Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
DHL AWB_NO_9078538809.exe

Overview

General Information

Sample name:DHL AWB_NO_9078538809.exe
Analysis ID:1562270
MD5:0e317b92296b874f54a63b7ce8ef3c65
SHA1:a2c482fc7c9fea2543fac305fc4857ed6ddb8ac4
SHA256:802838172640a2ed4ea87b5ecbfd07629e151f25ae46e1c03d3ae11b0f78add6
Tags:DHLexeRATRemcosRATuser-abuse_ch
Infos:

Detection

PureLog Stealer, Remcos
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected PureLog Stealer
Yara detected Remcos RAT
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Delayed program exit found
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains functionality for read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch a control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • DHL AWB_NO_9078538809.exe (PID: 7532 cmdline: "C:\Users\user\Desktop\DHL AWB_NO_9078538809.exe" MD5: 0E317B92296B874F54A63B7CE8EF3C65)
    • powershell.exe (PID: 7708 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\GAmFKUIDBo.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7724 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 7952 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • schtasks.exe (PID: 7732 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GAmFKUIDBo" /XML "C:\Users\user\AppData\Local\Temp\tmpECF0.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7760 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • DHL AWB_NO_9078538809.exe (PID: 7860 cmdline: "C:\Users\user\Desktop\DHL AWB_NO_9078538809.exe" MD5: 0E317B92296B874F54A63B7CE8EF3C65)
  • GAmFKUIDBo.exe (PID: 7900 cmdline: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exe MD5: 0E317B92296B874F54A63B7CE8EF3C65)
    • schtasks.exe (PID: 8080 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GAmFKUIDBo" /XML "C:\Users\user\AppData\Local\Temp\tmpF888.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 8088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • GAmFKUIDBo.exe (PID: 8128 cmdline: "C:\Users\user\AppData\Roaming\GAmFKUIDBo.exe" MD5: 0E317B92296B874F54A63B7CE8EF3C65)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Remcos, RemcosRATRemcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.
  • APT33
  • The Gorgon Group
  • UAC-0050
https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Malware Configuration

Threatname: Remcos

{"Host:Port:Password": ["windowsupdateserveraug.duckdns.org:45682:1"], "Assigned name": "wn", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Remcos", "Hide file": "Disable", "Mutex": "msc-XYOFLE", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos", "Keylog file max size": "100"}

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
0000000B.00000002.1800318977.0000000001317000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_RemcosYara detected Remcos RATJoe Security
    00000006.00000002.4206115164.00000000012C7000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_RemcosYara detected Remcos RATJoe Security
      00000000.00000002.1774853678.0000000004FE0000.00000004.08000000.00040000.00000000.sdmpJoeSecurity_PureLogStealerYara detected PureLog StealerJoe Security
        0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_RemcosYara detected Remcos RATJoe Security
          0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmpWindows_Trojan_Remcos_b296e965unknownunknown
          • 0x691e0:$a1: Remcos restarted by watchdog!
          • 0x69738:$a3: %02i:%02i:%02i:%03i
          • 0x69abd:$a4: * Remcos v
          Click to see the 14 entries

          Unpacked PEs

          SourceRuleDescriptionAuthorStrings
          0.2.DHL AWB_NO_9078538809.exe.4fe0000.4.raw.unpackJoeSecurity_PureLogStealerYara detected PureLog StealerJoe Security
            0.2.DHL AWB_NO_9078538809.exe.36ce790.3.unpackJoeSecurity_PureLogStealerYara detected PureLog StealerJoe Security
              0.2.DHL AWB_NO_9078538809.exe.4fe0000.4.unpackJoeSecurity_PureLogStealerYara detected PureLog StealerJoe Security
                0.2.DHL AWB_NO_9078538809.exe.41dfd00.0.unpackJoeSecurity_RemcosYara detected Remcos RATJoe Security
                  0.2.DHL AWB_NO_9078538809.exe.41dfd00.0.unpackWindows_Trojan_Remcos_b296e965unknownunknown
                  • 0x661e0:$a1: Remcos restarted by watchdog!
                  • 0x66738:$a3: %02i:%02i:%02i:%03i
                  • 0x66abd:$a4: * Remcos v
                  Click to see the 24 entries

                  Sigma Signatures

                  System Summary

                  barindex
                  Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
                  Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\GAmFKUIDBo.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\GAmFKUIDBo.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\DHL AWB_NO_9078538809.exe", ParentImage: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exe, ParentProcessId: 7532, ParentProcessName: DHL AWB_NO_9078538809.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\GAmFKUIDBo.exe", ProcessId: 7708, ProcessName: powershell.exe
                  Sigma detected: Powershell Defender Exclusion
                  Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\GAmFKUIDBo.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\GAmFKUIDBo.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\DHL AWB_NO_9078538809.exe", ParentImage: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exe, ParentProcessId: 7532, ParentProcessName: DHL AWB_NO_9078538809.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\GAmFKUIDBo.exe", ProcessId: 7708, ProcessName: powershell.exe
                  Sigma detected: Suspicious Add Scheduled Task Parent
                  Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GAmFKUIDBo" /XML "C:\Users\user\AppData\Local\Temp\tmpF888.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GAmFKUIDBo" /XML "C:\Users\user\AppData\Local\Temp\tmpF888.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exe, ParentImage: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exe, ParentProcessId: 7900, ParentProcessName: GAmFKUIDBo.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GAmFKUIDBo" /XML "C:\Users\user\AppData\Local\Temp\tmpF888.tmp", ProcessId: 8080, ProcessName: schtasks.exe
                  Sigma detected: Suspicious Schtasks From Env Var Folder
                  Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GAmFKUIDBo" /XML "C:\Users\user\AppData\Local\Temp\tmpECF0.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GAmFKUIDBo" /XML "C:\Users\user\AppData\Local\Temp\tmpECF0.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\DHL AWB_NO_9078538809.exe", ParentImage: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exe, ParentProcessId: 7532, ParentProcessName: DHL AWB_NO_9078538809.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GAmFKUIDBo" /XML "C:\Users\user\AppData\Local\Temp\tmpECF0.tmp", ProcessId: 7732, ProcessName: schtasks.exe
                  Sigma detected: Non Interactive PowerShell Process Spawned
                  Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\GAmFKUIDBo.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\GAmFKUIDBo.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\DHL AWB_NO_9078538809.exe", ParentImage: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exe, ParentProcessId: 7532, ParentProcessName: DHL AWB_NO_9078538809.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\GAmFKUIDBo.exe", ProcessId: 7708, ProcessName: powershell.exe

                  Persistence and Installation Behavior

                  barindex
                  Sigma detected: Scheduled temp file as task from temp location
                  Source: Process startedAuthor: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GAmFKUIDBo" /XML "C:\Users\user\AppData\Local\Temp\tmpECF0.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GAmFKUIDBo" /XML "C:\Users\user\AppData\Local\Temp\tmpECF0.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\DHL AWB_NO_9078538809.exe", ParentImage: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exe, ParentProcessId: 7532, ParentProcessName: DHL AWB_NO_9078538809.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GAmFKUIDBo" /XML "C:\Users\user\AppData\Local\Temp\tmpECF0.tmp", ProcessId: 7732, ProcessName: schtasks.exe

                  Suricata Signatures

                  TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                  2024-11-25T12:48:00.789488+010020365941Malware Command and Control Activity Detected192.168.2.450019185.214.10.22545682TCP
                  2024-11-25T12:48:28.143421+010020365941Malware Command and Control Activity Detected192.168.2.449733185.214.10.22545682TCP
                  2024-11-25T12:48:51.222307+010020365941Malware Command and Control Activity Detected192.168.2.449742185.214.10.22545682TCP
                  2024-11-25T12:49:14.294086+010020365941Malware Command and Control Activity Detected192.168.2.449743185.214.10.22545682TCP
                  2024-11-25T12:49:37.654004+010020365941Malware Command and Control Activity Detected192.168.2.449789185.214.10.22545682TCP
                  2024-11-25T12:50:00.717754+010020365941Malware Command and Control Activity Detected192.168.2.449840185.214.10.22545682TCP
                  2024-11-25T12:50:23.826794+010020365941Malware Command and Control Activity Detected192.168.2.449891185.214.10.22545682TCP
                  2024-11-25T12:50:47.192523+010020365941Malware Command and Control Activity Detected192.168.2.449943185.214.10.22545682TCP
                  2024-11-25T12:51:10.227033+010020365941Malware Command and Control Activity Detected192.168.2.449994185.214.10.22545682TCP
                  2024-11-25T12:51:33.297121+010020365941Malware Command and Control Activity Detected192.168.2.450017185.214.10.22545682TCP
                  2024-11-25T12:51:57.156591+010020365941Malware Command and Control Activity Detected192.168.2.450018185.214.10.22545682TCP

                  Joe Sandbox Signatures

                  Click to jump to signature section

                  Show All Signature Results

                  AV Detection

                  barindex
                  Found malware configuration
                  Source: 00000000.00000002.1770366632.00000000041DF000.00000004.00000800.00020000.00000000.sdmpMalware Configuration Extractor: Remcos {"Host:Port:Password": ["windowsupdateserveraug.duckdns.org:45682:1"], "Assigned name": "wn", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Remcos", "Hide file": "Disable", "Mutex": "msc-XYOFLE", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos", "Keylog file max size": "100"}
                  Multi AV Scanner detection for dropped file
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeReversingLabs: Detection: 34%
                  Multi AV Scanner detection for submitted file
                  Source: DHL AWB_NO_9078538809.exeReversingLabs: Detection: 34%
                  Yara detected Remcos RAT
                  Source: Yara matchFile source: 0.2.DHL AWB_NO_9078538809.exe.41dfd00.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.DHL AWB_NO_9078538809.exe.37a7838.2.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.DHL AWB_NO_9078538809.exe.41dfd00.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 11.2.GAmFKUIDBo.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 11.2.GAmFKUIDBo.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.DHL AWB_NO_9078538809.exe.37a7838.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.DHL AWB_NO_9078538809.exe.36ce790.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0000000B.00000002.1800318977.0000000001317000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000006.00000002.4206115164.00000000012C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.1770366632.00000000041DF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.1770366632.00000000036B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: DHL AWB_NO_9078538809.exe PID: 7532, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: DHL AWB_NO_9078538809.exe PID: 7860, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: GAmFKUIDBo.exe PID: 8128, type: MEMORYSTR
                  AI detected suspicious sample
                  Source: Submited SampleIntegrated Neural Analysis Model: Matched 99.6% probability
                  Machine Learning detection for dropped file
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeJoe Sandbox ML: detected
                  Machine Learning detection for sample
                  Source: DHL AWB_NO_9078538809.exeJoe Sandbox ML: detected
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeCode function: 11_2_004315EC CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,11_2_004315EC
                  Source: DHL AWB_NO_9078538809.exe, 00000000.00000002.1770366632.00000000041DF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: -----BEGIN PUBLIC KEY-----memstr_cabea92e-b
                  Source: DHL AWB_NO_9078538809.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                  Source: DHL AWB_NO_9078538809.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                  Source: Binary string: FTtR.pdb source: DHL AWB_NO_9078538809.exe, GAmFKUIDBo.exe.0.dr
                  Source: Binary string: FTtR.pdbSHA256c% source: DHL AWB_NO_9078538809.exe, GAmFKUIDBo.exe.0.dr
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeCode function: 11_2_0041A01B FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,11_2_0041A01B
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeCode function: 11_2_0040B28E FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,11_2_0040B28E
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeCode function: 11_2_0040838E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,11_2_0040838E
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeCode function: 11_2_004087A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,11_2_004087A0
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeCode function: 11_2_00407848 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,11_2_00407848
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeCode function: 11_2_004068CD FindFirstFileW,FindNextFileW,11_2_004068CD
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeCode function: 11_2_0040AA71 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,11_2_0040AA71
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeCode function: 11_2_00417AAB FindFirstFileW,FindNextFileW,FindNextFileW,11_2_00417AAB
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeCode function: 11_2_0040AC78 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,11_2_0040AC78
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeCode function: 11_2_00406D28 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,11_2_00406D28

                  Networking

                  barindex
                  Suricata IDS alerts for network traffic
                  Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49742 -> 185.214.10.225:45682
                  Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49733 -> 185.214.10.225:45682
                  Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49743 -> 185.214.10.225:45682
                  Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49789 -> 185.214.10.225:45682
                  Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49840 -> 185.214.10.225:45682
                  Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49891 -> 185.214.10.225:45682
                  Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49943 -> 185.214.10.225:45682
                  Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49994 -> 185.214.10.225:45682
                  Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50018 -> 185.214.10.225:45682
                  Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50017 -> 185.214.10.225:45682
                  Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50019 -> 185.214.10.225:45682
                  C2 URLs / IPs found in malware configuration
                  Source: Malware configuration extractorURLs: windowsupdateserveraug.duckdns.org
                  Connects to many ports of the same IP (likely port scanning)
                  Source: global trafficTCP traffic: 185.214.10.225 ports 2,4,5,6,8,45682
                  Uses dynamic DNS services
                  Source: unknownDNS query: name: windowsupdateserveraug.duckdns.org
                  Source: global trafficTCP traffic: 192.168.2.4:49733 -> 185.214.10.225:45682
                  Source: Joe Sandbox ViewASN Name: YISP-ASNL YISP-ASNL
                  Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeCode function: 11_2_0041936B InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,11_2_0041936B
                  Source: global trafficDNS traffic detected: DNS query: windowsupdateserveraug.duckdns.org
                  Source: GAmFKUIDBo.exeString found in binary or memory: http://geoplugin.net/json.gp
                  Source: DHL AWB_NO_9078538809.exe, 00000000.00000002.1770366632.00000000041DF000.00000004.00000800.00020000.00000000.sdmp, DHL AWB_NO_9078538809.exe, 00000000.00000002.1770366632.00000000036B1000.00000004.00000800.00020000.00000000.sdmp, GAmFKUIDBo.exe, 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gp/C
                  Source: DHL AWB_NO_9078538809.exe, 00000000.00000002.1769398141.00000000026F8000.00000004.00000800.00020000.00000000.sdmp, GAmFKUIDBo.exe, 00000007.00000002.1802091104.0000000002908000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                  Source: DHL AWB_NO_9078538809.exe, GAmFKUIDBo.exe.0.drString found in binary or memory: http://tempuri.org/DataSet1.xsd
                  Source: DHL AWB_NO_9078538809.exe, 00000000.00000002.1775977864.0000000006732000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                  Source: DHL AWB_NO_9078538809.exe, 00000000.00000002.1775977864.0000000006732000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.coml
                  Source: DHL AWB_NO_9078538809.exe, 00000000.00000002.1775977864.0000000006732000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com
                  Source: DHL AWB_NO_9078538809.exe, 00000000.00000002.1775977864.0000000006732000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers
                  Source: DHL AWB_NO_9078538809.exe, 00000000.00000002.1775977864.0000000006732000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
                  Source: DHL AWB_NO_9078538809.exe, 00000000.00000002.1775977864.0000000006732000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
                  Source: DHL AWB_NO_9078538809.exe, 00000000.00000002.1775977864.0000000006732000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
                  Source: DHL AWB_NO_9078538809.exe, 00000000.00000002.1775977864.0000000006732000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
                  Source: DHL AWB_NO_9078538809.exe, 00000000.00000002.1775977864.0000000006732000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
                  Source: DHL AWB_NO_9078538809.exe, 00000000.00000002.1775977864.0000000006732000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
                  Source: DHL AWB_NO_9078538809.exe, 00000000.00000002.1775977864.0000000006732000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fonts.com
                  Source: DHL AWB_NO_9078538809.exe, 00000000.00000002.1775977864.0000000006732000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn
                  Source: DHL AWB_NO_9078538809.exe, 00000000.00000002.1775977864.0000000006732000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
                  Source: DHL AWB_NO_9078538809.exe, 00000000.00000002.1775977864.0000000006732000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
                  Source: DHL AWB_NO_9078538809.exe, 00000000.00000002.1775977864.0000000006732000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
                  Source: DHL AWB_NO_9078538809.exe, 00000000.00000002.1775977864.0000000006732000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
                  Source: DHL AWB_NO_9078538809.exe, 00000000.00000002.1775977864.0000000006732000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.goodfont.co.kr
                  Source: DHL AWB_NO_9078538809.exe, 00000000.00000002.1775977864.0000000006732000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
                  Source: DHL AWB_NO_9078538809.exe, 00000000.00000002.1775977864.0000000006732000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.com
                  Source: DHL AWB_NO_9078538809.exe, 00000000.00000002.1775977864.0000000006732000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sakkal.com
                  Source: DHL AWB_NO_9078538809.exe, 00000000.00000002.1775778667.0000000005080000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.sakkal.com08
                  Source: DHL AWB_NO_9078538809.exe, 00000000.00000002.1775977864.0000000006732000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.co.kr
                  Source: DHL AWB_NO_9078538809.exe, 00000000.00000002.1775977864.0000000006732000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.com
                  Source: DHL AWB_NO_9078538809.exe, 00000000.00000002.1775977864.0000000006732000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.typography.netD
                  Source: DHL AWB_NO_9078538809.exe, 00000000.00000002.1775977864.0000000006732000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.deDPlease
                  Source: DHL AWB_NO_9078538809.exe, 00000000.00000002.1775977864.0000000006732000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cn

                  Key, Mouse, Clipboard, Microphone and Screen Capturing

                  barindex
                  Contains functionality to register a low level keyboard hook
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeCode function: 11_2_00409340 SetWindowsHookExA 0000000D,0040932C,0000000011_2_00409340
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeCode function: 11_2_0040A65A OpenClipboard,GetClipboardData,CloseClipboard,11_2_0040A65A
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeCode function: 11_2_00414EC1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,11_2_00414EC1
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeCode function: 11_2_0040A65A OpenClipboard,GetClipboardData,CloseClipboard,11_2_0040A65A
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeCode function: 11_2_00409468 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,11_2_00409468

                  E-Banking Fraud

                  barindex
                  Yara detected Remcos RAT
                  Source: Yara matchFile source: 0.2.DHL AWB_NO_9078538809.exe.41dfd00.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.DHL AWB_NO_9078538809.exe.37a7838.2.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.DHL AWB_NO_9078538809.exe.41dfd00.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 11.2.GAmFKUIDBo.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 11.2.GAmFKUIDBo.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.DHL AWB_NO_9078538809.exe.37a7838.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.DHL AWB_NO_9078538809.exe.36ce790.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0000000B.00000002.1800318977.0000000001317000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000006.00000002.4206115164.00000000012C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.1770366632.00000000041DF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.1770366632.00000000036B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: DHL AWB_NO_9078538809.exe PID: 7532, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: DHL AWB_NO_9078538809.exe PID: 7860, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: GAmFKUIDBo.exe PID: 8128, type: MEMORYSTR

                  Spam, unwanted Advertisements and Ransom Demands

                  barindex
                  Contains functionalty to change the wallpaper
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeCode function: 11_2_0041A76C SystemParametersInfoW,11_2_0041A76C

                  System Summary

                  barindex
                  Malicious sample detected (through community Yara rule)
                  Source: 0.2.DHL AWB_NO_9078538809.exe.41dfd00.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 0.2.DHL AWB_NO_9078538809.exe.41dfd00.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                  Source: 0.2.DHL AWB_NO_9078538809.exe.41dfd00.0.unpack, type: UNPACKEDPEMatched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
                  Source: 0.2.DHL AWB_NO_9078538809.exe.37a7838.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 0.2.DHL AWB_NO_9078538809.exe.37a7838.2.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                  Source: 0.2.DHL AWB_NO_9078538809.exe.37a7838.2.unpack, type: UNPACKEDPEMatched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
                  Source: 0.2.DHL AWB_NO_9078538809.exe.41dfd00.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 0.2.DHL AWB_NO_9078538809.exe.41dfd00.0.raw.unpack, type: UNPACKEDPEMatched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
                  Source: 11.2.GAmFKUIDBo.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 11.2.GAmFKUIDBo.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                  Source: 11.2.GAmFKUIDBo.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
                  Source: 11.2.GAmFKUIDBo.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 11.2.GAmFKUIDBo.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                  Source: 11.2.GAmFKUIDBo.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
                  Source: 0.2.DHL AWB_NO_9078538809.exe.37a7838.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 0.2.DHL AWB_NO_9078538809.exe.37a7838.2.raw.unpack, type: UNPACKEDPEMatched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
                  Source: 0.2.DHL AWB_NO_9078538809.exe.36ce790.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 0.2.DHL AWB_NO_9078538809.exe.36ce790.3.raw.unpack, type: UNPACKEDPEMatched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
                  Source: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Author: unknown
                  Source: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
                  Source: 00000000.00000002.1770366632.00000000041DF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 00000000.00000002.1770366632.00000000036B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: Process Memory Space: DHL AWB_NO_9078538809.exe PID: 7532, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: Process Memory Space: GAmFKUIDBo.exe PID: 8128, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeProcess Stats: CPU usage > 49%
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeCode function: 11_2_00414DB4 ExitWindowsEx,LoadLibraryA,GetProcAddress,11_2_00414DB4
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeCode function: 0_2_00C1D3440_2_00C1D344
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeCode function: 0_2_026800400_2_02680040
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeCode function: 0_2_026800060_2_02680006
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeCode function: 0_2_026872690_2_02687269
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeCode function: 0_2_051505590_2_05150559
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeCode function: 0_2_051505600_2_05150560
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeCode function: 0_2_051596680_2_05159668
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeCode function: 0_2_0515B1780_2_0515B178
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeCode function: 0_2_0515B1690_2_0515B169
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeCode function: 0_2_051592300_2_05159230
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeCode function: 0_2_05159ED80_2_05159ED8
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeCode function: 0_2_05159EC80_2_05159EC8
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeCode function: 0_2_05159AA00_2_05159AA0
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeCode function: 0_2_0A4509400_2_0A450940
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeCode function: 7_2_00C7D3447_2_00C7D344
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeCode function: 7_2_06D5F76B7_2_06D5F76B
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeCode function: 7_2_06D596687_2_06D59668
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeCode function: 7_2_06D505597_2_06D50559
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeCode function: 7_2_06D505607_2_06D50560
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeCode function: 7_2_06D592307_2_06D59230
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeCode function: 7_2_06D5B1787_2_06D5B178
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeCode function: 7_2_06D5B1697_2_06D5B169
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeCode function: 7_2_06D59ED87_2_06D59ED8
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeCode function: 7_2_06D59EC87_2_06D59EC8
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeCode function: 7_2_06D59AA07_2_06D59AA0
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeCode function: 11_2_0042515211_2_00425152
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeCode function: 11_2_0043528611_2_00435286
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeCode function: 11_2_004513D411_2_004513D4
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeCode function: 11_2_0045050B11_2_0045050B
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeCode function: 11_2_0043651011_2_00436510
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeCode function: 11_2_004316FB11_2_004316FB
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeCode function: 11_2_0043569E11_2_0043569E
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeCode function: 11_2_0044370011_2_00443700
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeCode function: 11_2_004257FB11_2_004257FB
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeCode function: 11_2_004128E311_2_004128E3
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeCode function: 11_2_0042596411_2_00425964
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeCode function: 11_2_0041B91711_2_0041B917
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeCode function: 11_2_0043D9CC11_2_0043D9CC
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeCode function: 11_2_00435AD311_2_00435AD3
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeCode function: 11_2_00424BC311_2_00424BC3
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeCode function: 11_2_0043DBFB11_2_0043DBFB
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeCode function: 11_2_0044ABA911_2_0044ABA9
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeCode function: 11_2_00433C0B11_2_00433C0B
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeCode function: 11_2_00434D8A11_2_00434D8A
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeCode function: 11_2_0043DE2A11_2_0043DE2A
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeCode function: 11_2_0041CEAF11_2_0041CEAF
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeCode function: 11_2_00435F0811_2_00435F08
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeCode function: String function: 00402073 appears 51 times
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeCode function: String function: 00432B90 appears 53 times
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeCode function: String function: 00432525 appears 41 times
                  Source: DHL AWB_NO_9078538809.exe, 00000000.00000002.1769398141.00000000026B1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename vs DHL AWB_NO_9078538809.exe
                  Source: DHL AWB_NO_9078538809.exe, 00000000.00000002.1770366632.00000000036B1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameArthur.dll" vs DHL AWB_NO_9078538809.exe
                  Source: DHL AWB_NO_9078538809.exe, 00000000.00000002.1770366632.00000000036B1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMontero.dll8 vs DHL AWB_NO_9078538809.exe
                  Source: DHL AWB_NO_9078538809.exe, 00000000.00000002.1768155994.000000000098E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs DHL AWB_NO_9078538809.exe
                  Source: DHL AWB_NO_9078538809.exe, 00000000.00000002.1777399953.0000000006FE0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameMontero.dll8 vs DHL AWB_NO_9078538809.exe
                  Source: DHL AWB_NO_9078538809.exe, 00000000.00000002.1774853678.0000000004FE0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameArthur.dll" vs DHL AWB_NO_9078538809.exe
                  Source: DHL AWB_NO_9078538809.exeBinary or memory string: OriginalFilenameFTtR.exe@ vs DHL AWB_NO_9078538809.exe
                  Source: DHL AWB_NO_9078538809.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                  Source: 0.2.DHL AWB_NO_9078538809.exe.41dfd00.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: 0.2.DHL AWB_NO_9078538809.exe.41dfd00.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                  Source: 0.2.DHL AWB_NO_9078538809.exe.41dfd00.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
                  Source: 0.2.DHL AWB_NO_9078538809.exe.37a7838.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: 0.2.DHL AWB_NO_9078538809.exe.37a7838.2.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                  Source: 0.2.DHL AWB_NO_9078538809.exe.37a7838.2.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
                  Source: 0.2.DHL AWB_NO_9078538809.exe.41dfd00.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: 0.2.DHL AWB_NO_9078538809.exe.41dfd00.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
                  Source: 11.2.GAmFKUIDBo.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: 11.2.GAmFKUIDBo.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                  Source: 11.2.GAmFKUIDBo.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
                  Source: 11.2.GAmFKUIDBo.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: 11.2.GAmFKUIDBo.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                  Source: 11.2.GAmFKUIDBo.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
                  Source: 0.2.DHL AWB_NO_9078538809.exe.37a7838.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: 0.2.DHL AWB_NO_9078538809.exe.37a7838.2.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
                  Source: 0.2.DHL AWB_NO_9078538809.exe.36ce790.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: 0.2.DHL AWB_NO_9078538809.exe.36ce790.3.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
                  Source: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                  Source: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
                  Source: 00000000.00000002.1770366632.00000000041DF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: 00000000.00000002.1770366632.00000000036B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: Process Memory Space: DHL AWB_NO_9078538809.exe PID: 7532, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: Process Memory Space: GAmFKUIDBo.exe PID: 8128, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: DHL AWB_NO_9078538809.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: GAmFKUIDBo.exe.0.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: 0.2.DHL AWB_NO_9078538809.exe.4fe0000.4.raw.unpack, id.csCryptographic APIs: 'CreateDecryptor'
                  Source: 0.2.DHL AWB_NO_9078538809.exe.36ce790.3.raw.unpack, id.csCryptographic APIs: 'CreateDecryptor'
                  Source: 0.2.DHL AWB_NO_9078538809.exe.3861258.1.raw.unpack, MYeZpd0o7ythZ8Oq4X.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: 0.2.DHL AWB_NO_9078538809.exe.3861258.1.raw.unpack, AOu7yJeP0Pk1uxa6oE.csSecurity API names: _0020.SetAccessControl
                  Source: 0.2.DHL AWB_NO_9078538809.exe.3861258.1.raw.unpack, AOu7yJeP0Pk1uxa6oE.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: 0.2.DHL AWB_NO_9078538809.exe.3861258.1.raw.unpack, AOu7yJeP0Pk1uxa6oE.csSecurity API names: _0020.AddAccessRule
                  Source: 0.2.DHL AWB_NO_9078538809.exe.6fe0000.5.raw.unpack, MYeZpd0o7ythZ8Oq4X.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: 0.2.DHL AWB_NO_9078538809.exe.6fe0000.5.raw.unpack, AOu7yJeP0Pk1uxa6oE.csSecurity API names: _0020.SetAccessControl
                  Source: 0.2.DHL AWB_NO_9078538809.exe.6fe0000.5.raw.unpack, AOu7yJeP0Pk1uxa6oE.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: 0.2.DHL AWB_NO_9078538809.exe.6fe0000.5.raw.unpack, AOu7yJeP0Pk1uxa6oE.csSecurity API names: _0020.AddAccessRule
                  Source: classification engineClassification label: mal100.rans.troj.spyw.evad.winEXE@16/11@4/1
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeCode function: 11_2_00415C90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,11_2_00415C90
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeCode function: 11_2_0040E2E7 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,Process32NextW,CloseHandle,11_2_0040E2E7
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeCode function: 11_2_00419493 FindResourceA,LoadResource,LockResource,SizeofResource,11_2_00419493
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeCode function: 11_2_00418A00 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,11_2_00418A00
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeFile created: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeJump to behavior
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeMutant created: NULL
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7724:120:WilError_03
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8088:120:WilError_03
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7760:120:WilError_03
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeMutant created: \Sessions\1\BaseNamedObjects\msc-XYOFLE
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeFile created: C:\Users\user\AppData\Local\Temp\tmpECF0.tmpJump to behavior
                  Source: DHL AWB_NO_9078538809.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: DHL AWB_NO_9078538809.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                  Source: DHL AWB_NO_9078538809.exeReversingLabs: Detection: 34%
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeFile read: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeJump to behavior
                  Source: unknownProcess created: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exe "C:\Users\user\Desktop\DHL AWB_NO_9078538809.exe"
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\GAmFKUIDBo.exe"
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GAmFKUIDBo" /XML "C:\Users\user\AppData\Local\Temp\tmpECF0.tmp"
                  Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeProcess created: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exe "C:\Users\user\Desktop\DHL AWB_NO_9078538809.exe"
                  Source: unknownProcess created: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exe C:\Users\user\AppData\Roaming\GAmFKUIDBo.exe
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GAmFKUIDBo" /XML "C:\Users\user\AppData\Local\Temp\tmpF888.tmp"
                  Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeProcess created: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exe "C:\Users\user\AppData\Roaming\GAmFKUIDBo.exe"
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\GAmFKUIDBo.exe"Jump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GAmFKUIDBo" /XML "C:\Users\user\AppData\Local\Temp\tmpECF0.tmp"Jump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeProcess created: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exe "C:\Users\user\Desktop\DHL AWB_NO_9078538809.exe"Jump to behavior
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GAmFKUIDBo" /XML "C:\Users\user\AppData\Local\Temp\tmpF888.tmp"Jump to behavior
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeProcess created: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exe "C:\Users\user\AppData\Roaming\GAmFKUIDBo.exe"Jump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeSection loaded: apphelp.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeSection loaded: version.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeSection loaded: dwrite.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeSection loaded: riched20.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeSection loaded: usp10.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeSection loaded: msls31.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeSection loaded: gpapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeSection loaded: windowscodecs.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeSection loaded: ntmarta.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeSection loaded: propsys.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeSection loaded: edputil.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeSection loaded: urlmon.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeSection loaded: iertutil.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeSection loaded: wintypes.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeSection loaded: appresolver.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeSection loaded: bcp47langs.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeSection loaded: slc.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeSection loaded: sppc.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
                  Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeSection loaded: winmm.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeSection loaded: urlmon.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeSection loaded: wininet.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeSection loaded: iertutil.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeSection loaded: mswsock.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeSection loaded: dnsapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeSection loaded: iphlpapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeSection loaded: rasadhlp.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeSection loaded: fwpuclnt.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeSection loaded: apphelp.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeSection loaded: version.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeSection loaded: dwrite.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeSection loaded: riched20.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeSection loaded: usp10.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeSection loaded: msls31.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeSection loaded: gpapi.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeSection loaded: windowscodecs.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeSection loaded: propsys.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeSection loaded: edputil.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeSection loaded: urlmon.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeSection loaded: iertutil.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeSection loaded: wintypes.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeSection loaded: appresolver.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeSection loaded: bcp47langs.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeSection loaded: slc.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeSection loaded: sppc.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dllJump to behavior
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dllJump to behavior
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dllJump to behavior
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dllJump to behavior
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dllJump to behavior
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dllJump to behavior
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dllJump to behavior
                  Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
                  Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeSection loaded: winmm.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeSection loaded: urlmon.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeSection loaded: wininet.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeSection loaded: iertutil.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                  Source: Window RecorderWindow detected: More than 3 window changes detected
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                  Source: DHL AWB_NO_9078538809.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                  Source: DHL AWB_NO_9078538809.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                  Source: DHL AWB_NO_9078538809.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: Binary string: FTtR.pdb source: DHL AWB_NO_9078538809.exe, GAmFKUIDBo.exe.0.dr
                  Source: Binary string: FTtR.pdbSHA256c% source: DHL AWB_NO_9078538809.exe, GAmFKUIDBo.exe.0.dr

                  Data Obfuscation

                  barindex
                  .NET source code contains method to dynamically call methods (often used by packers)
                  Source: 0.2.DHL AWB_NO_9078538809.exe.4fe0000.4.raw.unpack, id.cs.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
                  Source: 0.2.DHL AWB_NO_9078538809.exe.36ce790.3.raw.unpack, id.cs.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
                  .NET source code contains potential unpacker
                  Source: DHL AWB_NO_9078538809.exe, LogInGUI.cs.Net Code: InitializeComponent contains xor as well as GetObject
                  Source: GAmFKUIDBo.exe.0.dr, LogInGUI.cs.Net Code: InitializeComponent contains xor as well as GetObject
                  Source: 0.2.DHL AWB_NO_9078538809.exe.3861258.1.raw.unpack, AOu7yJeP0Pk1uxa6oE.cs.Net Code: sSfpNMWFWc System.Reflection.Assembly.Load(byte[])
                  Source: 0.2.DHL AWB_NO_9078538809.exe.6fe0000.5.raw.unpack, AOu7yJeP0Pk1uxa6oE.cs.Net Code: sSfpNMWFWc System.Reflection.Assembly.Load(byte[])
                  Source: DHL AWB_NO_9078538809.exeStatic PE information: 0x93F3112B [Thu Aug 27 22:33:15 2048 UTC]
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeCode function: 11_2_0041A8DA LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,11_2_0041A8DA
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeCode function: 0_2_00C18F6C push ebp; ret 0_2_00C18FE7
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeCode function: 0_2_0268F4D7 pushfd ; iretd 0_2_0268F4E6
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeCode function: 0_2_02685C25 push esi; ret 0_2_02685C26
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeCode function: 0_2_051585F1 push esi; iretd 0_2_0515860F
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeCode function: 0_2_0515679F pushad ; iretd 0_2_051567A1
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeCode function: 0_2_0515C63B push eax; retf 0_2_0515C64B
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeCode function: 0_2_0515C680 push esp; retf 0_2_0515C681
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeCode function: 0_2_05158DA2 pushad ; retf 0_2_05158DA9
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeCode function: 0_2_05156830 pushad ; iretd 0_2_05156831
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeCode function: 0_2_05158A5C push edx; iretd 0_2_05158A5D
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeCode function: 7_2_06D5C680 push esp; retf 7_2_06D5C681
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeCode function: 7_2_06D5C63B push eax; retf 7_2_06D5C64B
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeCode function: 7_2_06D58DA2 pushad ; retf 7_2_06D58DA9
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeCode function: 11_2_004000D8 push es; iretd 11_2_004000D9
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeCode function: 11_2_0040008C push es; iretd 11_2_0040008D
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeCode function: 11_2_004542E6 push ecx; ret 11_2_004542F9
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeCode function: 11_2_0045B4FD push esi; ret 11_2_0045B506
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeCode function: 11_2_00432BD6 push ecx; ret 11_2_00432BE9
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeCode function: 11_2_00454C08 push eax; ret 11_2_00454C26
                  Source: DHL AWB_NO_9078538809.exeStatic PE information: section name: .text entropy: 7.959184226551168
                  Source: GAmFKUIDBo.exe.0.drStatic PE information: section name: .text entropy: 7.959184226551168
                  Source: 0.2.DHL AWB_NO_9078538809.exe.3861258.1.raw.unpack, ftSCu6XgBYlEwrYxnP.csHigh entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'O2fc8JFqur', 'oLJcLbjpAj', 'BUfczde8R5', 'UohKtif5hM', 'ywLKwkcK7g', 'YatKcdUN4C', 'G1MKK2kW3w', 'kZOqnjXtF4ABa3Yp3IX'
                  Source: 0.2.DHL AWB_NO_9078538809.exe.3861258.1.raw.unpack, Fmv3q0c6cDpcoW6gNX.csHigh entropy of concatenated method names: 'mlPNWOaPm', 'GF3b79eJ9', 'uI5WWSYv0', 'm3Iaq2iKK', 'IqAJOUshA', 'uOMIdBpgQ', 'xQRD2Sb2eBUr5ncRER', 'ncE2OiBbbXQMAl0qNn', 'biVHBUF5lLQ2tKbTsC', 'ncwBJ1fGO'
                  Source: 0.2.DHL AWB_NO_9078538809.exe.3861258.1.raw.unpack, Fel6EwLfEGg31rZw1X.csHigh entropy of concatenated method names: 'pxgSXPe4hI', 'THLSf3qvCD', 'Fn4SOUHKAl', 'Oy0SDM5WgJ', 'sCaSYHXFDi', 'BSbSe0u7wC', 'Next', 'Next', 'Next', 'NextBytes'
                  Source: 0.2.DHL AWB_NO_9078538809.exe.3861258.1.raw.unpack, sV5QyYGDKjA3Zq8NFS.csHigh entropy of concatenated method names: 'Ha5DTTEuMe', 'iqeDXkceeu', 'HpGDOTQNme', 'maBOL77qNm', 'lCDOzlROVF', 'NsRDtucCcp', 'F4RDwjaLZr', 'mXLDcUZJFc', 'I65DKHPSqX', 'zBrDpj5ZN6'
                  Source: 0.2.DHL AWB_NO_9078538809.exe.3861258.1.raw.unpack, YCiH4ypto4DKShvbFp.csHigh entropy of concatenated method names: 'weswDYeZpd', 'p7ywethZ8O', 'nUJw5YoQSd', 'm0Pwlg3pWC', 'ixjwneLqO7', 'h4iwo6VSbW', 'NhHdNAneW9f56FgbJi', 'VwqAAeNqWTBh6BPt0k', 'Xw7wwtWmR2', 'DwZwKx3Dxj'
                  Source: 0.2.DHL AWB_NO_9078538809.exe.3861258.1.raw.unpack, zGO78Eh8Yhk1EogUsp.csHigh entropy of concatenated method names: 'npMnrYndLP', 'P29nMalw6h', 'BMqnhEyYST', 'buMnU0B19d', 'a64nVI0YJX', 'oJUn2hfPbS', 'Q4XnAuHTC6', 'v8NnqQfvwO', 'rDsn9jbDbW', 'JOunGRuD2t'
                  Source: 0.2.DHL AWB_NO_9078538809.exe.3861258.1.raw.unpack, ferLlfZdUshClAMowi.csHigh entropy of concatenated method names: 'LjRP59oNEQ', 'QIBPlP5JlU', 'ToString', 'nfnPTN39BX', 'NZoPuMUAuZ', 'nDRPXpJmvB', 'RgVPfyaAAq', 'gmdPOb8miH', 'vmfPDPdA6Y', 'w8vPeHiucZ'
                  Source: 0.2.DHL AWB_NO_9078538809.exe.3861258.1.raw.unpack, viyILSwpAqLnr0RrIhW.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'NaXgYVqHwc', 'jHYgS6GPMP', 'rjtgmJ1ZcG', 'wHeggScKgF', 'B0bgEYiZr0', 'YDRg6cwAKd', 'cRtgilFWgt'
                  Source: 0.2.DHL AWB_NO_9078538809.exe.3861258.1.raw.unpack, gOPAovww86mwRbEejr6.csHigh entropy of concatenated method names: 'QSqSLUrw5u', 'N3HSzNIJow', 'qnrmtNZQlK', 'tOvmwrcg41', 'BY6mcfkbUZ', 'gpsmK8ltuT', 'rstmphjX6i', 'hLsmR5Sl6C', 'er8mTVGjKF', 'rqvmuwmq2j'
                  Source: 0.2.DHL AWB_NO_9078538809.exe.3861258.1.raw.unpack, UpWCKWI4hkfwyOxjeL.csHigh entropy of concatenated method names: 'gOMfjewbyS', 'TcNfai9751', 'vYfX2s5U2K', 'NKPXAftFQp', 'hepXqZU9eX', 'EIvX9iK0ZW', 'SxAXGWItZq', 'h2YXsUiWoR', 'GErXysScoZ', 's5HXr3KyVa'
                  Source: 0.2.DHL AWB_NO_9078538809.exe.3861258.1.raw.unpack, OHI6ilJUJYoQSd50Pg.csHigh entropy of concatenated method names: 'dMdXbA0EUk', 'B2sXW3mlVf', 'wXVX0kHuW2', 'N8AXJ0wnVI', 'K6yXn40xXR', 'G7sXordH1D', 'xxaXP5Ckg4', 'tpBXBNbd4k', 'JZGXYicbaF', 'F11XS2Buau'
                  Source: 0.2.DHL AWB_NO_9078538809.exe.3861258.1.raw.unpack, jbxxOdutweJdfBRBAq.csHigh entropy of concatenated method names: 'Dispose', 't2Rw8GbWUR', 'VLtcVR4jem', 'XNTfRmHNnk', 'iYKwLGvnoy', 'vyjwzPuw9Y', 'ProcessDialogKey', 'c7Actc1KI5', 'BYvcwO9rXR', 't4mccIel6E'
                  Source: 0.2.DHL AWB_NO_9078538809.exe.3861258.1.raw.unpack, JO7f4i16VSbWHjuLyf.csHigh entropy of concatenated method names: 'a1lORDU8wW', 'bD1OuNVkwI', 'lgCOf680KQ', 'vH5ODPTR0V', 'gpGOeMUnZP', 'qWKf3UpMMw', 'FolfQshR8N', 'kHrfFneFx7', 'jJQfCC3Ol7', 'uBQf8VnbNh'
                  Source: 0.2.DHL AWB_NO_9078538809.exe.3861258.1.raw.unpack, Ic1KI58WYvO9rXRm4m.csHigh entropy of concatenated method names: 'Nc7Y1lq7Op', 'vkJYVxlNqy', 'ccUY24CJcp', 'Kq5YAouFPZ', 'y7WYqhgpEu', 'fUVY9FaeS6', 'RT8YGikobT', 's3hYsaYfC8', 'MSwYyOQoAn', 'USXYrLUIok'
                  Source: 0.2.DHL AWB_NO_9078538809.exe.3861258.1.raw.unpack, HLu36EQFkf3FeNd2GE.csHigh entropy of concatenated method names: 'NvJPCw83ux', 'acjPL60TQh', 's3UBtXxqye', 'M9RBwI0gZu', 'OXkPdxi8nU', 'BmXPMDMc25', 'TwKPv5gMoN', 'qhdPhKNMR7', 'XqyPU8E1eF', 'kWQP7lSYPM'
                  Source: 0.2.DHL AWB_NO_9078538809.exe.3861258.1.raw.unpack, S3p1UCF2Km2RGbWURO.csHigh entropy of concatenated method names: 'TQZYnMiNXh', 'SQMYPxg5BP', 'Ib1YYE3RYP', 'GVUYmQrVJG', 'nSWYEMq7lI', 'E2VYiC5M5u', 'Dispose', 'sCCBTQ1qsA', 'MYsBuGBUd3', 'UWrBXQoj9R'
                  Source: 0.2.DHL AWB_NO_9078538809.exe.3861258.1.raw.unpack, PGLiqqwtOfYWANkA6Zg.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'wTuSdHxA3n', 'J8GSM6OKxB', 'M4bSvi5fyt', 'nPHShocwcS', 'SfhSUWHUJd', 'BWyS7HSEAx', 'Y44SZCECt2'
                  Source: 0.2.DHL AWB_NO_9078538809.exe.3861258.1.raw.unpack, UFXcrtymmyNVjLFcU5.csHigh entropy of concatenated method names: 'U1cDHbvuxa', 'mDuDxutG51', 'hpkDNtT0Wu', 'LYuDbf2yuQ', 'bfKDjEwfEi', 'p1nDWdi6UV', 'c7DDa3JOwQ', 'xTqD0J8XXN', 'fJCDJ1AFDk', 'BSuDIEGqrK'
                  Source: 0.2.DHL AWB_NO_9078538809.exe.3861258.1.raw.unpack, xThhnSv73yYUFin57T.csHigh entropy of concatenated method names: 'uGE402g2iO', 'VTx4JgiUW1', 'yej41c55gs', 'Imn4Vdod0W', 'uLL4AyhyI7', 'YPP4qcaxgW', 'wO44GPgw6V', 'zAK4sLE1rL', 'ghi4rDItXh', 'VJ94dL11nq'
                  Source: 0.2.DHL AWB_NO_9078538809.exe.3861258.1.raw.unpack, nusq6b7v52v55Qbvl8.csHigh entropy of concatenated method names: 'ToString', 'tjKodanP05', 'BKqoVIIc7C', 'ai7o2MMh4D', 'AQEoASCJFM', 'K5doqkFbkL', 'oiho978k98', 'xSboGGBRjM', 'JGAosf2tl8', 'xq2oydBnya'
                  Source: 0.2.DHL AWB_NO_9078538809.exe.3861258.1.raw.unpack, T7YW91zJ2j78Dsutdo.csHigh entropy of concatenated method names: 'FlNSWeOki2', 'AxhS0dS3ZG', 'LuTSJXjwa9', 'XSwS1hF6Zp', 'GJNSVRHPTy', 'nuySALDpEi', 'lyCSqjkbKH', 'T2BSiU1AuO', 'A9LSHrDhAu', 'ExUSxSKGCi'
                  Source: 0.2.DHL AWB_NO_9078538809.exe.3861258.1.raw.unpack, AOu7yJeP0Pk1uxa6oE.csHigh entropy of concatenated method names: 'mqSKRlMWAk', 'hHmKTYR1mq', 'YVfKuqfhjT', 'PD6KXOuS88', 'eoAKfIR8Cu', 'BdmKOvUDfF', 'bRJKDYPCoG', 'S9tKep8y5M', 'PbuKklIePC', 'Qq1K5dmsbW'
                  Source: 0.2.DHL AWB_NO_9078538809.exe.3861258.1.raw.unpack, MYeZpd0o7ythZ8Oq4X.csHigh entropy of concatenated method names: 'mAhuhpmysl', 'z2KuU9FGDb', 'jIRu7XhnXY', 'WxJuZ1lCon', 'D8nu38UetO', 'i8uuQr1ZI0', 'cTbuFdmvVm', 'GPmuC82d1C', 'HHPu8nM0Bg', 'Ca7uLL82Tw'
                  Source: 0.2.DHL AWB_NO_9078538809.exe.6fe0000.5.raw.unpack, ftSCu6XgBYlEwrYxnP.csHigh entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'O2fc8JFqur', 'oLJcLbjpAj', 'BUfczde8R5', 'UohKtif5hM', 'ywLKwkcK7g', 'YatKcdUN4C', 'G1MKK2kW3w', 'kZOqnjXtF4ABa3Yp3IX'
                  Source: 0.2.DHL AWB_NO_9078538809.exe.6fe0000.5.raw.unpack, Fmv3q0c6cDpcoW6gNX.csHigh entropy of concatenated method names: 'mlPNWOaPm', 'GF3b79eJ9', 'uI5WWSYv0', 'm3Iaq2iKK', 'IqAJOUshA', 'uOMIdBpgQ', 'xQRD2Sb2eBUr5ncRER', 'ncE2OiBbbXQMAl0qNn', 'biVHBUF5lLQ2tKbTsC', 'ncwBJ1fGO'
                  Source: 0.2.DHL AWB_NO_9078538809.exe.6fe0000.5.raw.unpack, Fel6EwLfEGg31rZw1X.csHigh entropy of concatenated method names: 'pxgSXPe4hI', 'THLSf3qvCD', 'Fn4SOUHKAl', 'Oy0SDM5WgJ', 'sCaSYHXFDi', 'BSbSe0u7wC', 'Next', 'Next', 'Next', 'NextBytes'
                  Source: 0.2.DHL AWB_NO_9078538809.exe.6fe0000.5.raw.unpack, sV5QyYGDKjA3Zq8NFS.csHigh entropy of concatenated method names: 'Ha5DTTEuMe', 'iqeDXkceeu', 'HpGDOTQNme', 'maBOL77qNm', 'lCDOzlROVF', 'NsRDtucCcp', 'F4RDwjaLZr', 'mXLDcUZJFc', 'I65DKHPSqX', 'zBrDpj5ZN6'
                  Source: 0.2.DHL AWB_NO_9078538809.exe.6fe0000.5.raw.unpack, YCiH4ypto4DKShvbFp.csHigh entropy of concatenated method names: 'weswDYeZpd', 'p7ywethZ8O', 'nUJw5YoQSd', 'm0Pwlg3pWC', 'ixjwneLqO7', 'h4iwo6VSbW', 'NhHdNAneW9f56FgbJi', 'VwqAAeNqWTBh6BPt0k', 'Xw7wwtWmR2', 'DwZwKx3Dxj'
                  Source: 0.2.DHL AWB_NO_9078538809.exe.6fe0000.5.raw.unpack, zGO78Eh8Yhk1EogUsp.csHigh entropy of concatenated method names: 'npMnrYndLP', 'P29nMalw6h', 'BMqnhEyYST', 'buMnU0B19d', 'a64nVI0YJX', 'oJUn2hfPbS', 'Q4XnAuHTC6', 'v8NnqQfvwO', 'rDsn9jbDbW', 'JOunGRuD2t'
                  Source: 0.2.DHL AWB_NO_9078538809.exe.6fe0000.5.raw.unpack, ferLlfZdUshClAMowi.csHigh entropy of concatenated method names: 'LjRP59oNEQ', 'QIBPlP5JlU', 'ToString', 'nfnPTN39BX', 'NZoPuMUAuZ', 'nDRPXpJmvB', 'RgVPfyaAAq', 'gmdPOb8miH', 'vmfPDPdA6Y', 'w8vPeHiucZ'
                  Source: 0.2.DHL AWB_NO_9078538809.exe.6fe0000.5.raw.unpack, viyILSwpAqLnr0RrIhW.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'NaXgYVqHwc', 'jHYgS6GPMP', 'rjtgmJ1ZcG', 'wHeggScKgF', 'B0bgEYiZr0', 'YDRg6cwAKd', 'cRtgilFWgt'
                  Source: 0.2.DHL AWB_NO_9078538809.exe.6fe0000.5.raw.unpack, gOPAovww86mwRbEejr6.csHigh entropy of concatenated method names: 'QSqSLUrw5u', 'N3HSzNIJow', 'qnrmtNZQlK', 'tOvmwrcg41', 'BY6mcfkbUZ', 'gpsmK8ltuT', 'rstmphjX6i', 'hLsmR5Sl6C', 'er8mTVGjKF', 'rqvmuwmq2j'
                  Source: 0.2.DHL AWB_NO_9078538809.exe.6fe0000.5.raw.unpack, UpWCKWI4hkfwyOxjeL.csHigh entropy of concatenated method names: 'gOMfjewbyS', 'TcNfai9751', 'vYfX2s5U2K', 'NKPXAftFQp', 'hepXqZU9eX', 'EIvX9iK0ZW', 'SxAXGWItZq', 'h2YXsUiWoR', 'GErXysScoZ', 's5HXr3KyVa'
                  Source: 0.2.DHL AWB_NO_9078538809.exe.6fe0000.5.raw.unpack, OHI6ilJUJYoQSd50Pg.csHigh entropy of concatenated method names: 'dMdXbA0EUk', 'B2sXW3mlVf', 'wXVX0kHuW2', 'N8AXJ0wnVI', 'K6yXn40xXR', 'G7sXordH1D', 'xxaXP5Ckg4', 'tpBXBNbd4k', 'JZGXYicbaF', 'F11XS2Buau'
                  Source: 0.2.DHL AWB_NO_9078538809.exe.6fe0000.5.raw.unpack, jbxxOdutweJdfBRBAq.csHigh entropy of concatenated method names: 'Dispose', 't2Rw8GbWUR', 'VLtcVR4jem', 'XNTfRmHNnk', 'iYKwLGvnoy', 'vyjwzPuw9Y', 'ProcessDialogKey', 'c7Actc1KI5', 'BYvcwO9rXR', 't4mccIel6E'
                  Source: 0.2.DHL AWB_NO_9078538809.exe.6fe0000.5.raw.unpack, JO7f4i16VSbWHjuLyf.csHigh entropy of concatenated method names: 'a1lORDU8wW', 'bD1OuNVkwI', 'lgCOf680KQ', 'vH5ODPTR0V', 'gpGOeMUnZP', 'qWKf3UpMMw', 'FolfQshR8N', 'kHrfFneFx7', 'jJQfCC3Ol7', 'uBQf8VnbNh'
                  Source: 0.2.DHL AWB_NO_9078538809.exe.6fe0000.5.raw.unpack, Ic1KI58WYvO9rXRm4m.csHigh entropy of concatenated method names: 'Nc7Y1lq7Op', 'vkJYVxlNqy', 'ccUY24CJcp', 'Kq5YAouFPZ', 'y7WYqhgpEu', 'fUVY9FaeS6', 'RT8YGikobT', 's3hYsaYfC8', 'MSwYyOQoAn', 'USXYrLUIok'
                  Source: 0.2.DHL AWB_NO_9078538809.exe.6fe0000.5.raw.unpack, HLu36EQFkf3FeNd2GE.csHigh entropy of concatenated method names: 'NvJPCw83ux', 'acjPL60TQh', 's3UBtXxqye', 'M9RBwI0gZu', 'OXkPdxi8nU', 'BmXPMDMc25', 'TwKPv5gMoN', 'qhdPhKNMR7', 'XqyPU8E1eF', 'kWQP7lSYPM'
                  Source: 0.2.DHL AWB_NO_9078538809.exe.6fe0000.5.raw.unpack, S3p1UCF2Km2RGbWURO.csHigh entropy of concatenated method names: 'TQZYnMiNXh', 'SQMYPxg5BP', 'Ib1YYE3RYP', 'GVUYmQrVJG', 'nSWYEMq7lI', 'E2VYiC5M5u', 'Dispose', 'sCCBTQ1qsA', 'MYsBuGBUd3', 'UWrBXQoj9R'
                  Source: 0.2.DHL AWB_NO_9078538809.exe.6fe0000.5.raw.unpack, PGLiqqwtOfYWANkA6Zg.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'wTuSdHxA3n', 'J8GSM6OKxB', 'M4bSvi5fyt', 'nPHShocwcS', 'SfhSUWHUJd', 'BWyS7HSEAx', 'Y44SZCECt2'
                  Source: 0.2.DHL AWB_NO_9078538809.exe.6fe0000.5.raw.unpack, UFXcrtymmyNVjLFcU5.csHigh entropy of concatenated method names: 'U1cDHbvuxa', 'mDuDxutG51', 'hpkDNtT0Wu', 'LYuDbf2yuQ', 'bfKDjEwfEi', 'p1nDWdi6UV', 'c7DDa3JOwQ', 'xTqD0J8XXN', 'fJCDJ1AFDk', 'BSuDIEGqrK'
                  Source: 0.2.DHL AWB_NO_9078538809.exe.6fe0000.5.raw.unpack, xThhnSv73yYUFin57T.csHigh entropy of concatenated method names: 'uGE402g2iO', 'VTx4JgiUW1', 'yej41c55gs', 'Imn4Vdod0W', 'uLL4AyhyI7', 'YPP4qcaxgW', 'wO44GPgw6V', 'zAK4sLE1rL', 'ghi4rDItXh', 'VJ94dL11nq'
                  Source: 0.2.DHL AWB_NO_9078538809.exe.6fe0000.5.raw.unpack, nusq6b7v52v55Qbvl8.csHigh entropy of concatenated method names: 'ToString', 'tjKodanP05', 'BKqoVIIc7C', 'ai7o2MMh4D', 'AQEoASCJFM', 'K5doqkFbkL', 'oiho978k98', 'xSboGGBRjM', 'JGAosf2tl8', 'xq2oydBnya'
                  Source: 0.2.DHL AWB_NO_9078538809.exe.6fe0000.5.raw.unpack, T7YW91zJ2j78Dsutdo.csHigh entropy of concatenated method names: 'FlNSWeOki2', 'AxhS0dS3ZG', 'LuTSJXjwa9', 'XSwS1hF6Zp', 'GJNSVRHPTy', 'nuySALDpEi', 'lyCSqjkbKH', 'T2BSiU1AuO', 'A9LSHrDhAu', 'ExUSxSKGCi'
                  Source: 0.2.DHL AWB_NO_9078538809.exe.6fe0000.5.raw.unpack, AOu7yJeP0Pk1uxa6oE.csHigh entropy of concatenated method names: 'mqSKRlMWAk', 'hHmKTYR1mq', 'YVfKuqfhjT', 'PD6KXOuS88', 'eoAKfIR8Cu', 'BdmKOvUDfF', 'bRJKDYPCoG', 'S9tKep8y5M', 'PbuKklIePC', 'Qq1K5dmsbW'
                  Source: 0.2.DHL AWB_NO_9078538809.exe.6fe0000.5.raw.unpack, MYeZpd0o7ythZ8Oq4X.csHigh entropy of concatenated method names: 'mAhuhpmysl', 'z2KuU9FGDb', 'jIRu7XhnXY', 'WxJuZ1lCon', 'D8nu38UetO', 'i8uuQr1ZI0', 'cTbuFdmvVm', 'GPmuC82d1C', 'HHPu8nM0Bg', 'Ca7uLL82Tw'
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeCode function: 11_2_004063C6 ShellExecuteW,URLDownloadToFileW,11_2_004063C6
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeFile created: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeJump to dropped file

