
                                      • String ID: Online Keylogger Started
                                      • API String ID: 112202259-1258561607
                                      APIs
                                      • GetLocalTime.KERNEL32(?), ref: 00404F61
                                      • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00404FAD
                                      • CreateThread.KERNEL32(00000000,00000000,00405130,?,00000000,00000000), ref: 00404FC0
                                      Strings
                                      • Connection KeepAlive | Enabled | Timeout: , xrefs: 00404F74
                                      • API ID: Create$EventLocalThreadTime
                                      • String ID: Connection KeepAlive | Enabled | Timeout:
                                      • API String ID: 2532271599-507513762
                                      APIs
                                      • LoadLibraryA.KERNEL32(crypt32,CryptUnprotectData,?,00000000,00406039,?), ref: 00406090
                                      • GetProcAddress.KERNEL32(00000000), ref: 00406097
                                      • API ID: AddressLibraryLoadProc
                                      • String ID: CryptUnprotectData$crypt32
                                      • API String ID: 2574300362-2380590389
                                      APIs
                                      • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00405139), ref: 00405153
                                      • CloseHandle.KERNEL32(?), ref: 004051AA
                                      • SetEvent.KERNEL32(?), ref: 004051B9
                                      • API ID: CloseEventHandleObjectSingleWait
                                      • String ID: Connection Timeout
                                      • API String ID: 2055531096-499159329
                                      APIs
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 0040D25E
                                      • API ID: Exception@8Throw
                                      • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                      • API String ID: 2005118841-1866435925
                                      APIs
                                      • RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,origmsc), ref: 00412104
                                      • RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,000003E8,?), ref: 0041211D
                                      • RegCloseKey.ADVAPI32(00000000), ref: 00412128
                                      • API ID: CloseOpenQueryValue
                                      • String ID: origmsc
                                      • API String ID: 3677997916-68016026
                                      APIs
                                      • ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 0041487B
                                      • API ID: ExecuteShell
                                      • String ID: /C $cmd.exe$open
                                      • API String ID: 587946157-3896048727
                                      APIs
                                      • RegOpenKeyExW.ADVAPI32(80000000,http\shell\open\command,00000000,00020019,00000000,00472248,00471FFC), ref: 00412030
                                      • RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,?,00000400), ref: 0041204B
                                      • RegCloseKey.ADVAPI32(00000000), ref: 00412054
                                      Strings
                                      • http\shell\open\command, xrefs: 00412026
                                      • API ID: CloseOpenQueryValue
                                      • String ID: http\shell\open\command
                                      • API String ID: 3677997916-1487954565
                                      APIs
                                      • RegCreateKeyW.ADVAPI32(80000001,Software\Classes\mscfile\shell\open\command,0046FB08), ref: 0041220F
                                      • RegSetValueExW.ADVAPI32(0046FB08,00469654,00000000,00000000,00000000,00000000,00469654,?,80000001,?,0040674F,00469654,0046FB08), ref: 0041223E
                                      • RegCloseKey.ADVAPI32(0046FB08,?,80000001,?,0040674F,00469654,0046FB08), ref: 00412249
                                      Strings
                                      • Software\Classes\mscfile\shell\open\command, xrefs: 0041220D
                                      • API ID: CloseCreateValue
                                      • String ID: Software\Classes\mscfile\shell\open\command
                                      • API String ID: 1818849710-505396733
                                      APIs