                  Boot Survival

                  barindex
                  Uses schtasks.exe or at.exe to add and modify task schedules
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GAmFKUIDBo" /XML "C:\Users\user\AppData\Local\Temp\tmpECF0.tmp"
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeCode function: 11_2_00418A00 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,11_2_00418A00

                  Hooking and other Techniques for Hiding and Protection

                  barindex
                  Loading BitLocker PowerShell Module
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeCode function: 11_2_0041A8DA LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,11_2_0041A8DA
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                  Malware Analysis System Evasion

                  barindex
                  Yara detected AntiVM3
                  Source: Yara matchFile source: Process Memory Space: DHL AWB_NO_9078538809.exe PID: 7532, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: GAmFKUIDBo.exe PID: 7900, type: MEMORYSTR
                  Delayed program exit found
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeCode function: 11_2_0040E18D Sleep,ExitProcess,11_2_0040E18D
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeMemory allocated: BD0000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeMemory allocated: 26B0000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeMemory allocated: C50000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeMemory allocated: 75A0000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeMemory allocated: 85A0000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeMemory allocated: 8750000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeMemory allocated: 9750000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeMemory allocated: C70000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeMemory allocated: 28C0000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeMemory allocated: 2680000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeMemory allocated: 72E0000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeMemory allocated: 82E0000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeMemory allocated: 8480000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeMemory allocated: 9480000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeCode function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,11_2_004186FE
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 7817Jump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1731Jump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeWindow / User API: threadDelayed 9863Jump to behavior
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeAPI coverage: 5.0 %
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exe TID: 7552Thread sleep time: -922337203685477s >= -30000sJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7928Thread sleep time: -5534023222112862s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exe TID: 7884Thread sleep count: 129 > 30Jump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exe TID: 7884Thread sleep time: -387000s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exe TID: 7884Thread sleep count: 9863 > 30Jump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exe TID: 7884Thread sleep time: -29589000s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exe TID: 7920Thread sleep time: -922337203685477s >= -30000sJump to behavior
                  Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                  Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeCode function: 11_2_0041A01B FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,11_2_0041A01B
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeCode function: 11_2_0040B28E FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,11_2_0040B28E
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeCode function: 11_2_0040838E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,11_2_0040838E
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeCode function: 11_2_004087A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,11_2_004087A0
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeCode function: 11_2_00407848 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,11_2_00407848
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeCode function: 11_2_004068CD FindFirstFileW,FindNextFileW,11_2_004068CD
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeCode function: 11_2_0040AA71 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,11_2_0040AA71
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeCode function: 11_2_00417AAB FindFirstFileW,FindNextFileW,FindNextFileW,11_2_00417AAB
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeCode function: 11_2_0040AC78 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,11_2_0040AC78
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeCode function: 11_2_00406D28 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,11_2_00406D28
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: DHL AWB_NO_9078538809.exe, 00000006.00000002.4206115164.00000000012C7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll|
                  Source: DHL AWB_NO_9078538809.exe, GAmFKUIDBo.exe.0.drBinary or memory string: xqemuH
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeCode function: 11_2_004327AE IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,11_2_004327AE
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeCode function: 11_2_0041A8DA LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,11_2_0041A8DA
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeCode function: 11_2_004407B5 mov eax, dword ptr fs:[00000030h]11_2_004407B5
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeCode function: 11_2_00410763 SetLastError,GetNativeSystemInfo,SetLastError,GetProcessHeap,HeapAlloc,SetLastError,11_2_00410763
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeCode function: 11_2_004327AE IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,11_2_004327AE
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeCode function: 11_2_004328FC SetUnhandledExceptionFilter,11_2_004328FC
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeCode function: 11_2_004398AC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,11_2_004398AC
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeCode function: 11_2_00432D5C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,11_2_00432D5C
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeMemory allocated: page read and write | page guardJump to behavior

                  HIPS / PFW / Operating System Protection Evasion

                  barindex
                  Adds a directory exclusion to Windows Defender
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\GAmFKUIDBo.exe"
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\GAmFKUIDBo.exe"Jump to behavior
                  Injects a PE file into a foreign processes
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeMemory written: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exe base: 400000 value starts with: 4D5AJump to behavior
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeMemory written: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exe base: 400000 value starts with: 4D5AJump to behavior
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeCode function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe11_2_00410B5C
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeCode function: 11_2_004175E1 mouse_event,11_2_004175E1
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\GAmFKUIDBo.exe"Jump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GAmFKUIDBo" /XML "C:\Users\user\AppData\Local\Temp\tmpECF0.tmp"Jump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeProcess created: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exe "C:\Users\user\Desktop\DHL AWB_NO_9078538809.exe"Jump to behavior
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GAmFKUIDBo" /XML "C:\Users\user\AppData\Local\Temp\tmpF888.tmp"Jump to behavior
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeProcess created: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exe "C:\Users\user\AppData\Roaming\GAmFKUIDBo.exe"Jump to behavior
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeCode function: 11_2_004329DA cpuid 11_2_004329DA
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeCode function: EnumSystemLocalesW,11_2_0044F17B
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeCode function: EnumSystemLocalesW,11_2_0044F130
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeCode function: EnumSystemLocalesW,11_2_0044F216
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,11_2_0044F2A3
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeCode function: GetLocaleInfoA,11_2_0040E2BB
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeCode function: GetLocaleInfoW,11_2_0044F4F3
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,11_2_0044F61C
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeCode function: GetLocaleInfoW,11_2_0044F723
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,11_2_0044F7F0
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeCode function: EnumSystemLocalesW,11_2_00445914
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeCode function: GetLocaleInfoW,11_2_00445E1C
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeCode function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,11_2_0044EEB8
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exe VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeQueries volume information: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exe VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeCode function: 11_2_0040A0B0 GetLocalTime,wsprintfW,11_2_0040A0B0
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeCode function: 11_2_004195F8 GetUserNameW,11_2_004195F8
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeCode function: 11_2_004468DC _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,11_2_004468DC
                  Source: C:\Users\user\Desktop\DHL AWB_NO_9078538809.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                  Stealing of Sensitive Information

                  barindex
                  Yara detected PureLog Stealer
                  Source: Yara matchFile source: 0.2.DHL AWB_NO_9078538809.exe.4fe0000.4.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.DHL AWB_NO_9078538809.exe.36ce790.3.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.DHL AWB_NO_9078538809.exe.4fe0000.4.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.DHL AWB_NO_9078538809.exe.36ce790.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000000.00000002.1774853678.0000000004FE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.1770366632.00000000036B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Yara detected Remcos RAT
                  Source: Yara matchFile source: 0.2.DHL AWB_NO_9078538809.exe.41dfd00.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.DHL AWB_NO_9078538809.exe.37a7838.2.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.DHL AWB_NO_9078538809.exe.41dfd00.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 11.2.GAmFKUIDBo.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 11.2.GAmFKUIDBo.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.DHL AWB_NO_9078538809.exe.37a7838.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.DHL AWB_NO_9078538809.exe.36ce790.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0000000B.00000002.1800318977.0000000001317000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000006.00000002.4206115164.00000000012C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.1770366632.00000000041DF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.1770366632.00000000036B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: DHL AWB_NO_9078538809.exe PID: 7532, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: DHL AWB_NO_9078538809.exe PID: 7860, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: GAmFKUIDBo.exe PID: 8128, type: MEMORYSTR
                  Contains functionality to steal Chrome passwords or cookies
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeCode function: \AppData\Local\Google\Chrome\User Data\Default\Login Data11_2_0040A953
                  Contains functionality to steal Firefox passwords or cookies
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeCode function: \AppData\Roaming\Mozilla\Firefox\Profiles\11_2_0040AA71
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeCode function: \key3.db11_2_0040AA71

                  Remote Access Functionality

                  barindex
                  Yara detected PureLog Stealer
                  Source: Yara matchFile source: 0.2.DHL AWB_NO_9078538809.exe.4fe0000.4.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.DHL AWB_NO_9078538809.exe.36ce790.3.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.DHL AWB_NO_9078538809.exe.4fe0000.4.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.DHL AWB_NO_9078538809.exe.36ce790.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000000.00000002.1774853678.0000000004FE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.1770366632.00000000036B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Yara detected Remcos RAT
                  Source: Yara matchFile source: 0.2.DHL AWB_NO_9078538809.exe.41dfd00.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.DHL AWB_NO_9078538809.exe.37a7838.2.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.DHL AWB_NO_9078538809.exe.41dfd00.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 11.2.GAmFKUIDBo.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 11.2.GAmFKUIDBo.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.DHL AWB_NO_9078538809.exe.37a7838.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.DHL AWB_NO_9078538809.exe.36ce790.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0000000B.00000002.1800318977.0000000001317000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000006.00000002.4206115164.00000000012C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.1770366632.00000000041DF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.1770366632.00000000036B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: DHL AWB_NO_9078538809.exe PID: 7532, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: DHL AWB_NO_9078538809.exe PID: 7860, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: GAmFKUIDBo.exe PID: 8128, type: MEMORYSTR
                  Source: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exeCode function: cmd.exe11_2_0040567A

                  Mitre Att&ck Matrix

                  ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                  Gather Victim Identity InformationAcquire InfrastructureValid Accounts1
                  Native API                  		1
                  DLL Side-Loading                  		1
                  DLL Side-Loading                  		11
                  Disable or Modify Tools                  		1
                  OS Credential Dumping                  		2
                  System Time Discovery                  		Remote Services12
                  Archive Collected Data                  		11
                  Ingress Tool Transfer                  		Exfiltration Over Other Network Medium1
                  System Shutdown/Reboot
                  CredentialsDomainsDefault Accounts1
                  Command and Scripting Interpreter                  		1
                  Windows Service                  		1
                  Access Token Manipulation                  		11
                  Deobfuscate/Decode Files or Information                  		111
                  Input Capture                  		1
                  Account Discovery                  		Remote Desktop Protocol111
                  Input Capture                  		2
                  Encrypted Channel                  		Exfiltration Over Bluetooth1
                  Defacement
                  Email AddressesDNS ServerDomain Accounts1
                  Scheduled Task/Job                  		1
                  Scheduled Task/Job                  		1
                  Windows Service                  		3
                  Obfuscated Files or Information                  		2
                  Credentials In Files                  		1
                  System Service Discovery                  		SMB/Windows Admin Shares3
                  Clipboard Data                  		1
                  Non-Standard Port                  		Automated ExfiltrationData Encrypted for Impact
                  Employee NamesVirtual Private ServerLocal Accounts2
                  Service Execution                  		Login Hook121
                  Process Injection                  		22
                  Software Packing                  		NTDS3
                  File and Directory Discovery                  		Distributed Component Object ModelInput Capture1
                  Non-Application Layer Protocol                  		Traffic DuplicationData Destruction
                  Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon Script1
                  Scheduled Task/Job                  		1
                  Timestomp                  		LSA Secrets33
                  System Information Discovery                  		SSHKeylogging21
                  Application Layer Protocol                  		Scheduled TransferData Encrypted for Impact
                  Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
                  DLL Side-Loading                  		Cached Domain Credentials121
                  Security Software Discovery                  		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                  DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
                  Masquerading                  		DCSync31
                  Virtualization/Sandbox Evasion                  		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                  Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job31
                  Virtualization/Sandbox Evasion                  		Proc Filesystem2
                  Process Discovery                  		Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                  Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt1
                  Access Token Manipulation                  		/etc/passwd and /etc/shadow1
                  Application Window Discovery                  		Direct Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
                  IP AddressesCompromise InfrastructureSupply Chain CompromisePowerShellCronCron121
                  Process Injection                  		Network Sniffing1
                  System Owner/User Discovery                  		Shared WebrootLocal Data StagingFile Transfer ProtocolsExfiltration Over Asymmetric Encrypted Non-C2 ProtocolExternal Defacement

                  Behavior Graph

                  Hide Legend

                  Legend:

                  • Process
                  • Signature
                  • Created File
                  • DNS/IP Info
                  • Is Dropped
                  • Is Windows Process
                  • Number of created Registry Values
                  • Number of created Files
                  • Visual Basic
                  • Delphi
                  • Java
                  • .Net C# or VB.NET
                  • C, C++ or other language
                  • Is malicious
                  • Internet
                  behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1562270 Sample: DHL AWB_NO_9078538809.exe Startdate: 25/11/2024 Architecture: WINDOWS Score: 100 42 windowsupdateserveraug.duckdns.org 2->42 48 Suricata IDS alerts for network traffic 2->48 50 Found malware configuration 2->50 52 Malicious sample detected (through community Yara rule) 2->52 56 14 other signatures 2->56 8 GAmFKUIDBo.exe 5 2->8         started        11 DHL AWB_NO_9078538809.exe 7 2->11         started        signatures3 54 Uses dynamic DNS services 42->54 process4 file5 58 Multi AV Scanner detection for dropped file 8->58 60 Contains functionalty to change the wallpaper 8->60 62 Machine Learning detection for dropped file 8->62 68 4 other signatures 8->68 14 schtasks.exe 1 8->14         started        16 GAmFKUIDBo.exe 8->16         started        34 C:\Users\user\AppData\...behaviorgraphAmFKUIDBo.exe, PE32 11->34 dropped 36 C:\Users\...behaviorgraphAmFKUIDBo.exe:Zone.Identifier, ASCII 11->36 dropped 38 C:\Users\user\AppData\Local\...\tmpECF0.tmp, XML 11->38 dropped 40 C:\Users\...\DHL AWB_NO_9078538809.exe.log, ASCII 11->40 dropped 64 Adds a directory exclusion to Windows Defender 11->64 66 Injects a PE file into a foreign processes 11->66 18 powershell.exe 23 11->18         started        21 DHL AWB_NO_9078538809.exe 2 11->21         started        24 schtasks.exe 1 11->24         started        signatures6 process7 dnsIp8 26 conhost.exe 14->26         started        46 Loading BitLocker PowerShell Module 18->46 28 WmiPrvSE.exe 18->28         started        30 conhost.exe 18->30         started        44 windowsupdateserveraug.duckdns.org 185.214.10.225, 45682, 49733, 49742 YISP-ASNL United Kingdom 21->44 32 conhost.exe 24->32         started        signatures9 process10

                  Screenshots

                  Thumbnails

                  This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                  windows-stand

                  Antivirus, Machine Learning and Genetic Malware Detection

                  Initial Sample

                  SourceDetectionScannerLabelLink
                  DHL AWB_NO_9078538809.exe34%ReversingLabsWin32.Trojan.Leonem
                  DHL AWB_NO_9078538809.exe100%Joe Sandbox ML

                  Dropped Files

                  SourceDetectionScannerLabelLink
                  C:\Users\user\AppData\Roaming\GAmFKUIDBo.exe100%Joe Sandbox ML
                  C:\Users\user\AppData\Roaming\GAmFKUIDBo.exe34%ReversingLabsWin32.Trojan.Leonem

                  Unpacked PE Files

                  No Antivirus matches

                  Domains

                  No Antivirus matches

                  URLs

                  SourceDetectionScannerLabelLink
                  http://www.sakkal.com080%Avira URL Cloudsafe
                  windowsupdateserveraug.duckdns.org0%Avira URL Cloudsafe

                  Domains and IPs

                  Contacted Domains

                  NameIPActiveMaliciousAntivirus DetectionReputation
                  windowsupdateserveraug.duckdns.org
                  		185.214.10.225
                  		truetrue
                    		unknown

                    Contacted URLs

                    NameMaliciousAntivirus DetectionReputation
                    windowsupdateserveraug.duckdns.orgtrue
                    • Avira URL Cloud: safe
                    		unknown

                    URLs from Memory and Binaries

                    NameSourceMaliciousAntivirus DetectionReputation
                    http://www.apache.org/licenses/LICENSE-2.0DHL AWB_NO_9078538809.exe, 00000000.00000002.1775977864.0000000006732000.00000004.00000800.00020000.00000000.sdmpfalse
                      		high
                      http://www.fontbureau.comDHL AWB_NO_9078538809.exe, 00000000.00000002.1775977864.0000000006732000.00000004.00000800.00020000.00000000.sdmpfalse
                        		high
                        http://www.fontbureau.com/designersGDHL AWB_NO_9078538809.exe, 00000000.00000002.1775977864.0000000006732000.00000004.00000800.00020000.00000000.sdmpfalse
                          		high
                          http://www.sakkal.com08DHL AWB_NO_9078538809.exe, 00000000.00000002.1775778667.0000000005080000.00000004.00000020.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://www.fontbureau.com/designers/?DHL AWB_NO_9078538809.exe, 00000000.00000002.1775977864.0000000006732000.00000004.00000800.00020000.00000000.sdmpfalse
                            		high
                            http://www.founder.com.cn/cn/bTheDHL AWB_NO_9078538809.exe, 00000000.00000002.1775977864.0000000006732000.00000004.00000800.00020000.00000000.sdmpfalse
                              		high
                              http://www.fontbureau.com/designers?DHL AWB_NO_9078538809.exe, 00000000.00000002.1775977864.0000000006732000.00000004.00000800.00020000.00000000.sdmpfalse
                                		high
                                http://tempuri.org/DataSet1.xsdDHL AWB_NO_9078538809.exe, GAmFKUIDBo.exe.0.drfalse
                                  		high
                                  http://www.tiro.comDHL AWB_NO_9078538809.exe, 00000000.00000002.1775977864.0000000006732000.00000004.00000800.00020000.00000000.sdmpfalse
                                    		high
                                    http://www.fontbureau.com/designersDHL AWB_NO_9078538809.exe, 00000000.00000002.1775977864.0000000006732000.00000004.00000800.00020000.00000000.sdmpfalse
                                      		high
                                      http://www.goodfont.co.krDHL AWB_NO_9078538809.exe, 00000000.00000002.1775977864.0000000006732000.00000004.00000800.00020000.00000000.sdmpfalse
                                        		high
                                        http://www.carterandcone.comlDHL AWB_NO_9078538809.exe, 00000000.00000002.1775977864.0000000006732000.00000004.00000800.00020000.00000000.sdmpfalse
                                          		high
                                          http://www.sajatypeworks.comDHL AWB_NO_9078538809.exe, 00000000.00000002.1775977864.0000000006732000.00000004.00000800.00020000.00000000.sdmpfalse
                                            		high
                                            http://geoplugin.net/json.gpGAmFKUIDBo.exefalse
                                              		high
                                              http://www.typography.netDDHL AWB_NO_9078538809.exe, 00000000.00000002.1775977864.0000000006732000.00000004.00000800.00020000.00000000.sdmpfalse
                                                		high
                                                http://www.fontbureau.com/designers/cabarga.htmlNDHL AWB_NO_9078538809.exe, 00000000.00000002.1775977864.0000000006732000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  		high
                                                  http://www.founder.com.cn/cn/cTheDHL AWB_NO_9078538809.exe, 00000000.00000002.1775977864.0000000006732000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    		high
                                                    http://www.galapagosdesign.com/staff/dennis.htmDHL AWB_NO_9078538809.exe, 00000000.00000002.1775977864.0000000006732000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      		high
                                                      http://www.founder.com.cn/cnDHL AWB_NO_9078538809.exe, 00000000.00000002.1775977864.0000000006732000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        		high
                                                        http://www.fontbureau.com/designers/frere-user.htmlDHL AWB_NO_9078538809.exe, 00000000.00000002.1775977864.0000000006732000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          		high
                                                          http://geoplugin.net/json.gp/CDHL AWB_NO_9078538809.exe, 00000000.00000002.1770366632.00000000041DF000.00000004.00000800.00020000.00000000.sdmp, DHL AWB_NO_9078538809.exe, 00000000.00000002.1770366632.00000000036B1000.00000004.00000800.00020000.00000000.sdmp, GAmFKUIDBo.exe, 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmpfalse
                                                            		high
                                                            http://www.jiyu-kobo.co.jp/DHL AWB_NO_9078538809.exe, 00000000.00000002.1775977864.0000000006732000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              		high
                                                              http://www.galapagosdesign.com/DPleaseDHL AWB_NO_9078538809.exe, 00000000.00000002.1775977864.0000000006732000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                		high
                                                                http://www.fontbureau.com/designers8DHL AWB_NO_9078538809.exe, 00000000.00000002.1775977864.0000000006732000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  		high
                                                                  http://www.fonts.comDHL AWB_NO_9078538809.exe, 00000000.00000002.1775977864.0000000006732000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                    		high
                                                                    http://www.sandoll.co.krDHL AWB_NO_9078538809.exe, 00000000.00000002.1775977864.0000000006732000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                      		high
                                                                      http://www.urwpp.deDPleaseDHL AWB_NO_9078538809.exe, 00000000.00000002.1775977864.0000000006732000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                        		high
                                                                        http://www.zhongyicts.com.cnDHL AWB_NO_9078538809.exe, 00000000.00000002.1775977864.0000000006732000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          		high
                                                                          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameDHL AWB_NO_9078538809.exe, 00000000.00000002.1769398141.00000000026F8000.00000004.00000800.00020000.00000000.sdmp, GAmFKUIDBo.exe, 00000007.00000002.1802091104.0000000002908000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            		high
                                                                            http://www.sakkal.comDHL AWB_NO_9078538809.exe, 00000000.00000002.1775977864.0000000006732000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                              		high

                                                                              World Map of Contacted IPs

                                                                              • No. of IPs < 25%
                                                                              • 25% < No. of IPs < 50%
                                                                              • 50% < No. of IPs < 75%
                                                                              • 75% < No. of IPs

                                                                              Public IPs

                                                                              IPDomainCountryFlagASNASN NameMalicious
                                                                              185.214.10.225
                                                                              		windowsupdateserveraug.duckdns.orgUnited Kingdom
                                                                              		58073YISP-ASNLtrue

                                                                              General Information

                                                                              Joe Sandbox version:41.0.0 Charoite
                                                                              Analysis ID:1562270
                                                                              Start date and time:2024-11-25 12:47:04 +01:00
                                                                              Joe Sandbox product:CloudBasic
                                                                              Overall analysis duration:0h 8m 27s
                                                                              Hypervisor based Inspection enabled:false
                                                                              Report type:full
                                                                              Cookbook file name:default.jbs
                                                                              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                              Number of analysed new started processes analysed:16
                                                                              Number of new started drivers analysed:0
                                                                              Number of existing processes analysed:0
                                                                              Number of existing drivers analysed:0
                                                                              Number of injected processes analysed:0
                                                                              Technologies:
                                                                              • HCA enabled
                                                                              • EGA enabled
                                                                              • AMSI enabled
                                                                              Analysis Mode:default
                                                                              Analysis stop reason:Timeout
                                                                              Sample name:DHL AWB_NO_9078538809.exe
                                                                              Detection:MAL
                                                                              Classification:mal100.rans.troj.spyw.evad.winEXE@16/11@4/1
                                                                              EGA Information:
                                                                              • Successful, ratio: 100%
                                                                              HCA Information:
                                                                              • Successful, ratio: 98%
                                                                              • Number of executed functions: 75
                                                                              • Number of non-executed functions: 193
                                                                              Cookbook Comments:
                                                                              • Found application associated with file extension: .exe
                                                                              • Override analysis time to 240000 for current running targets taking high CPU consumption

                                                                              Warnings

                                                                              • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                                                                              • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                                              • Not all processes where analyzed, report is missing behavior information
                                                                              • Report size exceeded maximum capacity and may have missing behavior information.
                                                                              • Report size getting too big, too many NtCreateKey calls found.
                                                                              • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                              • Report size getting too big, too many NtQueryValueKey calls found.
                                                                              • VT rate limit hit for: DHL AWB_NO_9078538809.exe

                                                                              Simulations

                                                                              Behavior and APIs

                                                                              TimeTypeDescription
                                                                              06:48:02API Interceptor4955402x Sleep call for process: DHL AWB_NO_9078538809.exe modified
                                                                              06:48:04API Interceptor15x Sleep call for process: powershell.exe modified
                                                                              06:48:05API Interceptor1x Sleep call for process: GAmFKUIDBo.exe modified
                                                                              11:48:04Task SchedulerRun new task: GAmFKUIDBo path: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exe

                                                                              Joe Sandbox View / Context

                                                                              IPs

                                                                              No context

                                                                              Domains

                                                                              No context

                                                                              ASNs

                                                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                              YISP-ASNLhttp://45.92.156.166/klove/psktGet hashmaliciousUnknownBrowse
                                                                              • 45.92.156.166
                                                                              rorderIstanbul-TURKEY.exeGet hashmaliciousRemcosBrowse
                                                                              • 188.215.229.33
                                                                              https://koithebd.com/admin/Scanned_document_836736373.TarGet hashmaliciousDBatLoader, RemcosBrowse
                                                                              • 5.253.18.241
                                                                              8holJWXFZe.exeGet hashmaliciousGlupteba, LummaC Stealer, SmokeLoader, StealcBrowse
                                                                              • 2.58.21.105
                                                                              Pekao_Kopia_potwierdzenia_platnosci_EU8120000034194000045210000008.exeGet hashmaliciousPureLog Stealer, zgRATBrowse
                                                                              • 5.253.19.33
                                                                              Pekao_Kopia_potwierdzenia_platnosci_EU8120000034194000045210000008.exeGet hashmaliciousPureLog Stealer, zgRATBrowse
                                                                              • 5.253.19.33
                                                                              q8fKBhaj2x.exeGet hashmaliciousAsyncRATBrowse
                                                                              • 188.215.229.107
                                                                              RFQ110623.pdf_.exeGet hashmaliciousRemcosBrowse
                                                                              • 5.253.18.198
                                                                              Invoice8473.exeGet hashmaliciousRemcosBrowse
                                                                              • 185.214.10.18
                                                                              RFQ_210005632100056343000675001.tarGet hashmaliciousCobaltStrikeBrowse
                                                                              • 5.253.19.33

                                                                              JA3 Fingerprints

                                                                              No context

                                                                              Dropped Files

                                                                              No context

                                                                              Created / dropped Files

                                                                              C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DHL AWB_NO_9078538809.exe.log

                                                                              Download File
                                                                              Process:C:\Users\user\Desktop\DHL AWB_NO_9078538809.exe
                                                                              File Type:ASCII text, with CRLF line terminators
                                                                              Category:dropped
                                                                              Size (bytes):1216
                                                                              Entropy (8bit):5.34331486778365
                                                                              Encrypted:false
                                                                              SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                                                              MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                                                              SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                                                              SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                                                              SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                                                              Malicious:true
                                                                              Reputation:high, very likely benign file
                                                                              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

                                                                              C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\GAmFKUIDBo.exe.log

                                                                              Download File
                                                                              Process:C:\Users\user\AppData\Roaming\GAmFKUIDBo.exe
                                                                              File Type:ASCII text, with CRLF line terminators
                                                                              Category:dropped
                                                                              Size (bytes):1216
                                                                              Entropy (8bit):5.34331486778365
                                                                              Encrypted:false
                                                                              SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                                                              MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                                                              SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                                                              SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                                                              SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                                                              Malicious:false
                                                                              Reputation:high, very likely benign file
                                                                              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

                                                                              C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                              Download File
                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):2232
                                                                              Entropy (8bit):5.379552885213346
                                                                              Encrypted:false
                                                                              SSDEEP:48:fWSU4xympjgZ9tz4RIoUl8NPZHUl7u1iMuge//Zf0Uyus:fLHxvCZfIfSKRHmOugo1s
                                                                              MD5:F846582E69ED7C1D9D773D62143B0081
                                                                              SHA1:F68B60C2549E263CC0D21B5ACF73A520C235F7C3
                                                                              SHA-256:7A7B068FEBAC5AEE7FB2A2993E9A79DF12E0C890E7EBD2E317B5FD168E6D34C2
                                                                              SHA-512:73771951152B4E801239D6AB40E1E3E94F604F2C08FF43228DED6F0B52298A4E980169CBD7E7528F3ABC3E84936060C8325AC059F6D19E8B18B3800452107E0F
                                                                              Malicious:false
                                                                              Preview:@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

                                                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_di0oxyq3.4gm.psm1

                                                                              Download File
                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                              File Type:ASCII text, with no line terminators
                                                                              Category:dropped
                                                                              Size (bytes):60
                                                                              Entropy (8bit):4.038920595031593
                                                                              Encrypted:false
                                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                              Malicious:false
                                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_em3hefzd.oli.ps1

                                                                              Download File
                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                              File Type:ASCII text, with no line terminators
                                                                              Category:dropped
                                                                              Size (bytes):60
                                                                              Entropy (8bit):4.038920595031593
                                                                              Encrypted:false
                                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                              Malicious:false
                                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fdnkqmoe.nxi.psm1

                                                                              Download File
                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                              File Type:ASCII text, with no line terminators
                                                                              Category:dropped
                                                                              Size (bytes):60
                                                                              Entropy (8bit):4.038920595031593
                                                                              Encrypted:false
                                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                              Malicious:false
                                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zhguzsjp.mc4.ps1

                                                                              Download File
                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                              File Type:ASCII text, with no line terminators
                                                                              Category:dropped
                                                                              Size (bytes):60
                                                                              Entropy (8bit):4.038920595031593
                                                                              Encrypted:false
                                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                              Malicious:false
                                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                              C:\Users\user\AppData\Local\Temp\tmpECF0.tmp

                                                                              Download File
                                                                              Process:C:\Users\user\Desktop\DHL AWB_NO_9078538809.exe
                                                                              File Type:XML 1.0 document, ASCII text
                                                                              Category:dropped
                                                                              Size (bytes):1576
                                                                              Entropy (8bit):5.117186912045643
                                                                              Encrypted:false
                                                                              SSDEEP:24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtaExvn:cge1wYrFdOFzOzN33ODOiDdKrsuT5v
                                                                              MD5:2557D8933914DC62F2AF47EFBE327190
                                                                              SHA1:1A420B73D6B02734FBCAA5E0FC6748A77BE3425D
                                                                              SHA-256:344CC6D849369A0F460EB8F309C8B030C4EE1161512288C08F1B231557BBC065
                                                                              SHA-512:9880B612C894AB17C9678F4271EFEB764168FCF2D16678A7EDFA8CEA4230765419EAFD14FF0F1BA8C623410C4BF53E735476A7B50947511DF5766A51788F82F7
                                                                              Malicious:true
                                                                              Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail

                                                                              C:\Users\user\AppData\Local\Temp\tmpF888.tmp

                                                                              Download File
                                                                              Process:C:\Users\user\AppData\Roaming\GAmFKUIDBo.exe
                                                                              File Type:XML 1.0 document, ASCII text
                                                                              Category:dropped
                                                                              Size (bytes):1576
                                                                              Entropy (8bit):5.117186912045643
                                                                              Encrypted:false
                                                                              SSDEEP:24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtaExvn:cge1wYrFdOFzOzN33ODOiDdKrsuT5v
                                                                              MD5:2557D8933914DC62F2AF47EFBE327190
                                                                              SHA1:1A420B73D6B02734FBCAA5E0FC6748A77BE3425D
                                                                              SHA-256:344CC6D849369A0F460EB8F309C8B030C4EE1161512288C08F1B231557BBC065
                                                                              SHA-512:9880B612C894AB17C9678F4271EFEB764168FCF2D16678A7EDFA8CEA4230765419EAFD14FF0F1BA8C623410C4BF53E735476A7B50947511DF5766A51788F82F7
                                                                              Malicious:false
                                                                              Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail

                                                                              C:\Users\user\AppData\Roaming\GAmFKUIDBo.exe

                                                                              Download File
                                                                              Process:C:\Users\user\Desktop\DHL AWB_NO_9078538809.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):961536
                                                                              Entropy (8bit):7.9537450021177385
                                                                              Encrypted:false
                                                                              SSDEEP:24576:VUJe35eXoREhAiOsBVdYZVB4fUtPgtmNxS3Ah77Q4cLSqc6w3:Gm1RIb3dYZVumowSG/rcLSqc6w3
                                                                              MD5:0E317B92296B874F54A63B7CE8EF3C65
                                                                              SHA1:A2C482FC7C9FEA2543FAC305FC4857ED6DDB8AC4
                                                                              SHA-256:802838172640A2ED4EA87B5ECBFD07629E151F25AE46E1C03D3AE11B0F78ADD6
                                                                              SHA-512:CA5DE1BB5BF884B28857229419371FAA73D0D3570C465F19906409AEBD7C821C3C5A68655E6CEC8289B39CB922CA6A0FE9EB0BE40C186DF06448E959D0A57A99
                                                                              Malicious:true
                                                                              Antivirus:
                                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                              • Antivirus: ReversingLabs, Detection: 34%
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...+................0.................. ........@.. ....................................@.................................1...O.......(...............................p............................................ ............... ..H............text........ ...................... ..`.rsrc...(...........................@..@.reloc..............................@..B................e.......H...........l.............. ............................................0..L.........}.....(.......(......(............s......( ....o!.....("....o#.....($....*.0............}........(%........(&.....,5...(............s......(.....o!.....(.....o#....85....r...p.V...('...o(...tV.......()..........9.....s.........s*...s+...o,......o ...r...po-..........,$..( .....o ...r...po-...s....o.........o/...(0.......o1...(2.......o3...(4.......o5...(6.......o7...(8.......o9...(:.........

                                                                              C:\Users\user\AppData\Roaming\GAmFKUIDBo.exe:Zone.Identifier

                                                                              Download File
                                                                              Process:C:\Users\user\Desktop\DHL AWB_NO_9078538809.exe
                                                                              File Type:ASCII text, with CRLF line terminators
                                                                              Category:dropped
                                                                              Size (bytes):26
                                                                              Entropy (8bit):3.95006375643621
                                                                              Encrypted:false
                                                                              SSDEEP:3:ggPYV:rPYV
                                                                              MD5:187F488E27DB4AF347237FE461A079AD
                                                                              SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                              SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                              SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                              Malicious:true
                                                                              Preview:[ZoneTransfer]....ZoneId=0

                                                                              Static File Info

                                                                              General

                                                                              File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                              Entropy (8bit):7.9537450021177385
                                                                              TrID:
                                                                              • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                              • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                              • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                              • Generic Win/DOS Executable (2004/3) 0.01%
                                                                              • DOS Executable Generic (2002/1) 0.01%
                                                                              File name:DHL AWB_NO_9078538809.exe
                                                                              File size:961'536 bytes
                                                                              MD5:0e317b92296b874f54a63b7ce8ef3c65
                                                                              SHA1:a2c482fc7c9fea2543fac305fc4857ed6ddb8ac4
                                                                              SHA256:802838172640a2ed4ea87b5ecbfd07629e151f25ae46e1c03d3ae11b0f78add6
                                                                              SHA512:ca5de1bb5bf884b28857229419371faa73d0d3570c465f19906409aebd7c821c3c5a68655e6cec8289b39cb922ca6a0fe9eb0be40c186df06448e959d0a57a99
                                                                              SSDEEP:24576:VUJe35eXoREhAiOsBVdYZVB4fUtPgtmNxS3Ah77Q4cLSqc6w3:Gm1RIb3dYZVumowSG/rcLSqc6w3
                                                                              TLSH:5B1523207278AF92C57E03FA4944A38007F5E1155231E2691EC7A5DB2BA7F178EB2F47
                                                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...+.................0.................. ........@.. ....................................@................................

                                                                              File Icon

                                                                              Icon Hash:90cececece8e8eb0

                                                                              Static PE Info

                                                                              General

                                                                              Entrypoint:0x4ebf86
                                                                              Entrypoint Section:.text
                                                                              Digitally signed:false
                                                                              Imagebase:0x400000
                                                                              Subsystem:windows gui
                                                                              Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                              DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                              Time Stamp:0x93F3112B [Thu Aug 27 22:33:15 2048 UTC]
                                                                              TLS Callbacks:
                                                                              CLR (.Net) Version:
                                                                              OS Version Major:4
                                                                              OS Version Minor:0
                                                                              File Version Major:4
                                                                              File Version Minor:0
                                                                              Subsystem Version Major:4
                                                                              Subsystem Version Minor:0
                                                                              Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                                              Entrypoint Preview

                                                                              Instruction
                                                                              jmp dword ptr [00402000h]
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add al, byte ptr [eax]
                                                                              adc byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              and byte ptr [eax], al
                                                                              add byte ptr [eax+00000018h], al
                                                                              push eax
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], 00000000h
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add dword ptr [eax], eax
                                                                              add dword ptr [eax], eax
                                                                              add byte ptr [eax], al
                                                                              cmp byte ptr [eax], al
                                                                              add byte ptr [eax+00000000h], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add dword ptr [eax], eax
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], 00000000h

                                                                              Data Directories

                                                                              NameVirtual AddressVirtual Size Is in Section
                                                                              IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                                              IMAGE_DIRECTORY_ENTRY_IMPORT0xebf310x4f.text
                                                                              IMAGE_DIRECTORY_ENTRY_RESOURCE0xec0000x628.rsrc
                                                                              IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                                              IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                                              IMAGE_DIRECTORY_ENTRY_BASERELOC0xee0000xc.reloc
                                                                              IMAGE_DIRECTORY_ENTRY_DEBUG0xe94e00x70.text
                                                                              IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                                              IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                                              IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                                              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                                              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                                              IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                                                              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                                              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                                                              IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                                              Sections

                                                                              NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                                              .text0x20000xe9f8c0xea0009b7d28293ac138a8d003feacb01711feFalse0.9608853331997863data7.959184226551168IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                              .rsrc0xec0000x6280x8001383cb45ef7422c5cc6bcc9b6d17dbacFalse0.3388671875data3.4655941507559183IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                              .reloc0xee0000xc0x20084463cbfe945b23f965b8ff557c5135cFalse0.044921875data0.10191042566270775IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                              Resources

                                                                              NameRVASizeTypeLanguageCountryZLIB Complexity
                                                                              RT_VERSION0xec0900x398OpenPGP Public Key0.4206521739130435
                                                                              RT_MANIFEST0xec4380x1eaXML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators0.5489795918367347

                                                                              Imports

                                                                              DLLImport
                                                                              mscoree.dll_CorExeMain

                                                                              Network Behavior

                                                                              Suricata IDS Alerts

                                                                              TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                                                              2024-11-25T12:48:00.789488+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.450019185.214.10.22545682TCP
                                                                              2024-11-25T12:48:28.143421+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.449733185.214.10.22545682TCP
                                                                              2024-11-25T12:48:51.222307+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.449742185.214.10.22545682TCP
                                                                              2024-11-25T12:49:14.294086+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.449743185.214.10.22545682TCP
                                                                              2024-11-25T12:49:37.654004+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.449789185.214.10.22545682TCP
                                                                              2024-11-25T12:50:00.717754+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.449840185.214.10.22545682TCP
                                                                              2024-11-25T12:50:23.826794+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.449891185.214.10.22545682TCP
                                                                              2024-11-25T12:50:47.192523+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.449943185.214.10.22545682TCP
                                                                              2024-11-25T12:51:10.227033+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.449994185.214.10.22545682TCP
                                                                              2024-11-25T12:51:33.297121+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.450017185.214.10.22545682TCP
                                                                              2024-11-25T12:51:57.156591+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.450018185.214.10.22545682TCP

                                                                              Network Port Distribution

                                                                              TCP Packets

                                                                              TimestampSource PortDest PortSource IPDest IP
                                                                              Nov 25, 2024 12:48:06.132540941 CET4973345682192.168.2.4185.214.10.225
                                                                              Nov 25, 2024 12:48:06.252230883 CET4568249733185.214.10.225192.168.2.4
                                                                              Nov 25, 2024 12:48:06.252317905 CET4973345682192.168.2.4185.214.10.225
                                                                              Nov 25, 2024 12:48:06.257433891 CET4973345682192.168.2.4185.214.10.225
                                                                              Nov 25, 2024 12:48:06.377667904 CET4568249733185.214.10.225192.168.2.4
                                                                              Nov 25, 2024 12:48:28.143295050 CET4568249733185.214.10.225192.168.2.4
                                                                              Nov 25, 2024 12:48:28.143420935 CET4973345682192.168.2.4185.214.10.225
                                                                              Nov 25, 2024 12:48:28.153923035 CET4973345682192.168.2.4185.214.10.225
                                                                              Nov 25, 2024 12:48:28.273746014 CET4568249733185.214.10.225192.168.2.4
                                                                              Nov 25, 2024 12:48:29.165498018 CET4974245682192.168.2.4185.214.10.225
                                                                              Nov 25, 2024 12:48:29.286199093 CET4568249742185.214.10.225192.168.2.4
                                                                              Nov 25, 2024 12:48:29.286480904 CET4974245682192.168.2.4185.214.10.225
                                                                              Nov 25, 2024 12:48:29.289627075 CET4974245682192.168.2.4185.214.10.225
                                                                              Nov 25, 2024 12:48:29.409271002 CET4568249742185.214.10.225192.168.2.4
                                                                              Nov 25, 2024 12:48:51.222115040 CET4568249742185.214.10.225192.168.2.4
                                                                              Nov 25, 2024 12:48:51.222306967 CET4974245682192.168.2.4185.214.10.225
                                                                              Nov 25, 2024 12:48:51.223372936 CET4974245682192.168.2.4185.214.10.225
                                                                              Nov 25, 2024 12:48:51.343038082 CET4568249742185.214.10.225192.168.2.4
                                                                              Nov 25, 2024 12:48:52.228061914 CET4974345682192.168.2.4185.214.10.225
                                                                              Nov 25, 2024 12:48:52.349585056 CET4568249743185.214.10.225192.168.2.4
                                                                              Nov 25, 2024 12:48:52.350212097 CET4974345682192.168.2.4185.214.10.225
                                                                              Nov 25, 2024 12:48:52.355974913 CET4974345682192.168.2.4185.214.10.225
                                                                              Nov 25, 2024 12:48:52.475855112 CET4568249743185.214.10.225192.168.2.4
                                                                              Nov 25, 2024 12:49:14.293989897 CET4568249743185.214.10.225192.168.2.4
                                                                              Nov 25, 2024 12:49:14.294085979 CET4974345682192.168.2.4185.214.10.225
                                                                              Nov 25, 2024 12:49:14.294174910 CET4974345682192.168.2.4185.214.10.225
                                                                              Nov 25, 2024 12:49:14.413737059 CET4568249743185.214.10.225192.168.2.4
                                                                              Nov 25, 2024 12:49:15.614980936 CET4978945682192.168.2.4185.214.10.225
                                                                              Nov 25, 2024 12:49:15.735306025 CET4568249789185.214.10.225192.168.2.4
                                                                              Nov 25, 2024 12:49:15.735383034 CET4978945682192.168.2.4185.214.10.225
                                                                              Nov 25, 2024 12:49:15.740026951 CET4978945682192.168.2.4185.214.10.225
                                                                              Nov 25, 2024 12:49:15.859889030 CET4568249789185.214.10.225192.168.2.4
                                                                              Nov 25, 2024 12:49:37.653834105 CET4568249789185.214.10.225192.168.2.4
                                                                              Nov 25, 2024 12:49:37.654004097 CET4978945682192.168.2.4185.214.10.225
                                                                              Nov 25, 2024 12:49:37.654206038 CET4978945682192.168.2.4185.214.10.225
                                                                              Nov 25, 2024 12:49:37.773652077 CET4568249789185.214.10.225192.168.2.4
                                                                              Nov 25, 2024 12:49:38.665375948 CET4984045682192.168.2.4185.214.10.225
                                                                              Nov 25, 2024 12:49:38.785708904 CET4568249840185.214.10.225192.168.2.4
                                                                              Nov 25, 2024 12:49:38.785805941 CET4984045682192.168.2.4185.214.10.225
                                                                              Nov 25, 2024 12:49:38.789530039 CET4984045682192.168.2.4185.214.10.225
                                                                              Nov 25, 2024 12:49:38.909111023 CET4568249840185.214.10.225192.168.2.4
                                                                              Nov 25, 2024 12:50:00.717561007 CET4568249840185.214.10.225192.168.2.4
                                                                              Nov 25, 2024 12:50:00.717753887 CET4984045682192.168.2.4185.214.10.225
                                                                              Nov 25, 2024 12:50:00.717819929 CET4984045682192.168.2.4185.214.10.225
                                                                              Nov 25, 2024 12:50:00.837340117 CET4568249840185.214.10.225192.168.2.4
                                                                              Nov 25, 2024 12:50:01.728060007 CET4989145682192.168.2.4185.214.10.225
                                                                              Nov 25, 2024 12:50:01.847791910 CET4568249891185.214.10.225192.168.2.4
                                                                              Nov 25, 2024 12:50:01.850759983 CET4989145682192.168.2.4185.214.10.225
                                                                              Nov 25, 2024 12:50:01.854204893 CET4989145682192.168.2.4185.214.10.225
                                                                              Nov 25, 2024 12:50:01.973953962 CET4568249891185.214.10.225192.168.2.4
                                                                              Nov 25, 2024 12:50:23.826643944 CET4568249891185.214.10.225192.168.2.4
                                                                              Nov 25, 2024 12:50:23.826793909 CET4989145682192.168.2.4185.214.10.225
                                                                              Nov 25, 2024 12:50:23.826793909 CET4989145682192.168.2.4185.214.10.225
                                                                              Nov 25, 2024 12:50:23.946495056 CET4568249891185.214.10.225192.168.2.4
                                                                              Nov 25, 2024 12:50:25.157814980 CET4994345682192.168.2.4185.214.10.225
                                                                              Nov 25, 2024 12:50:25.277605057 CET4568249943185.214.10.225192.168.2.4
                                                                              Nov 25, 2024 12:50:25.277679920 CET4994345682192.168.2.4185.214.10.225
                                                                              Nov 25, 2024 12:50:25.281076908 CET4994345682192.168.2.4185.214.10.225
                                                                              Nov 25, 2024 12:50:25.400595903 CET4568249943185.214.10.225192.168.2.4
                                                                              Nov 25, 2024 12:50:47.192467928 CET4568249943185.214.10.225192.168.2.4
                                                                              Nov 25, 2024 12:50:47.192523003 CET4994345682192.168.2.4185.214.10.225
                                                                              Nov 25, 2024 12:50:47.200201035 CET4994345682192.168.2.4185.214.10.225
                                                                              Nov 25, 2024 12:50:47.319835901 CET4568249943185.214.10.225192.168.2.4
                                                                              Nov 25, 2024 12:50:48.212588072 CET4999445682192.168.2.4185.214.10.225
                                                                              Nov 25, 2024 12:50:48.332226038 CET4568249994185.214.10.225192.168.2.4
                                                                              Nov 25, 2024 12:50:48.332351923 CET4999445682192.168.2.4185.214.10.225
                                                                              Nov 25, 2024 12:50:48.337976933 CET4999445682192.168.2.4185.214.10.225
                                                                              Nov 25, 2024 12:50:48.457428932 CET4568249994185.214.10.225192.168.2.4
                                                                              Nov 25, 2024 12:51:10.224796057 CET4568249994185.214.10.225192.168.2.4
                                                                              Nov 25, 2024 12:51:10.227032900 CET4999445682192.168.2.4185.214.10.225
                                                                              Nov 25, 2024 12:51:10.227034092 CET4999445682192.168.2.4185.214.10.225
                                                                              Nov 25, 2024 12:51:10.346851110 CET4568249994185.214.10.225192.168.2.4
                                                                              Nov 25, 2024 12:51:11.228166103 CET5001745682192.168.2.4185.214.10.225
                                                                              Nov 25, 2024 12:51:11.348074913 CET4568250017185.214.10.225192.168.2.4
                                                                              Nov 25, 2024 12:51:11.350967884 CET5001745682192.168.2.4185.214.10.225
                                                                              Nov 25, 2024 12:51:11.354552031 CET5001745682192.168.2.4185.214.10.225
                                                                              Nov 25, 2024 12:51:11.475045919 CET4568250017185.214.10.225192.168.2.4
                                                                              Nov 25, 2024 12:51:33.297025919 CET4568250017185.214.10.225192.168.2.4
                                                                              Nov 25, 2024 12:51:33.297121048 CET5001745682192.168.2.4185.214.10.225
                                                                              Nov 25, 2024 12:51:33.297169924 CET5001745682192.168.2.4185.214.10.225
                                                                              Nov 25, 2024 12:51:33.416609049 CET4568250017185.214.10.225192.168.2.4
                                                                              Nov 25, 2024 12:51:35.074359894 CET5001845682192.168.2.4185.214.10.225
                                                                              Nov 25, 2024 12:51:35.193767071 CET4568250018185.214.10.225192.168.2.4
                                                                              Nov 25, 2024 12:51:35.193840981 CET5001845682192.168.2.4185.214.10.225
                                                                              Nov 25, 2024 12:51:35.198446989 CET5001845682192.168.2.4185.214.10.225
                                                                              Nov 25, 2024 12:51:35.318291903 CET4568250018185.214.10.225192.168.2.4
                                                                              Nov 25, 2024 12:51:57.156497002 CET4568250018185.214.10.225192.168.2.4
                                                                              Nov 25, 2024 12:51:57.156590939 CET5001845682192.168.2.4185.214.10.225
                                                                              Nov 25, 2024 12:51:57.156651974 CET5001845682192.168.2.4185.214.10.225
                                                                              Nov 25, 2024 12:51:57.276187897 CET4568250018185.214.10.225192.168.2.4
                                                                              Nov 25, 2024 12:51:58.166260958 CET5001945682192.168.2.4185.214.10.225
                                                                              Nov 25, 2024 12:51:58.285944939 CET4568250019185.214.10.225192.168.2.4
                                                                              Nov 25, 2024 12:51:58.286192894 CET5001945682192.168.2.4185.214.10.225
                                                                              Nov 25, 2024 12:51:58.289438009 CET5001945682192.168.2.4185.214.10.225
                                                                              Nov 25, 2024 12:51:58.409115076 CET4568250019185.214.10.225192.168.2.4

                                                                              UDP Packets

                                                                              TimestampSource PortDest PortSource IPDest IP
                                                                              Nov 25, 2024 12:48:05.813230991 CET5214153192.168.2.41.1.1.1
                                                                              Nov 25, 2024 12:48:06.127912998 CET53521411.1.1.1192.168.2.4
                                                                              Nov 25, 2024 12:49:15.305584908 CET5492853192.168.2.41.1.1.1
                                                                              Nov 25, 2024 12:49:15.614063025 CET53549281.1.1.1192.168.2.4
                                                                              Nov 25, 2024 12:50:24.837125063 CET6398353192.168.2.41.1.1.1
                                                                              Nov 25, 2024 12:50:25.156753063 CET53639831.1.1.1192.168.2.4
                                                                              Nov 25, 2024 12:51:34.306036949 CET4947053192.168.2.41.1.1.1
                                                                              Nov 25, 2024 12:51:35.073385000 CET53494701.1.1.1192.168.2.4

                                                                              DNS Queries

                                                                              TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                                              Nov 25, 2024 12:48:05.813230991 CET192.168.2.41.1.1.10xf393Standard query (0)windowsupdateserveraug.duckdns.orgA (IP address)IN (0x0001)false
                                                                              Nov 25, 2024 12:49:15.305584908 CET192.168.2.41.1.1.10x7a4bStandard query (0)windowsupdateserveraug.duckdns.orgA (IP address)IN (0x0001)false
                                                                              Nov 25, 2024 12:50:24.837125063 CET192.168.2.41.1.1.10xcffbStandard query (0)windowsupdateserveraug.duckdns.orgA (IP address)IN (0x0001)false
                                                                              Nov 25, 2024 12:51:34.306036949 CET192.168.2.41.1.1.10xb1a7Standard query (0)windowsupdateserveraug.duckdns.orgA (IP address)IN (0x0001)false

                                                                              DNS Answers

                                                                              TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                              Nov 25, 2024 12:48:06.127912998 CET1.1.1.1192.168.2.40xf393No error (0)windowsupdateserveraug.duckdns.org185.214.10.225A (IP address)IN (0x0001)false
                                                                              Nov 25, 2024 12:49:15.614063025 CET1.1.1.1192.168.2.40x7a4bNo error (0)windowsupdateserveraug.duckdns.org185.214.10.225A (IP address)IN (0x0001)false
                                                                              Nov 25, 2024 12:50:25.156753063 CET1.1.1.1192.168.2.40xcffbNo error (0)windowsupdateserveraug.duckdns.org185.214.10.225A (IP address)IN (0x0001)false
                                                                              Nov 25, 2024 12:51:35.073385000 CET1.1.1.1192.168.2.40xb1a7No error (0)windowsupdateserveraug.duckdns.org185.214.10.225A (IP address)IN (0x0001)false

                                                                              Statistics

                                                                              CPU Usage

                                                                              Click to jump to process

                                                                              Memory Usage

                                                                              Click to jump to process

                                                                              High Level Behavior Distribution

                                                                              Click to dive into process behavior distribution

                                                                              Behavior

                                                                              Click to jump to process

                                                                              System Behavior

                                                                              General

                                                                              Target ID:0
                                                                              Start time:06:48:01
                                                                              Start date:25/11/2024
                                                                              Path:C:\Users\user\Desktop\DHL AWB_NO_9078538809.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:"C:\Users\user\Desktop\DHL AWB_NO_9078538809.exe"
                                                                              Imagebase:0x190000
                                                                              File size:961'536 bytes
                                                                              MD5 hash:0E317B92296B874F54A63B7CE8EF3C65
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1774853678.0000000004FE0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.1770366632.00000000041DF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.1770366632.00000000041DF000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.1770366632.00000000036B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1770366632.00000000036B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.1770366632.00000000036B1000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                              Reputation:low
                                                                              Has exited:true

                                                                              General

                                                                              Target ID:2
                                                                              Start time:06:48:03
                                                                              Start date:25/11/2024
                                                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\GAmFKUIDBo.exe"
                                                                              Imagebase:0xb60000
                                                                              File size:433'152 bytes
                                                                              MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:true

                                                                              General

                                                                              Target ID:3
                                                                              Start time:06:48:04
                                                                              Start date:25/11/2024
                                                                              Path:C:\Windows\System32\conhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:0x7ff7699e0000
                                                                              File size:862'208 bytes
                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:true

                                                                              General

                                                                              Target ID:4
                                                                              Start time:06:48:04
                                                                              Start date:25/11/2024
                                                                              Path:C:\Windows\SysWOW64\schtasks.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GAmFKUIDBo" /XML "C:\Users\user\AppData\Local\Temp\tmpECF0.tmp"
                                                                              Imagebase:0xf80000
                                                                              File size:187'904 bytes
                                                                              MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:true

                                                                              General

                                                                              Target ID:5
                                                                              Start time:06:48:04
                                                                              Start date:25/11/2024
                                                                              Path:C:\Windows\System32\conhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:0x7ff7699e0000
                                                                              File size:862'208 bytes
                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:true

                                                                              General

                                                                              Target ID:6
                                                                              Start time:06:48:04
                                                                              Start date:25/11/2024
                                                                              Path:C:\Users\user\Desktop\DHL AWB_NO_9078538809.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:"C:\Users\user\Desktop\DHL AWB_NO_9078538809.exe"
                                                                              Imagebase:0xa30000
                                                                              File size:961'536 bytes
                                                                              MD5 hash:0E317B92296B874F54A63B7CE8EF3C65
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000006.00000002.4206115164.00000000012C7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                              Reputation:low
                                                                              Has exited:false

                                                                              General

                                                                              Target ID:7
                                                                              Start time:06:48:04
                                                                              Start date:25/11/2024
                                                                              Path:C:\Users\user\AppData\Roaming\GAmFKUIDBo.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:C:\Users\user\AppData\Roaming\GAmFKUIDBo.exe
                                                                              Imagebase:0x430000
                                                                              File size:961'536 bytes
                                                                              MD5 hash:0E317B92296B874F54A63B7CE8EF3C65
                                                                              Has elevated privileges:false
                                                                              Has administrator privileges:false
                                                                              Programmed in:C, C++ or other language
                                                                              Antivirus matches:
                                                                              • Detection: 100%, Joe Sandbox ML
                                                                              • Detection: 34%, ReversingLabs
                                                                              Reputation:low
                                                                              Has exited:true

                                                                              General

                                                                              Target ID:8
                                                                              Start time:06:48:06
                                                                              Start date:25/11/2024
                                                                              Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                                              Imagebase:0x7ff693ab0000
                                                                              File size:496'640 bytes
                                                                              MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:false
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:true

                                                                              General

                                                                              Target ID:9
                                                                              Start time:06:48:07
                                                                              Start date:25/11/2024
                                                                              Path:C:\Windows\SysWOW64\schtasks.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GAmFKUIDBo" /XML "C:\Users\user\AppData\Local\Temp\tmpF888.tmp"
                                                                              Imagebase:0xf80000
                                                                              File size:187'904 bytes
                                                                              MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                                              Has elevated privileges:false
                                                                              Has administrator privileges:false
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:true

                                                                              General

                                                                              Target ID:10
                                                                              Start time:06:48:07
                                                                              Start date:25/11/2024
                                                                              Path:C:\Windows\System32\conhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:0x7ff7699e0000
                                                                              File size:862'208 bytes
                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                              Has elevated privileges:false
                                                                              Has administrator privileges:false
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:true

                                                                              General

                                                                              Target ID:11
                                                                              Start time:06:48:07
                                                                              Start date:25/11/2024
                                                                              Path:C:\Users\user\AppData\Roaming\GAmFKUIDBo.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:"C:\Users\user\AppData\Roaming\GAmFKUIDBo.exe"
                                                                              Imagebase:0xb80000
                                                                              File size:961'536 bytes
                                                                              MD5 hash:0E317B92296B874F54A63B7CE8EF3C65
                                                                              Has elevated privileges:false
                                                                              Has administrator privileges:false
                                                                              Programmed in:C, C++ or other language
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000B.00000002.1800318977.0000000001317000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                              • Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                              • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer, Description: detects Windows exceutables potentially bypassing UAC using eventvwr.exe, Source: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                              Reputation:low
                                                                              Has exited:true

                                                                              Disassembly

                                                                              Reset < >

                                                                                Execution Graph

                                                                                Execution Coverage:9%
                                                                                Dynamic/Decrypted Code Coverage:100%
                                                                                Signature Coverage:0%
                                                                                Total number of Nodes:139
                                                                                Total number of Limit Nodes:10
                                                                                execution_graph 40270 c1ac90 40271 c1ac9f 40270->40271 40274 c1ad79 40270->40274 40279 c1ad88 40270->40279 40275 c1adbc 40274->40275 40276 c1ad99 40274->40276 40275->40271 40276->40275 40277 c1afc0 GetModuleHandleW 40276->40277 40278 c1afed 40277->40278 40278->40271 40280 c1adbc 40279->40280 40281 c1ad99 40279->40281 40280->40271 40281->40280 40282 c1afc0 GetModuleHandleW 40281->40282 40283 c1afed 40282->40283 40283->40271 40326 515c6a6 40328 515c2e1 40326->40328 40327 515c3d6 40328->40327 40329 515e771 11 API calls 40328->40329 40330 515e778 11 API calls 40328->40330 40329->40328 40330->40328 40148 515c3dd 40149 515c3d6 40148->40149 40150 515c2e1 40148->40150 40150->40149 40153 515e771 40150->40153 40166 515e778 40150->40166 40154 515e792 40153->40154 40155 515e7b6 40154->40155 40179 515f21c 40154->40179 40183 515f2b2 40154->40183 40187 515f113 40154->40187 40191 515eba1 40154->40191 40197 515ef35 40154->40197 40201 515ed78 40154->40201 40206 515f0de 40154->40206 40211 515ef4e 40154->40211 40216 515edff 40154->40216 40221 515edaf 40154->40221 40155->40150 40167 515e792 40166->40167 40168 515e7b6 40167->40168 40169 515ef35 ResumeThread 40167->40169 40170 515eba1 2 API calls 40167->40170 40171 515f113 2 API calls 40167->40171 40172 515f2b2 2 API calls 40167->40172 40173 515f21c ResumeThread 40167->40173 40174 515edaf 2 API calls 40167->40174 40175 515edff 2 API calls 40167->40175 40176 515ef4e 2 API calls 40167->40176 40177 515f0de 2 API calls 40167->40177 40178 515ed78 2 API calls 40167->40178 40168->40150 40169->40168 40170->40168 40171->40168 40172->40168 40173->40168 40174->40168 40175->40168 40176->40168 40177->40168 40178->40168 40180 515f222 40179->40180 40225 515b9f8 40180->40225 40229 515baa1 40183->40229 40233 515baa8 40183->40233 40184 515f2cf 40237 515bb80 40187->40237 40241 515bb78 40187->40241 40188 515ed23 40188->40155 40193 515ebad 40191->40193 40192 515ebcf 40192->40155 40193->40192 40245 515bebc 40193->40245 40250 515bec8 40193->40250 40198 515ef3c 40197->40198 40200 515b9f8 ResumeThread 40198->40200 40199 515f3a9 40200->40199 40202 515f08f 40201->40202 40254 515bd30 40202->40254 40258 515bd28 40202->40258 40203 515eec9 40203->40155 40207 515f40a 40206->40207 40209 515baa1 Wow64SetThreadContext 40207->40209 40210 515baa8 Wow64SetThreadContext 40207->40210 40208 515f1e6 40208->40155 40209->40208 40210->40208 40213 515ef5b 40211->40213 40212 515f4a8 40262 515bc40 40213->40262 40266 515bc38 40213->40266 40217 515ee08 40216->40217 40219 515bc40 WriteProcessMemory 40217->40219 40220 515bc38 WriteProcessMemory 40217->40220 40218 515ed23 40218->40155 40219->40218 40220->40218 40223 515bc40 WriteProcessMemory 40221->40223 40224 515bc38 WriteProcessMemory 40221->40224 40222 515ede0 40222->40155 40223->40222 40224->40222 40226 515ba38 ResumeThread 40225->40226 40228 515ba69 40226->40228 40230 515baa8 Wow64SetThreadContext 40229->40230 40232 515bb35 40230->40232 40232->40184 40234 515baed Wow64SetThreadContext 40233->40234 40236 515bb35 40234->40236 40236->40184 40238 515bbc0 VirtualAllocEx 40237->40238 40240 515bbfd 40238->40240 40240->40188 40242 515bbc0 VirtualAllocEx 40241->40242 40244 515bbfd 40242->40244 40244->40188 40246 515be8b 40245->40246 40247 515bec7 CreateProcessA 40245->40247 40249 515c113 40247->40249 40249->40249 40251 515bf51 CreateProcessA 40250->40251 40253 515c113 40251->40253 40255 515bd7b ReadProcessMemory 40254->40255 40257 515bdbf 40255->40257 40257->40203 40259 515bd30 ReadProcessMemory 40258->40259 40261 515bdbf 40259->40261 40261->40203 40263 515bc88 WriteProcessMemory 40262->40263 40265 515bcdf 40263->40265 40265->40212 40267 515bc88 WriteProcessMemory 40266->40267 40269 515bcdf 40267->40269 40269->40212 40331 2684050 40332 2684092 40331->40332 40334 2684099 40331->40334 40333 26840ea CallWindowProcW 40332->40333 40332->40334 40333->40334 40284 c1d418 40285 c1d45e 40284->40285 40289 c1d5f8 40285->40289 40292 c1d5e9 40285->40292 40286 c1d54b 40290 c1d626 40289->40290 40295 c1b770 40289->40295 40290->40286 40293 c1b770 DuplicateHandle 40292->40293 40294 c1d626 40293->40294 40294->40286 40296 c1d660 DuplicateHandle 40295->40296 40297 c1d6f6 40296->40297 40297->40290 40298 c14668 40299 c1467a 40298->40299 40300 c14686 40299->40300 40302 c14778 40299->40302 40303 c1479d 40302->40303 40307 c14879 40303->40307 40311 c14888 40303->40311 40309 c148af 40307->40309 40308 c1498c 40308->40308 40309->40308 40315 c144b4 40309->40315 40313 c148af 40311->40313 40312 c1498c 40312->40312 40313->40312 40314 c144b4 CreateActCtxA 40313->40314 40314->40312 40316 c15918 CreateActCtxA 40315->40316 40318 c159db 40316->40318 40319 515f978 40320 515fb03 40319->40320 40322 515f99e 40319->40322 40322->40320 40323 5158870 40322->40323 40324 515fbf8 PostMessageW 40323->40324 40325 515fc64 40324->40325 40325->40322

                                                                                Executed Functions

                                                                                Function 02687269 Relevance: .9, Instructions: 949COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1769330965.0000000002680000.00000040.00000800.00020000.00000000.sdmp, Offset: 02680000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_2680000_DHL AWB_NO_9078538809.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 0e0dfcb85905c78b1eeee818da332cc53810a733ad98fa13342cdad808cb5d3c
                                                                                • Instruction ID: c0b8b71f7b289349d4582bd241ccfc8d361b0af0449ed21224a524f7dc295a98
                                                                                • Opcode Fuzzy Hash: 0e0dfcb85905c78b1eeee818da332cc53810a733ad98fa13342cdad808cb5d3c
                                                                                • Instruction Fuzzy Hash: 93A29634A50219CFCB55EF64C894AD9B7B2FF8A300F1181E9E9496B365DB31AE85CF40
                                                                                Function 0A450940 Relevance: .6, Instructions: 586COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1780448658.000000000A450000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A450000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_a450000_DHL AWB_NO_9078538809.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: f9f7c9afb708c0ef2c32a1ccb5460beebd44278e362fa00faa104b7110dba4fd
                                                                                • Instruction ID: dc834f2d00bf89c4e43ed8baffaad307fad4ff9b073daaadc44cb0f5d4b95678
                                                                                • Opcode Fuzzy Hash: f9f7c9afb708c0ef2c32a1ccb5460beebd44278e362fa00faa104b7110dba4fd
                                                                                • Instruction Fuzzy Hash: 2F22AA387012048FDB19DB79D550BAEB7F6AFCA340F24446AE5169B3A2CB34ED41CB51
                                                                                Function 0515BEBC Relevance: 1.8, APIs: 1, Instructions: 265processCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 651 515bebc-515bec5 652 515bec7-515bf5d 651->652 653 515be8b-515beb0 651->653 657 515bf96-515bfb6 652->657 658 515bf5f-515bf69 652->658 666 515bfef-515c01e 657->666 667 515bfb8-515bfc2 657->667 658->657 660 515bf6b-515bf6d 658->660 661 515bf90-515bf93 660->661 662 515bf6f-515bf79 660->662 661->657 664 515bf7d-515bf8c 662->664 665 515bf7b 662->665 664->664 668 515bf8e 664->668 665->664 673 515c057-515c111 CreateProcessA 666->673 674 515c020-515c02a 666->674 667->666 669 515bfc4-515bfc6 667->669 668->661 671 515bfe9-515bfec 669->671 672 515bfc8-515bfd2 669->672 671->666 675 515bfd4 672->675 676 515bfd6-515bfe5 672->676 687 515c113-515c119 673->687 688 515c11a-515c1a0 673->688 674->673 678 515c02c-515c02e 674->678 675->676 676->676 677 515bfe7 676->677 677->671 679 515c051-515c054 678->679 680 515c030-515c03a 678->680 679->673 682 515c03c 680->682 683 515c03e-515c04d 680->683 682->683 683->683 685 515c04f 683->685 685->679 687->688 698 515c1b0-515c1b4 688->698 699 515c1a2-515c1a6 688->699 701 515c1c4-515c1c8 698->701 702 515c1b6-515c1ba 698->702 699->698 700 515c1a8 699->700 700->698 704 515c1d8-515c1dc 701->704 705 515c1ca-515c1ce 701->705 702->701 703 515c1bc 702->703 703->701 707 515c1ee-515c1f5 704->707 708 515c1de-515c1e4 704->708 705->704 706 515c1d0 705->706 706->704 709 515c1f7-515c206 707->709 710 515c20c 707->710 708->707 709->710 712 515c20d 710->712 712->712
                                                                                APIs
                                                                                • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0515C0FE
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1775929352.0000000005150000.00000040.00000800.00020000.00000000.sdmp, Offset: 05150000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5150000_DHL AWB_NO_9078538809.jbxd
                                                                                Similarity
                                                                                • API ID: CreateProcess
                                                                                • String ID:
                                                                                • API String ID: 963392458-0
                                                                                • Opcode ID: d3c7111350bd2bb69c69bbe28f34b1a88fd70aa54026b5919bc3c6723414eec1
                                                                                • Instruction ID: 002ad3fdfb9927958d9f9dc340f9d188f421d63615cc167d5e9bbcabc33980d8
                                                                                • Opcode Fuzzy Hash: d3c7111350bd2bb69c69bbe28f34b1a88fd70aa54026b5919bc3c6723414eec1
                                                                                • Instruction Fuzzy Hash: 80A17C71D04319DFDB20CFA8C881BEDBBB2BF44324F1485AAE859A7250DB749985CF91
                                                                                Function 0515BEC8 Relevance: 1.7, APIs: 1, Instructions: 243processCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 713 515bec8-515bf5d 715 515bf96-515bfb6 713->715 716 515bf5f-515bf69 713->716 723 515bfef-515c01e 715->723 724 515bfb8-515bfc2 715->724 716->715 717 515bf6b-515bf6d 716->717 718 515bf90-515bf93 717->718 719 515bf6f-515bf79 717->719 718->715 721 515bf7d-515bf8c 719->721 722 515bf7b 719->722 721->721 725 515bf8e 721->725 722->721 730 515c057-515c111 CreateProcessA 723->730 731 515c020-515c02a 723->731 724->723 726 515bfc4-515bfc6 724->726 725->718 728 515bfe9-515bfec 726->728 729 515bfc8-515bfd2 726->729 728->723 732 515bfd4 729->732 733 515bfd6-515bfe5 729->733 744 515c113-515c119 730->744 745 515c11a-515c1a0 730->745 731->730 735 515c02c-515c02e 731->735 732->733 733->733 734 515bfe7 733->734 734->728 736 515c051-515c054 735->736 737 515c030-515c03a 735->737 736->730 739 515c03c 737->739 740 515c03e-515c04d 737->740 739->740 740->740 742 515c04f 740->742 742->736 744->745 755 515c1b0-515c1b4 745->755 756 515c1a2-515c1a6 745->756 758 515c1c4-515c1c8 755->758 759 515c1b6-515c1ba 755->759 756->755 757 515c1a8 756->757 757->755 761 515c1d8-515c1dc 758->761 762 515c1ca-515c1ce 758->762 759->758 760 515c1bc 759->760 760->758 764 515c1ee-515c1f5 761->764 765 515c1de-515c1e4 761->765 762->761 763 515c1d0 762->763 763->761 766 515c1f7-515c206 764->766 767 515c20c 764->767 765->764 766->767 769 515c20d 767->769 769->769
                                                                                APIs
                                                                                • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0515C0FE
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1775929352.0000000005150000.00000040.00000800.00020000.00000000.sdmp, Offset: 05150000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5150000_DHL AWB_NO_9078538809.jbxd
                                                                                Similarity
                                                                                • API ID: CreateProcess
                                                                                • String ID:
                                                                                • API String ID: 963392458-0
                                                                                • Opcode ID: 9d2484f4f1ce64e749f77839049377866e688c7dca95c383f1c0802b4f64603c
                                                                                • Instruction ID: 523c52ce562f6e0117eb9b97d10a2fddad3673db5e158c85bb50b2a2682af101
                                                                                • Opcode Fuzzy Hash: 9d2484f4f1ce64e749f77839049377866e688c7dca95c383f1c0802b4f64603c
                                                                                • Instruction Fuzzy Hash: 28918E71D04319DFDB10CFA8C881BEDBBB2BF48314F1481AAE859A7250DB749985CF91
                                                                                Function 00C1AD88 Relevance: 1.7, APIs: 1, Instructions: 197COMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 770 c1ad88-c1ad97 771 c1adc3-c1adc7 770->771 772 c1ad99-c1ada6 call c1a0e0 770->772 774 c1adc9-c1add3 771->774 775 c1addb-c1ae1c 771->775 779 c1ada8 772->779 780 c1adbc 772->780 774->775 781 c1ae29-c1ae37 775->781 782 c1ae1e-c1ae26 775->782 826 c1adae call c1b010 779->826 827 c1adae call c1b020 779->827 780->771 783 c1ae39-c1ae3e 781->783 784 c1ae5b-c1ae5d 781->784 782->781 786 c1ae40-c1ae47 call c1a0ec 783->786 787 c1ae49 783->787 789 c1ae60-c1ae67 784->789 785 c1adb4-c1adb6 785->780 788 c1aef8-c1afb8 785->788 793 c1ae4b-c1ae59 786->793 787->793 821 c1afc0-c1afeb GetModuleHandleW 788->821 822 c1afba-c1afbd 788->822 790 c1ae74-c1ae7b 789->790 791 c1ae69-c1ae71 789->791 794 c1ae88-c1ae91 call c1a0fc 790->794 795 c1ae7d-c1ae85 790->795 791->790 793->789 801 c1ae93-c1ae9b 794->801 802 c1ae9e-c1aea3 794->802 795->794 801->802 803 c1aec1-c1aece 802->803 804 c1aea5-c1aeac 802->804 810 c1aef1-c1aef7 803->810 811 c1aed0-c1aeee 803->811 804->803 806 c1aeae-c1aebe call c1a10c call c1a11c 804->806 806->803 811->810 823 c1aff4-c1b008 821->823 824 c1afed-c1aff3 821->824 822->821 824->823 826->785 827->785
                                                                                APIs
                                                                                • GetModuleHandleW.KERNELBASE(00000000), ref: 00C1AFDE
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1768689341.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_c10000_DHL AWB_NO_9078538809.jbxd
                                                                                Similarity
                                                                                • API ID: HandleModule
                                                                                • String ID:
                                                                                • API String ID: 4139908857-0
                                                                                • Opcode ID: 132c115db72f1da52229666d89626f1cc59df81f37f5014d76e419efa628050d
                                                                                • Instruction ID: 3f546adca20117b1c91f615e4f9c6d018ff071214d75b1195a4f07d91b6b4d59
                                                                                • Opcode Fuzzy Hash: 132c115db72f1da52229666d89626f1cc59df81f37f5014d76e419efa628050d
                                                                                • Instruction Fuzzy Hash: 16815670A01B058FDB24DF29D04179ABBF1FF89300F00892DD45AD7A50DB34E995DB91
                                                                                Function 00C1590C Relevance: 1.6, APIs: 1, Instructions: 101COMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 828 c1590c-c159d9 CreateActCtxA 830 c159e2-c15a3c 828->830 831 c159db-c159e1 828->831 838 c15a4b-c15a4f 830->838 839 c15a3e-c15a41 830->839 831->830 840 c15a51-c15a5d 838->840 841 c15a60 838->841 839->838 840->841 843 c15a61 841->843 843->843
                                                                                APIs
                                                                                • CreateActCtxA.KERNEL32(?), ref: 00C159C9
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1768689341.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_c10000_DHL AWB_NO_9078538809.jbxd
                                                                                Similarity
                                                                                • API ID: Create
                                                                                • String ID:
                                                                                • API String ID: 2289755597-0
                                                                                • Opcode ID: 3e4dc649d8adca745cc326797f90ac553b754b5d18a753db13f20fd1208f1f4f
                                                                                • Instruction ID: 7babe1b1764d276fb74f25c7ddabfe03f50c5a30f287054c719618f8cf015e30
                                                                                • Opcode Fuzzy Hash: 3e4dc649d8adca745cc326797f90ac553b754b5d18a753db13f20fd1208f1f4f
                                                                                • Instruction Fuzzy Hash: 704115B0C00619CFDB24CFA9C8847DEBBB5FF85304F24816AD448AB255DB756986DF50
                                                                                Function 00C144B4 Relevance: 1.6, APIs: 1, Instructions: 96COMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 844 c144b4-c159d9 CreateActCtxA 847 c159e2-c15a3c 844->847 848 c159db-c159e1 844->848 855 c15a4b-c15a4f 847->855 856 c15a3e-c15a41 847->856 848->847 857 c15a51-c15a5d 855->857 858 c15a60 855->858 856->855 857->858 860 c15a61 858->860 860->860
                                                                                APIs
                                                                                • CreateActCtxA.KERNEL32(?), ref: 00C159C9
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1768689341.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_c10000_DHL AWB_NO_9078538809.jbxd
                                                                                Similarity
                                                                                • API ID: Create
                                                                                • String ID:
                                                                                • API String ID: 2289755597-0
                                                                                • Opcode ID: 319e6425806c2c7c538e72f8f1027d76414a792e349cc40892883f37cde96068
                                                                                • Instruction ID: 8147d0d97431e94eee99f2a98dc42edae0b136c69d364ce05be7601ea210423a
                                                                                • Opcode Fuzzy Hash: 319e6425806c2c7c538e72f8f1027d76414a792e349cc40892883f37cde96068
                                                                                • Instruction Fuzzy Hash: 5E41F4B0C00619CBDB24CFA9C8847DEBBF5FF45304F248059D409AB295DB756986DF90
                                                                                Function 02684050 Relevance: 1.6, APIs: 1, Instructions: 93COMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 861 2684050-268408c 862 268413c-268415c 861->862 863 2684092-2684097 861->863 869 268415f-268416c 862->869 864 2684099-26840d0 863->864 865 26840ea-2684122 CallWindowProcW 863->865 871 26840d9-26840e8 864->871 872 26840d2-26840d8 864->872 867 268412b-268413a 865->867 868 2684124-268412a 865->868 867->869 868->867 871->869 872->871
                                                                                APIs
                                                                                • CallWindowProcW.USER32(?,?,?,?,?), ref: 02684111
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1769330965.0000000002680000.00000040.00000800.00020000.00000000.sdmp, Offset: 02680000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_2680000_DHL AWB_NO_9078538809.jbxd
                                                                                Similarity
                                                                                • API ID: CallProcWindow
                                                                                • String ID:
                                                                                • API String ID: 2714655100-0
                                                                                • Opcode ID: eb67703459d4ab1fc4df3cf6a192357b67b2099fc1f29f71ea69049da00c4492
                                                                                • Instruction ID: 35ca754e7ed6a6b69f4860d6e589a602083e778c98b2d2996f074eac634eb802
                                                                                • Opcode Fuzzy Hash: eb67703459d4ab1fc4df3cf6a192357b67b2099fc1f29f71ea69049da00c4492
                                                                                • Instruction Fuzzy Hash: 8B413AB4A00305CFCB14DF99C488AABBBF5FB98314F24C558D559AB321D774A841CFA0
                                                                                Function 0515BC38 Relevance: 1.6, APIs: 1, Instructions: 72injectionCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 875 515bc38-515bc8e 877 515bc90-515bc9c 875->877 878 515bc9e-515bcdd WriteProcessMemory 875->878 877->878 880 515bce6-515bd16 878->880 881 515bcdf-515bce5 878->881 881->880
                                                                                APIs
                                                                                • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0515BCD0
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1775929352.0000000005150000.00000040.00000800.00020000.00000000.sdmp, Offset: 05150000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5150000_DHL AWB_NO_9078538809.jbxd
                                                                                Similarity
                                                                                • API ID: MemoryProcessWrite
                                                                                • String ID:
                                                                                • API String ID: 3559483778-0
                                                                                • Opcode ID: e16bb4dd47e5d7eebf3713fb42656f7a106407d2b5f57d724a1cc33459cbc5b6
                                                                                • Instruction ID: 8db51854db9e7a2438eec2d355cbf0eafaea722060bc5d56447f69a7ccaf5350
                                                                                • Opcode Fuzzy Hash: e16bb4dd47e5d7eebf3713fb42656f7a106407d2b5f57d724a1cc33459cbc5b6
                                                                                • Instruction Fuzzy Hash: E32157B1900359DFCB10CFA9C985BDEBBF4FF48320F10882AE959A7250C7789944CBA4
                                                                                Function 0515BC40 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 885 515bc40-515bc8e 887 515bc90-515bc9c 885->887 888 515bc9e-515bcdd WriteProcessMemory 885->888 887->888 890 515bce6-515bd16 888->890 891 515bcdf-515bce5 888->891 891->890
                                                                                APIs
                                                                                • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0515BCD0
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1775929352.0000000005150000.00000040.00000800.00020000.00000000.sdmp, Offset: 05150000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5150000_DHL AWB_NO_9078538809.jbxd
                                                                                Similarity
                                                                                • API ID: MemoryProcessWrite
                                                                                • String ID:
                                                                                • API String ID: 3559483778-0
                                                                                • Opcode ID: 163cb8be97bea8a8b3717bec71a8e02f50322aae486a2f3f7ee46a0b0c57922b
                                                                                • Instruction ID: b7bee300fc09eb2eb1836c3ad1697804d5647427728d33a541d445dc3ff3fe24
                                                                                • Opcode Fuzzy Hash: 163cb8be97bea8a8b3717bec71a8e02f50322aae486a2f3f7ee46a0b0c57922b
                                                                                • Instruction Fuzzy Hash: 1C2169B1900349DFCB10CFA9C881BDEBBF4FF48320F108829E959A7250C778A944CBA4
                                                                                Function 00C1D658 Relevance: 1.6, APIs: 1, Instructions: 67COMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 895 c1d658-c1d65e 896 c1d660-c1d6f4 DuplicateHandle 895->896 897 c1d6f6-c1d6fc 896->897 898 c1d6fd-c1d71a 896->898 897->898
                                                                                APIs
                                                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00C1D626,?,?,?,?,?), ref: 00C1D6E7
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1768689341.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_c10000_DHL AWB_NO_9078538809.jbxd
                                                                                Similarity
                                                                                • API ID: DuplicateHandle
                                                                                • String ID:
                                                                                • API String ID: 3793708945-0
                                                                                • Opcode ID: 88f53e0d6e0a01f68349bcfcf95cee89860bbd3269328240ee961e2cfb975d12
                                                                                • Instruction ID: 1b6aed7519810bae86bd61c71c5825ee6a371093bc4ccce68800f0e8c0df3f5d
                                                                                • Opcode Fuzzy Hash: 88f53e0d6e0a01f68349bcfcf95cee89860bbd3269328240ee961e2cfb975d12
                                                                                • Instruction Fuzzy Hash: 1421F2B59002499FDB10CFAAD584ADEBBF4FB48320F14842AE958A7310C378A940CFA5
                                                                                Function 0515BD28 Relevance: 1.6, APIs: 1, Instructions: 67COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0515BDB0
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1775929352.0000000005150000.00000040.00000800.00020000.00000000.sdmp, Offset: 05150000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5150000_DHL AWB_NO_9078538809.jbxd
                                                                                Similarity
                                                                                • API ID: MemoryProcessRead
                                                                                • String ID:
                                                                                • API String ID: 1726664587-0
                                                                                • Opcode ID: af1f534fb3d53ad519e13d13193bb5b46b396cb6b6f910ab0e3dea3bcf58a004
                                                                                • Instruction ID: be698100ece741f0f219242577a63eb5c7e2b04495b7d74b68842afdc2362a64
                                                                                • Opcode Fuzzy Hash: af1f534fb3d53ad519e13d13193bb5b46b396cb6b6f910ab0e3dea3bcf58a004
                                                                                • Instruction Fuzzy Hash: 572119B5800259DFCB10DFA9C881ADEFBF5FF48320F508429E999A7250D7399945CBA4
                                                                                Function 0515BAA1 Relevance: 1.6, APIs: 1, Instructions: 67threadCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 901 515baa1-515baf3 904 515baf5-515bb01 901->904 905 515bb03-515bb33 Wow64SetThreadContext 901->905 904->905 907 515bb35-515bb3b 905->907 908 515bb3c-515bb6c 905->908 907->908
                                                                                APIs
                                                                                • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0515BB26
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1775929352.0000000005150000.00000040.00000800.00020000.00000000.sdmp, Offset: 05150000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5150000_DHL AWB_NO_9078538809.jbxd
                                                                                Similarity
                                                                                • API ID: ContextThreadWow64
                                                                                • String ID:
                                                                                • API String ID: 983334009-0
                                                                                • Opcode ID: eb5a6627641549db6c798488c57cebadea9ab54bfb7097a4d01416f9018febd2
                                                                                • Instruction ID: 4bf1113012b0ba1e98166b937534533a189bdc040c1df4bfbe77c759593dd85c
                                                                                • Opcode Fuzzy Hash: eb5a6627641549db6c798488c57cebadea9ab54bfb7097a4d01416f9018febd2
                                                                                • Instruction Fuzzy Hash: 292125719043198FDB10DFAAC4857EEBBF4EF48324F20842AD899A7245D778A945CFA4
                                                                                Function 00C1B770 Relevance: 1.6, APIs: 1, Instructions: 65COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00C1D626,?,?,?,?,?), ref: 00C1D6E7
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1768689341.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_c10000_DHL AWB_NO_9078538809.jbxd
                                                                                Similarity
                                                                                • API ID: DuplicateHandle
                                                                                • String ID:
                                                                                • API String ID: 3793708945-0
                                                                                • Opcode ID: 516dcc57831b877df1f9dd4d564d8782623c8a6f94c860b0fc206f0bccf560a1
                                                                                • Instruction ID: 1e53307e6b4b8651b077a4e7b571fbb3db374db139a7d313fdd3ac3e61fcfa29
                                                                                • Opcode Fuzzy Hash: 516dcc57831b877df1f9dd4d564d8782623c8a6f94c860b0fc206f0bccf560a1
                                                                                • Instruction Fuzzy Hash: FB2114B5900248DFDB10CF9AD584ADEFBF4FB48310F10842AE919A7310C374A940DFA5
                                                                                Function 0515BD30 Relevance: 1.6, APIs: 1, Instructions: 63COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0515BDB0
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1775929352.0000000005150000.00000040.00000800.00020000.00000000.sdmp, Offset: 05150000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5150000_DHL AWB_NO_9078538809.jbxd
                                                                                Similarity
                                                                                • API ID: MemoryProcessRead
                                                                                • String ID:
                                                                                • API String ID: 1726664587-0
                                                                                • Opcode ID: 7690836cd8e2eecd2208e65dafa7a80a16988e26a079507e1b332f0aa09f939e
                                                                                • Instruction ID: 530342775a617ecf1c7398da62b7ad538ad8fce5b3e1b53e956940e31220ae12
                                                                                • Opcode Fuzzy Hash: 7690836cd8e2eecd2208e65dafa7a80a16988e26a079507e1b332f0aa09f939e
                                                                                • Instruction Fuzzy Hash: 2D2128B1800359DFCB10DFAAC881BDEBBF5FF48320F108429E959A7250C7389944CBA4
                                                                                Function 0515BAA8 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0515BB26
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1775929352.0000000005150000.00000040.00000800.00020000.00000000.sdmp, Offset: 05150000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5150000_DHL AWB_NO_9078538809.jbxd
                                                                                Similarity
                                                                                • API ID: ContextThreadWow64
                                                                                • String ID:
                                                                                • API String ID: 983334009-0
                                                                                • Opcode ID: f60b1f3e867630cb54bcecc51fbc6c9266eaebd492764c6c7e9e1056700cbe05
                                                                                • Instruction ID: d453dc7b3c7702102dba4eedfa1b5dc3453900f940bcd2da90cc9f19e79a64f3
                                                                                • Opcode Fuzzy Hash: f60b1f3e867630cb54bcecc51fbc6c9266eaebd492764c6c7e9e1056700cbe05
                                                                                • Instruction Fuzzy Hash: 212107719043098FDB10DFAAC5857AEBBF4EF48324F14C429D959A7245C778A944CFA4
                                                                                Function 0515BB78 Relevance: 1.6, APIs: 1, Instructions: 56memoryCOMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0515BBEE
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1775929352.0000000005150000.00000040.00000800.00020000.00000000.sdmp, Offset: 05150000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5150000_DHL AWB_NO_9078538809.jbxd
                                                                                Similarity
                                                                                • API ID: AllocVirtual
                                                                                • String ID:
                                                                                • API String ID: 4275171209-0
                                                                                • Opcode ID: 4ec6a18eaacf4ced9277f90c34f630cf098f564ef61364ef483c5b0cc6df813d
                                                                                • Instruction ID: db92518f38943a7c337bbefc5861f7d79afb3f0c1c0b3b83374b81fc662ccfa9
                                                                                • Opcode Fuzzy Hash: 4ec6a18eaacf4ced9277f90c34f630cf098f564ef61364ef483c5b0cc6df813d
                                                                                • Instruction Fuzzy Hash: 1B115671900259CFCB10DFAAC944BDEBBF5FF48320F208819E969A7254C7759944CFA0
                                                                                Function 0515BB80 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0515BBEE
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1775929352.0000000005150000.00000040.00000800.00020000.00000000.sdmp, Offset: 05150000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5150000_DHL AWB_NO_9078538809.jbxd
                                                                                Similarity
                                                                                • API ID: AllocVirtual
                                                                                • String ID:
                                                                                • API String ID: 4275171209-0
                                                                                • Opcode ID: 8d5ff9f65c7a6dc2dfe28a55aeff4c18239330ab9823ec8ca1b59d12635a6f00
                                                                                • Instruction ID: 712b0e702ac3006f14ef5edf17d0baaab6c564615276fecf926eb0944cde5cc9
                                                                                • Opcode Fuzzy Hash: 8d5ff9f65c7a6dc2dfe28a55aeff4c18239330ab9823ec8ca1b59d12635a6f00
                                                                                • Instruction Fuzzy Hash: 26112671900249DFCB10DFAAC945BDEBBF5EB48324F108819E955A7250C775A944CFA4
                                                                                Function 0515B9F8 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1775929352.0000000005150000.00000040.00000800.00020000.00000000.sdmp, Offset: 05150000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5150000_DHL AWB_NO_9078538809.jbxd
                                                                                Similarity
                                                                                • API ID: ResumeThread
                                                                                • String ID:
                                                                                • API String ID: 947044025-0
                                                                                • Opcode ID: 33f3fe133dc692638cc49bcbcf6a7c9ea15c9775c2b937084a2116461c9e2e9f
                                                                                • Instruction ID: b5377689da0b12f63f2d60a1ef44503cebac536d828d90a5eae5bcdda511b3f0
                                                                                • Opcode Fuzzy Hash: 33f3fe133dc692638cc49bcbcf6a7c9ea15c9775c2b937084a2116461c9e2e9f
                                                                                • Instruction Fuzzy Hash: 46113AB1904348CFDB20DFAAC4457DEFBF4EB88324F208419D55AA7254C775A944CF94
                                                                                Function 00C1AF78 Relevance: 1.5, APIs: 1, Instructions: 47COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • GetModuleHandleW.KERNELBASE(00000000), ref: 00C1AFDE
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1768689341.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_c10000_DHL AWB_NO_9078538809.jbxd
                                                                                Similarity
                                                                                • API ID: HandleModule
                                                                                • String ID:
                                                                                • API String ID: 4139908857-0
                                                                                • Opcode ID: dbed1fcdc9d5eb600466f0e0715e4d39375a72896c572939af105b59ec0164dd
                                                                                • Instruction ID: e4c2d8007b2c93003aed9f67ce65faf334b8443e701dfec9f90d3b6521e51b43
                                                                                • Opcode Fuzzy Hash: dbed1fcdc9d5eb600466f0e0715e4d39375a72896c572939af105b59ec0164dd
                                                                                • Instruction Fuzzy Hash: 1711E0B6C006498FCB10CF9AC444ADEFBF4EB89324F10846AD469A7614C379A586CFA5
                                                                                Function 05158870 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • PostMessageW.USER32(?,00000010,00000000,?), ref: 0515FC55
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1775929352.0000000005150000.00000040.00000800.00020000.00000000.sdmp, Offset: 05150000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5150000_DHL AWB_NO_9078538809.jbxd
                                                                                Similarity
                                                                                • API ID: MessagePost
                                                                                • String ID:
                                                                                • API String ID: 410705778-0
                                                                                • Opcode ID: a3fda2675649b8f77ce1e930ecd63ff7506ed8b2244ade638e23a448a2669e43
                                                                                • Instruction ID: a7d2809705719ab9684d554deef96012b08155e1a31a5b55dad36679335218f3
                                                                                • Opcode Fuzzy Hash: a3fda2675649b8f77ce1e930ecd63ff7506ed8b2244ade638e23a448a2669e43
                                                                                • Instruction Fuzzy Hash: E91106B5800349DFCB10DF99C589BDEBBF8FB48324F108419E969A7200C375A984CFA5
                                                                                Function 0515FBF0 Relevance: 1.5, APIs: 1, Instructions: 46windowCOMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • PostMessageW.USER32(?,00000010,00000000,?), ref: 0515FC55
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1775929352.0000000005150000.00000040.00000800.00020000.00000000.sdmp, Offset: 05150000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5150000_DHL AWB_NO_9078538809.jbxd
                                                                                Similarity
                                                                                • API ID: MessagePost
                                                                                • String ID:
                                                                                • API String ID: 410705778-0
                                                                                • Opcode ID: ab0e5e46dfb65c93f1bd1e4e759084016916668894f79a56e300874aca9e75a8
                                                                                • Instruction ID: fa91855a97fdee7dcf9e940300dd962a0c7db3726a1eab7babad18a0a3eb5898
                                                                                • Opcode Fuzzy Hash: ab0e5e46dfb65c93f1bd1e4e759084016916668894f79a56e300874aca9e75a8
                                                                                • Instruction Fuzzy Hash: CE11E3B58043489FCB10DF9AD589BDEFFF8EB48324F208859D998A7200C375A544CFA5
                                                                                Function 0A451F58 Relevance: .1, Instructions: 78COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1780448658.000000000A450000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A450000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_a450000_DHL AWB_NO_9078538809.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 1a0b785789ebc096d12de139a02857634f0573aca373ababe27b77d5b26da85c
                                                                                • Instruction ID: d3ae7bb00a8049836458301b94631ddfa8227658ce6710d7ac6ca80012d5c6a6
                                                                                • Opcode Fuzzy Hash: 1a0b785789ebc096d12de139a02857634f0573aca373ababe27b77d5b26da85c
                                                                                • Instruction Fuzzy Hash: BD319139A05258DFCB04DFA9D840EDEFBF5BF49300F1441AAE514AB262E7719845CB50
                                                                                Function 0082D3D8 Relevance: .1, Instructions: 75COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1767717130.000000000082D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0082D000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_82d000_DHL AWB_NO_9078538809.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 4293eb0332f3e5fba04217c9b6a6bed6eb292f68086ab077f90d62cd0a609227
                                                                                • Instruction ID: 74f29fa3c6ffccbd829a1010979d314db54627bdee088843c5d3a2bafbe6004e
                                                                                • Opcode Fuzzy Hash: 4293eb0332f3e5fba04217c9b6a6bed6eb292f68086ab077f90d62cd0a609227
                                                                                • Instruction Fuzzy Hash: 8B213A71504304DFDB05EF14E9C4B16BF65FB94314F20C169D9098F256C336E896C7A1
                                                                                Function 0094D1D4 Relevance: .1, Instructions: 72COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1767931645.000000000094D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0094D000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_94d000_DHL AWB_NO_9078538809.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 881f1858a550317dc8ddda8be7261da76c9a1237192c4afa605c1a9ca2b71bad
                                                                                • Instruction ID: 0eeea2415a433739dfcd07d8ec02255ed8b45bcebb321d803790bfb4e2566788
                                                                                • Opcode Fuzzy Hash: 881f1858a550317dc8ddda8be7261da76c9a1237192c4afa605c1a9ca2b71bad
                                                                                • Instruction Fuzzy Hash: C4213B79604200DFDB05DF14D5C4F26BBA5FB84314F20CA6DE9094B355C3BAD846CB61
                                                                                Function 0094D01C Relevance: .1, Instructions: 72COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1767931645.000000000094D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0094D000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_94d000_DHL AWB_NO_9078538809.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 274217d775a168a2e136345e961470c32a95637a3e10d2d6acf835a2d4a5ea2d
                                                                                • Instruction ID: 20d162db7593c837bcce71aaf1628a1f17254f1b7812b085bc46d39446cfc1ad
                                                                                • Opcode Fuzzy Hash: 274217d775a168a2e136345e961470c32a95637a3e10d2d6acf835a2d4a5ea2d
                                                                                • Instruction Fuzzy Hash: E021F279604200DFDB14DF14D984F26BBA5EB84314F20C96DD80A4B296C33AD847CA61
                                                                                Function 0094D006 Relevance: .1, Instructions: 62COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1767931645.000000000094D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0094D000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_94d000_DHL AWB_NO_9078538809.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 13f8889264f563c373c58121073ca5916c4e4fd413b6f568be4a09ff12c5f7a8
                                                                                • Instruction ID: 18ea82734e243820873b90b25611466793a1e8717af1baf9143e5403ae2cf3c0
                                                                                • Opcode Fuzzy Hash: 13f8889264f563c373c58121073ca5916c4e4fd413b6f568be4a09ff12c5f7a8
                                                                                • Instruction Fuzzy Hash: 76215E755093808FDB16CF24D994B15BF71EB46314F28C5EAD8498F6A7C33A980ACB62
                                                                                Function 0082D3D3 Relevance: .1, Instructions: 56COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1767717130.000000000082D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0082D000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_82d000_DHL AWB_NO_9078538809.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                                                • Instruction ID: d4bbc839ced4ba48d8466fc276a6d7a660b54162676736ee90bb1b4b3b064a95
                                                                                • Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                                                • Instruction Fuzzy Hash: D911E172404380DFDB02DF00D9C4B16BF71FB94324F24C2A9D8094B256C33AE85ACBA1
                                                                                Function 0094D1CF Relevance: .1, Instructions: 53COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1767931645.000000000094D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0094D000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_94d000_DHL AWB_NO_9078538809.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                                                • Instruction ID: e7e9729a33ecfbe1e89e7c88148092dcaf1059ba2e166721d38158f2a62a23fe
                                                                                • Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                                                • Instruction Fuzzy Hash: 36118B79504280DFDB16CF14D5C4B15BBA1FB84314F24C6AAD8494B696C37AD84ACB61
                                                                                Function 0082D759 Relevance: .0, Instructions: 45COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1767717130.000000000082D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0082D000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_82d000_DHL AWB_NO_9078538809.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: e73bc601ad0cc2dd1c42991497c94465815a6a1b075ee8bbe2f1421b95c60f72
                                                                                • Instruction ID: e36f0ac2f94560275c4fda89ce930a880608c84f9030f739a017760c637df16c
                                                                                • Opcode Fuzzy Hash: e73bc601ad0cc2dd1c42991497c94465815a6a1b075ee8bbe2f1421b95c60f72
                                                                                • Instruction Fuzzy Hash: A401A7710093549EE7108A25ED84767FFD8FF55324F18C56AED098A286C37D9880C6B1
                                                                                Function 0082D758 Relevance: .0, Instructions: 36COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1767717130.000000000082D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0082D000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_82d000_DHL AWB_NO_9078538809.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 240905fb0c99c5d804e15beeffbe5789665c8b149aa1ccf62d7f10de3626fc3a
                                                                                • Instruction ID: 4c068c910441d2c0123edf5e92504ffccf1f5029124e5354ec1a08dc40e1d9f6
                                                                                • Opcode Fuzzy Hash: 240905fb0c99c5d804e15beeffbe5789665c8b149aa1ccf62d7f10de3626fc3a
                                                                                • Instruction Fuzzy Hash: 86F062714043549EE7108A16DCC4B62FFA8FF55724F18C45AED484B286C379AC84CAB1
                                                                                Function 0A4517C0 Relevance: .0, Instructions: 35COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1780448658.000000000A450000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A450000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_a450000_DHL AWB_NO_9078538809.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 8da9ab541e44fab7fa5dfe9c6efebcf4d67accbde887237f7f8dc0ca565e6b71
                                                                                • Instruction ID: 8b81877c7f45b07853e0ca1925989aab4cd8d26a4cdf9a74d5e071ff347e5cf2
                                                                                • Opcode Fuzzy Hash: 8da9ab541e44fab7fa5dfe9c6efebcf4d67accbde887237f7f8dc0ca565e6b71
                                                                                • Instruction Fuzzy Hash: 50F059A590E2849FC721EBB88D112A97FB0DB03100B0506EBD451C7072E9248B09D752
                                                                                Function 0A451779 Relevance: .0, Instructions: 27COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1780448658.000000000A450000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A450000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_a450000_DHL AWB_NO_9078538809.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: af7964c39cdf36ee361957cd1e2a77f3889855644efe6ca0557031f16700d9f7
                                                                                • Instruction ID: 75f9221001fcc9b43293a038e9076b50056dda3f90cc7c2bcabc45d212405ec8
                                                                                • Opcode Fuzzy Hash: af7964c39cdf36ee361957cd1e2a77f3889855644efe6ca0557031f16700d9f7
                                                                                • Instruction Fuzzy Hash: 32E0922454A2889FCB119BB89D106AE7FB8DB47101F015AEBA414C7062D9394A089BA1
                                                                                Function 0A451F43 Relevance: .0, Instructions: 24COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1780448658.000000000A450000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A450000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_a450000_DHL AWB_NO_9078538809.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: bcf9115708356bf8ba3d7f6edceb7b40457298d9ba62a07f26e12e02638573ff
                                                                                • Instruction ID: 8d1620be3b1dbe278b8c3cb5c9dc84343b90ca78a11cb0b4cf281df3a5ea1f72
                                                                                • Opcode Fuzzy Hash: bcf9115708356bf8ba3d7f6edceb7b40457298d9ba62a07f26e12e02638573ff
                                                                                • Instruction Fuzzy Hash: B0F0ED34105380AFC3029B74D805C853FB2AFA6240315C1A6E4448B237E732C8AACF10
                                                                                Function 0A451788 Relevance: .0, Instructions: 20COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1780448658.000000000A450000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A450000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_a450000_DHL AWB_NO_9078538809.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 0ac636ba7a5d372ac4538e5b54cce3e2634225e9b81c693780852e662eebb26f
                                                                                • Instruction ID: b95691782ad4f3aef9711c0fd0112c9c65235729ed7f511678df221fa8700aab
                                                                                • Opcode Fuzzy Hash: 0ac636ba7a5d372ac4538e5b54cce3e2634225e9b81c693780852e662eebb26f
                                                                                • Instruction Fuzzy Hash: 6EE0C23495520CEFCB10EFBCD9006AEBBF9DB0A200F0065A6981583120EE314A009F91