                                      • std::_Lockit::_Lockit.LIBCPMT ref: 0040C9D9
                                      • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040CA18
                                        • Part of subcall function 004333ED: _Yarn.LIBCPMT ref: 0043340C
                                        • Part of subcall function 004333ED: _Yarn.LIBCPMT ref: 00433430
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 0040CA3E
                                      • API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
                                      • String ID: bad locale name
                                      • API String ID: 3628047217-1405518554
                                      APIs
                                      • RegCreateKeyA.ADVAPI32(80000001,00000000,P0F), ref: 00412276
                                      • RegSetValueExA.ADVAPI32(P0F,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B093,004638E0,00000001,000000AF,00463050), ref: 00412291
                                      • RegCloseKey.ADVAPI32(?,?,?,?,0040B093,004638E0,00000001,000000AF,00463050), ref: 0041229C
                                      • API ID: CloseCreateValue
                                      • String ID: P0F
                                      • API String ID: 1818849710-3540264436
                                      APIs
                                      • GetModuleHandleA.KERNEL32(User32.dll,GetCursorInfo), ref: 004013FC
                                      • GetProcAddress.KERNEL32(00000000), ref: 00401403
                                      • API ID: AddressHandleModuleProc
                                      • String ID: GetCursorInfo$User32.dll
                                      • API String ID: 1646373207-2714051624
                                      APIs
                                      • LoadLibraryA.KERNEL32(User32.dll,GetLastInputInfo), ref: 004014A1
                                      • GetProcAddress.KERNEL32(00000000), ref: 004014A8
                                      • API ID: AddressLibraryLoadProc
                                      • String ID: GetLastInputInfo$User32.dll
                                      • API String ID: 2574300362-1519888992
                                      APIs
                                      • API ID: __alldvrm$_strrchr
                                      • String ID:
                                      • API String ID: 1036877536-0
                                      APIs
                                      • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,00471EE8), ref: 00404D93
                                      • CreateThread.KERNEL32(00000000,00000000,?,00471E90,00000000,00000000), ref: 00404DA7
                                      • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000), ref: 00404DB2
                                      • CloseHandle.KERNEL32(?,?,00000000), ref: 00404DBB
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Create$CloseEventHandleObjectSingleThreadWait
                                      • String ID:
                                      • API String ID: 3360349984-0
                                      • Opcode ID: 4507b0ab51a6c89f5a00a7e6d16978d5bd04c0451300ea21d68f1003f035869f
                                      • Instruction ID: 0d5bef4af40d9751d8a4c840d6feadb85822b330c50e1cee3accc81e25362d00
                                      • Opcode Fuzzy Hash: 4507b0ab51a6c89f5a00a7e6d16978d5bd04c0451300ea21d68f1003f035869f
                                      • Instruction Fuzzy Hash: DA4194712083016FCB11FB61CD55D6FB7EDAFD4314F400A3EB982A32E2DB7899098666
                                      APIs
                                      Strings
                                      • [Cleared browsers logins and cookies.], xrefs: 0040B025
                                      • Cleared browsers logins and cookies., xrefs: 0040B036
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Sleep
                                      • String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
                                      • API String ID: 3472027048-1236744412
                                      • Opcode ID: c5625c41e3350cd44f31e3f39ca14d3df05c6bc0ef5032128f41299be6cd647b
                                      • Instruction ID: 9e673e540e653d5dfc9c41bfd33b173fe745421aa21f598ea7623546fa890e2b
                                      • Opcode Fuzzy Hash: c5625c41e3350cd44f31e3f39ca14d3df05c6bc0ef5032128f41299be6cd647b
                                      • Instruction Fuzzy Hash: EE31A24074C3826EDA11BBB555267EF6B924A53758F0844BFF8C42B3C3D9BA4818936F
                                      APIs
                                        • Part of subcall function 004120E8: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,origmsc), ref: 00412104