                                                                                Non-executed Functions

                                                                                Function 02680040 Relevance: .3, Instructions: 315COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1769330965.0000000002680000.00000040.00000800.00020000.00000000.sdmp, Offset: 02680000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_2680000_DHL AWB_NO_9078538809.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 3b7ea03569de8726005f84043f60c9065d516ef0c2ecfc6bee2984a3cac5e49e
                                                                                • Instruction ID: 59c62f04c7ea25b7850d14c303d02efe961dba5052466b0706b939eff68ebd7a
                                                                                • Opcode Fuzzy Hash: 3b7ea03569de8726005f84043f60c9065d516ef0c2ecfc6bee2984a3cac5e49e
                                                                                • Instruction Fuzzy Hash: 371272F0921F468AE710CF65FE4C38D7BB1BB85318B905609D2616B2F5DBB8158ACF84
                                                                                Function 05159668 Relevance: .3, Instructions: 312COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1775929352.0000000005150000.00000040.00000800.00020000.00000000.sdmp, Offset: 05150000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5150000_DHL AWB_NO_9078538809.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 8aaa78e4b4d2176a67c6c5a66fcaf049a58acff337e39d2274b322a6ecf9b59f
                                                                                • Instruction ID: d7d0865b4fbe6329da8fde47e99f65944b76b508c1374bba61ecddbcbd1052ad
                                                                                • Opcode Fuzzy Hash: 8aaa78e4b4d2176a67c6c5a66fcaf049a58acff337e39d2274b322a6ecf9b59f
                                                                                • Instruction Fuzzy Hash: B3E1FA74E04119CFCB14DFA9C5809AEFBB2FF89314F24916AD815AB35ADB30A941CF61
                                                                                Function 0515B178 Relevance: .3, Instructions: 312COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1775929352.0000000005150000.00000040.00000800.00020000.00000000.sdmp, Offset: 05150000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5150000_DHL AWB_NO_9078538809.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 37cce7f128d42cc0ef6746fbc077d078a9bec7b4842cd97123606be2b55430c0
                                                                                • Instruction ID: dc47906dd00ae670a279a6d3a8ab0064d34706308d55b809af7f2d2a73ae6ace
                                                                                • Opcode Fuzzy Hash: 37cce7f128d42cc0ef6746fbc077d078a9bec7b4842cd97123606be2b55430c0
                                                                                • Instruction Fuzzy Hash: 47E1E974E04119CFCB14DFA9C5809AEFBB2BF89314F249169E815AB35ADB30A941CF60
                                                                                Function 05159230 Relevance: .3, Instructions: 312COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1775929352.0000000005150000.00000040.00000800.00020000.00000000.sdmp, Offset: 05150000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5150000_DHL AWB_NO_9078538809.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: e4bf8edf8bd351ebe1b0f2d9958cadf43a93bf3bc7a0009fca33427a97787cac
                                                                                • Instruction ID: e5eb9473e32c61d8c89503e7004ab9bec50a1dcc836499bd471fd215d571d035
                                                                                • Opcode Fuzzy Hash: e4bf8edf8bd351ebe1b0f2d9958cadf43a93bf3bc7a0009fca33427a97787cac
                                                                                • Instruction Fuzzy Hash: 3DE1E974E04119CFCB14DFA9C5809AEFBB2BF89314F249169E819AB35AD730AD41CF61
                                                                                Function 05159ED8 Relevance: .3, Instructions: 312COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1775929352.0000000005150000.00000040.00000800.00020000.00000000.sdmp, Offset: 05150000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5150000_DHL AWB_NO_9078538809.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 4eeb0d95f6c2a7d0441e99dab1e1ddf6dc7e4ecd79ca3ff43b6b571a70aaa639
                                                                                • Instruction ID: d5047996e3d06839146251b522f7d052e246654eabc3408579b92572f187d42a
                                                                                • Opcode Fuzzy Hash: 4eeb0d95f6c2a7d0441e99dab1e1ddf6dc7e4ecd79ca3ff43b6b571a70aaa639
                                                                                • Instruction Fuzzy Hash: 7CE11A74E04119CFCB14DFA9C5809AEFBB2BF88315F24D159E814AB35AD731A981CF61
                                                                                Function 05159AA0 Relevance: .3, Instructions: 312COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1775929352.0000000005150000.00000040.00000800.00020000.00000000.sdmp, Offset: 05150000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5150000_DHL AWB_NO_9078538809.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: dd1c708d1fbaa646186ef7e8a60351750567b1765d47524d60cf515c456a7060
                                                                                • Instruction ID: edade81e220489f598ed9e7aeea5274edba68900e0ce960213ac215b6975124b
                                                                                • Opcode Fuzzy Hash: dd1c708d1fbaa646186ef7e8a60351750567b1765d47524d60cf515c456a7060
                                                                                • Instruction Fuzzy Hash: 72E1E974E00119CFCB14DFA9C5809AEFBB2FF89314F249169E815AB35AD731A981CF61
                                                                                Function 05150559 Relevance: .3, Instructions: 266COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1775929352.0000000005150000.00000040.00000800.00020000.00000000.sdmp, Offset: 05150000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5150000_DHL AWB_NO_9078538809.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 1c09fdab501c913d9bd904db627b4699a78d6e41482400767d69e8fe39722cba
                                                                                • Instruction ID: e5eb326d73dbdbc9105968b5d7a2df44eaef089d319dc0fe5cdcec8fc875412c
                                                                                • Opcode Fuzzy Hash: 1c09fdab501c913d9bd904db627b4699a78d6e41482400767d69e8fe39722cba
                                                                                • Instruction Fuzzy Hash: C3D1053192065A8ADB10EBA4D99069DF7B1FF95300F10D79AE40937225FF70AAC5CF91
                                                                                Function 00C1D344 Relevance: .3, Instructions: 264COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1768689341.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_c10000_DHL AWB_NO_9078538809.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 13b1badbac7f087f300446310ffbb35cbb04e7b4a2b6d6b5d2e0be8257b9684d
                                                                                • Instruction ID: 1c380b054be268c51f57b300068df3b8d8de5bb40f561732567c148694063a21
                                                                                • Opcode Fuzzy Hash: 13b1badbac7f087f300446310ffbb35cbb04e7b4a2b6d6b5d2e0be8257b9684d
                                                                                • Instruction Fuzzy Hash: C0A14E32A102098FCF05DFA5C8405DEB7B2FF8A300B15857EE915AB265DB71EA96DB40
                                                                                Function 05150560 Relevance: .3, Instructions: 264COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1775929352.0000000005150000.00000040.00000800.00020000.00000000.sdmp, Offset: 05150000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5150000_DHL AWB_NO_9078538809.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 9417022942c39654000562fb74c967cbd3be73e3fc49266681674cd4af377e2b
                                                                                • Instruction ID: c2f45c45fe0f6ac8bd00d1b8d7a9c9171ed5e6544c339a82582b3f7f0f12209f
                                                                                • Opcode Fuzzy Hash: 9417022942c39654000562fb74c967cbd3be73e3fc49266681674cd4af377e2b
                                                                                • Instruction Fuzzy Hash: 2CD1053192065A8ADB10EBA4D99069DF7B1FF95300F10D79AE40937225FF70AAC5CF91
                                                                                Function 02680006 Relevance: .2, Instructions: 240COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1769330965.0000000002680000.00000040.00000800.00020000.00000000.sdmp, Offset: 02680000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_2680000_DHL AWB_NO_9078538809.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: ec5721dda60576edc8e08fb7c30f910d1e3fb9b8a3a858277a44635041f7b4ee
                                                                                • Instruction ID: e2b431bf9dc30e1aecfe974a04f153f18b5c385cfc1960416f915128e4511da6
                                                                                • Opcode Fuzzy Hash: ec5721dda60576edc8e08fb7c30f910d1e3fb9b8a3a858277a44635041f7b4ee
                                                                                • Instruction Fuzzy Hash: 56C114B0821B468FD711CF69FE4838D7BB1BB89328B545609D1616F2F5EBB8148ACF44
                                                                                Function 0515B169 Relevance: .1, Instructions: 135COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1775929352.0000000005150000.00000040.00000800.00020000.00000000.sdmp, Offset: 05150000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5150000_DHL AWB_NO_9078538809.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 36989962023d1974b16dad77850b1296d0f17899f3bf78e562ac54737d598710
                                                                                • Instruction ID: c2357ea97c49cef82c86ba3c84a45f061e464d3fb8728bbfae500882ac44461e
                                                                                • Opcode Fuzzy Hash: 36989962023d1974b16dad77850b1296d0f17899f3bf78e562ac54737d598710
                                                                                • Instruction Fuzzy Hash: CB510D70E04219CBCB14CFA9C5809AEFBF2FF89314F24D16AD819A7256D730A941CFA1
                                                                                Function 05159EC8 Relevance: .1, Instructions: 135COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1775929352.0000000005150000.00000040.00000800.00020000.00000000.sdmp, Offset: 05150000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5150000_DHL AWB_NO_9078538809.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 2531906ce07f29d5f22501891151b5ff105f480051e5970abbe635b130a04ef2
                                                                                • Instruction ID: b68735784ae4dc8ddda1d023bdd0105680923e314f2758a070fdc90babf90458
                                                                                • Opcode Fuzzy Hash: 2531906ce07f29d5f22501891151b5ff105f480051e5970abbe635b130a04ef2
                                                                                • Instruction Fuzzy Hash: 75510A70E04219CFDB14CFA9C9805AEFBB2FF89305F24D16AD418AB256D7359941CF61

                                                                                Execution Graph

                                                                                Execution Coverage:10%
                                                                                Dynamic/Decrypted Code Coverage:100%
                                                                                Signature Coverage:0%
                                                                                Total number of Nodes:166
                                                                                Total number of Limit Nodes:15
                                                                                execution_graph 26308 6d5c596 26309 6d5c2e1 26308->26309 26310 6d5c3d6 26309->26310 26314 6d5d640 26309->26314 26329 6d5d69e 26309->26329 26345 6d5d630 26309->26345 26315 6d5d65a 26314->26315 26320 6d5d67e 26315->26320 26360 6d5dfdb 26315->26360 26365 6d5ddfd 26315->26365 26369 6d5de16 26315->26369 26374 6d5dc77 26315->26374 26378 6d5dbf5 26315->26378 26383 6d5df0b 26315->26383 26388 6d5da69 26315->26388 26394 6d5dc40 26315->26394 26399 6d5dfa6 26315->26399 26404 6d5dcc7 26315->26404 26412 6d5e0e4 26315->26412 26416 6d5e17a 26315->26416 26320->26309 26330 6d5d62c 26329->26330 26332 6d5d6a1 26329->26332 26331 6d5d67e 26330->26331 26333 6d5dbf5 2 API calls 26330->26333 26334 6d5dc77 2 API calls 26330->26334 26335 6d5de16 2 API calls 26330->26335 26336 6d5ddfd ResumeThread 26330->26336 26337 6d5dfdb 2 API calls 26330->26337 26338 6d5e17a 2 API calls 26330->26338 26339 6d5e0e4 ResumeThread 26330->26339 26340 6d5dcc7 4 API calls 26330->26340 26341 6d5dfa6 2 API calls 26330->26341 26342 6d5dc40 2 API calls 26330->26342 26343 6d5da69 2 API calls 26330->26343 26344 6d5df0b 2 API calls 26330->26344 26331->26309 26333->26331 26334->26331 26335->26331 26336->26331 26337->26331 26338->26331 26339->26331 26340->26331 26341->26331 26342->26331 26343->26331 26344->26331 26346 6d5d65a 26345->26346 26347 6d5d67e 26346->26347 26348 6d5dbf5 2 API calls 26346->26348 26349 6d5dc77 2 API calls 26346->26349 26350 6d5de16 2 API calls 26346->26350 26351 6d5ddfd ResumeThread 26346->26351 26352 6d5dfdb 2 API calls 26346->26352 26353 6d5e17a 2 API calls 26346->26353 26354 6d5e0e4 ResumeThread 26346->26354 26355 6d5dcc7 4 API calls 26346->26355 26356 6d5dfa6 2 API calls 26346->26356 26357 6d5dc40 2 API calls 26346->26357 26358 6d5da69 2 API calls 26346->26358 26359 6d5df0b 2 API calls 26346->26359 26347->26309 26348->26347 26349->26347 26350->26347 26351->26347 26352->26347 26353->26347 26354->26347 26355->26347 26356->26347 26357->26347 26358->26347 26359->26347 26420 6d5bb80 26360->26420 26424 6d5bb78 26360->26424 26361 6d5dbeb 26361->26360 26362 6d5dbfd 26361->26362 26362->26320 26366 6d5de04 26365->26366 26428 6d5b9f8 26366->26428 26370 6d5de23 26369->26370 26432 6d5bc40 26370->26432 26436 6d5bc38 26370->26436 26371 6d5e370 26376 6d5bc40 WriteProcessMemory 26374->26376 26377 6d5bc38 WriteProcessMemory 26374->26377 26375 6d5dca8 26375->26320 26376->26375 26377->26375 26379 6d5dbeb 26378->26379 26380 6d5dbfd 26379->26380 26381 6d5bb80 VirtualAllocEx 26379->26381 26382 6d5bb78 VirtualAllocEx 26379->26382 26380->26320 26381->26379 26382->26379 26384 6d5dbeb 26383->26384 26385 6d5dbfd 26384->26385 26386 6d5bb80 VirtualAllocEx 26384->26386 26387 6d5bb78 VirtualAllocEx 26384->26387 26385->26320 26386->26384 26387->26384 26390 6d5da75 26388->26390 26389 6d5da97 26389->26320 26390->26389 26440 6d5bec7 26390->26440 26444 6d5bec8 26390->26444 26395 6d5df57 26394->26395 26448 6d5bd30 26395->26448 26452 6d5bd28 26395->26452 26396 6d5dd91 26396->26320 26400 6d5e2d2 26399->26400 26456 6d5baa1 26400->26456 26460 6d5baa8 26400->26460 26401 6d5e0ae 26401->26320 26405 6d5dcd0 26404->26405 26410 6d5bc40 WriteProcessMemory 26405->26410 26411 6d5bc38 WriteProcessMemory 26405->26411 26406 6d5dbeb 26407 6d5dbfd 26406->26407 26408 6d5bb80 VirtualAllocEx 26406->26408 26409 6d5bb78 VirtualAllocEx 26406->26409 26407->26320 26408->26406 26409->26406 26410->26406 26411->26406 26413 6d5e0ea 26412->26413 26415 6d5b9f8 ResumeThread 26413->26415 26414 6d5e271 26415->26414 26418 6d5baa1 Wow64SetThreadContext 26416->26418 26419 6d5baa8 Wow64SetThreadContext 26416->26419 26417 6d5e197 26418->26417 26419->26417 26421 6d5bbc0 VirtualAllocEx 26420->26421 26423 6d5bbfd 26421->26423 26423->26361 26425 6d5bbc0 VirtualAllocEx 26424->26425 26427 6d5bbfd 26425->26427 26427->26361 26429 6d5ba38 ResumeThread 26428->26429 26431 6d5ba69 26429->26431 26433 6d5bc88 WriteProcessMemory 26432->26433 26435 6d5bcdf 26433->26435 26435->26371 26437 6d5bc88 WriteProcessMemory 26436->26437 26439 6d5bcdf 26437->26439 26439->26371 26441 6d5bec8 CreateProcessA 26440->26441 26443 6d5c113 26441->26443 26445 6d5bf51 CreateProcessA 26444->26445 26447 6d5c113 26445->26447 26447->26447 26449 6d5bd7b ReadProcessMemory 26448->26449 26451 6d5bdbf 26449->26451 26451->26396 26453 6d5bd30 ReadProcessMemory 26452->26453 26455 6d5bdbf 26453->26455 26455->26396 26457 6d5baa8 Wow64SetThreadContext 26456->26457 26459 6d5bb35 26457->26459 26459->26401 26461 6d5baed Wow64SetThreadContext 26460->26461 26463 6d5bb35 26461->26463 26463->26401 26470 6d5e840 26471 6d5e9cb 26470->26471 26472 6d5e866 26470->26472 26472->26471 26474 6d58870 26472->26474 26475 6d5eac0 PostMessageW 26474->26475 26476 6d5eb2c 26475->26476 26476->26472 26477 c7ac90 26478 c7ac9f 26477->26478 26481 c7ad88 26477->26481 26486 c7ad79 26477->26486 26482 c7adbc 26481->26482 26484 c7ad99 26481->26484 26482->26478 26483 c7afc0 GetModuleHandleW 26485 c7afed 26483->26485 26484->26482 26484->26483 26485->26478 26487 c7adbc 26486->26487 26488 c7ad99 26486->26488 26487->26478 26488->26487 26489 c7afc0 GetModuleHandleW 26488->26489 26490 c7afed 26489->26490 26490->26478 26501 c7d660 DuplicateHandle 26502 c7d6f6 26501->26502 26464 6d5c3dd 26465 6d5c3e7 26464->26465 26466 6d5c3d6 26465->26466 26467 6d5d640 11 API calls 26465->26467 26468 6d5d630 11 API calls 26465->26468 26469 6d5d69e 11 API calls 26465->26469 26467->26465 26468->26465 26469->26465 26491 c7d418 26492 c7d45e GetCurrentProcess 26491->26492 26494 c7d4b0 GetCurrentThread 26492->26494 26495 c7d4a9 26492->26495 26496 c7d4e6 26494->26496 26497 c7d4ed GetCurrentProcess 26494->26497 26495->26494 26496->26497 26498 c7d523 GetCurrentThreadId 26497->26498 26500 c7d57c 26498->26500 26503 c74668 26504 c7467a 26503->26504 26505 c74686 26504->26505 26507 c74778 26504->26507 26508 c7479d 26507->26508 26512 c74879 26508->26512 26516 c74888 26508->26516 26513 c74888 26512->26513 26514 c7498c 26513->26514 26520 c744b4 26513->26520 26518 c748af 26516->26518 26517 c7498c 26517->26517 26518->26517 26519 c744b4 CreateActCtxA 26518->26519 26519->26517 26521 c75918 CreateActCtxA 26520->26521 26523 c759db 26521->26523

                                                                                Executed Functions

                                                                                Function 00C7D418 Relevance: 6.1, APIs: 4, Instructions: 128threadCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 793 c7d418-c7d4a7 GetCurrentProcess 797 c7d4b0-c7d4e4 GetCurrentThread 793->797 798 c7d4a9-c7d4af 793->798 799 c7d4e6-c7d4ec 797->799 800 c7d4ed-c7d521 GetCurrentProcess 797->800 798->797 799->800 802 c7d523-c7d529 800->802 803 c7d52a-c7d542 800->803 802->803 806 c7d54b-c7d57a GetCurrentThreadId 803->806 807 c7d583-c7d5e5 806->807 808 c7d57c-c7d582 806->808 808->807
                                                                                APIs
                                                                                • GetCurrentProcess.KERNEL32 ref: 00C7D496
                                                                                • GetCurrentThread.KERNEL32 ref: 00C7D4D3
                                                                                • GetCurrentProcess.KERNEL32 ref: 00C7D510
                                                                                • GetCurrentThreadId.KERNEL32 ref: 00C7D569
                                                                                Memory Dump Source
                                                                                • Source File: 00000007.00000002.1801225938.0000000000C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C70000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_7_2_c70000_GAmFKUIDBo.jbxd
                                                                                Similarity
                                                                                • API ID: Current$ProcessThread
                                                                                • String ID:
                                                                                • API String ID: 2063062207-0
                                                                                • Opcode ID: d5bc082657a635c0e3a00df00362ca7d09ff91b796a57bdf61ffef27b5cd0207
                                                                                • Instruction ID: 483f7e481814aa119588158dd2c615446b19beed3a9c534fe035c6bf25482648
                                                                                • Opcode Fuzzy Hash: d5bc082657a635c0e3a00df00362ca7d09ff91b796a57bdf61ffef27b5cd0207
                                                                                • Instruction Fuzzy Hash: 455147B0900209CFDB14DFAAD548B9EBBF1EF48314F24C469E019A73A0D775A988CF65
                                                                                Function 06D5BEC7 Relevance: 1.7, APIs: 1, Instructions: 244processCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 836 6d5bec7-6d5bf5d 839 6d5bf96-6d5bfb6 836->839 840 6d5bf5f-6d5bf69 836->840 847 6d5bfef-6d5c01e 839->847 848 6d5bfb8-6d5bfc2 839->848 840->839 841 6d5bf6b-6d5bf6d 840->841 842 6d5bf90-6d5bf93 841->842 843 6d5bf6f-6d5bf79 841->843 842->839 845 6d5bf7d-6d5bf8c 843->845 846 6d5bf7b 843->846 845->845 849 6d5bf8e 845->849 846->845 856 6d5c057-6d5c111 CreateProcessA 847->856 857 6d5c020-6d5c02a 847->857 848->847 850 6d5bfc4-6d5bfc6 848->850 849->842 851 6d5bfe9-6d5bfec 850->851 852 6d5bfc8-6d5bfd2 850->852 851->847 854 6d5bfd4 852->854 855 6d5bfd6-6d5bfe5 852->855 854->855 855->855 858 6d5bfe7 855->858 868 6d5c113-6d5c119 856->868 869 6d5c11a-6d5c1a0 856->869 857->856 859 6d5c02c-6d5c02e 857->859 858->851 861 6d5c051-6d5c054 859->861 862 6d5c030-6d5c03a 859->862 861->856 863 6d5c03c 862->863 864 6d5c03e-6d5c04d 862->864 863->864 864->864 866 6d5c04f 864->866 866->861 868->869 879 6d5c1b0-6d5c1b4 869->879 880 6d5c1a2-6d5c1a6 869->880 881 6d5c1c4-6d5c1c8 879->881 882 6d5c1b6-6d5c1ba 879->882 880->879 883 6d5c1a8 880->883 885 6d5c1d8-6d5c1dc 881->885 886 6d5c1ca-6d5c1ce 881->886 882->881 884 6d5c1bc 882->884 883->879 884->881 888 6d5c1ee-6d5c1f5 885->888 889 6d5c1de-6d5c1e4 885->889 886->885 887 6d5c1d0 886->887 887->885 890 6d5c1f7-6d5c206 888->890 891 6d5c20c 888->891 889->888 890->891 892 6d5c20d 891->892 892->892
                                                                                APIs
                                                                                • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06D5C0FE
                                                                                Memory Dump Source
                                                                                • Source File: 00000007.00000002.1805919448.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_7_2_6d50000_GAmFKUIDBo.jbxd
                                                                                Similarity
                                                                                • API ID: CreateProcess
                                                                                • String ID:
                                                                                • API String ID: 963392458-0
                                                                                • Opcode ID: 3ae44d49db74e59c0cb7b24e58b33edde2cae8a08bbb124b755bd799c987f863
                                                                                • Instruction ID: 7ec1868f3e4f4f956a386773885dccf4cdc38d3e77c7ee3daa0de4202355e746
                                                                                • Opcode Fuzzy Hash: 3ae44d49db74e59c0cb7b24e58b33edde2cae8a08bbb124b755bd799c987f863
                                                                                • Instruction Fuzzy Hash: DB915871D103199FDF60CFA8C841BADBBB2BF48314F1585AAE808A7290DB759985CF91
                                                                                Function 06D5BEC8 Relevance: 1.7, APIs: 1, Instructions: 243processCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 894 6d5bec8-6d5bf5d 896 6d5bf96-6d5bfb6 894->896 897 6d5bf5f-6d5bf69 894->897 904 6d5bfef-6d5c01e 896->904 905 6d5bfb8-6d5bfc2 896->905 897->896 898 6d5bf6b-6d5bf6d 897->898 899 6d5bf90-6d5bf93 898->899 900 6d5bf6f-6d5bf79 898->900 899->896 902 6d5bf7d-6d5bf8c 900->902 903 6d5bf7b 900->903 902->902 906 6d5bf8e 902->906 903->902 913 6d5c057-6d5c111 CreateProcessA 904->913 914 6d5c020-6d5c02a 904->914 905->904 907 6d5bfc4-6d5bfc6 905->907 906->899 908 6d5bfe9-6d5bfec 907->908 909 6d5bfc8-6d5bfd2 907->909 908->904 911 6d5bfd4 909->911 912 6d5bfd6-6d5bfe5 909->912 911->912 912->912 915 6d5bfe7 912->915 925 6d5c113-6d5c119 913->925 926 6d5c11a-6d5c1a0 913->926 914->913 916 6d5c02c-6d5c02e 914->916 915->908 918 6d5c051-6d5c054 916->918 919 6d5c030-6d5c03a 916->919 918->913 920 6d5c03c 919->920 921 6d5c03e-6d5c04d 919->921 920->921 921->921 923 6d5c04f 921->923 923->918 925->926 936 6d5c1b0-6d5c1b4 926->936 937 6d5c1a2-6d5c1a6 926->937 938 6d5c1c4-6d5c1c8 936->938 939 6d5c1b6-6d5c1ba 936->939 937->936 940 6d5c1a8 937->940 942 6d5c1d8-6d5c1dc 938->942 943 6d5c1ca-6d5c1ce 938->943 939->938 941 6d5c1bc 939->941 940->936 941->938 945 6d5c1ee-6d5c1f5 942->945 946 6d5c1de-6d5c1e4 942->946 943->942 944 6d5c1d0 943->944 944->942 947 6d5c1f7-6d5c206 945->947 948 6d5c20c 945->948 946->945 947->948 949 6d5c20d 948->949 949->949
                                                                                APIs
                                                                                • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06D5C0FE
                                                                                Memory Dump Source
                                                                                • Source File: 00000007.00000002.1805919448.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_7_2_6d50000_GAmFKUIDBo.jbxd
                                                                                Similarity
                                                                                • API ID: CreateProcess
                                                                                • String ID:
                                                                                • API String ID: 963392458-0
                                                                                • Opcode ID: 885a0ab29a931d8dfcbfbd536df72c4b3f1611722129e9b1e54c7793bfdefe8c
                                                                                • Instruction ID: 4d29fbda004c61a369e09109d9cd4e02d68a0a82ce3c6154d89901a01c6d8dda
                                                                                • Opcode Fuzzy Hash: 885a0ab29a931d8dfcbfbd536df72c4b3f1611722129e9b1e54c7793bfdefe8c
                                                                                • Instruction Fuzzy Hash: 6C915871D10319DFDF60CFA8C841BADBBB2BF48314F1585AAE808A7290DB759985CF91
                                                                                Function 00C7AD88 Relevance: 1.7, APIs: 1, Instructions: 198COMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 951 c7ad88-c7ad97 952 c7adc3-c7adc7 951->952 953 c7ad99-c7ada6 call c7a0e0 951->953 955 c7addb-c7ae1c 952->955 956 c7adc9-c7add3 952->956 958 c7adbc 953->958 959 c7ada8 953->959 962 c7ae1e-c7ae26 955->962 963 c7ae29-c7ae37 955->963 956->955 958->952 1008 c7adae call c7b010 959->1008 1009 c7adae call c7b020 959->1009 962->963 964 c7ae5b-c7ae5d 963->964 965 c7ae39-c7ae3e 963->965 970 c7ae60-c7ae67 964->970 967 c7ae40-c7ae47 call c7a0ec 965->967 968 c7ae49 965->968 966 c7adb4-c7adb6 966->958 969 c7aef8-c7af76 966->969 972 c7ae4b-c7ae59 967->972 968->972 1001 c7af7a-c7afb8 969->1001 1002 c7af78-c7af79 969->1002 973 c7ae74-c7ae7b 970->973 974 c7ae69-c7ae71 970->974 972->970 976 c7ae7d-c7ae85 973->976 977 c7ae88-c7ae91 call c7a0fc 973->977 974->973 976->977 982 c7ae93-c7ae9b 977->982 983 c7ae9e-c7aea3 977->983 982->983 984 c7aea5-c7aeac 983->984 985 c7aec1-c7aece 983->985 984->985 987 c7aeae-c7aebe call c7a10c call c7a11c 984->987 992 c7aef1-c7aef7 985->992 993 c7aed0-c7aeee 985->993 987->985 993->992 1003 c7afc0-c7afeb GetModuleHandleW 1001->1003 1004 c7afba-c7afbd 1001->1004 1002->1001 1005 c7aff4-c7b008 1003->1005 1006 c7afed-c7aff3 1003->1006 1004->1003 1006->1005 1008->966 1009->966
                                                                                APIs
                                                                                • GetModuleHandleW.KERNELBASE(00000000), ref: 00C7AFDE
                                                                                Memory Dump Source
                                                                                • Source File: 00000007.00000002.1801225938.0000000000C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C70000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_7_2_c70000_GAmFKUIDBo.jbxd
                                                                                Similarity
                                                                                • API ID: HandleModule
                                                                                • String ID:
                                                                                • API String ID: 4139908857-0
                                                                                • Opcode ID: 513b8bcb9fa556e3ac85506aef952e53dff2d6243324a051f5e8abbe94260423
                                                                                • Instruction ID: cc0ab76f6f40ee5bd2ff581cfed78935fe2a2506b4583ad4858d3a475c19ce13
                                                                                • Opcode Fuzzy Hash: 513b8bcb9fa556e3ac85506aef952e53dff2d6243324a051f5e8abbe94260423
                                                                                • Instruction Fuzzy Hash: BB714470A00B058FDB24DF2AD44175ABBF5BF88300F008A2DE49AD7B50D734E949CB92
                                                                                Function 00C75A84 Relevance: 1.6, APIs: 1, Instructions: 103COMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 1010 c75a84-c75b14
                                                                                Memory Dump Source
                                                                                • Source File: 00000007.00000002.1801225938.0000000000C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C70000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_7_2_c70000_GAmFKUIDBo.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: e606f14fc970be12364f06607ea42fcec59b9fd59b5b174224b5eeff8a149dbe
                                                                                • Instruction ID: bc83e79a7dc61af32b92613ec49e28c47b89292fbb0adeb2144ad3c2b46c3132
                                                                                • Opcode Fuzzy Hash: e606f14fc970be12364f06607ea42fcec59b9fd59b5b174224b5eeff8a149dbe
                                                                                • Instruction Fuzzy Hash: BC41FD71801A59CFDF10CFA9C8443EDBBB0EF52324F24C19AC059AB265D7B66A4BCB40
                                                                                Function 00C7590C Relevance: 1.6, APIs: 1, Instructions: 102COMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 1013 c7590c-c7598c 1015 c7598f-c759d9 CreateActCtxA 1013->1015 1017 c759e2-c75a3c 1015->1017 1018 c759db-c759e1 1015->1018 1025 c75a3e-c75a41 1017->1025 1026 c75a4b-c75a4f 1017->1026 1018->1017 1025->1026 1027 c75a51-c75a5d 1026->1027 1028 c75a60 1026->1028 1027->1028 1030 c75a61 1028->1030 1030->1030
                                                                                APIs
                                                                                • CreateActCtxA.KERNEL32(?), ref: 00C759C9
                                                                                Memory Dump Source
                                                                                • Source File: 00000007.00000002.1801225938.0000000000C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C70000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_7_2_c70000_GAmFKUIDBo.jbxd
                                                                                Similarity
                                                                                • API ID: Create
                                                                                • String ID:
                                                                                • API String ID: 2289755597-0
                                                                                • Opcode ID: 593fe5e7e78bc078f253b616bc8f657771a6817f04b3d6866030ba6b539a8ebf
                                                                                • Instruction ID: 32dbdede27ca44ba0b9a5b023e4b55c97cc21f0c810c277dabfcd26cf6ea312d
                                                                                • Opcode Fuzzy Hash: 593fe5e7e78bc078f253b616bc8f657771a6817f04b3d6866030ba6b539a8ebf
                                                                                • Instruction Fuzzy Hash: C84103B0C0071DCFDB24CFAAC8446DDBBB5BF45304F20816AD408AB251DBB5694ACF90
                                                                                Function 00C744B4 Relevance: 1.6, APIs: 1, Instructions: 96COMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 1031 c744b4-c759d9 CreateActCtxA 1035 c759e2-c75a3c 1031->1035 1036 c759db-c759e1 1031->1036 1043 c75a3e-c75a41 1035->1043 1044 c75a4b-c75a4f 1035->1044 1036->1035 1043->1044 1045 c75a51-c75a5d 1044->1045 1046 c75a60 1044->1046 1045->1046 1048 c75a61 1046->1048 1048->1048
                                                                                APIs
                                                                                • CreateActCtxA.KERNEL32(?), ref: 00C759C9
                                                                                Memory Dump Source
                                                                                • Source File: 00000007.00000002.1801225938.0000000000C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C70000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_7_2_c70000_GAmFKUIDBo.jbxd
                                                                                Similarity
                                                                                • API ID: Create
                                                                                • String ID:
                                                                                • API String ID: 2289755597-0
                                                                                • Opcode ID: b00428ba96ed2630bfac7f921515da2cb45a8a7a4afe107ffc8025adb49165a8
                                                                                • Instruction ID: ad081453bd19fcb6e312d0b0591d61bcb5fb1d61ee4c4b8e31b3d1dffbd1fffb
                                                                                • Opcode Fuzzy Hash: b00428ba96ed2630bfac7f921515da2cb45a8a7a4afe107ffc8025adb49165a8
                                                                                • Instruction Fuzzy Hash: 4D41F4B0C0071DCBDB24CFAAC84479DBBB5FF44304F20816AD408AB255DBB56946CF90
                                                                                Function 06D5BC38 Relevance: 1.6, APIs: 1, Instructions: 72injectionCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 1049 6d5bc38-6d5bc8e 1051 6d5bc90-6d5bc9c 1049->1051 1052 6d5bc9e-6d5bcdd WriteProcessMemory 1049->1052 1051->1052 1054 6d5bce6-6d5bd16 1052->1054 1055 6d5bcdf-6d5bce5 1052->1055 1055->1054
                                                                                APIs
                                                                                • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06D5BCD0
                                                                                Memory Dump Source
                                                                                • Source File: 00000007.00000002.1805919448.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_7_2_6d50000_GAmFKUIDBo.jbxd
                                                                                Similarity
                                                                                • API ID: MemoryProcessWrite
                                                                                • String ID:
                                                                                • API String ID: 3559483778-0
                                                                                • Opcode ID: f6dda1077ebb061f8188d8d1eeb7af3b07af4a998f2ee35d971e3d80302c2b14
                                                                                • Instruction ID: fa7a52e854ab2534c62bf16dd7fb6c653e7934e3e9e8752131ef4d8bfe4f0c72
                                                                                • Opcode Fuzzy Hash: f6dda1077ebb061f8188d8d1eeb7af3b07af4a998f2ee35d971e3d80302c2b14
                                                                                • Instruction Fuzzy Hash: 922148B1900359DFCB10CFA9C985BEEBBF4FF48310F10842AE959A7250C7789944CBA4
                                                                                Function 06D5BC40 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 1059 6d5bc40-6d5bc8e 1061 6d5bc90-6d5bc9c 1059->1061 1062 6d5bc9e-6d5bcdd WriteProcessMemory 1059->1062 1061->1062 1064 6d5bce6-6d5bd16 1062->1064 1065 6d5bcdf-6d5bce5 1062->1065 1065->1064
                                                                                APIs
                                                                                • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06D5BCD0
                                                                                Memory Dump Source
                                                                                • Source File: 00000007.00000002.1805919448.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_7_2_6d50000_GAmFKUIDBo.jbxd
                                                                                Similarity
                                                                                • API ID: MemoryProcessWrite
                                                                                • String ID:
                                                                                • API String ID: 3559483778-0
                                                                                • Opcode ID: 21633aaa920554eee56ee7b965cd81af1f317b642459c8d6facbc573a2373bf1
                                                                                • Instruction ID: 818eb71c274d9927d27531b67ab4e896601f8069260723897bb203726cf26bd7
                                                                                • Opcode Fuzzy Hash: 21633aaa920554eee56ee7b965cd81af1f317b642459c8d6facbc573a2373bf1
                                                                                • Instruction Fuzzy Hash: 6E2126B19003599FCB10CFA9C985BEEBBF5FF48310F10842AE959A7250C7789954CBA4
                                                                                Function 06D5BD28 Relevance: 1.6, APIs: 1, Instructions: 67COMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 1080 6d5bd28-6d5bdbd ReadProcessMemory 1084 6d5bdc6-6d5bdf6 1080->1084 1085 6d5bdbf-6d5bdc5 1080->1085 1085->1084
                                                                                APIs
                                                                                • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06D5BDB0
                                                                                Memory Dump Source
                                                                                • Source File: 00000007.00000002.1805919448.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_7_2_6d50000_GAmFKUIDBo.jbxd
                                                                                Similarity
                                                                                • API ID: MemoryProcessRead
                                                                                • String ID:
                                                                                • API String ID: 1726664587-0
                                                                                • Opcode ID: acfe52f0de14e138058e295611a5a17d8fc08c6235a2039479b92fce83356269
                                                                                • Instruction ID: c70edcae520c8312286ed037cf54a3e1465b10f431239754e1ac2e7fdb7bc249
                                                                                • Opcode Fuzzy Hash: acfe52f0de14e138058e295611a5a17d8fc08c6235a2039479b92fce83356269
                                                                                • Instruction Fuzzy Hash: 0F2107B18002599FCB10DFAAC944ADEFBF5FF48320F10842AE999A7250C7749945CFA4
                                                                                Function 06D5BAA1 Relevance: 1.6, APIs: 1, Instructions: 67threadCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 1069 6d5baa1-6d5baf3 1072 6d5baf5-6d5bb01 1069->1072 1073 6d5bb03-6d5bb33 Wow64SetThreadContext 1069->1073 1072->1073 1075 6d5bb35-6d5bb3b 1073->1075 1076 6d5bb3c-6d5bb6c 1073->1076 1075->1076
                                                                                APIs
                                                                                • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06D5BB26
                                                                                Memory Dump Source
                                                                                • Source File: 00000007.00000002.1805919448.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_7_2_6d50000_GAmFKUIDBo.jbxd
                                                                                Similarity
                                                                                • API ID: ContextThreadWow64
                                                                                • String ID:
                                                                                • API String ID: 983334009-0
                                                                                • Opcode ID: f8a5fd31d7a6ed826ba5e6b727cfccb233f5f256d6a58595c500f43779268d47
                                                                                • Instruction ID: abaf80d8b842c0ded1b21182428eab059516fdae531d3f88d6f6493dc3c49b7e
                                                                                • Opcode Fuzzy Hash: f8a5fd31d7a6ed826ba5e6b727cfccb233f5f256d6a58595c500f43779268d47
                                                                                • Instruction Fuzzy Hash: C92128B1D003098FDB10DFAAC5857AEBBF4EF48324F10842AD899A7251C7789945CFA4
                                                                                Function 06D5BD30 Relevance: 1.6, APIs: 1, Instructions: 63COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06D5BDB0
                                                                                Memory Dump Source
                                                                                • Source File: 00000007.00000002.1805919448.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_7_2_6d50000_GAmFKUIDBo.jbxd
                                                                                Similarity
                                                                                • API ID: MemoryProcessRead
                                                                                • String ID:
                                                                                • API String ID: 1726664587-0
                                                                                • Opcode ID: 66e8178570be5ddf75b201611bceb3a18960daf82718deedd5308fae6b07a155
                                                                                • Instruction ID: df8a355ab10c510538ccf068fa66a69ab53c3b67eb26750e1132c9210006c1fe
                                                                                • Opcode Fuzzy Hash: 66e8178570be5ddf75b201611bceb3a18960daf82718deedd5308fae6b07a155
                                                                                • Instruction Fuzzy Hash: 6A2116B1C002599FCB10DFAAC980AEEBBF5FF48320F10842AE959A7250C7349944CBA4
                                                                                Function 06D5BAA8 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06D5BB26
                                                                                Memory Dump Source
                                                                                • Source File: 00000007.00000002.1805919448.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_7_2_6d50000_GAmFKUIDBo.jbxd
                                                                                Similarity
                                                                                • API ID: ContextThreadWow64
                                                                                • String ID:
                                                                                • API String ID: 983334009-0
                                                                                • Opcode ID: 77ea7524cd86659e43f115a6d138053d60a572c6f7b296541c78003f76e9402c
                                                                                • Instruction ID: 4dca1e9384ffccd5ad0ee88c15bd4cd4b8bb3d2ac02ab768cfbc9634f12c67ff
                                                                                • Opcode Fuzzy Hash: 77ea7524cd86659e43f115a6d138053d60a572c6f7b296541c78003f76e9402c
                                                                                • Instruction Fuzzy Hash: CB213871D003098FDB10DFAAC585BEEBBF4EF48320F10842AD859A7241C7789944CFA4
                                                                                Function 00C7D660 Relevance: 1.6, APIs: 1, Instructions: 62COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00C7D6E7
                                                                                Memory Dump Source
                                                                                • Source File: 00000007.00000002.1801225938.0000000000C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C70000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_7_2_c70000_GAmFKUIDBo.jbxd
                                                                                Similarity
                                                                                • API ID: DuplicateHandle
                                                                                • String ID:
                                                                                • API String ID: 3793708945-0
                                                                                • Opcode ID: 31d23b6358a517e5fc5168a809d7007b0e57cd9d0930f5b6bf490ec29e449ff0
                                                                                • Instruction ID: 107331dd796613d9808e3b5efaac1072ddbb8350943a798e7ce8d4a782002cb2
                                                                                • Opcode Fuzzy Hash: 31d23b6358a517e5fc5168a809d7007b0e57cd9d0930f5b6bf490ec29e449ff0
                                                                                • Instruction Fuzzy Hash: 2921C2B59002599FDB10CFAAD984ADEFBF8FF48320F14841AE958A7350D374A944CFA5
                                                                                Function 06D5BB78 Relevance: 1.6, APIs: 1, Instructions: 56memoryCOMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06D5BBEE
                                                                                Memory Dump Source
                                                                                • Source File: 00000007.00000002.1805919448.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_7_2_6d50000_GAmFKUIDBo.jbxd
                                                                                Similarity
                                                                                • API ID: AllocVirtual
                                                                                • String ID:
                                                                                • API String ID: 4275171209-0
                                                                                • Opcode ID: 789a699e8a16ae5d96426fe59766908c03fa261c8591f5fa6801a70eefde526b
                                                                                • Instruction ID: b03f156dd67720d35fdb0518b242f29acfa63fc1928cb0699b8c74eb7663b06f
                                                                                • Opcode Fuzzy Hash: 789a699e8a16ae5d96426fe59766908c03fa261c8591f5fa6801a70eefde526b
                                                                                • Instruction Fuzzy Hash: 201129759002499FCB10DFAAC944BDEBFF5EF48324F108819E955A7260C7759944CFA0
                                                                                Function 06D5BB80 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06D5BBEE
                                                                                Memory Dump Source
                                                                                • Source File: 00000007.00000002.1805919448.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_7_2_6d50000_GAmFKUIDBo.jbxd
                                                                                Similarity
                                                                                • API ID: AllocVirtual
                                                                                • String ID:
                                                                                • API String ID: 4275171209-0
                                                                                • Opcode ID: d151a60dd93aa5ace8f0eac06f33df95e9ee9439689ca6a8991f5cf4a7cadb60
                                                                                • Instruction ID: 9c134f34378ae0b8120115e96f3855ef8788903a3c47bbeedd6b0b107129161d
                                                                                • Opcode Fuzzy Hash: d151a60dd93aa5ace8f0eac06f33df95e9ee9439689ca6a8991f5cf4a7cadb60
                                                                                • Instruction Fuzzy Hash: B41137719002499FCB10DFAAC944BDFBFF5EF48320F10841AE955A7260C775A944CFA4
                                                                                Function 06D5B9F8 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000007.00000002.1805919448.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_7_2_6d50000_GAmFKUIDBo.jbxd
                                                                                Similarity
                                                                                • API ID: ResumeThread
                                                                                • String ID:
                                                                                • API String ID: 947044025-0
                                                                                • Opcode ID: 41c59f9768d8be86a5567b4bca46c047c80d7ae83ed7c6fc198cbef7fca637a6
                                                                                • Instruction ID: 60ad15574facbe10691fe4e6b0d080f40675d1b7adc7d28f63fcfce65fab5be4
                                                                                • Opcode Fuzzy Hash: 41c59f9768d8be86a5567b4bca46c047c80d7ae83ed7c6fc198cbef7fca637a6
                                                                                • Instruction Fuzzy Hash: F21128B1D002488BDB20DFAAC545B9EFBF4EB88324F20841AD459A7250CA75A944CB94
                                                                                Function 06D5EAB8 Relevance: 1.5, APIs: 1, Instructions: 48windowCOMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • PostMessageW.USER32(?,00000010,00000000,?), ref: 06D5EB1D
                                                                                Memory Dump Source
                                                                                • Source File: 00000007.00000002.1805919448.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_7_2_6d50000_GAmFKUIDBo.jbxd
                                                                                Similarity
                                                                                • API ID: MessagePost
                                                                                • String ID:
                                                                                • API String ID: 410705778-0
                                                                                • Opcode ID: caef90532af6ca8a931ddf9cbb600c245832e648daf4a863b2e67827c54bf41b
                                                                                • Instruction ID: 0128ae01caee7837047e2837a1906385d917c1bf7da75c84187a8caf22ef5516
                                                                                • Opcode Fuzzy Hash: caef90532af6ca8a931ddf9cbb600c245832e648daf4a863b2e67827c54bf41b
                                                                                • Instruction Fuzzy Hash: 501128B58003489FCB10DF9AD445BDEFBF4EB48320F108459D998A7651C375A944CFA1
                                                                                Function 00C7AF78 Relevance: 1.5, APIs: 1, Instructions: 47COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • GetModuleHandleW.KERNELBASE(00000000), ref: 00C7AFDE
                                                                                Memory Dump Source
                                                                                • Source File: 00000007.00000002.1801225938.0000000000C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C70000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_7_2_c70000_GAmFKUIDBo.jbxd
                                                                                Similarity
                                                                                • API ID: HandleModule
                                                                                • String ID:
                                                                                • API String ID: 4139908857-0
                                                                                • Opcode ID: 0da860323034689536b75fa0180b2b17836344aba12a01f450e79b77167a0220
                                                                                • Instruction ID: 01ede615aba46defbdec909a1d20324da4effa48e9844accac1ec91d7c06e4b8
                                                                                • Opcode Fuzzy Hash: 0da860323034689536b75fa0180b2b17836344aba12a01f450e79b77167a0220
                                                                                • Instruction Fuzzy Hash: AE11E0B5C002498FCB10DF9AC544ADEFBF4EB88324F10C46AD869A7650C379A545CFA5
                                                                                Function 06D58870 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • PostMessageW.USER32(?,00000010,00000000,?), ref: 06D5EB1D
                                                                                Memory Dump Source
                                                                                • Source File: 00000007.00000002.1805919448.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_7_2_6d50000_GAmFKUIDBo.jbxd
                                                                                Similarity
                                                                                • API ID: MessagePost
                                                                                • String ID:
                                                                                • API String ID: 410705778-0
                                                                                • Opcode ID: 3c8fc3f995b0de0e28b2d2d402531427ea230612a40ce28ca1a45f7ef9ef4e96
                                                                                • Instruction ID: fbd5d54b1a5d226f49e253512953bbd0497e1b837d67acad5731c03cef86e3e2
                                                                                • Opcode Fuzzy Hash: 3c8fc3f995b0de0e28b2d2d402531427ea230612a40ce28ca1a45f7ef9ef4e96
                                                                                • Instruction Fuzzy Hash: 011136B5800308DFCB10DF99C445BDEFBF8EB48320F108419E959A7640C375AA44CFA5
                                                                                Function 00ADD3D8 Relevance: .1, Instructions: 75COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000007.00000002.1800313800.0000000000ADD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ADD000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_7_2_add000_GAmFKUIDBo.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 01bc47fa013dff2b7d54bab5a05d6d14ee3d32f486c87ba85f94ce37291fbb3d
                                                                                • Instruction ID: 0851b1e90506577a8ecd98cbc5f593e2824baa7059d449e8db092d49f8cbaa96
                                                                                • Opcode Fuzzy Hash: 01bc47fa013dff2b7d54bab5a05d6d14ee3d32f486c87ba85f94ce37291fbb3d
                                                                                • Instruction Fuzzy Hash: 672125B1500204EFDB05DF14D9C4B2ABF75FB98324F20C56AE90A4F356C336E856CAA2
                                                                                Function 00AED01C Relevance: .1, Instructions: 72COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000007.00000002.1800391022.0000000000AED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AED000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_7_2_aed000_GAmFKUIDBo.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 759419290c2ea82595577763c9807474a62826f344ae28f33bf73e0506dc25fd
                                                                                • Instruction ID: 47947d66af06e3d4eabe9c17f48fedea2d06ca86ce88b78b2a7ca8c7e7256f07
                                                                                • Opcode Fuzzy Hash: 759419290c2ea82595577763c9807474a62826f344ae28f33bf73e0506dc25fd
                                                                                • Instruction Fuzzy Hash: 0B210171604280EFCB14DF25D9C4B26BFA5FB88314F28C56DE80A4B296C33BD847CA61
                                                                                Function 00AED1D4 Relevance: .1, Instructions: 72COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000007.00000002.1800391022.0000000000AED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AED000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_7_2_aed000_GAmFKUIDBo.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 4504f3633702e878678b6a582d974dbcf728af1f7879bf66e065490b6dfb894b
                                                                                • Instruction ID: a2546cb2418c0041a42925baf21e05580c6cdd531666cd615654f05796de8db5
                                                                                • Opcode Fuzzy Hash: 4504f3633702e878678b6a582d974dbcf728af1f7879bf66e065490b6dfb894b
                                                                                • Instruction Fuzzy Hash: 04212675504280EFDB05DF15DAC0B66BBB5FB84314F20C66DEA094F296C336D846CA61
                                                                                Function 00AED006 Relevance: .1, Instructions: 62COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000007.00000002.1800391022.0000000000AED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AED000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_7_2_aed000_GAmFKUIDBo.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 83cc771b1cef0d0fa63fb309ffd5cd421e6e4986815a9266cba00c1c6b08cbe7
                                                                                • Instruction ID: b5f4f8692c31ad5df00f62d82b811c8de593d9f43f58ae05c7c5a059b81d0b2f
                                                                                • Opcode Fuzzy Hash: 83cc771b1cef0d0fa63fb309ffd5cd421e6e4986815a9266cba00c1c6b08cbe7
                                                                                • Instruction Fuzzy Hash: 1F215E755093C08FDB12CF24D994715BF71EB46314F28C5EAD8498F6A7C33A980ACB62
                                                                                Function 0A1C0F1B Relevance: .1, Instructions: 59COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000007.00000002.1806877264.000000000A1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A1C0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_7_2_a1c0000_GAmFKUIDBo.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: e498fec214d0bca7322c70ef867866db2cac0ae9e144f62eb70c050ebac8e3e5
                                                                                • Instruction ID: a9908011f8d2533f5847e11e1c85bd6cb9ae33e78aa9ce81300ed44f66aa69db
                                                                                • Opcode Fuzzy Hash: e498fec214d0bca7322c70ef867866db2cac0ae9e144f62eb70c050ebac8e3e5
                                                                                • Instruction Fuzzy Hash: A1110630518344DFCB129F68D810899BFB4AF56311B0185ABE5C4DB232D7319C5ACB51
                                                                                Function 00ADD3D3 Relevance: .1, Instructions: 56COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000007.00000002.1800313800.0000000000ADD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ADD000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_7_2_add000_GAmFKUIDBo.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                                                • Instruction ID: aeaa552d8b3e9efcb0839fa664057d88822349d3a2b36e64df06b4a584ebf931
                                                                                • Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                                                • Instruction Fuzzy Hash: 5111D3B6504240DFDB16CF14D5C4B16BF71FB94324F24C6AAD90A0B756C33AE85ACBA1
                                                                                Function 00AED1CF Relevance: .1, Instructions: 53COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000007.00000002.1800391022.0000000000AED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AED000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_7_2_aed000_GAmFKUIDBo.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                                                • Instruction ID: b37f2a4e91eb8446d658cab8ed70baaa572a06e4e7c21c14873391fbd094dd84
                                                                                • Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                                                • Instruction Fuzzy Hash: B411BB75504280DFCB02CF10C5C4B55BBA1FB84314F24C6AAD9494B296C33AD80ACB61
                                                                                Function 00ADD759 Relevance: .0, Instructions: 45COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000007.00000002.1800313800.0000000000ADD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ADD000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_7_2_add000_GAmFKUIDBo.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 493717885008a95d0caa0134960615c755ede05047f0d92b822f3cfcf38db749
                                                                                • Instruction ID: 823a9d75c5e90ccfd71638ec2bd4e7f2c9fab9148d5ddfd44f836a67599ee190
                                                                                • Opcode Fuzzy Hash: 493717885008a95d0caa0134960615c755ede05047f0d92b822f3cfcf38db749
                                                                                • Instruction Fuzzy Hash: 6E01A7710093409AE7104B29CD84B67FFA8EF51324F18C5ABED0A4A396C2799840C671
                                                                                Function 00ADD758 Relevance: .0, Instructions: 36COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000007.00000002.1800313800.0000000000ADD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ADD000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_7_2_add000_GAmFKUIDBo.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: c2f736dbdc8407ee5821a88c70adfdd68a79cc0b206ccaf340c5d97bf8a0c26c
                                                                                • Instruction ID: ba380ccc93429372d965ac0e528effb65e964b2e880e44b52236957bd7efb795
                                                                                • Opcode Fuzzy Hash: c2f736dbdc8407ee5821a88c70adfdd68a79cc0b206ccaf340c5d97bf8a0c26c
                                                                                • Instruction Fuzzy Hash: C5F062714053449EE7108B1ADD88B66FFA8EF51724F18C55AED094E396C2799844CAB1
                                                                                Function 0A1C0EB7 Relevance: .0, Instructions: 30COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000007.00000002.1806877264.000000000A1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A1C0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_7_2_a1c0000_GAmFKUIDBo.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 46043e3fd6a01f62dd9b7b056394e23dff4f436899820b4e8a2301c5455ef083
                                                                                • Instruction ID: ffbffa5d3f30d2d105fb5f1a91a7be97b34e4dc20d54643f9486b648f4bc07b4
                                                                                • Opcode Fuzzy Hash: 46043e3fd6a01f62dd9b7b056394e23dff4f436899820b4e8a2301c5455ef083
                                                                                • Instruction Fuzzy Hash: 10F09A70D48319DFD760DF6E88046ABBFF4AF1C300F15882ED588E2200EB718500CBA1
                                                                                Function 0A1C0EC8 Relevance: .0, Instructions: 25COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000007.00000002.1806877264.000000000A1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A1C0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_7_2_a1c0000_GAmFKUIDBo.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: ce8bf0d785b443bd950a5bc190b883383ebc22f8d104d9c972e55c804f6ba8ac
                                                                                • Instruction ID: 812ad1873e1bfc97cdeae2e12b01f17729149ea856158096a022e108a9477b6d
                                                                                • Opcode Fuzzy Hash: ce8bf0d785b443bd950a5bc190b883383ebc22f8d104d9c972e55c804f6ba8ac
                                                                                • Instruction Fuzzy Hash: 9EE039B0D4421ADFD760DF6E884566BBBF4AF0C200F11882ED509E6200EB7185408BA0