                                        • Part of subcall function 004120E8: RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,000003E8,?), ref: 0041211D
                                        • Part of subcall function 004120E8: RegCloseKey.ADVAPI32(00000000), ref: 00412128
                                      • Sleep.KERNEL32(00000BB8), ref: 004111DF
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseOpenQuerySleepValue
                                      • String ID: H"G$exepath$!G
                                      • API String ID: 4119054056-2148977334
                                      • Opcode ID: b63ef4792b0a54595826799ca09291a4a0f263f6c30614dda09e5540f09a92a9
                                      • Instruction ID: cc1704131a0fe244d5c58522e2247ad29464f3afd50ace533094a5add093a815
                                      • Opcode Fuzzy Hash: b63ef4792b0a54595826799ca09291a4a0f263f6c30614dda09e5540f09a92a9
                                      • Instruction Fuzzy Hash: 2321F7A1B0030426DA00B7765D56AAF724D8B84308F00447FBE46F72E3DEBC9D0981AD
                                      APIs
                                        • Part of subcall function 0041A2DB: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041A2EB
                                        • Part of subcall function 0041A2DB: GetWindowTextLengthW.USER32(00000000), ref: 0041A2F4
                                        • Part of subcall function 0041A2DB: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0041A31E
                                      • Sleep.KERNEL32(000001F4), ref: 0040955A
                                      • Sleep.KERNEL32(00000064), ref: 004095F5
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Window$SleepText$ForegroundLength
                                      • String ID: [ $ ]
                                      • API String ID: 3309952895-93608704
                                      • Opcode ID: 1543f2ebe3b39a11f32b2ab7ee3d2400f3e72a61424cc91a421d40b22e495c0c
                                      • Instruction ID: f130b1bb1348f748448b569433b56ba5176942d51498ef551544d7c0cb15bd34
                                      • Opcode Fuzzy Hash: 1543f2ebe3b39a11f32b2ab7ee3d2400f3e72a61424cc91a421d40b22e495c0c
                                      • Instruction Fuzzy Hash: 2721657160420067C618B776DC179AE32A89F51308F40447FF552772D3EE7D9A05869F
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 87cf1a99992dac899311e5f70d4e339ac3b3345b823034c77296a488e3312c11
                                      • Instruction ID: cddd12244c82da27d8fba5a3cfb3b4b8374ea1530061808fe1103b2c2b1f06f2
                                      • Opcode Fuzzy Hash: 87cf1a99992dac899311e5f70d4e339ac3b3345b823034c77296a488e3312c11
                                      • Instruction Fuzzy Hash: 46018FB26092163EF6302E796CC1F67271CDF517B9B21033BF625622D2EAB8CD254568
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 0a806abc81d082e1cec901e4614177c074956c5300ea34d23f617e0004ee84c8
                                      • Instruction ID: ded37596ea74bb71ca552df42b40a6491f306b500b676c7390fdbb9d5d89f826
                                      • Opcode Fuzzy Hash: 0a806abc81d082e1cec901e4614177c074956c5300ea34d23f617e0004ee84c8
                                      • Instruction Fuzzy Hash: E801D1B220A2163EB6202E796CC9D27631DEF513BE725033BF521522E6EF7DCC855168
                                      APIs
                                      • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040410F,00462E24), ref: 0041A228
                                      • GetFileSize.KERNEL32(00000000,00000000,00000000,?,?,00000000,0040410F,00462E24), ref: 0041A23C
                                      • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,0040410F,00462E24), ref: 0041A261
                                      • CloseHandle.KERNEL32(00000000,?,00000000,0040410F,00462E24), ref: 0041A26F
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: File$CloseCreateHandleReadSize
                                      • String ID:
                                      • API String ID: 3919263394-0
                                      • Opcode ID: f8144eb0105f9ed2fcebd69b81e7c94004eac80e706136602d8195065f3f2b82
                                      • Instruction ID: 89bb00dd3d40589ea0a8ab1c68f17f151e0eed20b013a8aeca2898ab58bcd068
                                      • Opcode Fuzzy Hash: f8144eb0105f9ed2fcebd69b81e7c94004eac80e706136602d8195065f3f2b82
                                      • Instruction Fuzzy Hash: 6EF0F6B13023087FE6102B21AC84FBF369CDB867A5F01027EF901A32C1CA3A8C054536
                                      APIs
                                      • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00436CD1