                                                                                Execution Graph

                                                                                Execution Coverage:1.8%
                                                                                Dynamic/Decrypted Code Coverage:0%
                                                                                Signature Coverage:3.7%
                                                                                Total number of Nodes:620
                                                                                Total number of Limit Nodes:9
                                                                                execution_graph 45145 404e06 WaitForSingleObject 45146 404e20 SetEvent CloseHandle 45145->45146 45147 404e37 closesocket 45145->45147 45148 404eb8 45146->45148 45149 404e44 45147->45149 45150 404e5a 45149->45150 45158 4050c4 83 API calls 45149->45158 45152 404e6c WaitForSingleObject 45150->45152 45153 404eae SetEvent CloseHandle 45150->45153 45159 41c4c6 DeleteCriticalSection EnterCriticalSection LeaveCriticalSection 45152->45159 45153->45148 45155 404e7b SetEvent WaitForSingleObject 45160 41c4c6 DeleteCriticalSection EnterCriticalSection LeaveCriticalSection 45155->45160 45157 404e93 SetEvent CloseHandle CloseHandle 45157->45153 45158->45150 45159->45155 45160->45157 45161 43263c 45162 432648 CallCatchBlock 45161->45162 45187 43234b 45162->45187 45164 43264f 45166 432678 45164->45166 45451 4327ae IsProcessorFeaturePresent IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter ___scrt_get_show_window_mode 45164->45451 45174 4326b7 ___scrt_is_nonwritable_in_current_image ___scrt_release_startup_lock 45166->45174 45452 441763 5 API calls CatchGuardHandler 45166->45452 45168 432691 45170 432697 CallCatchBlock 45168->45170 45453 441707 5 API calls CatchGuardHandler 45168->45453 45171 432717 45198 4328c9 45171->45198 45174->45171 45454 4408e7 35 API calls 6 library calls 45174->45454 45182 432743 45184 43274c 45182->45184 45455 4408c2 28 API calls _Atexit 45182->45455 45456 4324c2 13 API calls 2 library calls 45184->45456 45188 432354 45187->45188 45457 4329da IsProcessorFeaturePresent 45188->45457 45190 432360 45458 436cd1 10 API calls 4 library calls 45190->45458 45192 432365 45193 432369 45192->45193 45459 4415bf 45192->45459 45193->45164 45196 432380 45196->45164 45525 434c30 45198->45525 45201 43271d 45202 4416b4 45201->45202 45527 44c239 45202->45527 45204 432726 45207 40d3f0 45204->45207 45205 4416bd 45205->45204 45531 443d25 35 API calls 45205->45531 45533 41a8da LoadLibraryA GetProcAddress 45207->45533 45209 40d40c 45540 40dd83 45209->45540 45211 40d415 45555 4020d6 45211->45555 45214 4020d6 28 API calls 45215 40d433 45214->45215 45561 419d87 45215->45561 45219 40d445 45587 401e6d 45219->45587 45221 40d44e 45222 40d461 45221->45222 45223 40d4b8 45221->45223 45593 40e609 45222->45593 45225 401e45 22 API calls 45223->45225 45226 40d4c6 45225->45226 45230 401e45 22 API calls 45226->45230 45229 40d47f 45608 40f98d 45229->45608 45231 40d4e5 45230->45231 45624 4052fe 45231->45624 45234 40d4f4 45629 408209 45234->45629 45243 40d4a3 45245 401fb8 11 API calls 45243->45245 45247 40d4ac 45245->45247 45446 4407f6 GetModuleHandleW 45247->45446 45248 401fb8 11 API calls 45249 40d520 45248->45249 45250 401e45 22 API calls 45249->45250 45251 40d529 45250->45251 45646 401fa0 45251->45646 45253 40d534 45254 401e45 22 API calls 45253->45254 45255 40d54f 45254->45255 45256 401e45 22 API calls 45255->45256 45257 40d569 45256->45257 45258 40d5cf 45257->45258 45650 40822a 28 API calls 45257->45650 45259 401e45 22 API calls 45258->45259 45266 40d5dc 45259->45266 45261 40d594 45262 401fc2 28 API calls 45261->45262 45263 40d5a0 45262->45263 45264 401fb8 11 API calls 45263->45264 45267 40d5a9 45264->45267 45265 40d650 45269 40d660 CreateMutexA GetLastError 45265->45269 45266->45265 45268 401e45 22 API calls 45266->45268 45651 411f34 RegOpenKeyExA RegQueryValueExA RegCloseKey 45267->45651 45270 40d5f5 45268->45270 45271 40d987 45269->45271 45272 40d67f 45269->45272 45273 40d5fc OpenMutexA 45270->45273 45276 401fb8 11 API calls 45271->45276 45313 40d9ec 45271->45313 45274 40d688 45272->45274 45275 40d68a GetModuleFileNameW 45272->45275 45278 40d622 45273->45278 45279 40d60f WaitForSingleObject CloseHandle 45273->45279 45274->45275 45654 4192ae 33 API calls 45275->45654 45300 40d99a ___scrt_get_show_window_mode 45276->45300 45652 411f34 RegOpenKeyExA RegQueryValueExA RegCloseKey 45278->45652 45279->45278 45281 40d5c5 45281->45258 45283 40dd0f 45281->45283 45282 40d6a0 45285 40d6f5 45282->45285 45287 401e45 22 API calls 45282->45287 45691 41239a 30 API calls 45283->45691 45286 401e45 22 API calls 45285->45286 45295 40d720 45286->45295 45293 40d6bf 45287->45293 45289 40dd22 45692 410eda 65 API calls ___scrt_get_show_window_mode 45289->45692 45291 40dcfa 45322 40dd6a 45291->45322 45693 402073 28 API calls 45291->45693 45292 40d63b 45292->45265 45653 41239a 30 API calls 45292->45653 45293->45285 45301 40d6f7 45293->45301 45306 40d6db 45293->45306 45294 40d731 45299 401e45 22 API calls 45294->45299 45295->45294 45658 40e501 CreateProcessA CloseHandle CloseHandle ___scrt_get_show_window_mode 45295->45658 45309 40d73a 45299->45309 45666 4120e8 RegOpenKeyExA RegQueryValueExA RegCloseKey 45300->45666 45656 411eea RegOpenKeyExA RegQueryValueExA RegCloseKey 45301->45656 45302 40dd3a 45694 4052dd 28 API calls 45302->45694 45306->45285 45655 4067a0 36 API calls ___scrt_get_show_window_mode 45306->45655 45315 401e45 22 API calls 45309->45315 45312 40d70d 45312->45285 45657 4066a6 58 API calls 45312->45657 45316 401e45 22 API calls 45313->45316 45319 40d755 45315->45319 45320 40da10 45316->45320 45323 401e45 22 API calls 45319->45323 45667 402073 28 API calls 45320->45667 45695 413980 161 API calls 45322->45695 45325 40d76f 45323->45325 45329 401e45 22 API calls 45325->45329 45328 40da22 45668 41215f 14 API calls 45328->45668 45330 40d789 45329->45330 45335 401e45 22 API calls 45330->45335 45332 40da38 45333 401e45 22 API calls 45332->45333 45334 40da44 45333->45334 45669 439867 39 API calls _swprintf 45334->45669 45339 40d7a3 45335->45339 45337 40da51 45341 40da7e 45337->45341 45670 41aa4f 81 API calls ___scrt_get_show_window_mode 45337->45670 45338 40d810 45338->45300 45342 401e45 22 API calls 45338->45342 45376 40d89f ___scrt_get_show_window_mode 45338->45376 45339->45338 45340 401e45 22 API calls 45339->45340 45348 40d7b8 _wcslen 45340->45348 45671 402073 28 API calls 45341->45671 45345 40d831 45342->45345 45352 401e45 22 API calls 45345->45352 45346 40da70 CreateThread 45346->45341 45925 41b212 10 API calls 45346->45925 45347 40da8d 45672 402073 28 API calls 45347->45672 45348->45338 45354 401e45 22 API calls 45348->45354 45350 40da9c 45673 4194da 79 API calls 45350->45673 45355 40d843 45352->45355 45353 40daa1 45356 401e45 22 API calls 45353->45356 45357 40d7d3 45354->45357 45359 401e45 22 API calls 45355->45359 45358 40daad 45356->45358 45360 401e45 22 API calls 45357->45360 45362 401e45 22 API calls 45358->45362 45361 40d855 45359->45361 45363 40d7e8 45360->45363 45365 401e45 22 API calls 45361->45365 45364 40dabf 45362->45364 45659 40c5ed 31 API calls 45363->45659 45368 401e45 22 API calls 45364->45368 45366 40d87e 45365->45366 45373 401e45 22 API calls 45366->45373 45370 40dad5 45368->45370 45369 40d7fb 45660 401ef3 28 API calls 45369->45660 45377 401e45 22 API calls 45370->45377 45372 40d807 45661 401ee9 11 API calls 45372->45661 45375 40d88f 45373->45375 45662 40b871 46 API calls _wcslen 45375->45662 45663 412338 31 API calls 45376->45663 45378 40daf5 45377->45378 45674 439867 39 API calls _swprintf 45378->45674 45381 40d942 ctype 45385 401e45 22 API calls 45381->45385 45383 40db02 45384 401e45 22 API calls 45383->45384 45386 40db0d 45384->45386 45388 40d959 45385->45388 45387 401e45 22 API calls 45386->45387 45389 40db1e 45387->45389 45388->45313 45390 401e45 22 API calls 45388->45390 45675 408f1f 166 API calls _wcslen 45389->45675 45391 40d976 45390->45391 45664 419bca 28 API calls 45391->45664 45393 40d982 45665 40de34 88 API calls 45393->45665 45396 40db33 45397 401e45 22 API calls 45396->45397 45399 40db3c 45397->45399 45398 40db83 45401 401e45 22 API calls 45398->45401 45399->45398 45676 43229f 45399->45676 45406 40db91 45401->45406 45403 401e45 22 API calls 45404 40db65 45403->45404 45409 40db6c CreateThread 45404->45409 45405 40dbd9 45408 401e45 22 API calls 45405->45408 45406->45405 45407 43229f new 22 API calls 45406->45407 45410 40dba5 45407->45410 45414 40dbe2 45408->45414 45409->45398 45923 417f6a 100 API calls __EH_prolog 45409->45923 45411 401e45 22 API calls 45410->45411 45412 40dbb6 45411->45412 45415 40dbbd CreateThread 45412->45415 45413 40dc4c 45416 401e45 22 API calls 45413->45416 45414->45413 45417 401e45 22 API calls 45414->45417 45415->45405 45927 417f6a 100 API calls __EH_prolog 45415->45927 45420 40dc55 45416->45420 45418 40dbfc 45417->45418 45419 401e45 22 API calls 45418->45419 45423 40dc11 45419->45423 45421 40dc99 45420->45421 45422 401e45 22 API calls 45420->45422 45688 4195f8 79 API calls 45421->45688 45425 40dc69 45422->45425 45683 40c5a1 31 API calls 45423->45683 45431 401e45 22 API calls 45425->45431 45426 40dca2 45689 401ef3 28 API calls 45426->45689 45429 40dcad 45690 401ee9 11 API calls 45429->45690 45434 40dc7e 45431->45434 45432 40dc24 45684 401ef3 28 API calls 45432->45684 45433 40dcb6 CreateThread 45438 40dce5 45433->45438 45439 40dcd9 CreateThread 45433->45439 45928 40e18d 122 API calls 45433->45928 45686 439867 39 API calls _swprintf 45434->45686 45437 40dc30 45685 401ee9 11 API calls 45437->45685 45438->45291 45441 40dcee CreateThread 45438->45441 45439->45438 45929 410b5c 137 API calls 45439->45929 45441->45291 45924 411140 38 API calls ___scrt_get_show_window_mode 45441->45924 45443 40dc39 CreateThread 45443->45413 45926 401bc9 49 API calls 45443->45926 45444 40dc8b 45687 40b0a3 7 API calls 45444->45687 45447 432739 45446->45447 45447->45182 45448 44091f 45447->45448 45931 44069c 45448->45931 45451->45164 45452->45168 45453->45174 45454->45171 45455->45184 45456->45170 45457->45190 45458->45192 45463 44cd48 45459->45463 45462 436cfa 8 API calls 3 library calls 45462->45193 45464 44cd65 45463->45464 45467 44cd61 45463->45467 45464->45467 45469 4475a6 45464->45469 45466 432372 45466->45196 45466->45462 45481 432d4b 45467->45481 45470 4475b2 CallCatchBlock 45469->45470 45488 442d9a EnterCriticalSection 45470->45488 45472 4475b9 45489 44d363 45472->45489 45474 4475c8 45479 4475d7 45474->45479 45500 44743a 23 API calls 45474->45500 45477 4475d2 45501 4474f0 GetStdHandle GetFileType 45477->45501 45502 4475f3 LeaveCriticalSection std::_Lockit::~_Lockit 45479->45502 45480 4475e8 CallCatchBlock 45480->45464 45482 432d56 IsProcessorFeaturePresent 45481->45482 45483 432d54 45481->45483 45485 432d98 45482->45485 45483->45466 45524 432d5c SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 45485->45524 45487 432e7b 45487->45466 45488->45472 45490 44d36f CallCatchBlock 45489->45490 45491 44d393 45490->45491 45492 44d37c 45490->45492 45503 442d9a EnterCriticalSection 45491->45503 45511 43ad91 20 API calls _free 45492->45511 45495 44d3cb 45512 44d3f2 LeaveCriticalSection std::_Lockit::~_Lockit 45495->45512 45497 44d381 _strftime CallCatchBlock 45497->45474 45498 44d39f 45498->45495 45504 44d2b4 45498->45504 45500->45477 45501->45479 45502->45480 45503->45498 45513 443005 45504->45513 45506 44d2c6 45510 44d2d3 45506->45510 45520 445fb3 11 API calls 2 library calls 45506->45520 45509 44d325 45509->45498 45521 443c92 20 API calls _free 45510->45521 45511->45497 45512->45497 45518 443012 __Getctype 45513->45518 45514 443052 45523 43ad91 20 API calls _free 45514->45523 45515 44303d RtlAllocateHeap 45516 443050 45515->45516 45515->45518 45516->45506 45518->45514 45518->45515 45522 440480 7 API calls 2 library calls 45518->45522 45520->45506 45521->45509 45522->45518 45523->45516 45524->45487 45526 4328dc GetStartupInfoW 45525->45526 45526->45201 45528 44c24b 45527->45528 45529 44c242 45527->45529 45528->45205 45532 44c138 48 API calls 4 library calls 45529->45532 45531->45205 45532->45528 45534 41a919 LoadLibraryA GetProcAddress 45533->45534 45535 41a909 GetModuleHandleA GetProcAddress 45533->45535 45536 41a947 GetModuleHandleA GetProcAddress 45534->45536 45537 41a937 GetModuleHandleA GetProcAddress 45534->45537 45535->45534 45538 41a973 24 API calls 45536->45538 45539 41a95f GetModuleHandleA GetProcAddress 45536->45539 45537->45536 45538->45209 45539->45538 45696 419493 FindResourceA 45540->45696 45544 40ddad ctype 45706 402097 45544->45706 45547 401fc2 28 API calls 45548 40ddd3 45547->45548 45549 401fb8 11 API calls 45548->45549 45550 40dddc 45549->45550 45551 439adb new 21 API calls 45550->45551 45552 40dded ctype 45551->45552 45712 4062ee 45552->45712 45554 40de20 45554->45211 45556 4020ec 45555->45556 45557 4023ae 11 API calls 45556->45557 45558 402106 45557->45558 45559 402549 28 API calls 45558->45559 45560 402114 45559->45560 45560->45214 45749 4020bf 45561->45749 45563 401fb8 11 API calls 45564 419e3c 45563->45564 45565 401fb8 11 API calls 45564->45565 45567 419e44 45565->45567 45566 419e0c 45755 404182 28 API calls 45566->45755 45570 401fb8 11 API calls 45567->45570 45573 40d43c 45570->45573 45571 419e18 45574 401fc2 28 API calls 45571->45574 45572 419d9a 45572->45566 45575 401fc2 28 API calls 45572->45575 45577 401fb8 11 API calls 45572->45577 45582 419e0a 45572->45582 45753 404182 28 API calls 45572->45753 45754 41ab9a 28 API calls 45572->45754 45583 40e563 45573->45583 45576 419e21 45574->45576 45575->45572 45578 401fb8 11 API calls 45576->45578 45577->45572 45579 419e29 45578->45579 45756 41ab9a 28 API calls 45579->45756 45582->45563 45584 40e56f 45583->45584 45586 40e576 45583->45586 45757 402143 11 API calls 45584->45757 45586->45219 45588 402143 45587->45588 45592 40217f 45588->45592 45758 402710 11 API calls 45588->45758 45590 402164 45759 4026f2 11 API calls std::_Deallocate 45590->45759 45592->45221 45594 40e624 45593->45594 45760 40f57c 45594->45760 45600 40e663 45601 40d473 45600->45601 45776 40f663 45600->45776 45603 401e45 45601->45603 45604 401e4d 45603->45604 45605 401e55 45604->45605 45871 402138 22 API calls 45604->45871 45605->45229 45610 40f997 __EH_prolog 45608->45610 45872 40fcfb 45610->45872 45611 40f663 36 API calls 45612 40fb90 45611->45612 45876 40fce0 45612->45876 45614 40d491 45616 40e5ba 45614->45616 45615 40fa1a 45615->45611 45882 40f4c6 45616->45882 45619 40d49a 45621 40dd70 45619->45621 45620 40f663 36 API calls 45620->45619 45892 40e5da 70 API calls 45621->45892 45623 40dd7b 45625 4020bf 11 API calls 45624->45625 45626 40530a 45625->45626 45893 403280 45626->45893 45628 405326 45628->45234 45898 4051cf 45629->45898 45631 408217 45902 402035 45631->45902 45634 401fc2 45635 401fd1 45634->45635 45642 402019 45634->45642 45636 4023ae 11 API calls 45635->45636 45637 401fda 45636->45637 45638 40201c 45637->45638 45639 401ff5 45637->45639 45640 40265a 11 API calls 45638->45640 45917 403078 28 API calls 45639->45917 45640->45642 45643 401fb8 45642->45643 45644 4023ae 11 API calls 45643->45644 45645 401fc1 45644->45645 45645->45248 45647 401fb2 45646->45647 45648 401fa9 45646->45648 45647->45253 45918 4025c0 28 API calls 45648->45918 45650->45261 45651->45281 45652->45292 45653->45265 45654->45282 45655->45285 45656->45312 45657->45285 45658->45294 45659->45369 45660->45372 45661->45338 45662->45376 45663->45381 45664->45393 45665->45271 45666->45313 45667->45328 45668->45332 45669->45337 45670->45346 45671->45347 45672->45350 45673->45353 45674->45383 45675->45396 45678 4322a4 45676->45678 45677 439adb new 21 API calls 45677->45678 45678->45677 45679 40db53 45678->45679 45919 440480 7 API calls 2 library calls 45678->45919 45920 4329bd RaiseException Concurrency::cancel_current_task __CxxThrowException@8 45678->45920 45921 43301b RaiseException Concurrency::cancel_current_task __CxxThrowException@8 45678->45921 45679->45403 45683->45432 45684->45437 45685->45443 45686->45444 45687->45421 45688->45426 45689->45429 45690->45433 45691->45289 45693->45302 45922 418ccd 104 API calls 45695->45922 45697 4194b0 LoadResource LockResource SizeofResource 45696->45697 45698 40dd9e 45696->45698 45697->45698 45699 439adb 45698->45699 45704 443649 __Getctype 45699->45704 45700 443687 45716 43ad91 20 API calls _free 45700->45716 45701 443672 RtlAllocateHeap 45703 443685 45701->45703 45701->45704 45703->45544 45704->45700 45704->45701 45715 440480 7 API calls 2 library calls 45704->45715 45707 40209f 45706->45707 45717 4023ae 45707->45717 45709 4020aa 45721 4024ea 45709->45721 45711 4020b9 45711->45547 45713 402097 28 API calls 45712->45713 45714 406302 45713->45714 45714->45554 45715->45704 45716->45703 45718 402408 45717->45718 45719 4023b8 45717->45719 45718->45709 45719->45718 45728 402787 11 API calls std::_Deallocate 45719->45728 45722 4024fa 45721->45722 45723 402500 45722->45723 45724 402515 45722->45724 45729 402549 45723->45729 45739 4028c8 28 API calls 45724->45739 45727 402513 45727->45711 45728->45718 45740 402868 45729->45740 45731 40255d 45732 402572 45731->45732 45733 402587 45731->45733 45745 402a14 22 API calls 45732->45745 45747 4028c8 28 API calls 45733->45747 45736 40257b 45746 4029ba 22 API calls 45736->45746 45738 402585 45738->45727 45739->45727 45741 402870 45740->45741 45742 402878 45741->45742 45748 402c83 22 API calls 45741->45748 45742->45731 45745->45736 45746->45738 45747->45738 45750 4020c7 45749->45750 45751 4023ae 11 API calls 45750->45751 45752 4020d2 45751->45752 45752->45572 45753->45572 45754->45572 45755->45571 45756->45582 45757->45586 45758->45590 45759->45592 45780 40f821 45760->45780 45763 40f55d 45858 40f7fb 45763->45858 45765 40f565 45863 40f44c 45765->45863 45767 40e651 45768 40f502 45767->45768 45769 40f510 45768->45769 45775 40f53f std::ios_base::_Ios_base_dtor 45768->45775 45868 4335cb 65 API calls 45769->45868 45771 40f51d 45772 40f44c 20 API calls 45771->45772 45771->45775 45773 40f52e 45772->45773 45869 40fbc8 56 API calls 6 library calls 45773->45869 45775->45600 45777 40f66b 45776->45777 45778 40f67e 45776->45778 45870 40f854 36 API calls 45777->45870 45778->45601 45787 40d2ce 45780->45787 45784 40f83c 45785 40e631 45784->45785 45786 40f663 36 API calls 45784->45786 45785->45763 45786->45785 45788 40d2ff 45787->45788 45789 43229f new 22 API calls 45788->45789 45790 40d306 45789->45790 45797 40cb7a 45790->45797 45793 40f887 45794 40f896 45793->45794 45832 40f8b7 45794->45832 45796 40f89c std::ios_base::_Ios_base_dtor 45796->45784 45800 4332ea 45797->45800 45799 40cb84 45799->45793 45801 4332f6 __EH_prolog3 45800->45801 45812 4330a5 45801->45812 45806 433314 45826 43347f 37 API calls _Atexit 45806->45826 45807 433370 std::locale::_Init 45807->45799 45809 43331c 45827 433240 21 API calls 2 library calls 45809->45827 45811 433332 45818 4330fd 45811->45818 45813 4330b4 45812->45813 45815 4330bb 45812->45815 45828 442df9 EnterCriticalSection std::_Lockit::_Lockit 45813->45828 45816 4330b9 45815->45816 45829 43393c EnterCriticalSection 45815->45829 45816->45811 45825 43345a 22 API calls 2 library calls 45816->45825 45819 433107 45818->45819 45820 442e02 45818->45820 45821 43311a 45819->45821 45830 43394a LeaveCriticalSection 45819->45830 45831 442de2 LeaveCriticalSection 45820->45831 45821->45807 45824 442e09 45824->45807 45825->45806 45826->45809 45827->45811 45828->45816 45829->45816 45830->45821 45831->45824 45833 4330a5 std::_Lockit::_Lockit 2 API calls 45832->45833 45834 40f8c9 45833->45834 45853 40cae9 4 API calls 2 library calls 45834->45853 45836 40f8dc 45837 40f8ef 45836->45837 45854 40ccd4 56 API calls new 45836->45854 45838 4330fd std::_Lockit::~_Lockit 2 API calls 45837->45838 45839 40f925 45838->45839 45839->45796 45841 40f8ff 45842 40f906 45841->45842 45843 40f92d 45841->45843 45855 4332b6 22 API calls new 45842->45855 45856 436ec6 RaiseException 45843->45856 45846 40f943 45847 40f984 45846->45847 45857 43219b EnterCriticalSection LeaveCriticalSection WaitForSingleObjectEx __Init_thread_wait __Init_thread_footer 45846->45857 45847->45796 45853->45836 45854->45841 45855->45837 45856->45846 45859 43229f new 22 API calls 45858->45859 45860 40f80b 45859->45860 45861 40cb7a 41 API calls 45860->45861 45862 40f813 45861->45862 45862->45765 45864 40f469 45863->45864 45866 40f48b 45864->45866 45867 43aa1a 20 API calls 2 library calls 45864->45867 45866->45767 45867->45866 45868->45771 45869->45775 45870->45778 45874 40fd0e 45872->45874 45873 40fd3c 45873->45615 45874->45873 45880 40fe14 36 API calls 45874->45880 45877 40fce8 45876->45877 45879 40fcf3 45877->45879 45881 40fe79 36 API calls __EH_prolog 45877->45881 45879->45614 45880->45873 45881->45879 45883 40f4d0 45882->45883 45884 40f4d4 45882->45884 45887 40f44c 20 API calls 45883->45887 45890 40f30b 67 API calls 45884->45890 45886 40f4d9 45891 43a716 64 API calls 3 library calls 45886->45891 45889 40e5c5 45887->45889 45889->45619 45889->45620 45890->45886 45891->45883 45892->45623 45895 40328a 45893->45895 45894 4032a9 45894->45628 45895->45894 45897 4028c8 28 API calls 45895->45897 45897->45894 45899 4051db 45898->45899 45908 405254 45899->45908 45901 4051e8 45901->45631 45903 402041 45902->45903 45904 4023ae 11 API calls 45903->45904 45905 40205b 45904->45905 45913 40265a 45905->45913 45909 405262 45908->45909 45912 402884 22 API calls 45909->45912 45914 40266b 45913->45914 45915 4023ae 11 API calls 45914->45915 45916 40206d 45915->45916 45916->45634 45917->45642 45918->45647 45919->45678 45930 411253 61 API calls 45929->45930 45932 4406a8 IsInExceptionSpec 45931->45932 45933 4406c0 45932->45933 45934 4407f6 _Atexit GetModuleHandleW 45932->45934 45953 442d9a EnterCriticalSection 45933->45953 45936 4406b4 45934->45936 45936->45933 45965 44083a GetModuleHandleExW 45936->45965 45937 440766 45954 4407a6 45937->45954 45940 4406c8 45940->45937 45942 44073d 45940->45942 45973 441450 20 API calls _Atexit 45940->45973 45945 440755 45942->45945 45974 441707 5 API calls CatchGuardHandler 45942->45974 45943 440783 45957 4407b5 45943->45957 45944 4407af 45976 454909 5 API calls CatchGuardHandler 45944->45976 45975 441707 5 API calls CatchGuardHandler 45945->45975 45953->45940 45977 442de2 LeaveCriticalSection 45954->45977 45956 44077f 45956->45943 45956->45944 45978 4461f8 45957->45978 45960 4407e3 45963 44083a _Atexit 8 API calls 45960->45963 45961 4407c3 GetPEB 45961->45960 45962 4407d3 GetCurrentProcess TerminateProcess 45961->45962 45962->45960 45964 4407eb ExitProcess 45963->45964 45966 440864 GetProcAddress 45965->45966 45967 440887 45965->45967 45968 440879 45966->45968 45969 440896 45967->45969 45970 44088d FreeLibrary 45967->45970 45968->45967 45971 432d4b CatchGuardHandler 5 API calls 45969->45971 45970->45969 45972 4408a0 45971->45972 45972->45933 45973->45942 45974->45945 45975->45937 45977->45956 45979 44621d 45978->45979 45981 446213 45978->45981 45984 4459f9 45979->45984 45982 432d4b CatchGuardHandler 5 API calls 45981->45982 45983 4407bf 45982->45983 45983->45960 45983->45961 45985 445a29 45984->45985 45989 445a25 45984->45989 45985->45981 45986 445a49 45986->45985 45988 445a55 GetProcAddress 45986->45988 45990 445a65 __crt_fast_encode_pointer 45988->45990 45989->45985 45989->45986 45991 445a95 45989->45991 45990->45985 45992 445ab6 LoadLibraryExW 45991->45992 45993 445aab 45991->45993 45994 445ad3 GetLastError 45992->45994 45995 445aeb 45992->45995 45993->45989 45994->45995 45996 445ade LoadLibraryExW 45994->45996 45995->45993 45997 445b02 FreeLibrary 45995->45997 45996->45995 45997->45993

                                                                                Executed Functions

                                                                                Function 0041A8DA Relevance: 105.1, APIs: 36, Strings: 24, Instructions: 130libraryloaderCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • LoadLibraryA.KERNELBASE(Psapi.dll,GetModuleFileNameExA,?,?,?,?,0040D40C), ref: 0041A8EF
                                                                                • GetProcAddress.KERNEL32(00000000), ref: 0041A8F8
                                                                                • GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExA,?,?,?,?,0040D40C), ref: 0041A90F
                                                                                • GetProcAddress.KERNEL32(00000000), ref: 0041A912
                                                                                • LoadLibraryA.KERNEL32(Psapi.dll,GetModuleFileNameExW,?,?,?,?,0040D40C), ref: 0041A924
                                                                                • GetProcAddress.KERNEL32(00000000), ref: 0041A927
                                                                                • GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExW,?,?,?,?,0040D40C), ref: 0041A93D
                                                                                • GetProcAddress.KERNEL32(00000000), ref: 0041A940
                                                                                • GetModuleHandleA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040D40C), ref: 0041A951
                                                                                • GetProcAddress.KERNEL32(00000000), ref: 0041A954
                                                                                • GetModuleHandleA.KERNEL32(user32,SetProcessDpiAware,?,?,?,?,0040D40C), ref: 0041A969
                                                                                • GetProcAddress.KERNEL32(00000000), ref: 0041A96C
                                                                                • LoadLibraryA.KERNEL32(ntdll.dll,NtUnmapViewOfSection,?,?,?,?,0040D40C), ref: 0041A97D
                                                                                • GetProcAddress.KERNEL32(00000000), ref: 0041A980
                                                                                • LoadLibraryA.KERNEL32(kernel32.dll,GlobalMemoryStatusEx,?,?,?,?,0040D40C), ref: 0041A98C
                                                                                • GetProcAddress.KERNEL32(00000000), ref: 0041A98F
                                                                                • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040D40C), ref: 0041A9A1
                                                                                • GetProcAddress.KERNEL32(00000000), ref: 0041A9A4
                                                                                • GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040D40C), ref: 0041A9B1
                                                                                • GetProcAddress.KERNEL32(00000000), ref: 0041A9B4
                                                                                • LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040D40C), ref: 0041A9C5
                                                                                • GetProcAddress.KERNEL32(00000000), ref: 0041A9C8
                                                                                • GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040D40C), ref: 0041A9D5
                                                                                • GetProcAddress.KERNEL32(00000000), ref: 0041A9D8
                                                                                • GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040D40C), ref: 0041A9EA
                                                                                • GetProcAddress.KERNEL32(00000000), ref: 0041A9ED
                                                                                • GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040D40C), ref: 0041A9FA
                                                                                • GetProcAddress.KERNEL32(00000000), ref: 0041A9FD
                                                                                • GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040D40C), ref: 0041AA0A
                                                                                • GetProcAddress.KERNEL32(00000000), ref: 0041AA0D
                                                                                • GetModuleHandleA.KERNEL32(kernel32.dll,GetSystemTimes,?,?,?,?,0040D40C), ref: 0041AA1F
                                                                                • GetProcAddress.KERNEL32(00000000), ref: 0041AA22
                                                                                • LoadLibraryA.KERNEL32(Shlwapi.dll,0000000C,?,?,?,?,0040D40C), ref: 0041AA30
                                                                                • GetProcAddress.KERNEL32(00000000), ref: 0041AA33
                                                                                • LoadLibraryA.KERNEL32(kernel32.dll,GetConsoleWindow,?,?,?,?,0040D40C), ref: 0041AA40
                                                                                • GetProcAddress.KERNEL32(00000000), ref: 0041AA43
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AddressProc$HandleModule$LibraryLoad
                                                                                • String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetModuleFileNameExA$GetModuleFileNameExW$GetMonitorInfoW$GetSystemTimes$GlobalMemoryStatusEx$IsUserAnAdmin$IsWow64Process$Kernel32.dll$NtUnmapViewOfSection$Psapi.dll$SetProcessDEPPolicy$SetProcessDpiAware$SetProcessDpiAwareness$Shell32$Shlwapi.dll$kernel32$kernel32.dll$ntdll.dll$shcore$user32
                                                                                • API String ID: 551388010-2474455403
                                                                                • Opcode ID: e80cee8c84c8c84204283680f0404711a146afcd0be7a07adf6e8d3a182e926f
                                                                                • Instruction ID: 1e7ebd14e1f9a52016720e07cc743ec1e909bc11fdf6f09267ddb838bd68d733
                                                                                • Opcode Fuzzy Hash: e80cee8c84c8c84204283680f0404711a146afcd0be7a07adf6e8d3a182e926f
                                                                                • Instruction Fuzzy Hash: 9031EBF0E413587ADB207BBA5C09E5B3E9CDA80794711052BB408D3661FAFC9C448E6E
                                                                                Function 004407B5 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 450 4407b5-4407c1 call 4461f8 453 4407e3-4407ef call 44083a ExitProcess 450->453 454 4407c3-4407d1 GetPEB 450->454 454->453 455 4407d3-4407dd GetCurrentProcess TerminateProcess 454->455 455->453
                                                                                APIs
                                                                                • GetCurrentProcess.KERNEL32(00000000,?,0044078B,00000000,0046B4F8,0000000C,004408E2,00000000,00000002,00000000), ref: 004407D6
                                                                                • TerminateProcess.KERNEL32(00000000,?,0044078B,00000000,0046B4F8,0000000C,004408E2,00000000,00000002,00000000), ref: 004407DD
                                                                                • ExitProcess.KERNEL32 ref: 004407EF
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Process$CurrentExitTerminate
                                                                                • String ID:
                                                                                • API String ID: 1703294689-0
                                                                                • Opcode ID: ab47e799b5bc4cc6dde358da0dc0a23fd4678ab9e3bf0635ceb4545ab71368f2
                                                                                • Instruction ID: 8c86c1f28e0fd2f6406888839527a8aea1509f7e03a0ffdd8510570f14deced8
                                                                                • Opcode Fuzzy Hash: ab47e799b5bc4cc6dde358da0dc0a23fd4678ab9e3bf0635ceb4545ab71368f2
                                                                                • Instruction Fuzzy Hash: 9AE04631000608ABEF017F20DD48A493B29EB40346F410029F9088B232CB3DED52CA89
                                                                                Function 0040D3F0 Relevance: 69.0, APIs: 16, Strings: 23, Instructions: 774COMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 7 40d3f0-40d45f call 41a8da call 40dd83 call 4020d6 * 2 call 419d87 call 40e563 call 401e6d call 43a300 24 40d461-40d4b5 call 40e609 call 401e45 call 401f8b call 40f98d call 40e5ba call 40dd70 call 401fb8 7->24 25 40d4b8-40d57f call 401e45 call 401f8b call 401e45 call 4052fe call 408209 call 401fc2 call 401fb8 * 2 call 401e45 call 401fa0 call 405a86 call 401e45 call 4051c3 call 401e45 call 4051c3 7->25 70 40d581-40d5c9 call 40822a call 401fc2 call 401fb8 call 401f8b call 411f34 25->70 71 40d5cf-40d5ea call 401e45 call 40fbab 25->71 70->71 105 40dd0f-40dd27 call 401f8b call 41239a call 410eda 70->105 81 40d656-40d679 call 401f8b CreateMutexA GetLastError 71->81 82 40d5ec-40d60d call 401e45 call 401f8b OpenMutexA 71->82 90 40d991-40d99a call 401fb8 81->90 91 40d67f-40d686 81->91 98 40d622-40d63f call 401f8b call 411f34 82->98 99 40d60f-40d61c WaitForSingleObject CloseHandle 82->99 109 40d9a1-40da01 call 434c30 call 40245c call 401f8b * 2 call 4120e8 call 408093 90->109 94 40d688 91->94 95 40d68a-40d6a7 GetModuleFileNameW call 4192ae 91->95 94->95 107 40d6b0-40d6b4 95->107 108 40d6a9-40d6ab 95->108 123 40d651 98->123 124 40d641-40d650 call 401f8b call 41239a 98->124 99->98 133 40dd2c 105->133 113 40d6b6-40d6c9 call 401e45 call 401f8b 107->113 114 40d717-40d72a call 401e45 call 401f8b 107->114 108->107 175 40da06-40da5f call 401e45 call 401f8b call 402073 call 401f8b call 41215f call 401e45 call 401f8b call 439867 109->175 113->114 138 40d6cb-40d6d1 113->138 140 40d731-40d7ad call 401e45 call 401f8b call 408093 call 401e45 call 401f8b call 401e45 call 401f8b call 401e45 call 401f8b call 401e45 call 401f8b 114->140 141 40d72c call 40e501 114->141 123->81 124->123 139 40dd31-40dd65 call 402073 call 4052dd call 402073 call 4194da call 401fb8 133->139 138->114 144 40d6d3-40d6d9 138->144 189 40dd6a-40dd6f call 413980 139->189 217 40d815-40d819 140->217 218 40d7af-40d7c8 call 401e45 call 401f8b call 439891 140->218 141->140 151 40d6f7-40d710 call 401f8b call 411eea 144->151 152 40d6db-40d6ee call 4060ea 144->152 151->114 178 40d712 call 4066a6 151->178 152->114 166 40d6f0-40d6f5 call 4067a0 152->166 166->114 220 40da61-40da63 175->220 221 40da65-40da67 175->221 178->114 217->109 219 40d81f-40d826 217->219 218->217 249 40d7ca-40d810 call 401e45 call 401f8b call 401e45 call 401f8b call 40c5ed call 401ef3 call 401ee9 218->249 223 40d8a7-40d8b1 call 408093 219->223 224 40d828-40d8a5 call 401e45 call 401f8b call 401e45 call 401f8b call 401e45 call 401f8b call 401e45 call 401f8b call 401e45 call 401f8b call 40b871 219->224 225 40da6b-40da7c call 41aa4f CreateThread 220->225 226 40da69 221->226 227 40da7e-40db48 call 402073 * 2 call 4194da call 401e45 call 401f8b call 401e45 call 401f8b call 401e45 call 401f8b call 401e45 call 401f8b call 439867 call 401e45 call 401f8b call 401e45 call 401f8b call 408f1f call 401e45 call 401f8b 221->227 237 40d8b6-40d8de call 40245c call 43254d 223->237 224->237 225->227 226->225 349 40db83-40db9a call 401e45 call 401f8b 227->349 350 40db4a-40db81 call 43229f call 401e45 call 401f8b CreateThread 227->350 255 40d8f0 237->255 256 40d8e0-40d8ee call 434c30 237->256 249->217 262 40d8f2-40d967 call 401ee4 call 43a796 call 40245c call 401f8b call 40245c call 401f8b call 412338 call 432556 call 401e45 call 40fbab 255->262 256->262 262->175 332 40d96d-40d98c call 401e45 call 419bca call 40de34 262->332 332->175 346 40d98e-40d990 332->346 346->90 360 40dbd9-40dbeb call 401e45 call 401f8b 349->360 361 40db9c-40dbd4 call 43229f call 401e45 call 401f8b CreateThread 349->361 350->349 372 40dc4c-40dc5e call 401e45 call 401f8b 360->372 373 40dbed-40dc47 call 401e45 call 401f8b call 401e45 call 401f8b call 40c5a1 call 401ef3 call 401ee9 CreateThread 360->373 361->360 384 40dc60-40dc94 call 401e45 call 401f8b call 401e45 call 401f8b call 439867 call 40b0a3 372->384 385 40dc99-40dcbf call 4195f8 call 401ef3 call 401ee9 372->385 373->372 384->385 404 40dcc1 385->404 405 40dcc4-40dcd7 CreateThread 385->405 404->405 408 40dce5-40dcec 405->408 409 40dcd9-40dce3 CreateThread 405->409 412 40dcfa-40dd01 408->412 413 40dcee-40dcf8 CreateThread 408->413 409->408 412->133 416 40dd03-40dd06 412->416 413->412 416->189 418 40dd08-40dd0d 416->418 418->139
                                                                                APIs
                                                                                  • Part of subcall function 0041A8DA: LoadLibraryA.KERNELBASE(Psapi.dll,GetModuleFileNameExA,?,?,?,?,0040D40C), ref: 0041A8EF
                                                                                  • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A8F8
                                                                                  • Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExA,?,?,?,?,0040D40C), ref: 0041A90F
                                                                                  • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A912
                                                                                  • Part of subcall function 0041A8DA: LoadLibraryA.KERNEL32(Psapi.dll,GetModuleFileNameExW,?,?,?,?,0040D40C), ref: 0041A924
                                                                                  • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A927
                                                                                  • Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExW,?,?,?,?,0040D40C), ref: 0041A93D
                                                                                  • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A940
                                                                                  • Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040D40C), ref: 0041A951
                                                                                  • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A954
                                                                                  • Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(user32,SetProcessDpiAware,?,?,?,?,0040D40C), ref: 0041A969
                                                                                  • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A96C
                                                                                  • Part of subcall function 0041A8DA: LoadLibraryA.KERNEL32(ntdll.dll,NtUnmapViewOfSection,?,?,?,?,0040D40C), ref: 0041A97D
                                                                                  • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A980
                                                                                  • Part of subcall function 0041A8DA: LoadLibraryA.KERNEL32(kernel32.dll,GlobalMemoryStatusEx,?,?,?,?,0040D40C), ref: 0041A98C
                                                                                  • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A98F
                                                                                  • Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040D40C), ref: 0041A9A1
                                                                                  • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A9A4
                                                                                  • Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040D40C), ref: 0041A9B1
                                                                                  • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A9B4
                                                                                  • Part of subcall function 0041A8DA: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040D40C), ref: 0041A9C5
                                                                                  • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A9C8
                                                                                  • Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040D40C), ref: 0041A9D5
                                                                                  • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A9D8
                                                                                  • Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040D40C), ref: 0041A9EA
                                                                                  • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A9ED
                                                                                  • Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040D40C), ref: 0041A9FA
                                                                                  • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A9FD
                                                                                • OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 0040D603
                                                                                  • Part of subcall function 0040F98D: __EH_prolog.LIBCMT ref: 0040F992
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AddressProc$HandleModule$LibraryLoad$H_prologMutexOpen
                                                                                • String ID: (#G$0"G$0"G$0"G$Access Level: $Administrator$Exe$H"G$H"G$Inj$Remcos Agent initialized$Software\$User$`"G$exepath$licence$license_code.txt$origmsc$!G$!G$!G$!G$!G
                                                                                • API String ID: 1529173511-1365410817
                                                                                • Opcode ID: 41e97e648275280d3dddb753ada466f004951c110e7e909b6851935f8b62d148
                                                                                • Instruction ID: a36e185f3bd9362bdba41541190492353975b392bf08c7d21c2bc217d0697d36
                                                                                • Opcode Fuzzy Hash: 41e97e648275280d3dddb753ada466f004951c110e7e909b6851935f8b62d148
                                                                                • Instruction Fuzzy Hash: 5622B960B043412BDA1577B69C67A7E25998F81708F04483FF946BB2E3EEBC4D05839E
                                                                                Function 00404E06 Relevance: 18.1, APIs: 12, Instructions: 65synchronizationCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • WaitForSingleObject.KERNEL32(?,000000FF,00000000,00471E90,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E18
                                                                                • SetEvent.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E23
                                                                                • CloseHandle.KERNELBASE(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E2C
                                                                                • closesocket.WS2_32(?), ref: 00404E3A
                                                                                • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E71
                                                                                • SetEvent.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E82
                                                                                • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E89
                                                                                • SetEvent.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E9A
                                                                                • CloseHandle.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E9F
                                                                                • CloseHandle.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404EA4
                                                                                • SetEvent.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404EB1
                                                                                • CloseHandle.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404EB6
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CloseEventHandle$ObjectSingleWait$closesocket
                                                                                • String ID:
                                                                                • API String ID: 3658366068-0
                                                                                • Opcode ID: b1c96c5231e2cfca5084612c4e73afdaef55ac4315f506c78c7bb7997b29a698
                                                                                • Instruction ID: b890c501aeabc943cf782ca315c2c368517b908ebe77e8074f52597b82095e9a
                                                                                • Opcode Fuzzy Hash: b1c96c5231e2cfca5084612c4e73afdaef55ac4315f506c78c7bb7997b29a698
                                                                                • Instruction Fuzzy Hash: 1B212C71000B009FDB216B26DC49B17BBE5FF40326F114A2DE2E212AF1CB79E851DB58
                                                                                Function 00445A95 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 437 445a95-445aa9 438 445ab6-445ad1 LoadLibraryExW 437->438 439 445aab-445ab4 437->439 441 445ad3-445adc GetLastError 438->441 442 445afa-445b00 438->442 440 445b0d-445b0f 439->440 443 445ade-445ae9 LoadLibraryExW 441->443 444 445aeb 441->444 445 445b02-445b03 FreeLibrary 442->445 446 445b09 442->446 447 445aed-445aef 443->447 444->447 445->446 448 445b0b-445b0c 446->448 447->442 449 445af1-445af8 447->449 448->440 449->448
                                                                                APIs
                                                                                • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00000000,00000000,?,00445A3C,?,00000000,00000000,00000000,?,00445D68,00000006,FlsSetValue), ref: 00445AC7
                                                                                • GetLastError.KERNEL32(?,00445A3C,?,00000000,00000000,00000000,?,00445D68,00000006,FlsSetValue,0045C110,0045C118,00000000,00000364,?,004457F7), ref: 00445AD3
                                                                                • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00445A3C,?,00000000,00000000,00000000,?,00445D68,00000006,FlsSetValue,0045C110,0045C118,00000000), ref: 00445AE1
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: LibraryLoad$ErrorLast
                                                                                • String ID:
                                                                                • API String ID: 3177248105-0
                                                                                • Opcode ID: 6ca79951660ad3b6e96c8c42d18b75cc874aa2905662dd76989ddfa9726cc4c5
                                                                                • Instruction ID: dabcc1aa4f00c9d7d6140ee010913d89a9079070269616da1364236c98588597
                                                                                • Opcode Fuzzy Hash: 6ca79951660ad3b6e96c8c42d18b75cc874aa2905662dd76989ddfa9726cc4c5
                                                                                • Instruction Fuzzy Hash: 8501FC32601B276BDF218A78AC84D577758EF05B617110635F906E3242D724DC01C6E8
                                                                                Function 004459F9 Relevance: 3.1, APIs: 2, Instructions: 65libraryloaderCOMMONLIBRARYCODE
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 458 4459f9-445a23 459 445a25-445a27 458->459 460 445a8e 458->460 461 445a2d-445a33 459->461 462 445a29-445a2b 459->462 463 445a90-445a94 460->463 464 445a35-445a37 call 445a95 461->464 465 445a4f 461->465 462->463 470 445a3c-445a3f 464->470 466 445a51-445a53 465->466 468 445a55-445a63 GetProcAddress 466->468 469 445a7e-445a8c 466->469 471 445a65-445a6e call 432123 468->471 472 445a78 468->472 469->460 473 445a70-445a76 470->473 474 445a41-445a47 470->474 471->462 472->469 473->466 474->464 475 445a49 474->475 475->465
                                                                                APIs
                                                                                • GetProcAddress.KERNEL32(00000000,?), ref: 00445A59
                                                                                • __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00445A66
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AddressProc__crt_fast_encode_pointer
                                                                                • String ID:
                                                                                • API String ID: 2279764990-0
                                                                                • Opcode ID: c61b452eecc00867d96f211e5a9c10d9e28e8afd79249807e8935c7f12eaf234
                                                                                • Instruction ID: f797c493580bcbb57e031b514bcf368a6941c3076375826e2c1e25af396318bd
                                                                                • Opcode Fuzzy Hash: c61b452eecc00867d96f211e5a9c10d9e28e8afd79249807e8935c7f12eaf234
                                                                                • Instruction Fuzzy Hash: AA113A37A009319BAF21DE69ECC086B7391AB847247164332FC15BB346E634EC0286E9
                                                                                Function 0044D2B4 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 478 44d2b4-44d2c1 call 443005 480 44d2c6-44d2d1 478->480 481 44d2d7-44d2df 480->481 482 44d2d3-44d2d5 480->482 483 44d31f-44d32d call 443c92 481->483 484 44d2e1-44d2e5 481->484 482->483 485 44d2e7-44d319 call 445fb3 484->485 490 44d31b-44d31e 485->490 490->483
                                                                                APIs
                                                                                  • Part of subcall function 00443005: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,004457DA,00000001,00000364,?,00000000,?,00439A11,00000000,?,?,00439A95,00000000), ref: 00443046
                                                                                • _free.LIBCMT ref: 0044D320
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AllocateHeap_free
                                                                                • String ID:
                                                                                • API String ID: 614378929-0
                                                                                • Opcode ID: 3263e86e01d89d9b2c949f26067d012f8e3513974416179447fc4125dbbefc63
                                                                                • Instruction ID: 6435cefd8bbe106a332e767b8e47ea9a619cae55f612b2c95de9f127ac4edb1d
                                                                                • Opcode Fuzzy Hash: 3263e86e01d89d9b2c949f26067d012f8e3513974416179447fc4125dbbefc63
                                                                                • Instruction Fuzzy Hash: 260149736003056BF321CF69D885E5AFBE8FB89374F25061EE585832C0EA34A905C738
                                                                                Function 00443005 Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 491 443005-443010 492 443012-44301c 491->492 493 44301e-443024 491->493 492->493 494 443052-44305d call 43ad91 492->494 495 443026-443027 493->495 496 44303d-44304e RtlAllocateHeap 493->496 501 44305f-443061 494->501 495->496 497 443050 496->497 498 443029-443030 call 442a57 496->498 497->501 498->494 504 443032-44303b call 440480 498->504 504->494 504->496
                                                                                APIs
                                                                                • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,004457DA,00000001,00000364,?,00000000,?,00439A11,00000000,?,?,00439A95,00000000), ref: 00443046
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AllocateHeap
                                                                                • String ID:
                                                                                • API String ID: 1279760036-0
                                                                                • Opcode ID: 8a82d2413be822b6e30d7260cb8c0ab5a5cb0f0d071671a377993aa538de489b
                                                                                • Instruction ID: 6f1ff5b5ffdcc79539d97ae047dfd157567b1d653d04e58146e0509186e3fe0c
                                                                                • Opcode Fuzzy Hash: 8a82d2413be822b6e30d7260cb8c0ab5a5cb0f0d071671a377993aa538de489b
                                                                                • Instruction Fuzzy Hash: A0F0B43220022466FB319E229C01A5B3749AF42FA2F158227BC04E62C9CA78DE1182AD
                                                                                Function 00443649 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 507 443649-443655 508 443687-443692 call 43ad91 507->508 509 443657-443659 507->509 516 443694-443696 508->516 510 443672-443683 RtlAllocateHeap 509->510 511 44365b-44365c 509->511 513 443685 510->513 514 44365e-443665 call 442a57 510->514 511->510 513->516 514->508 519 443667-443670 call 440480 514->519 519->508 519->510
                                                                                APIs
                                                                                • RtlAllocateHeap.NTDLL(00000000,00433069,?,?,004365E7,?,?,00000000,00473A38,?,0040C88A,00433069,?,?,?,?), ref: 0044367B
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AllocateHeap
                                                                                • String ID:
                                                                                • API String ID: 1279760036-0
                                                                                • Opcode ID: 0c61ffa0ec78c269e0422769366e0108c3b164e239eff4ad14a217a7d57edf52
                                                                                • Instruction ID: 99ef05a6bb91785527f59a1062444bc3c705daae6acf277761014d7f2c467fed
                                                                                • Opcode Fuzzy Hash: 0c61ffa0ec78c269e0422769366e0108c3b164e239eff4ad14a217a7d57edf52
                                                                                • Instruction Fuzzy Hash: 7EE0E52110162377F6312E635C0075B36489F41BA2F17412BFC8596780CB69CE0041AD