                                      • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 00436CD6
                                      • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 00436CDB
                                        • Part of subcall function 004381DA: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 004381EB
                                      • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00436CF0
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                                      • String ID:
                                      • API String ID: 1761009282-0
                                      • Opcode ID: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
                                      • Instruction ID: fe0629a2579d5eb29aad24ff52ac89f8c4d28ee3f0e2161d733d9faf058f7893
                                      • Opcode Fuzzy Hash: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
                                      • Instruction Fuzzy Hash: 12C00254040342742C5077B622062AEA350A8AE38DFA7B4CFB892171038D0D440B953F
                                      APIs
                                      • __startOneArgErrorHandling.LIBCMT ref: 004401ED
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ErrorHandling__start
                                      • String ID: pow
                                      • API String ID: 3213639722-2276729525
                                      • Opcode ID: 28648d1c5639a1d5ffd860c5db5a803017559560979bfd47f5832c4e42ec8e44
                                      • Instruction ID: 9a83a7e01686381b8a8ce0b853cf5bc52d75b03c70b61edc7fb1f4b11142e615
                                      • Opcode Fuzzy Hash: 28648d1c5639a1d5ffd860c5db5a803017559560979bfd47f5832c4e42ec8e44
                                      • Instruction Fuzzy Hash: 21518A60A842018AFB117714CA4137B3B90EB40701F248DABE5D2563EAEB7D8CB5DA4F
                                      APIs
                                      • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00404046
                                        • Part of subcall function 00419959: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040405C), ref: 00419980
                                        • Part of subcall function 004168A6: CloseHandle.KERNEL32(004040D5,?,?,004040D5,00462E24), ref: 004168BC
                                        • Part of subcall function 004168A6: CloseHandle.KERNEL32($.F,?,?,004040D5,00462E24), ref: 004168C5
                                        • Part of subcall function 0041A20F: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040410F,00462E24), ref: 0041A228
                                      • Sleep.KERNEL32(000000FA,00462E24), ref: 00404118
                                      Strings
                                      • /sort "Visit Time" /stext ", xrefs: 00404092
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
                                      • String ID: /sort "Visit Time" /stext "
                                      • API String ID: 368326130-1573945896
                                      • Opcode ID: a4a6769404a45eb771fb951e36bc417e5ca480f2d31eb92d27795bae4adf2828
                                      • Instruction ID: 7f8942f24ccac46b0034012f494d3192eca769648d2eef92b07e1d28e9d76a7f
                                      • Opcode Fuzzy Hash: a4a6769404a45eb771fb951e36bc417e5ca480f2d31eb92d27795bae4adf2828
                                      • Instruction Fuzzy Hash: B5316431A0021556CB14FBB6DC969EE73B9AF90308F40017FF506B71E2EE38594ACA99
                                      APIs
                                        • Part of subcall function 00432525: __onexit.LIBCMT ref: 0043252B
                                      • __Init_thread_footer.LIBCMT ref: 0040A6E3
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Init_thread_footer__onexit
                                      • String ID: [End of clipboard]$[Text copied to clipboard]
                                      • API String ID: 1881088180-3686566968
                                      • Opcode ID: 8b3756b0909f45d78d669578ef8912b34d58c84c6c9fb6c8f8edd64ed624e4fc
                                      • Instruction ID: 89f5e7c07999504d217297f9a041c68b3e0b8c5632e5b70e4a6c966e9d45e494
                                      • Opcode Fuzzy Hash: 8b3756b0909f45d78d669578ef8912b34d58c84c6c9fb6c8f8edd64ed624e4fc
                                      • Instruction Fuzzy Hash: 42218D31A002055ACB04FBA5D892DEDB378AF54308F10453FF506771D2EF38AE4A8A8D
                                      APIs
                                      • GetACP.KERNEL32(?,20001004,?,00000002), ref: 0044EDF2
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: ACP$OCP
                                      • API String ID: 0-711371036
                                      • Opcode ID: 2f6255c43d422f9ec28f5694223862b2eeac92ff2acac738a800f64e00dd4497