                                                                                Non-executed Functions

                                                                                Function 00410B5C Relevance: 33.5, APIs: 7, Strings: 12, Instructions: 238threadCOMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • GetCurrentProcessId.KERNEL32 ref: 00410B6B
                                                                                  • Part of subcall function 00412268: RegCreateKeyA.ADVAPI32(80000001,00000000,P0F), ref: 00412276
                                                                                  • Part of subcall function 00412268: RegSetValueExA.ADVAPI32(P0F,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B093,004638E0,00000001,000000AF,00463050), ref: 00412291
                                                                                  • Part of subcall function 00412268: RegCloseKey.ADVAPI32(?,?,?,?,0040B093,004638E0,00000001,000000AF,00463050), ref: 0041229C
                                                                                • OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 00410BAB
                                                                                • CloseHandle.KERNEL32(00000000), ref: 00410BBA
                                                                                • CreateThread.KERNEL32(00000000,00000000,00411253,00000000,00000000,00000000), ref: 00410C10
                                                                                • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 00410E7F
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CloseCreateOpenProcess$CurrentHandleMutexThreadValue
                                                                                • String ID: (#G$Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe$!G
                                                                                • API String ID: 3018269243-1736093966
                                                                                • Opcode ID: 0994219a8e8a2e6fdacb02da6b6c9aac93029fb7835260760d01e793a2ba6ee3
                                                                                • Instruction ID: e4f63523a9081b51a3adb9d06d528b7104d503695ba60a117a14e5ebfa22ea95
                                                                                • Opcode Fuzzy Hash: 0994219a8e8a2e6fdacb02da6b6c9aac93029fb7835260760d01e793a2ba6ee3
                                                                                • Instruction Fuzzy Hash: DD71923160430167C604FB62DD67DAE73A8AE91308F50097FF546621E2EEBC9E49C69F
                                                                                Function 00406D28 Relevance: 32.3, APIs: 9, Strings: 9, Instructions: 810fileCOMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • SetEvent.KERNEL32(?,?), ref: 00406D4A
                                                                                • GetFileAttributesW.KERNEL32(00000000,00000000,?), ref: 00406E18
                                                                                • DeleteFileW.KERNEL32(00000000), ref: 00406E3A
                                                                                  • Part of subcall function 0041A01B: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,00471E78,?), ref: 0041A076
                                                                                  • Part of subcall function 0041A01B: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,00471E78,?), ref: 0041A0A6
                                                                                  • Part of subcall function 0041A01B: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,00471E78,?), ref: 0041A0FB
                                                                                  • Part of subcall function 0041A01B: FindClose.KERNEL32(00000000,?,?,?,?,?,00471E78,?), ref: 0041A15C
                                                                                  • Part of subcall function 0041A01B: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,00471E78,?), ref: 0041A163
                                                                                  • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                                                                                  • Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4
                                                                                  • Part of subcall function 00404A81: WaitForSingleObject.KERNEL32(?,00000000,00401A25,?,?,00000004,?,?,00000004,00473A38,00471E78,00000000), ref: 00404B27
                                                                                  • Part of subcall function 00404A81: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00473A38,00471E78,00000000,?,?,?,?,?,00401A25), ref: 00404B55
                                                                                • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00407228
                                                                                • GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 00407309
                                                                                • DeleteFileA.KERNEL32(?), ref: 0040768E
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: File$Find$DeleteDirectoryEventRemove$AttributesCloseDriveExecuteFirstLocalLogicalNextObjectShellSingleStringsTimeWaitsend
                                                                                • String ID: Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $Unable to delete: $Unable to rename file!$open
                                                                                • API String ID: 1385304114-1507758755
                                                                                • Opcode ID: ed344af3b2e5fd50c32de0d2071b22cf1c649447e88408241c6b1e9951d97ab2
                                                                                • Instruction ID: 48d75f04ed6415a86b5419c4bbb4b80b443badeb9edbc79095c7941e671ccbd4
                                                                                • Opcode Fuzzy Hash: ed344af3b2e5fd50c32de0d2071b22cf1c649447e88408241c6b1e9951d97ab2
                                                                                • Instruction Fuzzy Hash: EE42A771A043005BC604FB76C86B9AE77A9AF91304F40493FF542671E2EE7D9A09C79B
                                                                                Function 0040567A Relevance: 30.0, APIs: 15, Strings: 2, Instructions: 278pipesleepfileCOMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • __Init_thread_footer.LIBCMT ref: 004056C6
                                                                                  • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                                                                                • __Init_thread_footer.LIBCMT ref: 00405703
                                                                                • CreatePipe.KERNEL32(00473BB4,00473B9C,00473AC0,00000000,00463068,00000000), ref: 00405796
                                                                                • CreatePipe.KERNEL32(00473BA0,00473BBC,00473AC0,00000000), ref: 004057AC
                                                                                • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00473AD0,00473BA4), ref: 0040581F
                                                                                • Sleep.KERNEL32(0000012C,00000093,?), ref: 00405877
                                                                                • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0040589C
                                                                                • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 004058C9
                                                                                  • Part of subcall function 00432525: __onexit.LIBCMT ref: 0043252B
                                                                                • WriteFile.KERNEL32(00000000,00000000,?,00000000,00471F28,0046306C,00000062,00463050), ref: 004059C4
                                                                                • Sleep.KERNEL32(00000064,00000062,00463050), ref: 004059DE
                                                                                • TerminateProcess.KERNEL32(00000000), ref: 004059F7
                                                                                • CloseHandle.KERNEL32 ref: 00405A03
                                                                                • CloseHandle.KERNEL32 ref: 00405A0B
                                                                                • CloseHandle.KERNEL32 ref: 00405A1D
                                                                                • CloseHandle.KERNEL32 ref: 00405A25
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CloseHandle$CreatePipe$FileInit_thread_footerProcessSleep$NamedPeekReadTerminateWrite__onexitsend
                                                                                • String ID: SystemDrive$cmd.exe
                                                                                • API String ID: 2994406822-3633465311
                                                                                • Opcode ID: 5c021f3089125aba88f796f846ebe2e25829f8f8e5088e6daf6fa1a592d288d8
                                                                                • Instruction ID: 60b94bd4732a7a61eda53217d638a5a8398e5d64ba0573e0a23605d008395794
                                                                                • Opcode Fuzzy Hash: 5c021f3089125aba88f796f846ebe2e25829f8f8e5088e6daf6fa1a592d288d8
                                                                                • Instruction Fuzzy Hash: 2991D571600204AFC710BF65AC52D6F3698EB44745F00443FF949A72E3DA7CAE489B6E
                                                                                Function 0040AA71 Relevance: 24.6, APIs: 8, Strings: 6, Instructions: 146fileCOMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040AAF0
                                                                                • FindClose.KERNEL32(00000000), ref: 0040AB0A
                                                                                • FindNextFileA.KERNEL32(00000000,?), ref: 0040AC2D
                                                                                • FindClose.KERNEL32(00000000), ref: 0040AC53
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Find$CloseFile$FirstNext
                                                                                • String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
                                                                                • API String ID: 1164774033-3681987949
                                                                                • Opcode ID: ca0fae3423e82ba65057aab1becec6cc490b3020935d7fd6147cf858be723e25
                                                                                • Instruction ID: fcfcc6101c27069c9b98dcbc284c26b589152974821445ccf2a2d41a2abcc6ea
                                                                                • Opcode Fuzzy Hash: ca0fae3423e82ba65057aab1becec6cc490b3020935d7fd6147cf858be723e25
                                                                                • Instruction Fuzzy Hash: DD516C7190021A9ADB14FBB1DC96EEEB738AF10309F50057FF406720E2FF785A458A5A
                                                                                Function 0040AC78 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 131fileCOMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040ACF0
                                                                                • FindClose.KERNEL32(00000000), ref: 0040AD0A
                                                                                • FindNextFileA.KERNEL32(00000000,?), ref: 0040ADCA
                                                                                • FindClose.KERNEL32(00000000), ref: 0040ADF0
                                                                                • FindClose.KERNEL32(00000000), ref: 0040AE11
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Find$Close$File$FirstNext
                                                                                • String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                                                                • API String ID: 3527384056-432212279
                                                                                • Opcode ID: 73f140f6d35823a17bd4706e2565cdbe6c65283cd980cbef6400db2aba249c94
                                                                                • Instruction ID: fb37dd61a783c7e48c67abb1194b5e9e6d585cff7aa156a37ad31c809035e36e
                                                                                • Opcode Fuzzy Hash: 73f140f6d35823a17bd4706e2565cdbe6c65283cd980cbef6400db2aba249c94
                                                                                • Instruction Fuzzy Hash: 33417E7190021A5ACB14FBB1DC56DEEB729AF11306F50057FF402B21D2EF789A468A9E
                                                                                Function 00414EC1 Relevance: 18.1, APIs: 12, Instructions: 83clipboardmemoryCOMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • OpenClipboard.USER32 ref: 00414EC2
                                                                                • EmptyClipboard.USER32 ref: 00414ED0
                                                                                • GlobalAlloc.KERNEL32(00002000,-00000002), ref: 00414EF0
                                                                                • GlobalLock.KERNEL32(00000000), ref: 00414EF9
                                                                                • GlobalUnlock.KERNEL32(00000000), ref: 00414F2F
                                                                                • SetClipboardData.USER32(0000000D,00000000), ref: 00414F38
                                                                                • CloseClipboard.USER32 ref: 00414F55
                                                                                • OpenClipboard.USER32 ref: 00414F5C
                                                                                • GetClipboardData.USER32(0000000D), ref: 00414F6C
                                                                                • GlobalLock.KERNEL32(00000000), ref: 00414F75
                                                                                • GlobalUnlock.KERNEL32(00000000), ref: 00414F7E
                                                                                • CloseClipboard.USER32 ref: 00414F84
                                                                                  • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
                                                                                • String ID:
                                                                                • API String ID: 3520204547-0
                                                                                • Opcode ID: 7af418065d64d393ef04eab576563171d8b43fad0296cfc06dd8feeb27fac25d
                                                                                • Instruction ID: 88f859f6ed4527f0268ca0f0dcff7fecf11b3a85ebb64268ee3e6238e9d0ca75
                                                                                • Opcode Fuzzy Hash: 7af418065d64d393ef04eab576563171d8b43fad0296cfc06dd8feeb27fac25d
                                                                                • Instruction Fuzzy Hash: C32162312043009BD714BF71DC5A9BE76A8AF90746F81093EF906931E3EF3889458A6A
                                                                                Function 004175E1 Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 204COMMON
                                                                                Download Yara Rule
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: 0$1$2$3$4$5$6$7
                                                                                • API String ID: 0-3177665633
                                                                                • Opcode ID: d8735d6a0333336ade1e6f6e2efec2098777929bb537579fb175260dc37f0ebb
                                                                                • Instruction ID: 7e6592d3055df16b324e67483fbf58bd1f951358f7384255f7d9d01b5e43b049
                                                                                • Opcode Fuzzy Hash: d8735d6a0333336ade1e6f6e2efec2098777929bb537579fb175260dc37f0ebb
                                                                                • Instruction Fuzzy Hash: 7661D4709183019ED704EF21D8A1FAB7BB4DF94310F10881FF5A25B2D1DA789A49CBA6
                                                                                Function 004186FE Relevance: 15.2, APIs: 10, Instructions: 228serviceCOMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,004727F8), ref: 00418714
                                                                                • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 00418763
                                                                                • GetLastError.KERNEL32 ref: 00418771
                                                                                • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 004187A9
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: EnumServicesStatus$ErrorLastManagerOpen
                                                                                • String ID:
                                                                                • API String ID: 3587775597-0
                                                                                • Opcode ID: 34024fdfa8a713f0afce5fe9f0c97afca5efcb225a30f11e8eb811eac3c6f7a9
                                                                                • Instruction ID: 6ce88c058296d2c3b0169cbae3b24baff62e3479be35c2318cb4853598c639b3
                                                                                • Opcode Fuzzy Hash: 34024fdfa8a713f0afce5fe9f0c97afca5efcb225a30f11e8eb811eac3c6f7a9
                                                                                • Instruction Fuzzy Hash: 04814071104344ABC304FB62DC959AFB7E8FF94708F50092EF58552192EE78EA49CB9A
                                                                                Function 0040B28E Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 112fileCOMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • FindFirstFileW.KERNEL32(00000000,?,\Mozilla\Firefox\Profiles\,00000000), ref: 0040B2DC
                                                                                • FindNextFileW.KERNEL32(00000000,?), ref: 0040B3AF
                                                                                • FindClose.KERNEL32(00000000), ref: 0040B3BE
                                                                                • FindClose.KERNEL32(00000000), ref: 0040B3E9
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Find$CloseFile$FirstNext
                                                                                • String ID: AppData$\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                                                                • API String ID: 1164774033-405221262
                                                                                • Opcode ID: 4b14aa1bc7189600b3df2c7baed1fce7e981b9bf703063a35819cb8b8327a43d
                                                                                • Instruction ID: 883258bb694cc85cc249d311a8318fbda55549897f82b44e5d780b3967986c9e
                                                                                • Opcode Fuzzy Hash: 4b14aa1bc7189600b3df2c7baed1fce7e981b9bf703063a35819cb8b8327a43d
                                                                                • Instruction Fuzzy Hash: 7D31533190025996CB14FBA1DC9ADEE7778AF50718F10017FF405B21D2EFBC9A4A8A8D
                                                                                Function 0041A01B Relevance: 13.6, APIs: 9, Instructions: 106fileCOMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,00471E78,?), ref: 0041A076
                                                                                • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,00471E78,?), ref: 0041A0A6
                                                                                • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,00471E78,?), ref: 0041A118
                                                                                • DeleteFileW.KERNEL32(?,?,?,?,?,?,00471E78,?), ref: 0041A125
                                                                                  • Part of subcall function 0041A01B: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,00471E78,?), ref: 0041A0FB
                                                                                • GetLastError.KERNEL32(?,?,?,?,?,00471E78,?), ref: 0041A146
                                                                                • FindClose.KERNEL32(00000000,?,?,?,?,?,00471E78,?), ref: 0041A15C
                                                                                • RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,00471E78,?), ref: 0041A163
                                                                                • FindClose.KERNEL32(00000000,?,?,?,?,?,00471E78,?), ref: 0041A16C
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
                                                                                • String ID:
                                                                                • API String ID: 2341273852-0
                                                                                • Opcode ID: 2253f20c687efd1695f59cc813ac36ef13daa749edc7cb4b9e2c9040a42a2537
                                                                                • Instruction ID: c5fafce0dbccb0860899da49af80cd87a4a733faaf08891c553187227cdc222a
                                                                                • Opcode Fuzzy Hash: 2253f20c687efd1695f59cc813ac36ef13daa749edc7cb4b9e2c9040a42a2537
                                                                                • Instruction Fuzzy Hash: 5F31937290121C6ADB20EBA0DC49EDB77BCAB08305F4406FBF558D3152EB39DAD48A19
                                                                                Function 00410763 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 206memoryCOMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                  • Part of subcall function 00410201: SetLastError.KERNEL32(0000000D,00410781,00000000,$.F,?,?,?,?,?,?,?,?,?,?,?,0041075F), ref: 00410207
                                                                                • SetLastError.KERNEL32(000000C1,00000000,$.F,?,?,?,?,?,?,?,?,?,?,?,0041075F), ref: 0041079C
                                                                                • GetNativeSystemInfo.KERNEL32(?,?,00000000,$.F,?,?,?,?,?,?,?,?,?,?,?,0041075F), ref: 0041080A
                                                                                • SetLastError.KERNEL32(0000000E), ref: 0041082E
                                                                                  • Part of subcall function 00410708: VirtualAlloc.KERNEL32(00000000,00000000,00000000,00000000,0041084C,?,00000000,00003000,00000004,00000000), ref: 00410718
                                                                                • GetProcessHeap.KERNEL32(00000008,00000040), ref: 00410875
                                                                                • HeapAlloc.KERNEL32(00000000), ref: 0041087C
                                                                                • SetLastError.KERNEL32(0000045A), ref: 0041098F
                                                                                  • Part of subcall function 00410ADC: GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,0041099C), ref: 00410B4C
                                                                                  • Part of subcall function 00410ADC: HeapFree.KERNEL32(00000000), ref: 00410B53
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ErrorHeapLast$AllocProcess$FreeInfoNativeSystemVirtual
                                                                                • String ID: $.F
                                                                                • API String ID: 3950776272-1421728423
                                                                                • Opcode ID: afa6d71e2a3b14814050e18c4da3df367c89416f336fbbd417f722f4d15fa1ad
                                                                                • Instruction ID: 59628d97446cb481dba570c2b442d682f024dd9dc2812234181a156a821a4c1f
                                                                                • Opcode Fuzzy Hash: afa6d71e2a3b14814050e18c4da3df367c89416f336fbbd417f722f4d15fa1ad
                                                                                • Instruction Fuzzy Hash: F7619270200211ABD750AF66CD91BAB7BA5BF44714F54412AF9158B382DBFCE8C1CBD9
                                                                                Function 00409340 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 63windowCOMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 0040935B
                                                                                • SetWindowsHookExA.USER32(0000000D,0040932C,00000000), ref: 00409369
                                                                                • GetLastError.KERNEL32 ref: 00409375
                                                                                  • Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4
                                                                                • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 004093C3
                                                                                • TranslateMessage.USER32(?), ref: 004093D2
                                                                                • DispatchMessageA.USER32(?), ref: 004093DD
                                                                                Strings
                                                                                • Keylogger initialization failure: error , xrefs: 00409389
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
                                                                                • String ID: Keylogger initialization failure: error
                                                                                • API String ID: 3219506041-952744263
                                                                                • Opcode ID: 4daa718d81045fd2d4cd741a07fca7de2266515ef5ec0dc15ecea471e6442c9d
                                                                                • Instruction ID: 7386389ed158dc1e9b291cee6df9fe5cdc6a320468782ebba6dd7d831fd8f91b
                                                                                • Opcode Fuzzy Hash: 4daa718d81045fd2d4cd741a07fca7de2266515ef5ec0dc15ecea471e6442c9d
                                                                                • Instruction Fuzzy Hash: 4D119431604301ABC7107B769D0985BB7ECEB99712B500A7EFC95D32D2EB74C900CB6A
                                                                                Function 004128E3 Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 485registrylibraryloaderCOMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004129B8
                                                                                • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004129C4
                                                                                  • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                                                                                • LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 00412CBA
                                                                                • GetProcAddress.KERNEL32(00000000), ref: 00412CC1
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AddressCloseCreateLibraryLoadProcsend
                                                                                • String ID: SHDeleteKeyW$Shlwapi.dll
                                                                                • API String ID: 2127411465-314212984
                                                                                • Opcode ID: 4d1b54bdb48d1e71edff6421ab1f1888d78c8ca568d6030425719987dfaca1a1
                                                                                • Instruction ID: 16181ac17c5890234a95f9c719cc05f83ad3eef33587bd03cd2ae8bf1541d7ce
                                                                                • Opcode Fuzzy Hash: 4d1b54bdb48d1e71edff6421ab1f1888d78c8ca568d6030425719987dfaca1a1
                                                                                • Instruction Fuzzy Hash: CCE1DA72A0430067CA14B776DD57DAF36A8AF91318F40053FF946F71E2EDBD8A44829A
                                                                                Function 0040E18D Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 90sleepCOMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                  • Part of subcall function 00411F34: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,?), ref: 00411F54
                                                                                  • Part of subcall function 00411F34: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,00000000), ref: 00411F72
                                                                                  • Part of subcall function 00411F34: RegCloseKey.ADVAPI32(?), ref: 00411F7D
                                                                                • Sleep.KERNEL32(00000BB8), ref: 0040E243
                                                                                • ExitProcess.KERNEL32 ref: 0040E2B4
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CloseExitOpenProcessQuerySleepValue
                                                                                • String ID: 3.8.0 Pro$override$pth_unenc$!G
                                                                                • API String ID: 2281282204-1386060931
                                                                                • Opcode ID: 2411e5703e7239f679d30a90bad3a95645d2e36138ee9f8a514be94ac54cb995
                                                                                • Instruction ID: b884fba6e00cc138548ee74cf6c0f0a6577cc223cd772b3e63c92b5116f64211
                                                                                • Opcode Fuzzy Hash: 2411e5703e7239f679d30a90bad3a95645d2e36138ee9f8a514be94ac54cb995
                                                                                • Instruction Fuzzy Hash: 6E213770B4030027DA08B6768D5BAAE35899B82708F40446FF911AB2D7EEBD8D4583DF
                                                                                Function 0041936B Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 69networkfileCOMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00419392
                                                                                • InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 004193A8
                                                                                • InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 004193C1
                                                                                • InternetCloseHandle.WININET(00000000), ref: 00419407
                                                                                • InternetCloseHandle.WININET(00000000), ref: 0041940A
                                                                                Strings
                                                                                • http://geoplugin.net/json.gp, xrefs: 004193A2
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Internet$CloseHandleOpen$FileRead
                                                                                • String ID: http://geoplugin.net/json.gp
                                                                                • API String ID: 3121278467-91888290
                                                                                • Opcode ID: b466771ac383747d783c9c0387e188c30a2c1ba47fa958ec68d45e884e15b8a9
                                                                                • Instruction ID: 9fad89c028030122b1819b6a874fefb9d729214f45c39af6bed7b2b06c6e4f32
                                                                                • Opcode Fuzzy Hash: b466771ac383747d783c9c0387e188c30a2c1ba47fa958ec68d45e884e15b8a9
                                                                                • Instruction Fuzzy Hash: 3311C8311053126BD224EF169C59DABBF9CEF85765F40053EF905A32C1DBA8DC44C6A9
                                                                                Function 0040A953 Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 49fileCOMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040A98F
                                                                                • GetLastError.KERNEL32 ref: 0040A999
                                                                                Strings
                                                                                • UserProfile, xrefs: 0040A95F
                                                                                • [Chrome StoredLogins found, cleared!], xrefs: 0040A9BF
                                                                                • [Chrome StoredLogins not found], xrefs: 0040A9B3
                                                                                • \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040A95A
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: DeleteErrorFileLast
                                                                                • String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
                                                                                • API String ID: 2018770650-1062637481
                                                                                • Opcode ID: c755599410c6c02e55073cedb3b03e5beee3eb12ab5711b2b25ec6cbfe43ec22
                                                                                • Instruction ID: b2134abed7c3f614b53a5a28bf05479c5c2a11b403a78876888f6ce5fd1f590e
                                                                                • Opcode Fuzzy Hash: c755599410c6c02e55073cedb3b03e5beee3eb12ab5711b2b25ec6cbfe43ec22
                                                                                • Instruction Fuzzy Hash: 7801F271B9020466CA047A75DC2B8BE7728A921304B90057FF402732E2FE7D8A1586CF
                                                                                Function 00415C90 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 33COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • GetCurrentProcess.KERNEL32(00000028,?), ref: 00415C9D
                                                                                • OpenProcessToken.ADVAPI32(00000000), ref: 00415CA4
                                                                                • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00415CB6
                                                                                • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00415CD5
                                                                                • GetLastError.KERNEL32 ref: 00415CDB
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                                                                                • String ID: SeShutdownPrivilege
                                                                                • API String ID: 3534403312-3733053543
                                                                                • Opcode ID: 6b6a245ea7d04d36a7da703741a32f9ec851e6ff0cbdb80aef66d6ce6c3f9121
                                                                                • Instruction ID: ffc0972e6e84a8b4c82c7ff824774f91a9d221977230a9de1ecf93d0fe8dbf87
                                                                                • Opcode Fuzzy Hash: 6b6a245ea7d04d36a7da703741a32f9ec851e6ff0cbdb80aef66d6ce6c3f9121
                                                                                • Instruction Fuzzy Hash: 0AF03A71901229ABDB10ABA1ED4DEEF7F7CEF05616F510060B805A2152D6749A04CAB5
                                                                                Function 0040838E Relevance: 9.3, APIs: 6, Instructions: 293fileCOMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • __EH_prolog.LIBCMT ref: 00408393
                                                                                  • Part of subcall function 004048A8: connect.WS2_32(?,?,?), ref: 004048C0
                                                                                  • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                                                                                • __CxxThrowException@8.LIBVCRUNTIME ref: 0040842F
                                                                                • FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 0040848D
                                                                                • FindNextFileW.KERNEL32(00000000,?), ref: 004084E5
                                                                                • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 004084FC
                                                                                  • Part of subcall function 00404E06: WaitForSingleObject.KERNEL32(?,000000FF,00000000,00471E90,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E18
                                                                                  • Part of subcall function 00404E06: SetEvent.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E23
                                                                                  • Part of subcall function 00404E06: CloseHandle.KERNELBASE(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E2C
                                                                                • FindClose.KERNEL32(00000000), ref: 004086F4
                                                                                  • Part of subcall function 00404A81: WaitForSingleObject.KERNEL32(?,00000000,00401A25,?,?,00000004,?,?,00000004,00473A38,00471E78,00000000), ref: 00404B27
                                                                                  • Part of subcall function 00404A81: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00473A38,00471E78,00000000,?,?,?,?,?,00401A25), ref: 00404B55
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Find$Close$EventFileObjectSingleWait$Exception@8FirstH_prologHandleNextThrowconnectsend
                                                                                • String ID:
                                                                                • API String ID: 1824512719-0
                                                                                • Opcode ID: fe1b7685708ab651bcf0735ee0d7b313b9460d78bb97c14bdd2e97ece23dd4dd
                                                                                • Instruction ID: 071b26812b5e49f88d0361c7bacc9152bfce797c8686ce15524b94070306fde2
                                                                                • Opcode Fuzzy Hash: fe1b7685708ab651bcf0735ee0d7b313b9460d78bb97c14bdd2e97ece23dd4dd
                                                                                • Instruction Fuzzy Hash: 4FB18D329001099BCB14FBA1CD92AEDB378AF50318F50416FE506B71E2EF785B49CB98
                                                                                Function 00409468 Relevance: 9.1, APIs: 6, Instructions: 54keyboardthreadCOMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • GetForegroundWindow.USER32 ref: 0040949C
                                                                                • GetWindowThreadProcessId.USER32(00000000,?), ref: 004094A7
                                                                                • GetKeyboardLayout.USER32(00000000), ref: 004094AE
                                                                                • GetKeyState.USER32(00000010), ref: 004094B8
                                                                                • GetKeyboardState.USER32(?), ref: 004094C5
                                                                                • ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 004094E1
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: KeyboardStateWindow$ForegroundLayoutProcessThreadUnicode
                                                                                • String ID:
                                                                                • API String ID: 3566172867-0
                                                                                • Opcode ID: d901ee0ac73cdc62f5a306cfd6c81765c1cc2556515ef31437eb64726968fe5d
                                                                                • Instruction ID: c7d3d650b917c490fc12d3d20248521073b1bf92526e1b13c177c4272b1ff9cc
                                                                                • Opcode Fuzzy Hash: d901ee0ac73cdc62f5a306cfd6c81765c1cc2556515ef31437eb64726968fe5d
                                                                                • Instruction Fuzzy Hash: B9111E7290020CABDB10DBE4EC49FDA7BBCEB4C706F510465FA08E7191E675EA548BA4
                                                                                Function 00418A00 Relevance: 9.0, APIs: 6, Instructions: 39serviceCOMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,00000001,?,00418656,00000000), ref: 00418A09
                                                                                • OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,00418656,00000000), ref: 00418A1E
                                                                                • CloseServiceHandle.ADVAPI32(00000000,?,00418656,00000000), ref: 00418A2B
                                                                                • StartServiceW.ADVAPI32(00000000,00000000,00000000,?,00418656,00000000), ref: 00418A36
                                                                                • CloseServiceHandle.ADVAPI32(00000000,?,00418656,00000000), ref: 00418A48
                                                                                • CloseServiceHandle.ADVAPI32(00000000,?,00418656,00000000), ref: 00418A4B
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Service$CloseHandle$Open$ManagerStart
                                                                                • String ID:
                                                                                • API String ID: 276877138-0
                                                                                • Opcode ID: 3fc945a915b8368a843192f93137a5e178334297252c2274446b31ee589ae89c
                                                                                • Instruction ID: d7e7041197745ae6b8576ac0eea0d71e7d0897d816d6b6e74118e31fa9ec717f
                                                                                • Opcode Fuzzy Hash: 3fc945a915b8368a843192f93137a5e178334297252c2274446b31ee589ae89c
                                                                                • Instruction Fuzzy Hash: CAF082711012246FD211EB65EC89DBF2BACDF85BA6B41042BF801931918F78CD49A9B9
                                                                                Function 00417AAB Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 245fileCOMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • FindFirstFileW.KERNEL32(00000000,?), ref: 00417D01
                                                                                • FindNextFileW.KERNEL32(00000000,?,?), ref: 00417DCD
                                                                                  • Part of subcall function 0041A20F: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040410F,00462E24), ref: 0041A228
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: File$Find$CreateFirstNext
                                                                                • String ID: H"G$`'G$`'G
                                                                                • API String ID: 341183262-2774397156
                                                                                • Opcode ID: 1c2414021da6440835d49ac6102ffa63c6d14a47ce5d9061cc695da813b91b5c
                                                                                • Instruction ID: cc65440c5fe1593426504ff8613f72b7370ef7481f3bf724e026da4e35a467e2
                                                                                • Opcode Fuzzy Hash: 1c2414021da6440835d49ac6102ffa63c6d14a47ce5d9061cc695da813b91b5c
                                                                                • Instruction Fuzzy Hash: 138183315083415BC314FB62C996DEFB7A8AF90304F40493FF586671E2EF789A49C69A
                                                                                Function 00414DB4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 97libraryloadershutdownCOMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                  • Part of subcall function 00415C90: GetCurrentProcess.KERNEL32(00000028,?), ref: 00415C9D
                                                                                  • Part of subcall function 00415C90: OpenProcessToken.ADVAPI32(00000000), ref: 00415CA4
                                                                                  • Part of subcall function 00415C90: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00415CB6
                                                                                  • Part of subcall function 00415C90: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00415CD5
                                                                                  • Part of subcall function 00415C90: GetLastError.KERNEL32 ref: 00415CDB
                                                                                • ExitWindowsEx.USER32(00000000,00000001), ref: 00414E56
                                                                                • LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 00414E6B
                                                                                • GetProcAddress.KERNEL32(00000000), ref: 00414E72
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
                                                                                • String ID: PowrProf.dll$SetSuspendState
                                                                                • API String ID: 1589313981-1420736420
                                                                                • Opcode ID: 485f73e636cde54b00929bf3910efae957862298eb284d08d9347c6df5f92bed
                                                                                • Instruction ID: 748c18e79ee5f9a1fbb6f05bd7ad52209f91b0004c4d1b0055552a3b76c5c1f9
                                                                                • Opcode Fuzzy Hash: 485f73e636cde54b00929bf3910efae957862298eb284d08d9347c6df5f92bed
                                                                                • Instruction Fuzzy Hash: 5F214F7070430157CE14FBB19896AAF6359AFD4349F40097FB5026B2D2EE7DCC4986AE
                                                                                Function 0044F61C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 86COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002), ref: 0044F6B5
                                                                                • GetLocaleInfoW.KERNEL32(?,20001004,?,00000002), ref: 0044F6DE
                                                                                • GetACP.KERNEL32 ref: 0044F6F3
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: InfoLocale
                                                                                • String ID: ACP$OCP
                                                                                • API String ID: 2299586839-711371036
                                                                                • Opcode ID: bf4880e5188eb12a7c294a6f25afa26b03a49e2ed1ffce5823e951fdb7c5b330
                                                                                • Instruction ID: bf1e89585aec8fc6a823a5c6a63220f2d7696aba51182a9853130589b0d37fa4
                                                                                • Opcode Fuzzy Hash: bf4880e5188eb12a7c294a6f25afa26b03a49e2ed1ffce5823e951fdb7c5b330
                                                                                • Instruction Fuzzy Hash: 2221C122A00101A6F7348F24C901A9B73AAAF50B65F578577E809C7221FB36DD4BC398
                                                                                Function 0040A0B0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 68timeCOMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • GetLocalTime.KERNEL32(?,Offline Keylogger Started,00472008), ref: 0040A0BE
                                                                                • wsprintfW.USER32 ref: 0040A13F
                                                                                  • Part of subcall function 0040962E: SetEvent.KERNEL32(?,?,00000000,0040A156,00000000), ref: 0040965A
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: EventLocalTimewsprintf
                                                                                • String ID: [%04i/%02i/%02i %02i:%02i:%02i $Offline Keylogger Started$]
                                                                                • API String ID: 1497725170-248792730
                                                                                • Opcode ID: fba235103b278867a94ac01b4008561b91da21cc19b5b0712c91af747e02a924
                                                                                • Instruction ID: 6803640c9eec9339f7c785541c6425a10534024a2ea1efda602809c990ee83c1
                                                                                • Opcode Fuzzy Hash: fba235103b278867a94ac01b4008561b91da21cc19b5b0712c91af747e02a924
                                                                                • Instruction Fuzzy Hash: 5E114272504118AAC708FB96EC558FE77BCEE48315B00412FF806661D2EF7C5A46D6A9
                                                                                Function 00419493 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 25COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • FindResourceA.KERNEL32(SETTINGS,0000000A), ref: 004194A4
                                                                                • LoadResource.KERNEL32(00000000,?,?,?,0040DD9E), ref: 004194B8
                                                                                • LockResource.KERNEL32(00000000,?,?,?,0040DD9E), ref: 004194BF
                                                                                • SizeofResource.KERNEL32(00000000,?,?,?,0040DD9E), ref: 004194CE
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Resource$FindLoadLockSizeof
                                                                                • String ID: SETTINGS
                                                                                • API String ID: 3473537107-594951305
                                                                                • Opcode ID: 7f61ee72686a272b8f551de58b86ae3e218e906a9fde472ee07ff8038d16bca4
                                                                                • Instruction ID: a9e8191b24fee58836060ebd07e0bd7776b83e69f4e337d8cda710b4f32c44fb
                                                                                • Opcode Fuzzy Hash: 7f61ee72686a272b8f551de58b86ae3e218e906a9fde472ee07ff8038d16bca4
                                                                                • Instruction Fuzzy Hash: 72E01A76200710ABCB211FA1FC5CD273E69F799B537050035FA0183222DA75CC00CA19
                                                                                Function 004087A0 Relevance: 7.7, APIs: 5, Instructions: 222fileCOMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • __EH_prolog.LIBCMT ref: 004087A5
                                                                                • FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 0040881D
                                                                                • FindNextFileW.KERNEL32(00000000,?), ref: 00408846
                                                                                • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 0040885D
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Find$File$CloseFirstH_prologNext
                                                                                • String ID:
                                                                                • API String ID: 1157919129-0
                                                                                • Opcode ID: 723ee23fa97bb8f6af8cca5773ea7e68c839743d70c3dbe8a8860bd87f8337b2
                                                                                • Instruction ID: 37d480644902bd8bd77a9749fd647df5a3db5b19bbca398f696489d34b7b99bb
                                                                                • Opcode Fuzzy Hash: 723ee23fa97bb8f6af8cca5773ea7e68c839743d70c3dbe8a8860bd87f8337b2
                                                                                • Instruction Fuzzy Hash: 12814D329001199BCB15EBA1DD929ED73B8AF54308F10427FE446B71E2EF385B49CB98
                                                                                Function 0044F7F0 Relevance: 7.7, APIs: 5, Instructions: 188COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                  • Part of subcall function 00445725: GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
                                                                                  • Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
                                                                                  • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
                                                                                  • Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3
                                                                                  • Part of subcall function 00445725: _free.LIBCMT ref: 00445784
                                                                                  • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 00445791
                                                                                • GetUserDefaultLCID.KERNEL32 ref: 0044F8FC
                                                                                • IsValidCodePage.KERNEL32(00000000), ref: 0044F957
                                                                                • IsValidLocale.KERNEL32(?,00000001), ref: 0044F966
                                                                                • GetLocaleInfoW.KERNEL32(?,00001001,?,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 0044F9AE
                                                                                • GetLocaleInfoW.KERNEL32(?,00001002,?,00000040), ref: 0044F9CD
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                                                                                • String ID:
                                                                                • API String ID: 745075371-0
                                                                                • Opcode ID: b2004c1cc1df407676deb5a86971a5ed3ade22d67ad87857b151b1318ee5498f
                                                                                • Instruction ID: 3a6be996f1d9ea25600d7609fa1d0555167a50dcc121ad64ff78238f3932635f
                                                                                • Opcode Fuzzy Hash: b2004c1cc1df407676deb5a86971a5ed3ade22d67ad87857b151b1318ee5498f
                                                                                • Instruction Fuzzy Hash: 0351A271900215AFFB20EFA5DC41BBF77B8AF08301F05447BE914EB251E7789A088769
                                                                                Function 00407848 Relevance: 7.7, APIs: 5, Instructions: 186fileCOMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • __EH_prolog.LIBCMT ref: 0040784D
                                                                                • FindFirstFileW.KERNEL32(00000000,?,004632A8,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407906
                                                                                • __CxxThrowException@8.LIBVCRUNTIME ref: 0040792E
                                                                                • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040793B
                                                                                • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407A51
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Find$File$CloseException@8FirstH_prologNextThrow
                                                                                • String ID:
                                                                                • API String ID: 1771804793-0
                                                                                • Opcode ID: d2b2406fb78086a357800fb68e00157406e6bc822482aaceecce54b7553cb521
                                                                                • Instruction ID: 4b9324871479917b5af30c26e04a30266e6971a3e86a210f007197118c0b57fe
                                                                                • Opcode Fuzzy Hash: d2b2406fb78086a357800fb68e00157406e6bc822482aaceecce54b7553cb521
                                                                                • Instruction Fuzzy Hash: 18516372904208AACB04FBA1DD969DD7778AF11308F50417FB846771E2EF389B49CB99
                                                                                Function 0040E2E7 Relevance: 7.6, APIs: 5, Instructions: 132processCOMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                  • Part of subcall function 00419F23: GetCurrentProcess.KERNEL32(?,?,?,0040C663,WinDir,00000000,00000000), ref: 00419F34
                                                                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040E305
                                                                                • Process32FirstW.KERNEL32(00000000,?), ref: 0040E329
                                                                                • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E338
                                                                                • CloseHandle.KERNEL32(00000000), ref: 0040E4EF
                                                                                  • Part of subcall function 00419F51: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040DFB9,00000000,?,?,00000001), ref: 00419F66
                                                                                  • Part of subcall function 00419F87: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000), ref: 00419F9C
                                                                                • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E4E0
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ProcessProcess32$NextOpen$CloseCreateCurrentFirstHandleSnapshotToolhelp32
                                                                                • String ID:
                                                                                • API String ID: 1735047541-0
                                                                                • Opcode ID: 6f438c647af3f64ff81423d8645069480e61c42badef12e757d9f04d87e397aa
                                                                                • Instruction ID: 9ef93eb2fb75da2762b4731e21c5b8dc01158be40bd3d18dbb98703d8f1b3e60
                                                                                • Opcode Fuzzy Hash: 6f438c647af3f64ff81423d8645069480e61c42badef12e757d9f04d87e397aa
                                                                                • Instruction Fuzzy Hash: 904101311082415BC365F761D991EEFB3A8AFD4344F50493EF48A921E2EF38994AC75A
                                                                                Function 00443700 Relevance: 7.5, APIs: 2, Strings: 2, Instructions: 464COMMONLIBRARYCODE
                                                                                Download Yara Rule
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: A%E$A%E
                                                                                • API String ID: 0-137320553
                                                                                • Opcode ID: 4196e068c390569144ba97144776be62b0eb254e97c7fe9274842686a6009a67
                                                                                • Instruction ID: 1c47d48333aa2aee23a91f6ecd96940ee01f0d1a5fc0d697d822b355cdd05c70
                                                                                • Opcode Fuzzy Hash: 4196e068c390569144ba97144776be62b0eb254e97c7fe9274842686a6009a67
                                                                                • Instruction Fuzzy Hash: C4022E71E002199BEF14CFA9C8806AEF7F1EF88715F25816AE819E7341D735AE45CB84
                                                                                Function 0041A76C Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 83COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041A861
                                                                                  • Part of subcall function 0041215F: RegCreateKeyA.ADVAPI32(80000001,00000000,00000000), ref: 0041216E
                                                                                  • Part of subcall function 0041215F: RegSetValueExA.ADVAPI32(00000000,?,00000000,00000000,00000000,00000000,00000000,?,?,?,00412385,?,00000000), ref: 00412196
                                                                                  • Part of subcall function 0041215F: RegCloseKey.ADVAPI32(00000000,?,?,?,00412385,?,00000000), ref: 004121A1
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CloseCreateInfoParametersSystemValue
                                                                                • String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
                                                                                • API String ID: 4127273184-3576401099
                                                                                • Opcode ID: 5150ba5cc6bca268b63238cec6e219cc56e1651da33e9e1a7eed9394c1e9f3e3
                                                                                • Instruction ID: 146807b905f8226e4159dba151db05d0611ea4827dca33b530162433be1e3f9d
                                                                                • Opcode Fuzzy Hash: 5150ba5cc6bca268b63238cec6e219cc56e1651da33e9e1a7eed9394c1e9f3e3
                                                                                • Instruction Fuzzy Hash: 7C119671F8024037D514353A4D6BBAE18199343B50F54016BB6022B6CAF8EE4EA553DF
                                                                                Function 0044EEB8 Relevance: 6.2, APIs: 4, Instructions: 236COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                  • Part of subcall function 00445725: GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
                                                                                  • Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
                                                                                  • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
                                                                                  • Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3
                                                                                • IsValidCodePage.KERNEL32(00000000), ref: 0044EF9A
                                                                                • _wcschr.LIBVCRUNTIME ref: 0044F02A
                                                                                • _wcschr.LIBVCRUNTIME ref: 0044F038
                                                                                • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,?,00000000,?), ref: 0044F0DB
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
                                                                                • String ID:
                                                                                • API String ID: 4212172061-0
                                                                                • Opcode ID: b042c09d22adbd0a465f75c66fe4c588d2498b30252692f7cd71b119f9e6cb68
                                                                                • Instruction ID: 651119c321e801f17dd1a7ba429a2dceeb4aa1bed9d5f8a21b6634afb1069130
                                                                                • Opcode Fuzzy Hash: b042c09d22adbd0a465f75c66fe4c588d2498b30252692f7cd71b119f9e6cb68
                                                                                • Instruction Fuzzy Hash: 8E61E935600606AAFB24AB36DC46BB773A8FF44714F14047FF905D7282EB78E9488769
                                                                                Function 004468DC Relevance: 6.1, APIs: 4, Instructions: 90timeCOMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • _free.LIBCMT ref: 004468EC
                                                                                  • Part of subcall function 00443C92: HeapFree.KERNEL32(00000000,00000000,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?), ref: 00443CA8
                                                                                  • Part of subcall function 00443C92: GetLastError.KERNEL32(?,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?,?), ref: 00443CBA
                                                                                • GetTimeZoneInformation.KERNEL32 ref: 004468FE
                                                                                • WideCharToMultiByte.KERNEL32(00000000,?,0046F754,000000FF,?,0000003F,?,?), ref: 00446976
                                                                                • WideCharToMultiByte.KERNEL32(00000000,?,0046F7A8,000000FF,?,0000003F,?,?,?,0046F754,000000FF,?,0000003F,?,?), ref: 004469A3
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ByteCharMultiWide$ErrorFreeHeapInformationLastTimeZone_free
                                                                                • String ID:
                                                                                • API String ID: 806657224-0
                                                                                • Opcode ID: c4754ecadf84a16d93ca9149c5e3776e61e7a877748ed8df02352f8ef7aba337
                                                                                • Instruction ID: 2b7d8a9ac893eb444b3138181a21c3719d458e34cf104297cae44ef8c21a1482
                                                                                • Opcode Fuzzy Hash: c4754ecadf84a16d93ca9149c5e3776e61e7a877748ed8df02352f8ef7aba337
                                                                                • Instruction Fuzzy Hash: 4F31A5B1904245EFDB11DF69DC80469BBB8FF0671171602BFE090972A1D7B49D04DB5A
                                                                                Function 004063C6 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 222filenetworkCOMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 004064D2
                                                                                • URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 004065B6
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: DownloadExecuteFileShell
                                                                                • String ID: open
                                                                                • API String ID: 2825088817-2758837156
                                                                                • Opcode ID: 400a122d183a9112cc7a0cd06a1688c26b37542af8c87b61aae9a43f761ae058
                                                                                • Instruction ID: de45ecf938be0b84f02b1b366aeabb591a3e89dbb22835c7232af05a142efef6
                                                                                • Opcode Fuzzy Hash: 400a122d183a9112cc7a0cd06a1688c26b37542af8c87b61aae9a43f761ae058
                                                                                • Instruction Fuzzy Hash: 6F61D331A0430167CA14FB75D8A697E77A99F81708F00093FFD42772D6EE3D8A09869B
                                                                                Function 0044F2A3 Relevance: 4.7, APIs: 3, Instructions: 205COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                  • Part of subcall function 00445725: GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
                                                                                  • Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
                                                                                  • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
                                                                                  • Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3
                                                                                  • Part of subcall function 00445725: _free.LIBCMT ref: 00445784
                                                                                  • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 00445791
                                                                                • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0044F2F7
                                                                                • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0044F348
                                                                                • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0044F408
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ErrorInfoLastLocale$_free$_abort
                                                                                • String ID:
                                                                                • API String ID: 2829624132-0
                                                                                • Opcode ID: c08902af5a4ebae337e65d4f4913ac80c8ce7fcb5dd297238357898b4052817f
                                                                                • Instruction ID: 12c224c4da0c85949021a4ccaa6d586ab513ef91610cb16151a2099a543b2454
                                                                                • Opcode Fuzzy Hash: c08902af5a4ebae337e65d4f4913ac80c8ce7fcb5dd297238357898b4052817f
                                                                                • Instruction Fuzzy Hash: 49617D71600207ABEB289F25CC82B7B77A8EF14314F1041BBED06C6685EB78D949DB58
                                                                                Function 004398AC Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • IsDebuggerPresent.KERNEL32 ref: 004399A4
                                                                                • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 004399AE
                                                                                • UnhandledExceptionFilter.KERNEL32(?), ref: 004399BB
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                                                • String ID:
                                                                                • API String ID: 3906539128-0
                                                                                • Opcode ID: a2edd11b745fd0db19ae8b75a4dca2fd63e5a3b0d4ecfa6da1b026d4ab375051
                                                                                • Instruction ID: 77e6618fa9d19f9c50586940e2a7469f5a9d54f298177c93e0bbf68cc30459b4
                                                                                • Opcode Fuzzy Hash: a2edd11b745fd0db19ae8b75a4dca2fd63e5a3b0d4ecfa6da1b026d4ab375051
                                                                                • Instruction Fuzzy Hash: 1D31D67591122C9BCB21DF65D9897CDB7B8BF08310F5051EAE40CA72A1E7749F858F48
                                                                                Function 004315EC Relevance: 4.5, APIs: 3, Instructions: 30encryptionCOMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • CryptAcquireContextA.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,?,00000000,00431274,00000034,?,?,00000000), ref: 004315FE
                                                                                • CryptGenRandom.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00431307,00000000,?,00000000), ref: 00431614
                                                                                • CryptReleaseContext.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,?,?,00431307,00000000,?,00000000,0041C006), ref: 00431626
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Crypt$Context$AcquireRandomRelease
                                                                                • String ID:
                                                                                • API String ID: 1815803762-0
                                                                                • Opcode ID: 490f37dff30391dd88b2b348f1e17f82ee14bc365aa64bdd7ac48a14519942bc
                                                                                • Instruction ID: e2f248fbd61bea3c509e9dcbc4a9d000159a3c4e1760f154dd59208f6820a057
                                                                                • Opcode Fuzzy Hash: 490f37dff30391dd88b2b348f1e17f82ee14bc365aa64bdd7ac48a14519942bc
                                                                                • Instruction Fuzzy Hash: FDE0923130C310BBEB304F51AC09F172A55EB8DB72FA5063AF112E50F4D6518801855C
                                                                                Function 0040A65A Relevance: 4.5, APIs: 3, Instructions: 19clipboardCOMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • OpenClipboard.USER32(00000000), ref: 0040A65D
                                                                                • GetClipboardData.USER32(0000000D), ref: 0040A669
                                                                                • CloseClipboard.USER32 ref: 0040A671
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Clipboard$CloseDataOpen
                                                                                • String ID:
                                                                                • API String ID: 2058664381-0
                                                                                • Opcode ID: edb8c36ac275bb67b795d66d8e1b797ea5e31e94c4ba3ac6c333071066a6c16d
                                                                                • Instruction ID: 184f8b84181a4a50bd43ef3289a1c1a9f5b779335cc527adffbe090e77bee848
                                                                                • Opcode Fuzzy Hash: edb8c36ac275bb67b795d66d8e1b797ea5e31e94c4ba3ac6c333071066a6c16d
                                                                                • Instruction Fuzzy Hash: 6CE08C3064432097D2206F60EC08B8A66649B50B12F064A7AB849AB2D1DA75DC208AAE
                                                                                Function 004329DA Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 134COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • IsProcessorFeaturePresent.KERNEL32(0000000A,00000000), ref: 004329F3
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: FeaturePresentProcessor
                                                                                • String ID:
                                                                                • API String ID: 2325560087-3916222277
                                                                                • Opcode ID: 6bf946e24e0cf3f7143bf6f7c2898541fb51292b7eeb3b4358a3a41aa26ebfb9
                                                                                • Instruction ID: 4a1c44cf8a386737ece403ae0cfd22a47b20ce31fd9c2d8f3958115f99bf9d9d
                                                                                • Opcode Fuzzy Hash: 6bf946e24e0cf3f7143bf6f7c2898541fb51292b7eeb3b4358a3a41aa26ebfb9
                                                                                • Instruction Fuzzy Hash: E4514A719002099BDB24CFAAD98579ABBF4FF48314F14846BD815EB350E3B9A910CFA5
                                                                                Function 00445E1C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 37COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,004419DC,?,00000004), ref: 00445E6F
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: InfoLocale
                                                                                • String ID: GetLocaleInfoEx
                                                                                • API String ID: 2299586839-2904428671
                                                                                • Opcode ID: 020099d0525865bb6834e28ad9152f433c6e4676045ed3ecc95ad7b7c68cac6a
                                                                                • Instruction ID: a9bb3d2992a9d1fe8e60343c55b6d981a628f421e7cf107d295b861f9edee2c3
                                                                                • Opcode Fuzzy Hash: 020099d0525865bb6834e28ad9152f433c6e4676045ed3ecc95ad7b7c68cac6a
                                                                                • Instruction Fuzzy Hash: 6DF0F631600708BBDF016F619C05F6E7B51EB14721F10401BFC051A253CA758D109A9D
                                                                                Function 004068CD Relevance: 3.1, APIs: 2, Instructions: 86fileCOMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 004068E8
                                                                                • FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 004069B0
                                                                                  • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: FileFind$FirstNextsend
                                                                                • String ID:
                                                                                • API String ID: 4113138495-0
                                                                                • Opcode ID: e3ef31e205124b2d37ce34f80ed01c56440b36d419931c260197812f3169fbb8
                                                                                • Instruction ID: f886cb8170a1cbefaa312452e39d18d6cd017e90ab843946bfd6f4b2f28fefe7
                                                                                • Opcode Fuzzy Hash: e3ef31e205124b2d37ce34f80ed01c56440b36d419931c260197812f3169fbb8
                                                                                • Instruction Fuzzy Hash: 9C218F711043015BC314FBA1DC96CEFB7ACAF91358F400A3EF596621E1EF389A09CA5A
                                                                                Function 0044F4F3 Relevance: 1.6, APIs: 1, Instructions: 83COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                  • Part of subcall function 00445725: GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
                                                                                  • Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
                                                                                  • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
                                                                                  • Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3
                                                                                  • Part of subcall function 00445725: _free.LIBCMT ref: 00445784
                                                                                  • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 00445791
                                                                                • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0044F547
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ErrorLast$_free$InfoLocale_abort
                                                                                • String ID:
                                                                                • API String ID: 1663032902-0
                                                                                • Opcode ID: ad0e0b7788e936bcfdd9e0a2c8ea1aecabb77b710f5984c66624a7eb150c0fcd
                                                                                • Instruction ID: 815750de5804ab4a8f75770bcc990d44dba9c2967eca50803adc2dd3443e40da
                                                                                • Opcode Fuzzy Hash: ad0e0b7788e936bcfdd9e0a2c8ea1aecabb77b710f5984c66624a7eb150c0fcd
                                                                                • Instruction Fuzzy Hash: 6421B372901206BBEF249F26DC45A7A73A8EB04315F10017BFD01C6242EB78AD59CB59
                                                                                Function 0044F17B Relevance: 1.6, APIs: 1, Instructions: 63COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                  • Part of subcall function 00445725: GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
                                                                                  • Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
                                                                                  • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
                                                                                  • Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3
                                                                                • EnumSystemLocalesW.KERNEL32(0044F2A3,00000001), ref: 0044F1ED
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                                                • String ID:
                                                                                • API String ID: 1084509184-0
                                                                                • Opcode ID: 673455fbabca7124b3ca300a5bad4779d617d2069552d52611791679d418f519
                                                                                • Instruction ID: fc4c71b657a69648ba6c32e8c27400de65702582941300ca2eca7bc8fd592fd6
                                                                                • Opcode Fuzzy Hash: 673455fbabca7124b3ca300a5bad4779d617d2069552d52611791679d418f519
                                                                                • Instruction Fuzzy Hash: D811293B6007019FEB189F39D89167BBB91FF80358B14443DE94647B40D776A946C744
                                                                                Function 0044F723 Relevance: 1.5, APIs: 1, Instructions: 46COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                  • Part of subcall function 00445725: GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
                                                                                  • Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
                                                                                  • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
                                                                                  • Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3
                                                                                • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,0044F4C1,00000000,00000000,?), ref: 0044F74F
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ErrorLast$InfoLocale_abort_free
                                                                                • String ID:
                                                                                • API String ID: 2692324296-0
                                                                                • Opcode ID: e8e40a4c1e4a1452f322ea5d58aa65e712e874c7af3971ed527245fc130c3ff5
                                                                                • Instruction ID: e4b95bc4a5e1061338a04706472302caa06a68982d3ebb8569a44a178f9f49d5
                                                                                • Opcode Fuzzy Hash: e8e40a4c1e4a1452f322ea5d58aa65e712e874c7af3971ed527245fc130c3ff5
                                                                                • Instruction Fuzzy Hash: 09F02D36600516BBFB245B65DC05BBB7768EF40764F05447AEC19A3240EA7CFD05C6D4
                                                                                Function 0044F216 Relevance: 1.5, APIs: 1, Instructions: 42COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                  • Part of subcall function 00445725: GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
                                                                                  • Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
                                                                                  • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
                                                                                  • Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3
                                                                                • EnumSystemLocalesW.KERNEL32(0044F4F3,00000001), ref: 0044F262
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                                                • String ID:
                                                                                • API String ID: 1084509184-0
                                                                                • Opcode ID: e9707e75e047b008c80f6bc881a45fe398cc0546891e27ca4c894483a9e1b79d
                                                                                • Instruction ID: 7c38563944de2097393583401858843e6c2e12a799e64e453201a09b71e8bce8
                                                                                • Opcode Fuzzy Hash: e9707e75e047b008c80f6bc881a45fe398cc0546891e27ca4c894483a9e1b79d
                                                                                • Instruction Fuzzy Hash: 44F0223A2007045FEB145F399881A7B7B94FF8036CB15447EF9458B690DAB6AC068614
                                                                                Function 004195F8 Relevance: 1.5, APIs: 1, Instructions: 41COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • GetUserNameW.ADVAPI32(?,00000010), ref: 0041962D
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: NameUser
                                                                                • String ID:
                                                                                • API String ID: 2645101109-0
                                                                                • Opcode ID: 8951ed9e5e96f4eef37346a31dc1e1cfc055faec67558bb1b1f4eabc83ab8062
                                                                                • Instruction ID: 5ca8c18713c22ae7facf93a828c8627c995cdb1c7496207664ac88b3b4335c79
                                                                                • Opcode Fuzzy Hash: 8951ed9e5e96f4eef37346a31dc1e1cfc055faec67558bb1b1f4eabc83ab8062
                                                                                • Instruction Fuzzy Hash: 7C01FF7290011CABCB04EBD5DC45EDEB7BCEF44319F10016AB505B61A5EEB46A89CB98
                                                                                Function 00445914 Relevance: 1.5, APIs: 1, Instructions: 34COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                  • Part of subcall function 00442D9A: EnterCriticalSection.KERNEL32(?,?,004404DB,00000000,0046B4D8,0000000C,00440496,?,?,?,00443038,?,?,004457DA,00000001,00000364), ref: 00442DA9
                                                                                • EnumSystemLocalesW.KERNEL32(Function_000458CE,00000001,0046B680,0000000C), ref: 0044594C
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CriticalEnterEnumLocalesSectionSystem
                                                                                • String ID:
                                                                                • API String ID: 1272433827-0
                                                                                • Opcode ID: 9f071f7aa8f2d5cfdb4dd86670e259d2fa7dae68b4529c3cbc217272811744e5
                                                                                • Instruction ID: 57fcd2d1ba6fdacad71b84952267562ddc6b8062f8818d57533dd41bf3368d71
                                                                                • Opcode Fuzzy Hash: 9f071f7aa8f2d5cfdb4dd86670e259d2fa7dae68b4529c3cbc217272811744e5
                                                                                • Instruction Fuzzy Hash: CFF03C72A10700EFEB00EF69D846B5D77F0EB08325F10402AF400DB2A2DAB989448B5E
                                                                                Function 0044F130 Relevance: 1.5, APIs: 1, Instructions: 31COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                  • Part of subcall function 00445725: GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
                                                                                  • Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
                                                                                  • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
                                                                                  • Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3
                                                                                • EnumSystemLocalesW.KERNEL32(0044F087,00000001), ref: 0044F167
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                                                • String ID:
                                                                                • API String ID: 1084509184-0
                                                                                • Opcode ID: 27fc750af04bae75093f47f6c8e3f33632e5f31a47d704513601fd173c54c35f
                                                                                • Instruction ID: 407cbbfb1d6a14fdc0c4ba4a8479f65f1c0a46e2fba7f2f7bc53bc9e3406d240
                                                                                • Opcode Fuzzy Hash: 27fc750af04bae75093f47f6c8e3f33632e5f31a47d704513601fd173c54c35f
                                                                                • Instruction Fuzzy Hash: 22F05C3930020597DB049F35D845A7ABFA0EFC1754F060069EA058B651C6359C46C754
                                                                                Function 0040E2BB Relevance: 1.5, APIs: 1, Instructions: 20COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,00413F34,00471E78,00472910,00471E78,00000000,00471E78,00000000,00471E78,3.8.0 Pro), ref: 0040E2CF
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: InfoLocale
                                                                                • String ID:
                                                                                • API String ID: 2299586839-0
                                                                                • Opcode ID: 856777f14b9a4662401ba442cf494b6ebb80c668ca2d98772b8c18b49fbcc60a
                                                                                • Instruction ID: e43a985d938ffd5d313bbeec62feab64fa47c80c67ee5e1720aa7bcbe65aeca7
                                                                                • Opcode Fuzzy Hash: 856777f14b9a4662401ba442cf494b6ebb80c668ca2d98772b8c18b49fbcc60a
                                                                                • Instruction Fuzzy Hash: 65D05E30B4421C7BEA10D6859C0AEAA7B9CD701B62F0001A6BA08D72D0E9E1AE0487E6
                                                                                Function 004328FC Relevance: 1.5, APIs: 1, Instructions: 3COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • SetUnhandledExceptionFilter.KERNEL32(Function_00032908,0043262F), ref: 00432901
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ExceptionFilterUnhandled
                                                                                • String ID:
                                                                                • API String ID: 3192549508-0
                                                                                • Opcode ID: 937b0859e2ecbaa4ed0ef4ac8f36e04938c9481000da7c0a06be09f57d080333
                                                                                • Instruction ID: aee9a4537fe14d989eba5338f3e0e07ed20d0bd3150f914eab3e23255f36ef43
                                                                                • Opcode Fuzzy Hash: 937b0859e2ecbaa4ed0ef4ac8f36e04938c9481000da7c0a06be09f57d080333
                                                                                • Instruction Fuzzy Hash:
                                                                                Function 00416E7E Relevance: 47.6, APIs: 26, Strings: 1, Instructions: 307windowmemoryCOMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00416E98
                                                                                • CreateCompatibleDC.GDI32(00000000), ref: 00416EA5
                                                                                  • Part of subcall function 004172DF: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 0041730F
                                                                                • CreateCompatibleBitmap.GDI32(00000000,?), ref: 00416F1B
                                                                                • DeleteDC.GDI32(00000000), ref: 00416F32
                                                                                • DeleteDC.GDI32(00000000), ref: 00416F35
                                                                                • DeleteObject.GDI32(00000000), ref: 00416F38
                                                                                • SelectObject.GDI32(00000000,00000000), ref: 00416F59
                                                                                • DeleteDC.GDI32(00000000), ref: 00416F6A
                                                                                • DeleteDC.GDI32(00000000), ref: 00416F6D
                                                                                • StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,?,?,00CC0020), ref: 00416F91
                                                                                • GetIconInfo.USER32(?,?), ref: 00416FC5
                                                                                • DeleteObject.GDI32(?), ref: 00416FF4
                                                                                • DeleteObject.GDI32(?), ref: 00417001
                                                                                • DrawIcon.USER32(00000000,?,?,?), ref: 0041700E
                                                                                • GetObjectA.GDI32(00000000,00000018,?), ref: 00417026
                                                                                • LocalAlloc.KERNEL32(00000040,00000001), ref: 00417095
                                                                                • GlobalAlloc.KERNEL32(00000000,?), ref: 00417104
                                                                                • GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00417128
                                                                                • DeleteDC.GDI32(?), ref: 0041713C
                                                                                • DeleteDC.GDI32(00000000), ref: 0041713F
                                                                                • DeleteObject.GDI32(00000000), ref: 00417142
                                                                                • GlobalFree.KERNEL32(?), ref: 0041714D
                                                                                • DeleteObject.GDI32(00000000), ref: 00417201
                                                                                • GlobalFree.KERNEL32(?), ref: 00417208
                                                                                • DeleteDC.GDI32(?), ref: 00417218
                                                                                • DeleteDC.GDI32(00000000), ref: 00417223
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Delete$Object$CreateGlobal$AllocCompatibleFreeIcon$BitmapBitsDisplayDrawEnumInfoLocalSelectSettingsStretch
                                                                                • String ID: DISPLAY
                                                                                • API String ID: 479521175-865373369
                                                                                • Opcode ID: 1a3d4f3de887f4170ad339b02c00c27acc1d1d199adb59c50c414d62b5943ebe
                                                                                • Instruction ID: 4ba325f74191387ade15767708145f982ef5b1c7ca4df498548f130554e7309d
                                                                                • Opcode Fuzzy Hash: 1a3d4f3de887f4170ad339b02c00c27acc1d1d199adb59c50c414d62b5943ebe
                                                                                • Instruction Fuzzy Hash: 6FB16A315083009FD720DF24DC44BABBBE9EF88755F41482EF98993291DB38E945CB5A
                                                                                Function 0041642D Relevance: 47.5, APIs: 22, Strings: 5, Instructions: 289libraryloaderthreadCOMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 00416474
                                                                                • GetProcAddress.KERNEL32(00000000), ref: 00416477
                                                                                • GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 00416488
                                                                                • GetProcAddress.KERNEL32(00000000), ref: 0041648B
                                                                                • GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 0041649C
                                                                                • GetProcAddress.KERNEL32(00000000), ref: 0041649F
                                                                                • GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 004164B0
                                                                                • GetProcAddress.KERNEL32(00000000), ref: 004164B3
                                                                                • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00416555
                                                                                • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 0041656D
                                                                                • GetThreadContext.KERNEL32(?,00000000), ref: 00416583
                                                                                • ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 004165A9
                                                                                • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0041662B
                                                                                • TerminateProcess.KERNEL32(?,00000000), ref: 0041663F
                                                                                • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 0041667F
                                                                                • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00416749
                                                                                • SetThreadContext.KERNEL32(?,00000000), ref: 00416766
                                                                                • ResumeThread.KERNEL32(?), ref: 00416773
                                                                                • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0041678A
                                                                                • GetCurrentProcess.KERNEL32(?), ref: 00416795
                                                                                • TerminateProcess.KERNEL32(?,00000000), ref: 004167B0
                                                                                • GetLastError.KERNEL32 ref: 004167B8
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Process$AddressHandleModuleProc$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
                                                                                • String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$ntdll