                                      • Instruction ID: ce4b6ecbf16ce97eee8671cf775368e41a8ae942868fb71505acbacd33d5bec2
                                      • Opcode Fuzzy Hash: 2f6255c43d422f9ec28f5694223862b2eeac92ff2acac738a800f64e00dd4497
                                      • Instruction Fuzzy Hash: 4F21F1E2E00102A2FB348B67CC01BAB72A6FF54B51F568426E90AD7300EB3ADD41C35C
                                      APIs
                                      • GetWindowTextW.USER32(?,?,0000012C), ref: 00415B2E
                                      • IsWindowVisible.USER32(?), ref: 00415B37
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Window$TextVisible
                                      • String ID: (%G
                                      • API String ID: 1670992164-3377777310
                                      • Opcode ID: 6f17d284cfdb4df53722abd5a13ccbba9f2a9602f3f7b51a6171a740e00953ec
                                      • Instruction ID: 7bdbcb6602ffb42e5ce2137d58ff1a132c15f169860b2e192372582f8912ca7a
                                      • Opcode Fuzzy Hash: 6f17d284cfdb4df53722abd5a13ccbba9f2a9602f3f7b51a6171a740e00953ec
                                      • Instruction Fuzzy Hash: E42166315182019BC314FB61D891EEFB7E9AF94304F50493FF49A920E2FF349A49CA5A
                                      APIs
                                      • GetLocalTime.KERNEL32(?,004724A8,?,00000000,?,?,?,?,?,?,004146C2,?,00000001,0000004C,00000000), ref: 00405010
                                        • Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4
                                      • GetLocalTime.KERNEL32(?,004724A8,?,00000000,?,?,?,?,?,?,004146C2,?,00000001,0000004C,00000000), ref: 00405067
                                      Strings
                                      • Connection KeepAlive | Enabled | Timeout: , xrefs: 00404FFF
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: LocalTime
                                      • String ID: Connection KeepAlive | Enabled | Timeout:
                                      • API String ID: 481472006-507513762
                                      • Opcode ID: db71296423f5ae0c940390bca2fe76bdaa24d7f5692d89ec5d6dad89ab0214d4
                                      • Instruction ID: 0beb7a88d254a358a963561f9d97893b624dd36ca90e96b80d49a5b3b1f878f3
                                      • Opcode Fuzzy Hash: db71296423f5ae0c940390bca2fe76bdaa24d7f5692d89ec5d6dad89ab0214d4
                                      • Instruction Fuzzy Hash: 092137719042406BD304B7219D2976F7794A745308F04047EF845132E2DBBD5988CB9F
                                      APIs
                                      • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00432D8F
                                      • ___raise_securityfailure.LIBCMT ref: 00432E76
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: FeaturePresentProcessor___raise_securityfailure
                                      • String ID: (F
                                      • API String ID: 3761405300-3109638091
                                      • Opcode ID: 8d70a3cd03553c2d68efa77227729d50617932ca87f7888c32547dfbcc783ade
                                      • Instruction ID: 494dc9d0fce29d31cb3ef34e393fed80e8221b4646dfbf54f91bf1ae82b1ca01
                                      • Opcode Fuzzy Hash: 8d70a3cd03553c2d68efa77227729d50617932ca87f7888c32547dfbcc783ade
                                      • Instruction Fuzzy Hash: 8C21F0BD500205DEE700DF16E9856403BE4BB49314F20943AE9088B3A1F3F669918F9F
                                      APIs
                                      • GetLocalTime.KERNEL32(00000000), ref: 004194F4
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: LocalTime
                                      • String ID: | $%02i:%02i:%02i:%03i
                                      • API String ID: 481472006-2430845779
                                      • Opcode ID: 3ac86647c9e14ca6f93bd036f528b1de7b867f3a903355216a00816ff0bb3ae2
                                      • Instruction ID: bce8772fa89f7f7ff9e68bb522557632f538b64cb503c22793e2f51f4d03e72f
                                      • Opcode Fuzzy Hash: 3ac86647c9e14ca6f93bd036f528b1de7b867f3a903355216a00816ff0bb3ae2
                                      • Instruction Fuzzy Hash: 68117F315042015AC304FBA5D8518EBB3E8AB94308F500A3FF895A21E2FF3CDA49C65A
                                      APIs
                                      • PathFileExistsW.SHLWAPI(00000000,00000000,?,?,?,?,?,00415594,00000000), ref: 00418CF2
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ExistsFilePath
                                      • String ID: alarm.wav$x(G
                                      • API String ID: 1174141254-2413638199
                                      • Opcode ID: 26c40b3e06d19070c32931467931773a754d599fffa5f8131170b201d030b6b4
                                      • Instruction ID: fe962266bcbe9b481af3baecc2186877703bd5259ecc619923a55b1e0e4c82aa
                                      • Opcode Fuzzy Hash: 26c40b3e06d19070c32931467931773a754d599fffa5f8131170b201d030b6b4
                                      • Instruction Fuzzy Hash: 40019270B0430056C604F7A6E9566EE37958BA1358F00857FA849672E2EEBD4D45C6CF
                                      APIs
                                        • Part of subcall function 0040A0B0: GetLocalTime.KERNEL32(?,Offline Keylogger Started,00472008), ref: 0040A0BE
                                        • Part of subcall function 0040A0B0: wsprintfW.USER32 ref: 0040A13F
                                        • Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4
                                      • CloseHandle.KERNEL32(?), ref: 00409FFD
                                      • UnhookWindowsHookEx.USER32 ref: 0040A010
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
                                      • String ID: Online Keylogger Stopped
                                      • API String ID: 1623830855-1496645233
                                      • Opcode ID: 844159523aa59948fae8112936e3b7164414e1ec4be296e67346653cf839bcc0
                                      • Instruction ID: de94d33b988dbd75262e40483fa5bc1fa77a380ea8b62c1163629748a83ca489
                                      • Opcode Fuzzy Hash: 844159523aa59948fae8112936e3b7164414e1ec4be296e67346653cf839bcc0
                                      • Instruction Fuzzy Hash: 2601F530A003045BD7257F24C81BBBE7BB59B82304F40056FE541225D2EAB91866E7DF
                                      APIs
                                      • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000,?,?,?,?,?,?,0040B5A1), ref: 0040B49A
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ExistsFilePath
                                      • String ID: UserProfile$\AppData\Local\Microsoft\Edge\
                                      • API String ID: 1174141254-2800177040
                                      • Opcode ID: e6d86c904460ed95f93b6480c1b29343ffc8ef0317c86cf59c19c4bf9a903d1b
                                      • Instruction ID: 5821409638838460856efc798fa08f59aead72c028a5ec3eaf808f19191aee33
                                      • Opcode Fuzzy Hash: e6d86c904460ed95f93b6480c1b29343ffc8ef0317c86cf59c19c4bf9a903d1b
                                      • Instruction Fuzzy Hash: CBF0547090021996CA04FBA6CC57DFF7B6CDA10715B40057FBA01721D3EEBC9E5586D9
                                      APIs
                                      • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000,?,?,?,?,?,?,0040B53E), ref: 0040B437
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ExistsFilePath
                                      • String ID: UserProfile$\AppData\Local\Google\Chrome\
                                      • API String ID: 1174141254-4188645398
                                      • Opcode ID: 3eb312a051bd7b3e881279eab24470592b62138a753e29912da0ff6a2ccc73a2
                                      • Instruction ID: 3f8b084fd7c06795b4d0fa8893062b22b44e731770192fac0e06baefb29df0f7
                                      • Opcode Fuzzy Hash: 3eb312a051bd7b3e881279eab24470592b62138a753e29912da0ff6a2ccc73a2
                                      • Instruction Fuzzy Hash: 3DF08970A0021996CA04FBA6DC479FF7B6CDA10715B40007F7A01721D3EEBC9E498ADD
                                      APIs
                                      • PathFileExistsW.SHLWAPI(00000000,\Opera Software\Opera Stable\,00000000,?,?,?,?,?,?,0040B604), ref: 0040B4FD
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ExistsFilePath
                                      • String ID: AppData$\Opera Software\Opera Stable\
                                      • API String ID: 1174141254-1629609700
                                      • Opcode ID: 642841fccc908c774798103d59d1a545af8806a5893841e3456303e80930f048
                                      • Instruction ID: 52471f63f703214977655dbdffc05bc1b666495b4e4508f2cd1aa44db4b955b6
                                      • Instruction Fuzzy Hash: 2AF05430900219A6C604FBA6CC479EF7B6C9A50709B40047FB901722D3EEB99A4586DD
                                      APIs
                                      • GetKeyState.USER32(00000011), ref: 0040A597
                                        • Part of subcall function 00409468: GetForegroundWindow.USER32 ref: 0040949C
                                        • Part of subcall function 00409468: GetWindowThreadProcessId.USER32(00000000,?), ref: 004094A7
                                        • Part of subcall function 00409468: GetKeyboardLayout.USER32(00000000), ref: 004094AE
                                        • Part of subcall function 00409468: GetKeyState.USER32(00000010), ref: 004094B8
                                        • Part of subcall function 00409468: GetKeyboardState.USER32(?), ref: 004094C5
                                        • Part of subcall function 00409468: ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 004094E1
                                        • Part of subcall function 0040962E: SetEvent.KERNEL32(?,?,00000000,0040A156,00000000), ref: 0040965A
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: State$KeyboardWindow$EventForegroundLayoutProcessThreadUnicode
                                      • String ID: [AltL]$[AltR]
                                      • API String ID: 3195419117-2658077756
                                      • Opcode ID: 93bc4c82374cea9adc1be0e1e00b15a6865a0a166cb0b06a72cbb1eb968038fe
                                      • Instruction ID: 29e442ca109236f59d068076b5b59df2bd5c1a98fb0e5871b2f0b43888bf59e1
                                      • Instruction Fuzzy Hash: E0E0E52170432026C828363E2D2B6AE39109741761B80006FF8436B2C6EC7E8D1043CF
                                      APIs
                                      • GetKeyState.USER32(00000012), ref: 0040A5F1
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: State
                                      • String ID: [CtrlL]$[CtrlR]
                                      • API String ID: 1649606143-2446555240
                                      • Opcode ID: 32d4ed10a71edebd33ac4b48b63deb44ff05106530e36cbcea7ee1510555eeab
                                      • Instruction ID: c9b4056729f6320a31326482d9effdd17bd0eb8d0dea22e3f8a852eb4ad5c27f
                                      • Instruction Fuzzy Hash: 53E02672B043112AC414397E551EA2A286087917A9F46042FECC3672C3D87F8D2203CF
                                      APIs
                                      • RegOpenKeyExW.ADVAPI32(80000001,00000000,00000000,00000002,00000000,80000001,6h@,004123E9,00000000,00000000,6h@,origmsc,00000000), ref: 00412422
                                      • RegDeleteValueW.ADVAPI32(?,?), ref: 00412436
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: DeleteOpenValue
                                      • String ID: 6h@
                                      • API String ID: 2654517830-73392143
                                      • Opcode ID: 45be350e15fffb6ae5252e7309d7a4a092feaea6bf63e3a5136c94c60f555a57
                                      • Instruction ID: b623b948bfdfa0337ccefb4abe002260ff2e01b184ebd3416e4b53d264740477
                                      • Instruction Fuzzy Hash: 9BE0C231244208BBDF108F71DE07FFA372CDB01F01F5042A5BD0592091C666CE149664
                                      APIs
                                      • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401D35), ref: 0043B4DB
                                      • GetLastError.KERNEL32 ref: 0043B4E9
                                      • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0043B544
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ByteCharMultiWide$ErrorLast
                                      • String ID:
                                      • API String ID: 1717984340-0
                                      • Opcode ID: b03ae9dac27993159e2f076845c08d8301cee77c5f079c52009939e8645c9409
                                      • Instruction ID: 0ecaebee41cb6558e50c6262f5020644a21471e748dd5a13caac6b8f2b864e38
                                      • Instruction Fuzzy Hash: AD411630600205BFDB229F65D844B6B7BB4EF09328F14516EFA59AB3A1DB38CD01C799
                                      APIs
                                      • IsBadReadPtr.KERNEL32(?,00000014), ref: 004105F1
                                      • IsBadReadPtr.KERNEL32(?,00000014), ref: 004106BD
                                      • SetLastError.KERNEL32(0000007F), ref: 004106DF
                                      • SetLastError.KERNEL32(0000007E,00410955), ref: 004106F6
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1865064204.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_rjOyFV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ErrorLastRead
                                      • String ID:
                                      • API String ID: 4100373531-0
                                      • Opcode ID: 9879e5f97f9034714067de51e7f9b75c8f83f84791738768acf52853c1cf03dd
                                      • Instruction ID: 0e21605053d2ba8273329305491efaf700724209343246308e891da9604144dc
                                      • Opcode Fuzzy Hash: 9879e5f97f9034714067de51e7f9b75c8f83f84791738768acf52853c1cf03dd
                                      • Instruction Fuzzy Hash: 73417C71644305DFE7208F18DC84BA7B7E4FF88714F00442EE54687691EBB5E8A5CB19