                                                                                • API String ID: 4188446516-3035715614
                                                                                • Opcode ID: 5b7e1e0f0ab70bb274c8e1cba5061de31cdd1b1bc4dd29beedf5b9f83fbb8038
                                                                                • Instruction ID: 94204e0ceb90eb3d518cc699b6b418d02f123724867831e7a48fec904b930286
                                                                                • Opcode Fuzzy Hash: 5b7e1e0f0ab70bb274c8e1cba5061de31cdd1b1bc4dd29beedf5b9f83fbb8038
                                                                                • Instruction Fuzzy Hash: 9CA18E71604300AFDB109F64DC85F6B7BE8FB48749F00092AF695D62A1E7B8EC44CB5A
                                                                                Function 0040BFDE Relevance: 42.3, APIs: 6, Strings: 18, Instructions: 281registryCOMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                  • Part of subcall function 004112B5: TerminateProcess.KERNEL32(00000000,?,0040C3C8), ref: 004112C5
                                                                                  • Part of subcall function 004112B5: WaitForSingleObject.KERNEL32(000000FF,?,0040C3C8), ref: 004112D8
                                                                                • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040C0D6
                                                                                • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040C0E9
                                                                                • SetFileAttributesW.KERNEL32(?,00000080), ref: 0040C102
                                                                                • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 0040C132
                                                                                  • Part of subcall function 0040A7F2: TerminateThread.KERNEL32(00409305,00000000,004721E8,0040BC76,?,00472200,pth_unenc,004721E8), ref: 0040A801
                                                                                  • Part of subcall function 0040A7F2: UnhookWindowsHookEx.USER32(?), ref: 0040A811
                                                                                  • Part of subcall function 0040A7F2: TerminateThread.KERNEL32(004092EF,00000000,?,00472200,pth_unenc,004721E8), ref: 0040A823
                                                                                  • Part of subcall function 0041A17B: CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041A29A,00000000,00000000,00000000), ref: 0041A1BA
                                                                                • ShellExecuteW.SHELL32(00000000,open,00000000,00469654,00469654,00000000), ref: 0040C37D
                                                                                • ExitProcess.KERNEL32 ref: 0040C389
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                                                                • String ID: """, 0$")$CreateObject("WScript.Shell").Run "cmd /c ""$H"G$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$t<F$wend$while fso.FileExists("
                                                                                • API String ID: 1861856835-1953526029
                                                                                • Opcode ID: 10d0c7ff4f1d806eef4ddcd080fba36a068473baf966d624ed17e78b73616814
                                                                                • Instruction ID: 20f5f97700cb48a3d0b4a42ff25d793d854bdbfc6fb2dd54058f707cc559a17d
                                                                                • Opcode Fuzzy Hash: 10d0c7ff4f1d806eef4ddcd080fba36a068473baf966d624ed17e78b73616814
                                                                                • Instruction Fuzzy Hash: 579180712042405AC314FB62D8929EF77E99F90708F50453FB586B31E3EE789E49C69E
                                                                                Function 00410EDA Relevance: 42.2, APIs: 17, Strings: 7, Instructions: 190synchronizationsleepfileCOMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • CreateMutexA.KERNEL32(00000000,00000001,00000000,00472200,00471FFC,00000000), ref: 00410EF9
                                                                                • ExitProcess.KERNEL32(00000000), ref: 00410F05
                                                                                • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00410F7F
                                                                                • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00410F8E
                                                                                • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00410F99
                                                                                • CloseHandle.KERNEL32(00000000), ref: 00410FA0
                                                                                • GetCurrentProcessId.KERNEL32 ref: 00410FA6
                                                                                • PathFileExistsW.SHLWAPI(?), ref: 00410FD7
                                                                                • GetTempPathW.KERNEL32(00000104,?), ref: 0041103A
                                                                                • GetTempFileNameW.KERNEL32(?,temp_,00000000,?), ref: 00411054
                                                                                • lstrcatW.KERNEL32(?,.exe), ref: 00411066
                                                                                  • Part of subcall function 0041A17B: CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041A29A,00000000,00000000,00000000), ref: 0041A1BA
                                                                                • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 004110A6
                                                                                • Sleep.KERNEL32(000001F4), ref: 004110E7
                                                                                • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 004110FC
                                                                                • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00411107
                                                                                • CloseHandle.KERNEL32(00000000), ref: 0041110E
                                                                                • GetCurrentProcessId.KERNEL32 ref: 00411114
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Process$File$Create$CloseCurrentHandleObjectOpenPathSingleTempWait$ExecuteExistsExitMutexNameShellSleeplstrcat
                                                                                • String ID: (#G$.exe$H"G$WDH$exepath$open$temp_
                                                                                • API String ID: 2649220323-71629269
                                                                                • Opcode ID: 2d259c07ed95d09e60fa5efe04e2d1ca5b77bcbd3679d1c800de5877fac34894
                                                                                • Instruction ID: 69aa2ac3f34532c799e46254488c9bc95b38e37df126af38d98eea17990f3aaa
                                                                                • Opcode Fuzzy Hash: 2d259c07ed95d09e60fa5efe04e2d1ca5b77bcbd3679d1c800de5877fac34894
                                                                                • Instruction Fuzzy Hash: 9D51A671A003196BDF10A7A09C59EEE336D9B04715F5041BBF605A31E2EFBC8E86875D
                                                                                Function 0040B871 Relevance: 38.8, APIs: 10, Strings: 12, Instructions: 296fileCOMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • _wcslen.LIBCMT ref: 0040B882
                                                                                • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,00471FFC), ref: 0040B89B
                                                                                • CopyFileW.KERNEL32(0046FB08,00000000,00000000,00000000,00000000,00000000,?,00471FFC), ref: 0040B952
                                                                                • _wcslen.LIBCMT ref: 0040B968
                                                                                • CopyFileW.KERNEL32(0046FB08,00000000,00000000,00000000), ref: 0040B9E0
                                                                                • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040BA22
                                                                                • _wcslen.LIBCMT ref: 0040BA25
                                                                                • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040BA3C
                                                                                • ShellExecuteW.SHELL32(00000000,open,00000000,00469654,00469654,00000000), ref: 0040BC2A
                                                                                • ExitProcess.KERNEL32 ref: 0040BC36
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: File$_wcslen$AttributesCopy$CreateDirectoryExecuteExitProcessShell
                                                                                • String ID: """, 0$6$CreateObject("WScript.Shell").Run "cmd /c ""$Set fso = CreateObject("Scripting.FileSystemObject")$Temp$WScript.Sleep 1000$\install.vbs$fso.DeleteFile $fso.DeleteFile(Wscript.ScriptFullName)$open$!G$!G
                                                                                • API String ID: 2743683619-2376316431
                                                                                • Opcode ID: 2d8f1c55d0f0c7d88b14490434e7e409f023ec492faccedf176980d1ad0b2fd8
                                                                                • Instruction ID: 1f37921bc36cc04280d9be7a1af933bc03f5727a4608831148a2c1203a4a5f71
                                                                                • Opcode Fuzzy Hash: 2d8f1c55d0f0c7d88b14490434e7e409f023ec492faccedf176980d1ad0b2fd8
                                                                                • Instruction Fuzzy Hash: CA9161712083415BC218F766DC92EAF77D8AF90708F50043FF546A61E2EE7C9A49C69E
                                                                                Function 0040BC59 Relevance: 38.8, APIs: 6, Strings: 16, Instructions: 259registryCOMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                  • Part of subcall function 004112B5: TerminateProcess.KERNEL32(00000000,?,0040C3C8), ref: 004112C5
                                                                                  • Part of subcall function 004112B5: WaitForSingleObject.KERNEL32(000000FF,?,0040C3C8), ref: 004112D8
                                                                                • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,00472200,pth_unenc,004721E8), ref: 0040BD63
                                                                                • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040BD76
                                                                                • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,00472200,pth_unenc,004721E8), ref: 0040BDA6
                                                                                • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,00472200,pth_unenc,004721E8), ref: 0040BDB5
                                                                                  • Part of subcall function 0040A7F2: TerminateThread.KERNEL32(00409305,00000000,004721E8,0040BC76,?,00472200,pth_unenc,004721E8), ref: 0040A801
                                                                                  • Part of subcall function 0040A7F2: UnhookWindowsHookEx.USER32(?), ref: 0040A811
                                                                                  • Part of subcall function 0040A7F2: TerminateThread.KERNEL32(004092EF,00000000,?,00472200,pth_unenc,004721E8), ref: 0040A823
                                                                                  • Part of subcall function 00419959: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040405C), ref: 00419980
                                                                                • ShellExecuteW.SHELL32(00000000,open,00000000,00469654,00469654,00000000), ref: 0040BFD0
                                                                                • ExitProcess.KERNEL32 ref: 0040BFD7
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                                                                • String ID: ")$.vbs$H"G$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$pth_unenc$wend$while fso.FileExists("
                                                                                • API String ID: 3797177996-2974882535
                                                                                • Opcode ID: 631efead2f1a7aa74ba651dc5d5e4e8b052369c469df6eda5620e8cdf42f0076
                                                                                • Instruction ID: 6c8f8b33712d81dc7036d24bc004af62d002185c7e194acf753e7914dc64dab3
                                                                                • Opcode Fuzzy Hash: 631efead2f1a7aa74ba651dc5d5e4e8b052369c469df6eda5620e8cdf42f0076
                                                                                • Instruction Fuzzy Hash: DD816E716042405AC714FB62D8929EF77A8AF90708F10443FF586A71E2EF789E49C69E
                                                                                Function 00418FFD Relevance: 38.7, APIs: 12, Strings: 10, Instructions: 180synchronizationCOMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 004190F2
                                                                                • mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 00419106
                                                                                • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,00463050), ref: 0041912E
                                                                                • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00471E78,00000000), ref: 00419144
                                                                                • mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 00419185
                                                                                • mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041919D
                                                                                • mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 004191B2
                                                                                • SetEvent.KERNEL32 ref: 004191CF
                                                                                • WaitForSingleObject.KERNEL32(000001F4), ref: 004191E0
                                                                                • CloseHandle.KERNEL32 ref: 004191F0
                                                                                • mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 00419212
                                                                                • mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041921C
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
                                                                                • String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped
                                                                                • API String ID: 738084811-1354618412
                                                                                • Opcode ID: 86fd4772b83d80fa8e497525ba6a2bc9e4fac7079830c2c2d6cb57e0af13d410
                                                                                • Instruction ID: 6660e32d934ed13bda46fa62e77153e47455c80990ba371f4f5bcee5a70a39dd
                                                                                • Opcode Fuzzy Hash: 86fd4772b83d80fa8e497525ba6a2bc9e4fac7079830c2c2d6cb57e0af13d410
                                                                                • Instruction Fuzzy Hash: 6C5191712043056BD604FB75DC96EBF369CDB81398F10053FF44A621E2EE789D898A6E
                                                                                Function 00401A4D Relevance: 35.2, APIs: 16, Strings: 4, Instructions: 156fileCOMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AB9
                                                                                • WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401AE3
                                                                                • WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401AF3
                                                                                • WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401B03
                                                                                • WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401B13
                                                                                • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401B23
                                                                                • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B34
                                                                                • WriteFile.KERNEL32(00000000,0046FA9A,00000002,00000000,00000000), ref: 00401B45
                                                                                • WriteFile.KERNEL32(00000000,0046FA9C,00000004,00000000,00000000), ref: 00401B55
                                                                                • WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401B65
                                                                                • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B76
                                                                                • WriteFile.KERNEL32(00000000,0046FAA6,00000002,00000000,00000000), ref: 00401B87
                                                                                • WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401B97
                                                                                • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401BA7
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: File$Write$Create
                                                                                • String ID: RIFF$WAVE$data$fmt
                                                                                • API String ID: 1602526932-4212202414
                                                                                • Opcode ID: e953cdad80a2b5f15463d19f06cbbe214ca4708b9acf4e214683fef01c63ba87
                                                                                • Instruction ID: fa9573d22dfebaa7cc70b9682dc8642ba3498ee27ac2ec60dc87a96e6c13d219
                                                                                • Opcode Fuzzy Hash: e953cdad80a2b5f15463d19f06cbbe214ca4708b9acf4e214683fef01c63ba87
                                                                                • Instruction Fuzzy Hash: 46416F726543197AE210DB91DD85FBB7EECEB85B50F40042AF648D6080E7A4E909DBB3
                                                                                Function 004137DC Relevance: 26.4, APIs: 9, Strings: 6, Instructions: 109libraryloaderCOMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0041382B
                                                                                • LoadLibraryA.KERNEL32(?), ref: 0041386D
                                                                                • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 0041388D
                                                                                • FreeLibrary.KERNEL32(00000000), ref: 00413894
                                                                                • LoadLibraryA.KERNEL32(?), ref: 004138CC
                                                                                • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 004138DE
                                                                                • FreeLibrary.KERNEL32(00000000), ref: 004138E5
                                                                                • GetProcAddress.KERNEL32(00000000,?), ref: 004138F4
                                                                                • FreeLibrary.KERNEL32(00000000), ref: 0041390B
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Library$AddressFreeProc$Load$DirectorySystem
                                                                                • String ID: \ws2_32$\wship6$`3A$freeaddrinfo$getaddrinfo$getnameinfo
                                                                                • API String ID: 2490988753-3443138237
                                                                                • Opcode ID: 21b812c9e8c8c8e619d1227956d82128857f9ec353fd6b4c7c84cf26c4fc7a8e
                                                                                • Instruction ID: d28fd91e0c22c3548fe93de424e57890752fc739e59a71d3c7449bb4191d4936
                                                                                • Opcode Fuzzy Hash: 21b812c9e8c8c8e619d1227956d82128857f9ec353fd6b4c7c84cf26c4fc7a8e
                                                                                • Instruction Fuzzy Hash: 8831C0B2502315ABC720AF25DC489CBBBEC9F48755F41062AF84593251E7B8CE8486AE
                                                                                Function 0044C60D Relevance: 25.9, APIs: 17, Instructions: 419COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: _free$EnvironmentVariable$_wcschr
                                                                                • String ID:
                                                                                • API String ID: 3899193279-0
                                                                                • Opcode ID: e8749b76f597a155e18fa5931e632074e5d8f81c8079bfff8d3a4cc01f534222
                                                                                • Instruction ID: f90cfe9d57a3c7213274ca364bab7ea13f4483d5bd7e80e8c07ab134bc70d503
                                                                                • Opcode Fuzzy Hash: e8749b76f597a155e18fa5931e632074e5d8f81c8079bfff8d3a4cc01f534222
                                                                                • Instruction Fuzzy Hash: 80D136719023007BFB60AF7598C166B7BA4AF15718F09817FF985A7381FB3989008B5D
                                                                                Function 0044E4A6 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 114COMMONLIBRARYCODE
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • ___free_lconv_mon.LIBCMT ref: 0044E4EA
                                                                                  • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D6FF
                                                                                  • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D711
                                                                                  • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D723
                                                                                  • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D735
                                                                                  • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D747
                                                                                  • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D759
                                                                                  • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D76B
                                                                                  • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D77D
                                                                                  • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D78F
                                                                                  • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D7A1
                                                                                  • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D7B3
                                                                                  • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D7C5
                                                                                  • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D7D7
                                                                                • _free.LIBCMT ref: 0044E4DF
                                                                                  • Part of subcall function 00443C92: HeapFree.KERNEL32(00000000,00000000,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?), ref: 00443CA8
                                                                                  • Part of subcall function 00443C92: GetLastError.KERNEL32(?,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?,?), ref: 00443CBA
                                                                                • _free.LIBCMT ref: 0044E501
                                                                                • _free.LIBCMT ref: 0044E516
                                                                                • _free.LIBCMT ref: 0044E521
                                                                                • _free.LIBCMT ref: 0044E543
                                                                                • _free.LIBCMT ref: 0044E556
                                                                                • _free.LIBCMT ref: 0044E564
                                                                                • _free.LIBCMT ref: 0044E56F
                                                                                • _free.LIBCMT ref: 0044E5A7
                                                                                • _free.LIBCMT ref: 0044E5AE
                                                                                • _free.LIBCMT ref: 0044E5CB
                                                                                • _free.LIBCMT ref: 0044E5E3
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                                                • String ID: pF
                                                                                • API String ID: 161543041-2973420481
                                                                                • Opcode ID: b166b7e86ef1a7ddfa2e36ec319a6e916c21ca5d81851e2e5517d42b5c42f7b7
                                                                                • Instruction ID: 6e8371ae3b83bc2427c047bff221b97f6cd80994471b0a2caeb41cff5b169df7
                                                                                • Opcode Fuzzy Hash: b166b7e86ef1a7ddfa2e36ec319a6e916c21ca5d81851e2e5517d42b5c42f7b7
                                                                                • Instruction Fuzzy Hash: D4315072500304AFFB205E7AD945B5BB3E5BF00719F55851FE488D6251EE39ED408B18
                                                                                Function 00411899 Relevance: 23.2, APIs: 9, Strings: 4, Instructions: 417sleepfileCOMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 004118B2
                                                                                  • Part of subcall function 00419959: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040405C), ref: 00419980
                                                                                  • Part of subcall function 004168A6: CloseHandle.KERNEL32(004040D5,?,?,004040D5,00462E24), ref: 004168BC
                                                                                  • Part of subcall function 004168A6: CloseHandle.KERNEL32($.F,?,?,004040D5,00462E24), ref: 004168C5
                                                                                • Sleep.KERNEL32(0000000A,00462E24), ref: 00411A01
                                                                                • Sleep.KERNEL32(0000000A,00462E24,00462E24), ref: 00411AA3
                                                                                • Sleep.KERNEL32(0000000A,00462E24,00462E24,00462E24), ref: 00411B42
                                                                                • DeleteFileW.KERNEL32(00000000,00462E24,00462E24,00462E24), ref: 00411B9F
                                                                                • DeleteFileW.KERNEL32(00000000,00462E24,00462E24,00462E24), ref: 00411BCF
                                                                                • DeleteFileW.KERNEL32(00000000,00462E24,00462E24,00462E24), ref: 00411C05
                                                                                • Sleep.KERNEL32(000001F4,00462E24,00462E24,00462E24), ref: 00411C25
                                                                                • Sleep.KERNEL32(00000064), ref: 00411C63
                                                                                  • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
                                                                                • String ID: /stext "$$.F$@#G$@#G
                                                                                • API String ID: 1223786279-2596709126
                                                                                • Opcode ID: bd53cf9864bd20e9c524ce1cfd37af81de888470282f81bcb092bebe0936cb7c
                                                                                • Instruction ID: f36e1428a9e5a2dc2e21cca38a330b771dfaab2ce7ac60874593ee94e899fa44
                                                                                • Opcode Fuzzy Hash: bd53cf9864bd20e9c524ce1cfd37af81de888470282f81bcb092bebe0936cb7c
                                                                                • Instruction Fuzzy Hash: 1CF154311083415AD328FB65D896AEFB3D5AFD0348F40093FF586521E2EF789A4DC69A
                                                                                Function 0044D7E0 Relevance: 23.1, APIs: 12, Strings: 1, Instructions: 376COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: _free
                                                                                • String ID: pF
                                                                                • API String ID: 269201875-2973420481
                                                                                • Opcode ID: e28a4125cd182155f8106b0edc14aa680027b5eb54e98ed2c6064bdca11899c6
                                                                                • Instruction ID: 42ad863364e9847d0c0ab7d3fc56807329b255bf3c924c15ca724e031f0c4a7b
                                                                                • Opcode Fuzzy Hash: e28a4125cd182155f8106b0edc14aa680027b5eb54e98ed2c6064bdca11899c6
                                                                                • Instruction Fuzzy Hash: 4CC17576D40204ABEB20DFA9CC82FEE77F8AF09B05F154156FE04FB282D674A9458754
                                                                                Function 0040DE34 Relevance: 23.0, APIs: 7, Strings: 6, Instructions: 223processsynchronizationCOMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00472248,00471FFC,?,00000001), ref: 0040DE4E
                                                                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000001), ref: 0040DE79
                                                                                • Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040DE95
                                                                                • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040DF14
                                                                                • CloseHandle.KERNEL32(00000000,?,00000000,?,?,00000001), ref: 0040DF23
                                                                                  • Part of subcall function 00419F87: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000), ref: 00419F9C
                                                                                • CreateMutexA.KERNEL32(00000000,00000001,00000000,00000000,?,00000001), ref: 0040E047
                                                                                • CloseHandle.KERNEL32(00000000,C:\Program Files(x86)\Internet Explorer\,?,00000001), ref: 0040E133
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CloseCreateHandleProcess32$FileFirstModuleMutexNameNextOpenProcessSnapshotToolhelp32
                                                                                • String ID: 0"G$C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe$!G
                                                                                • API String ID: 193334293-3226144251
                                                                                • Opcode ID: cf6d12ac23d3bea58c4b9e5c443ef1de1d55369046223e9cec53eb66751e9ba7
                                                                                • Instruction ID: 8a3cf51a80cb2752f7e3b1027b115d9c77e2b7a511041fa54b012784d9d6af0a
                                                                                • Opcode Fuzzy Hash: cf6d12ac23d3bea58c4b9e5c443ef1de1d55369046223e9cec53eb66751e9ba7
                                                                                • Instruction Fuzzy Hash: DB8121305083419BCA54FB61D8919EEB7E4AFA0348F40493FF586631E2EF78994DC75A
                                                                                Function 0041B344 Relevance: 22.8, APIs: 12, Strings: 1, Instructions: 74windowCOMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • DefWindowProcA.USER32(?,00000401,?,?), ref: 0041B38F
                                                                                • GetCursorPos.USER32(?), ref: 0041B39E
                                                                                • SetForegroundWindow.USER32(?), ref: 0041B3A7
                                                                                • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041B3C1
                                                                                • Shell_NotifyIconA.SHELL32(00000002,00471AE0), ref: 0041B412
                                                                                • ExitProcess.KERNEL32 ref: 0041B41A
                                                                                • CreatePopupMenu.USER32 ref: 0041B420
                                                                                • AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041B435
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
                                                                                • String ID: Close
                                                                                • API String ID: 1657328048-3535843008
                                                                                • Opcode ID: a6176c0d6380f4aee2a94f66beec31abf772cd011930890969aeab0fce4376ca
                                                                                • Instruction ID: 8a5f592793453ec618f968136b1e584160f7030753e38ead18fcaf25e3e96fa7
                                                                                • Opcode Fuzzy Hash: a6176c0d6380f4aee2a94f66beec31abf772cd011930890969aeab0fce4376ca
                                                                                • Instruction Fuzzy Hash: EB211B31110209BFDF054FA4ED0DAAA3F75FB04302F458125F906D2176D7B5D9A0AB59
                                                                                Function 00443268 Relevance: 22.8, APIs: 15, Instructions: 296COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: _free$Info
                                                                                • String ID:
                                                                                • API String ID: 2509303402-0
                                                                                • Opcode ID: 543c517478803d648db1551973bdeb7e45e3e7bd29ee356e71c77ae2fe33fa89
                                                                                • Instruction ID: c21780bae5ed168c96e0403295faec6c801d35bf5d84feaa2b3ea2b847582f92
                                                                                • Opcode Fuzzy Hash: 543c517478803d648db1551973bdeb7e45e3e7bd29ee356e71c77ae2fe33fa89
                                                                                • Instruction Fuzzy Hash: 70B1D171900305AFEB11DF69C881BEEBBF4BF08705F14456EF588A7342DB799A418B24
                                                                                Function 00407BB6 Relevance: 19.6, APIs: 8, Strings: 3, Instructions: 328fileCOMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 00407D1F
                                                                                • GetFileSizeEx.KERNEL32(00000000,?), ref: 00407D57
                                                                                • __aulldiv.LIBCMT ref: 00407D89
                                                                                  • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                                                                                  • Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4
                                                                                • SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 00407EAC
                                                                                • ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00407EC7
                                                                                • CloseHandle.KERNEL32(00000000), ref: 00407FA0
                                                                                • CloseHandle.KERNEL32(00000000,00000052), ref: 00407FEA
                                                                                • CloseHandle.KERNEL32(00000000), ref: 00408038
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: File$CloseHandle$CreateLocalPointerReadSizeTime__aulldivsend
                                                                                • String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller:
                                                                                • API String ID: 3086580692-2596673759
                                                                                • Opcode ID: 3628a73cbb86b5736265ac293d311146e85fdcb2316ed178213f0337e0fbe7ae
                                                                                • Instruction ID: 8e1224200a6c450cfdafa1dd663dcbd78fa1a86951e699dbe30fbedc525f5c9c
                                                                                • Opcode Fuzzy Hash: 3628a73cbb86b5736265ac293d311146e85fdcb2316ed178213f0337e0fbe7ae
                                                                                • Instruction Fuzzy Hash: 05B191316083409BC354FB65C891AAFB7E9AFD4314F40492FF489622D2EF789D458B8B
                                                                                Function 0041A47D Relevance: 19.4, APIs: 5, Strings: 6, Instructions: 182registryCOMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • RegEnumKeyExA.ADVAPI32 ref: 0041A47F
                                                                                • RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 0041A4B0
                                                                                • RegCloseKey.ADVAPI32(?), ref: 0041A749
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CloseEnumOpen
                                                                                • String ID: DisplayName$DisplayVersion$InstallDate$InstallLocation$Publisher$UninstallString
                                                                                • API String ID: 1332880857-3730529168
                                                                                • Opcode ID: 990104b7cba7af691029d385b930f1776e062702f879198157bcb1f4d53fc8db
                                                                                • Instruction ID: 4431336161eaad6e2d2aa402c01db4654b3b7c935e82bf046b55a61e03329e01
                                                                                • Opcode Fuzzy Hash: 990104b7cba7af691029d385b930f1776e062702f879198157bcb1f4d53fc8db
                                                                                • Instruction Fuzzy Hash: 966132311182419BC328EB51D891EEFB3E8EF94348F50493FF586921E2EF749949CA5A
                                                                                Function 0040C3B8 Relevance: 19.4, APIs: 3, Strings: 8, Instructions: 148COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                  • Part of subcall function 004112B5: TerminateProcess.KERNEL32(00000000,?,0040C3C8), ref: 004112C5
                                                                                  • Part of subcall function 004112B5: WaitForSingleObject.KERNEL32(000000FF,?,0040C3C8), ref: 004112D8
                                                                                  • Part of subcall function 004120E8: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,origmsc), ref: 00412104
                                                                                  • Part of subcall function 004120E8: RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,000003E8,?), ref: 0041211D
                                                                                  • Part of subcall function 004120E8: RegCloseKey.ADVAPI32(00000000), ref: 00412128
                                                                                • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040C412
                                                                                • ShellExecuteW.SHELL32(00000000,open,00000000,00469654,00469654,00000000), ref: 0040C571
                                                                                • ExitProcess.KERNEL32 ref: 0040C57D
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
                                                                                • String ID: """, 0$.vbs$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$H"G$Temp$exepath$open
                                                                                • API String ID: 1913171305-2600661426
                                                                                • Opcode ID: c86d61277acc14c68f24433c0b654e0e29c296f6a8d4ad8667fc6f6870691cc8
                                                                                • Instruction ID: b2ba4f5629099335deb4bd311fc34f74cd7c7cff7cc2b9b794c872af44b42b62
                                                                                • Opcode Fuzzy Hash: c86d61277acc14c68f24433c0b654e0e29c296f6a8d4ad8667fc6f6870691cc8
                                                                                • Instruction Fuzzy Hash: 214132319001185ACB14FBA2DC96DEE7778AF50708F50017FF506B71E2EE785E4ACA99
                                                                                Function 004048A8 Relevance: 19.4, APIs: 4, Strings: 7, Instructions: 144networkCOMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • connect.WS2_32(?,?,?), ref: 004048C0
                                                                                • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 004049E0
                                                                                • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 004049EE
                                                                                • WSAGetLastError.WS2_32 ref: 00404A01
                                                                                  • Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CreateEvent$ErrorLastLocalTimeconnect
                                                                                • String ID: Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
                                                                                • API String ID: 994465650-2151626615
                                                                                • Opcode ID: b56ab407b7d85cc5e8983cef37c9724a1f5c45cc3ea0a996f87df1f4b9ef746f
                                                                                • Instruction ID: f1749a2af40dec866484330b2464a30bcc7489b9f615ba144f2b3c776ade1d80
                                                                                • Opcode Fuzzy Hash: b56ab407b7d85cc5e8983cef37c9724a1f5c45cc3ea0a996f87df1f4b9ef746f
                                                                                • Instruction Fuzzy Hash: 37412AB5B406017BD608777A8E1B96E7625AB81304B50017FF901136D2EBBD9C2197DF
                                                                                Function 00452DBB Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272COMMONLIBRARYCODE
                                                                                Download Yara Rule
                                                                                APIs
                                                                                  • Part of subcall function 00452A89: CreateFileW.KERNEL32(?,00000008,00000007,d.E,?,?,00000000,?,00452E64,00000000,0000000C), ref: 00452AA6
                                                                                • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,FF8BC35D), ref: 00452ECF
                                                                                • __dosmaperr.LIBCMT ref: 00452ED6
                                                                                • GetFileType.KERNEL32(00000000), ref: 00452EE2
                                                                                • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,FF8BC35D), ref: 00452EEC
                                                                                • __dosmaperr.LIBCMT ref: 00452EF5
                                                                                • CloseHandle.KERNEL32(00000000), ref: 00452F15
                                                                                • CloseHandle.KERNEL32(00000000), ref: 0045305F
                                                                                • GetLastError.KERNEL32 ref: 00453091
                                                                                • __dosmaperr.LIBCMT ref: 00453098
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                                                                • String ID: H
                                                                                • API String ID: 4237864984-2852464175
                                                                                • Opcode ID: 474c31a6c8ccfba43807a2a750eddd9e1d52ca803bebdbe2fa86fef5e1c33935
                                                                                • Instruction ID: def4621c7e831d5678052e1043e56ea9e2bfce8be848437acb5cac56d61a7e39
                                                                                • Opcode Fuzzy Hash: 474c31a6c8ccfba43807a2a750eddd9e1d52ca803bebdbe2fa86fef5e1c33935
                                                                                • Instruction Fuzzy Hash: CAA15832A101049FDF19EF68D8417AE7BB1AB0A325F14015FFC419B392DB798D1ACB5A
                                                                                Function 00413606 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 158COMMON
                                                                                Download Yara Rule
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: 65535$udp
                                                                                • API String ID: 0-1267037602
                                                                                • Opcode ID: 28a355c3c2c5299b67e9df14989e725b3f395b8ff7de4f3ce545a5dea485fe56
                                                                                • Instruction ID: 74e44cdacc71272d4b4fe4479ff5a2c38cc960f39e0e81ce023821ae7ff597b0
                                                                                • Opcode Fuzzy Hash: 28a355c3c2c5299b67e9df14989e725b3f395b8ff7de4f3ce545a5dea485fe56
                                                                                • Instruction Fuzzy Hash: 3151F1F5209302ABD7209E15C809BBB77D4AB84B52F08842FF8A1973D0D76CDEC0965E
                                                                                Function 00409C1F Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 156sleepCOMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • __Init_thread_footer.LIBCMT ref: 00409C81
                                                                                • Sleep.KERNEL32(000001F4), ref: 00409C8C
                                                                                • GetForegroundWindow.USER32 ref: 00409C92
                                                                                • GetWindowTextLengthW.USER32(00000000), ref: 00409C9B
                                                                                • GetWindowTextW.USER32(00000000,00000000,00000000), ref: 00409CCF
                                                                                • Sleep.KERNEL32(000003E8), ref: 00409D9D
                                                                                  • Part of subcall function 0040962E: SetEvent.KERNEL32(?,?,00000000,0040A156,00000000), ref: 0040965A
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Window$SleepText$EventForegroundInit_thread_footerLength
                                                                                • String ID: [${ User has been idle for $ minutes }$]
                                                                                • API String ID: 911427763-3954389425
                                                                                • Opcode ID: a44f1e588b244d76f3851291f59a3d8a0f12b55ab3dd92a15c41ef104020a1a6
                                                                                • Instruction ID: 7a62ae1493acfbf190be1d0992f15f5c774c3bdccfea44e4f2dca48363f02a21
                                                                                • Opcode Fuzzy Hash: a44f1e588b244d76f3851291f59a3d8a0f12b55ab3dd92a15c41ef104020a1a6
                                                                                • Instruction Fuzzy Hash: 7C5193716043405BD304FB61D855A6EB795AF84308F50093FF486A62E3DF7CAE45C69A
                                                                                Function 0040C5ED Relevance: 17.6, APIs: 1, Strings: 9, Instructions: 139COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • GetLongPathNameW.KERNEL32(00000000,?,00000208), ref: 0040C753
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: LongNamePath
                                                                                • String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
                                                                                • API String ID: 82841172-425784914
                                                                                • Opcode ID: 611eacb1f2b12eabfa35ce51232d41e6553fe8371d81c53e9ab5b340c3cd037e
                                                                                • Instruction ID: e0747f7f0ded3e76473395fd4b63a7f1dfd4675be44f898a7a0c8db3d1efc66a
                                                                                • Opcode Fuzzy Hash: 611eacb1f2b12eabfa35ce51232d41e6553fe8371d81c53e9ab5b340c3cd037e
                                                                                • Instruction Fuzzy Hash: EB4168315042419AC204FB62DC929EFB7E8AEA4759F10063FF541720E2EF799E49C99F
                                                                                Function 004385DA Relevance: 16.6, APIs: 11, Instructions: 116COMMONLIBRARYCODE
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D35,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00438632
                                                                                • GetLastError.KERNEL32(?,?,00401D35,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043863F
                                                                                • __dosmaperr.LIBCMT ref: 00438646
                                                                                • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D35,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00438672
                                                                                • GetLastError.KERNEL32(?,?,?,00401D35,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043867C
                                                                                • __dosmaperr.LIBCMT ref: 00438683
                                                                                • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401D35,?), ref: 004386C6
                                                                                • GetLastError.KERNEL32(?,?,?,?,?,?,00401D35,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004386D0
                                                                                • __dosmaperr.LIBCMT ref: 004386D7
                                                                                • _free.LIBCMT ref: 004386E3
                                                                                • _free.LIBCMT ref: 004386EA
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
                                                                                • String ID:
                                                                                • API String ID: 2441525078-0
                                                                                • Opcode ID: 754b37205d6cd88dea2e57a046153fac0b2c26eaf77bc51e198666fb1f449e95
                                                                                • Instruction ID: 210192a7601cd99409c426d56dfac4e8df60f1af96207b6eb293af60208c7bc2
                                                                                • Opcode Fuzzy Hash: 754b37205d6cd88dea2e57a046153fac0b2c26eaf77bc51e198666fb1f449e95
                                                                                • Instruction Fuzzy Hash: 4E31B17280030ABBDF11AFA5DC469AF7B69AF08325F10425EF81056291DF39CD11DB69
                                                                                Function 0044DC05 Relevance: 16.0, APIs: 7, Strings: 2, Instructions: 204COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: _free
                                                                                • String ID: pF$tF
                                                                                • API String ID: 269201875-2954683558
                                                                                • Opcode ID: fb15eab2332ee79fe3b6269c7a6798f30c580aa4b0380318a35312f844840a90
                                                                                • Instruction ID: 6443803da38cddfc03973e112e1470be20db66c409a4168417c9ccfa39c85508
                                                                                • Opcode Fuzzy Hash: fb15eab2332ee79fe3b6269c7a6798f30c580aa4b0380318a35312f844840a90
                                                                                • Instruction Fuzzy Hash: 1261D5B5D00205AFEB20CF69C841BAABBF4EF05B14F15416BE944EB381E7749D41DB58
                                                                                Function 00405480 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 155windowmemoryCOMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • SetEvent.KERNEL32(?,?), ref: 0040549F
                                                                                • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040554F
                                                                                • TranslateMessage.USER32(?), ref: 0040555E
                                                                                • DispatchMessageA.USER32(?), ref: 00405569
                                                                                • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00471F10), ref: 00405621
                                                                                • HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 00405659
                                                                                  • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
                                                                                • String ID: CloseChat$DisplayMessage$GetMessage
                                                                                • API String ID: 2956720200-749203953
                                                                                • Opcode ID: 38da9913c1d94b4fc4e25114756b75ad617155bf13c772cc5ff9b28bcc7bf55c
                                                                                • Instruction ID: 0f013d79663c92f7c21c274702d2b8200e9ba5951f20e13ff122dbd33ecc2bba
                                                                                • Opcode Fuzzy Hash: 38da9913c1d94b4fc4e25114756b75ad617155bf13c772cc5ff9b28bcc7bf55c
                                                                                • Instruction Fuzzy Hash: 8B41C471A043016BCB00FB75DC5A86F77A9EB85714B40093EF946A31D2EF79C905CB9A
                                                                                Function 0041601D Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 108filesynchronizationCOMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                  • Part of subcall function 0041626A: __EH_prolog.LIBCMT ref: 0041626F
                                                                                • WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,00463050), ref: 0041611A
                                                                                • CloseHandle.KERNEL32(00000000), ref: 00416123
                                                                                • DeleteFileA.KERNEL32(00000000), ref: 00416132
                                                                                • ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 004160E6
                                                                                  • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CloseDeleteExecuteFileH_prologHandleObjectShellSingleWaitsend
                                                                                • String ID: <$@$@%G$@%G$Temp
                                                                                • API String ID: 1704390241-4139030828
                                                                                • Opcode ID: 2c1979de410b9738e481fa727b302a0dd89e2ec540be45fee9571ea6700d777e
                                                                                • Instruction ID: 980de7e6e99344695fa922fac5fad97fc57b46ec9d0f9c422bd6bd0d3fbbc04a
                                                                                • Opcode Fuzzy Hash: 2c1979de410b9738e481fa727b302a0dd89e2ec540be45fee9571ea6700d777e
                                                                                • Instruction Fuzzy Hash: 48419131900209ABDB14FB61DC56AEEB739AF50308F50417EF505760E2EF785E8ACB99
                                                                                Function 00418AC3 Relevance: 15.1, APIs: 10, Instructions: 66serviceCOMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,00000001,?,?,?,?,?,?,0041843C,00000000), ref: 00418AD2
                                                                                • OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,0041843C,00000000), ref: 00418AE9
                                                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041843C,00000000), ref: 00418AF6
                                                                                • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041843C,00000000), ref: 00418B05
                                                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041843C,00000000), ref: 00418B16
                                                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041843C,00000000), ref: 00418B19
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Service$CloseHandle$Open$ControlManager
                                                                                • String ID:
                                                                                • API String ID: 221034970-0
                                                                                • Opcode ID: c0ea185af2b6cb95e5d246b028910c14a7565b46c2d114a674b25013468a4f31
                                                                                • Instruction ID: 27c4ffebcf7932a5624e60d5a3802e7503a1161fac6a42b5cc64803f4be6ae02
                                                                                • Opcode Fuzzy Hash: c0ea185af2b6cb95e5d246b028910c14a7565b46c2d114a674b25013468a4f31
                                                                                • Instruction Fuzzy Hash: A211E9715002186FD610EF64DC89CFF3B6CDF41B96741012AFA0593192DF789D469AF5
                                                                                Function 00445631 Relevance: 15.1, APIs: 10, Instructions: 54COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • _free.LIBCMT ref: 00445645
                                                                                  • Part of subcall function 00443C92: HeapFree.KERNEL32(00000000,00000000,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?), ref: 00443CA8
                                                                                  • Part of subcall function 00443C92: GetLastError.KERNEL32(?,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?,?), ref: 00443CBA
                                                                                • _free.LIBCMT ref: 00445651
                                                                                • _free.LIBCMT ref: 0044565C
                                                                                • _free.LIBCMT ref: 00445667
                                                                                • _free.LIBCMT ref: 00445672
                                                                                • _free.LIBCMT ref: 0044567D
                                                                                • _free.LIBCMT ref: 00445688
                                                                                • _free.LIBCMT ref: 00445693
                                                                                • _free.LIBCMT ref: 0044569E
                                                                                • _free.LIBCMT ref: 004456AC
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: _free$ErrorFreeHeapLast
                                                                                • String ID:
                                                                                • API String ID: 776569668-0
                                                                                • Opcode ID: 93d31162751b94c5375648fc1d7c6d5428524314512021667e8ac2086323d142
                                                                                • Instruction ID: 08dc7793ba969bb8ae61e50cce6790fa76a3b05f45cdd3d63b195ce4761959f1
                                                                                • Opcode Fuzzy Hash: 93d31162751b94c5375648fc1d7c6d5428524314512021667e8ac2086323d142
                                                                                • Instruction Fuzzy Hash: A511CB7610010CBFDB01EF55C986CDD3B65FF04759B4284AAFA885F222EA35DF509B88
                                                                                Function 00417F6A Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 176sleeptimeCOMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • __EH_prolog.LIBCMT ref: 00417F6F
                                                                                • GdiplusStartup.GDIPLUS(00471668,?,00000000), ref: 00417FA1
                                                                                • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 0041802D
                                                                                • Sleep.KERNEL32(000003E8), ref: 004180B3
                                                                                • GetLocalTime.KERNEL32(?), ref: 004180BB
                                                                                • Sleep.KERNEL32(00000000,00000018,00000000), ref: 004181AA
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
                                                                                • String ID: time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i
                                                                                • API String ID: 489098229-3790400642
                                                                                • Opcode ID: e53bd955e1239445be9f05899463632c52afdf35a26c57d2f447966bafceb32c
                                                                                • Instruction ID: ff50de85f816598f14f139fcbfe24147e98e2bb745fd097185ef2e944e73ca26
                                                                                • Opcode Fuzzy Hash: e53bd955e1239445be9f05899463632c52afdf35a26c57d2f447966bafceb32c
                                                                                • Instruction Fuzzy Hash: 98516071A001549BCB04BBB5C8529FD76A8AF55308F04403FF805A71E2EF7C5E85C799
                                                                                Function 0040971E Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 163sleepCOMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • Sleep.KERNEL32(00001388), ref: 00409738
                                                                                  • Part of subcall function 0040966D: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00409745), ref: 004096A3
                                                                                  • Part of subcall function 0040966D: GetFileSize.KERNEL32(00000000,00000000,?,?,?,00409745), ref: 004096B2
                                                                                  • Part of subcall function 0040966D: Sleep.KERNEL32(00002710,?,?,?,00409745), ref: 004096DF
                                                                                  • Part of subcall function 0040966D: CloseHandle.KERNEL32(00000000,?,?,?,00409745), ref: 004096E6
                                                                                • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00409774
                                                                                • GetFileAttributesW.KERNEL32(00000000), ref: 00409785
                                                                                • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 0040979C
                                                                                • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 00409816
                                                                                  • Part of subcall function 0041A20F: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040410F,00462E24), ref: 0041A228
                                                                                • SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00469654,00000000,00000000,00000000), ref: 0040991F
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
                                                                                • String ID: H"G$H"G
                                                                                • API String ID: 3795512280-1424798214
                                                                                • Opcode ID: 671ef836078558126b4631db4dc3394edfc305a4d04f8952e6c39a6f844ac237
                                                                                • Instruction ID: 85d6828eff9e87111454ffe40de9a07a949f8ec8799fb43d86416e8e02d17308
                                                                                • Opcode Fuzzy Hash: 671ef836078558126b4631db4dc3394edfc305a4d04f8952e6c39a6f844ac237
                                                                                • Instruction Fuzzy Hash: 9D513D712043015BCB14BB72C9A6ABF76999F90308F00453FB946B72E3DF7D9D09869A
                                                                                Function 004530E4 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 154COMMONLIBRARYCODE
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,004541DF), ref: 00453107
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: DecodePointer
                                                                                • String ID: acos$asin$exp$log$log10$pow$sqrt
                                                                                • API String ID: 3527080286-3064271455
                                                                                • Opcode ID: f53d904abd5658a060f413a89978d0306c3294a3021a30185663c10ae64f840c
                                                                                • Instruction ID: 9333e61b372fbf41addd7e909d3efe481a8fa84217f9852f3907f1ba123c2b47
                                                                                • Opcode Fuzzy Hash: f53d904abd5658a060f413a89978d0306c3294a3021a30185663c10ae64f840c
                                                                                • Instruction Fuzzy Hash: CC518F30900909DBCF10DFA8E9480ADBBB0FF0A347F644196EC81A7216CB799A1DDB1D
                                                                                Function 004159BA Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 104sleepfileCOMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 00415A1A
                                                                                  • Part of subcall function 0041A20F: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040410F,00462E24), ref: 0041A228
                                                                                • Sleep.KERNEL32(00000064), ref: 00415A46
                                                                                • DeleteFileW.KERNEL32(00000000), ref: 00415A7A
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: File$CreateDeleteExecuteShellSleep
                                                                                • String ID: /t $\sysinfo.txt$dxdiag$open$temp
                                                                                • API String ID: 1462127192-2001430897
                                                                                • Opcode ID: c216d361bb9ef99ebd7f865ddf1f7fdade912dea526e25dca7a569b2ba1e0d71
                                                                                • Instruction ID: 7fbd65b43d39327dc9f625a99f058064c4c6325298edc9245ab65683dcac2845
                                                                                • Opcode Fuzzy Hash: c216d361bb9ef99ebd7f865ddf1f7fdade912dea526e25dca7a569b2ba1e0d71
                                                                                • Instruction Fuzzy Hash: FA315E719402199ACB04FBA1DC96DEE7768EF50308F40017FF506731E2EE785E8ACA99
                                                                                Function 004066A6 Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 78COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • ShellExecuteW.SHELL32(00000000,open,00000000,00469654,00469654,00000000), ref: 00406775
                                                                                • ExitProcess.KERNEL32 ref: 00406782
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ExecuteExitProcessShell
                                                                                • String ID: H"G$Software\Classes\mscfile\shell\open\command$eventvwr.exe$mscfile\shell\open\command$open$origmsc
                                                                                • API String ID: 1124553745-1488154373
                                                                                • Opcode ID: 8e5fad59d86c60b71b0e885ed10285bbf14514be7c7ad01d69b843f0820051ef
                                                                                • Instruction ID: 062031feec86e4e4641db6525c6f69cb17b792298443eef288e26788f9a4eac4
                                                                                • Opcode Fuzzy Hash: 8e5fad59d86c60b71b0e885ed10285bbf14514be7c7ad01d69b843f0820051ef
                                                                                • Instruction Fuzzy Hash: 36110571A4420166D704B7A2DC57FEF32689B10B09F50003FF906B61D2EEBC5A4982DE
                                                                                Function 0041AA4F Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 53memoryCOMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • AllocConsole.KERNEL32(00000001), ref: 0041AA5D
                                                                                • ShowWindow.USER32(00000000,00000000), ref: 0041AA76
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AllocConsoleShowWindow
                                                                                • String ID: * BreakingSecurity.net$ * Remcos v$--------------------------$--------------------------$3.8.0 Pro$CONOUT$
                                                                                • API String ID: 4118500197-4025029772
                                                                                • Opcode ID: 613498324cd6a8c522b436d369b4391aab2e08fe6d6e431343eccbd2d6afca2c
                                                                                • Instruction ID: 07661f9972e693547954b0fc743ee20e91627884e026026f5b86345d1a8b50cd
                                                                                • Opcode Fuzzy Hash: 613498324cd6a8c522b436d369b4391aab2e08fe6d6e431343eccbd2d6afca2c
                                                                                • Instruction Fuzzy Hash: CE015271D803586ADB10EBF59C06FDF77AC6B18708F54142BB100A7095E7FC950C4A2D
                                                                                Function 0041B212 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 48windowstringCOMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041B22B
                                                                                  • Part of subcall function 0041B2C4: RegisterClassExA.USER32(00000030), ref: 0041B310
                                                                                  • Part of subcall function 0041B2C4: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041B32B
                                                                                  • Part of subcall function 0041B2C4: GetLastError.KERNEL32 ref: 0041B335
                                                                                • ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041B262
                                                                                • lstrcpynA.KERNEL32(00471AF8,Remcos,00000080), ref: 0041B27C
                                                                                • Shell_NotifyIconA.SHELL32(00000000,00471AE0), ref: 0041B292
                                                                                • TranslateMessage.USER32(?), ref: 0041B29E
                                                                                • DispatchMessageA.USER32(?), ref: 0041B2A8
                                                                                • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0041B2B5
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
                                                                                • String ID: Remcos
                                                                                • API String ID: 1970332568-165870891
                                                                                • Opcode ID: 6a629144b245819b38f2933f29616ef2380529a0a937335efbac9e54df28edc4
                                                                                • Instruction ID: 392c2ce23d615fe7cfca65c1bdf78dc563e79c4ff08160ae13be93183ad442b8
                                                                                • Opcode Fuzzy Hash: 6a629144b245819b38f2933f29616ef2380529a0a937335efbac9e54df28edc4
                                                                                • Instruction Fuzzy Hash: CD013971901308ABCB10DBB9ED4EEDB7BBCFB85B05F40417AF51992061D7B89489CB68
                                                                                Function 00449F63 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: d7410a98b278d9d25d0fcdc47fb7c960ad5f7d9b58d6d06d1c87314e37a5ed65
                                                                                • Instruction ID: 53180985ac70b1d9c95f382170f9691aec8243d5c40cf1d2be039b65846bfc46
                                                                                • Opcode Fuzzy Hash: d7410a98b278d9d25d0fcdc47fb7c960ad5f7d9b58d6d06d1c87314e37a5ed65
                                                                                • Instruction Fuzzy Hash: 2DC12970D44245AFEB11DFA8D841BEEBBB0BF19304F04419AE844A7392C7798D51DB6B
                                                                                Function 00450F63 Relevance: 13.8, APIs: 9, Instructions: 268COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • GetCPInfo.KERNEL32(?,?), ref: 0045100F
                                                                                • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00451092
                                                                                • __alloca_probe_16.LIBCMT ref: 004510CA
                                                                                • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00451125
                                                                                • __alloca_probe_16.LIBCMT ref: 00451174
                                                                                • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 0045113C
                                                                                  • Part of subcall function 00443649: RtlAllocateHeap.NTDLL(00000000,00433069,?,?,004365E7,?,?,00000000,00473A38,?,0040C88A,00433069,?,?,?,?), ref: 0044367B
                                                                                • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 004511B8
                                                                                • __freea.LIBCMT ref: 004511E3
                                                                                • __freea.LIBCMT ref: 004511EF
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
                                                                                • String ID:
                                                                                • API String ID: 201697637-0
                                                                                • Opcode ID: 6ebe38f30125ab260d7bf90636684c5f617b7255880676fca2bd247c862c4a42
                                                                                • Instruction ID: 005ec385ace484c3041e352596739c7debf7d66643145b34d09858c349e559c3
                                                                                • Opcode Fuzzy Hash: 6ebe38f30125ab260d7bf90636684c5f617b7255880676fca2bd247c862c4a42
                                                                                • Instruction Fuzzy Hash: C191D632E002169BDB209EA5C881BAF7BB59F09716F14025BED00E7292D72DDD89C768
                                                                                Function 0044268B Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 266COMMONLIBRARYCODE
                                                                                Download Yara Rule
                                                                                APIs
                                                                                  • Part of subcall function 00445725: GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
                                                                                  • Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
                                                                                  • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
                                                                                  • Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3
                                                                                • _memcmp.LIBVCRUNTIME ref: 00442935
                                                                                • _free.LIBCMT ref: 004429A6
                                                                                • _free.LIBCMT ref: 004429BF
                                                                                • _free.LIBCMT ref: 004429F1
                                                                                • _free.LIBCMT ref: 004429FA
                                                                                • _free.LIBCMT ref: 00442A06
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: _free$ErrorLast$_abort_memcmp
                                                                                • String ID: C
                                                                                • API String ID: 1679612858-1037565863
                                                                                • Opcode ID: 3cd607daeafeb172cd12d40b3ef98e411c3f82b6d125e495381489309ccb8190
                                                                                • Instruction ID: aeaf983377083d43a1268bd0837f448671c9c2270315b144058cc99b7af0bbb4
                                                                                • Opcode Fuzzy Hash: 3cd607daeafeb172cd12d40b3ef98e411c3f82b6d125e495381489309ccb8190
                                                                                • Instruction Fuzzy Hash: C6B14B75A01219DFEB24DF19C984AAEB7B4FF08314F5045AEE849A7350E774AE90CF44
                                                                                Function 00413360 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 225COMMON
                                                                                Download Yara Rule
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: tcp$udp
                                                                                • API String ID: 0-3725065008
                                                                                • Opcode ID: 688bcc682103751b5d6e0fc50f4ff73081394bc5db4df513150874dffde81862
                                                                                • Instruction ID: 0146648cb9627796ba72a5075a1bb19f593c332394d5faf8ede73001e6eead87
                                                                                • Opcode Fuzzy Hash: 688bcc682103751b5d6e0fc50f4ff73081394bc5db4df513150874dffde81862
                                                                                • Instruction Fuzzy Hash: 0271AB306083029FDB24CF55C4456ABBBE5AB88B06F14483FF88587351DB78CE85CB8A
                                                                                Function 0040FF5A Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 191COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Eventinet_ntoa
                                                                                • String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse
                                                                                • API String ID: 3578746661-168337528
                                                                                • Opcode ID: e2fddcd864f1b862c8bd6a30b96e8862d45d519ccfdedf39a86f43d26816717a
                                                                                • Instruction ID: 6b7c77c2de925f44c7fd0444b04eaa142d1c015a05a303cede5520b91582e870
                                                                                • Opcode Fuzzy Hash: e2fddcd864f1b862c8bd6a30b96e8862d45d519ccfdedf39a86f43d26816717a
                                                                                • Instruction Fuzzy Hash: 1B51C671A043005BC704FB35E81AAAE36A56B85304F50453FF942972E2EFBD998987CF
                                                                                Function 004069F4 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 102fileCOMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00000000,00471E78,00462F54,?,00000000,0040708D,00000000), ref: 00406A56
                                                                                • WriteFile.KERNEL32(00000000,?,00000000,000186A0,00000000,?,000186A0,?,?,00000000,0040708D,00000000,?,?,0000000A,00000000), ref: 00406A9E
                                                                                  • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                                                                                • CloseHandle.KERNEL32(00000000,?,00000000,0040708D,00000000,?,?,0000000A,00000000), ref: 00406ADE
                                                                                • MoveFileW.KERNEL32(00000000,00000000), ref: 00406AFB
                                                                                • CloseHandle.KERNEL32(00000000,00000057,?,00000008,?,?,?,?,?,?,?,0000000A,00000000), ref: 00406B26
                                                                                • DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,?,0000000A,00000000), ref: 00406B36
                                                                                  • Part of subcall function 00404B76: WaitForSingleObject.KERNEL32(?,000000FF,00000000,00471E90,00404C29,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404B85
                                                                                  • Part of subcall function 00404B76: SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040546B), ref: 00404BA3
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
                                                                                • String ID: .part
                                                                                • API String ID: 1303771098-3499674018
                                                                                • Opcode ID: b311657231bfd1ddbcc4a820267832357b1505ed209a9d42b0dbde4102a0be9c
                                                                                • Instruction ID: 678cfffe15af58d7f0b712f13b91f409224560124cae5e22a1f642ab954cf825
                                                                                • Opcode Fuzzy Hash: b311657231bfd1ddbcc4a820267832357b1505ed209a9d42b0dbde4102a0be9c
                                                                                • Instruction Fuzzy Hash: 183195715043519FC210FF61D8859AFB7E8EF84305F40493FB946A21E1DB78DE488B9A
                                                                                Function 00446FC4 Relevance: 12.2, APIs: 8, Instructions: 216COMMONLIBRARYCODE
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,0043E2F6,0043E2F6,?,?,?,00447215,00000001,00000001,80E85006), ref: 0044701E
                                                                                • __alloca_probe_16.LIBCMT ref: 00447056
                                                                                • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00447215,00000001,00000001,80E85006,?,?,?), ref: 004470A4
                                                                                • __alloca_probe_16.LIBCMT ref: 0044713B
                                                                                • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,80E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0044719E
                                                                                • __freea.LIBCMT ref: 004471AB
                                                                                  • Part of subcall function 00443649: RtlAllocateHeap.NTDLL(00000000,00433069,?,?,004365E7,?,?,00000000,00473A38,?,0040C88A,00433069,?,?,?,?), ref: 0044367B
                                                                                • __freea.LIBCMT ref: 004471B4
                                                                                • __freea.LIBCMT ref: 004471D9
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
                                                                                • String ID:
                                                                                • API String ID: 3864826663-0
                                                                                • Opcode ID: 04037ebd5a1a4f50f5415f33d7545ea1837db620aa2cb0a216d5dedd30da5abc
                                                                                • Instruction ID: 54c76e5b98bc3e662f405ec50a570bffd16f8396d3d33e450f7b83ec1f761fab
                                                                                • Opcode Fuzzy Hash: 04037ebd5a1a4f50f5415f33d7545ea1837db620aa2cb0a216d5dedd30da5abc
                                                                                • Instruction Fuzzy Hash: C051F372604216AFFB258F65CC81EAF77A9EB44754F19422EFC04D6340EB38DC4296A8
                                                                                Function 00417949 Relevance: 12.1, APIs: 8, Instructions: 102keyboardCOMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 00417982
                                                                                • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 004179A3
                                                                                • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 004179C3
                                                                                • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 004179D7
                                                                                • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 004179ED
                                                                                • SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 00417A0A
                                                                                • SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 00417A25
                                                                                • SendInput.USER32(00000001,?,0000001C,?,00000000), ref: 00417A41
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: InputSend
                                                                                • String ID:
                                                                                • API String ID: 3431551938-0
                                                                                • Opcode ID: 6aaf5890e5c1829a4f0a9f9de961f2057ca44ae286fc2f2a8f4f79c9cdb01491
                                                                                • Instruction ID: 18205c9a4f61e0979ba7f31da2e0396e133b47f61cec1eebe1044e0c870e5742
                                                                                • Opcode Fuzzy Hash: 6aaf5890e5c1829a4f0a9f9de961f2057ca44ae286fc2f2a8f4f79c9cdb01491
                                                                                • Instruction Fuzzy Hash: BF3180715583086EE311CF51D941BEBBFECEF99B54F00080FF6809A191D2A696C98BA7
                                                                                Function 00414F40 Relevance: 12.0, APIs: 8, Instructions: 49clipboardCOMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • OpenClipboard.USER32 ref: 00414F41
                                                                                • EmptyClipboard.USER32 ref: 00414F4F
                                                                                • CloseClipboard.USER32 ref: 00414F55
                                                                                • OpenClipboard.USER32 ref: 00414F5C
                                                                                • GetClipboardData.USER32(0000000D), ref: 00414F6C
                                                                                • GlobalLock.KERNEL32(00000000), ref: 00414F75
                                                                                • GlobalUnlock.KERNEL32(00000000), ref: 00414F7E
                                                                                • CloseClipboard.USER32 ref: 00414F84
                                                                                  • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
                                                                                • String ID:
                                                                                • API String ID: 2172192267-0
                                                                                • Opcode ID: 828cfcc74c82ea041a7dd29e4e1c173cc2e20efda03bf5817e1bab7b2f8bf981
                                                                                • Instruction ID: b342c93700c1c5b5557293b3c64df63ecfc3f94f93ee8c928ebb46f035b43356
                                                                                • Opcode Fuzzy Hash: 828cfcc74c82ea041a7dd29e4e1c173cc2e20efda03bf5817e1bab7b2f8bf981
                                                                                • Instruction Fuzzy Hash: 7C015E312443009BD314BF71DC596AA76A8EBE0346F81057EB94A931A3DF3899498A9A
                                                                                Function 00447757 Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,00447ECC,00453EB5,00000000,00000000,00000000,00000000,00000000), ref: 00447799
                                                                                • __fassign.LIBCMT ref: 00447814
                                                                                • __fassign.LIBCMT ref: 0044782F
                                                                                • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 00447855
                                                                                • WriteFile.KERNEL32(?,00000000,00000000,00447ECC,00000000,?,?,?,?,?,?,?,?,?,00447ECC,00453EB5), ref: 00447874
                                                                                • WriteFile.KERNEL32(?,00453EB5,00000001,00447ECC,00000000,?,?,?,?,?,?,?,?,?,00447ECC,00453EB5), ref: 004478AD
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                                                • String ID:
                                                                                • API String ID: 1324828854-0
                                                                                • Opcode ID: a748b16374f527b7a80cf69ed727348adf3f69da4df0249be72511d103bd3332
                                                                                • Instruction ID: 74b5e8c6f427b63fe2026e60454d3d85c0c1d9029b0a2cc1a9ecb7a500eaa1fe
                                                                                • Opcode Fuzzy Hash: a748b16374f527b7a80cf69ed727348adf3f69da4df0249be72511d103bd3332
                                                                                • Instruction Fuzzy Hash: 32510870E042499FEB10DFA8DC85AEEBBF8EF09300F14416BE951E7291E7749941CB69
                                                                                Function 00453DF4 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 152COMMONLIBRARYCODE
                                                                                Download Yara Rule
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: _free
                                                                                • String ID: $-E$$-E
                                                                                • API String ID: 269201875-3140958853
                                                                                • Opcode ID: e48a72c45575700ceddfc4a13269a7974e50b6c85b9f24d2dc50821f03aae928
                                                                                • Instruction ID: 9707d98a659f88f98630b1874925085f47dfd26ea07d7c57405a666b90b138a8
                                                                                • Opcode Fuzzy Hash: e48a72c45575700ceddfc4a13269a7974e50b6c85b9f24d2dc50821f03aae928
                                                                                • Instruction Fuzzy Hash: 69412C32A041006BDB21AFBA8C4666F3BA5DF453B7F10461FFC18D6293DB3C8E15466A
                                                                                Function 00401CEB Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 89COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • _strftime.LIBCMT ref: 00401D30
                                                                                  • Part of subcall function 00401A4D: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AB9
                                                                                • waveInUnprepareHeader.WINMM(0046FA78,00000020,00000000,?), ref: 00401DE2
                                                                                • waveInPrepareHeader.WINMM(0046FA78,00000020), ref: 00401E20
                                                                                • waveInAddBuffer.WINMM(0046FA78,00000020), ref: 00401E2F
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
                                                                                • String ID: %Y-%m-%d %H.%M$.wav
                                                                                • API String ID: 3809562944-3597965672
                                                                                • Opcode ID: b10e30c525f246f4611f68b91188478031edfba2b9a6cbdc9954c4cf903c77cf
                                                                                • Instruction ID: eb6f517cf981021e41f9baa65c06222081641aa24e02a1e4c78245b08a68fc14
                                                                                • Opcode Fuzzy Hash: b10e30c525f246f4611f68b91188478031edfba2b9a6cbdc9954c4cf903c77cf
                                                                                • Instruction Fuzzy Hash: 743150315043009BC314EBA1EC56A9E77E8FB54318F50893EF599A21F2EFB49909CB5E
                                                                                Function 0040AE2A Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 87COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                  • Part of subcall function 00411F91: RegOpenKeyExA.ADVAPI32(80000002,00000400,00000000,00020019,?), ref: 00411FB5
                                                                                  • Part of subcall function 00411F91: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,00000400), ref: 00411FD2
                                                                                  • Part of subcall function 00411F91: RegCloseKey.ADVAPI32(?), ref: 00411FDD
                                                                                • ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040AEAC
                                                                                • PathFileExistsA.SHLWAPI(?), ref: 0040AEB9
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
                                                                                • String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
                                                                                • API String ID: 1133728706-4073444585
                                                                                • Opcode ID: 2710e71acfe910868fa7bd05cf86435756edf937fb7501142c457778cac90120
                                                                                • Instruction ID: 9e227284a7a69f00510d3be81dd7cde1580ac9a58a9ca8fbd928e09bf644cbd9
                                                                                • Opcode Fuzzy Hash: 2710e71acfe910868fa7bd05cf86435756edf937fb7501142c457778cac90120
                                                                                • Instruction Fuzzy Hash: CF21B170A4020556CB00FBE2CC97DEE7368AF51348F80013FB901772D2EB795A45C6DA
                                                                                Function 00453D2D Relevance: 10.6, APIs: 7, Instructions: 80COMMONLIBRARYCODE
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: a9bccf30988101774ee440fa5cc9a08b358316fbf5677ac8bfda6d7ead677197
                                                                                • Instruction ID: 106e2cecea33a690a52cc41c1271e31c3df1f85e8271d36c5dacef07d135bc52
                                                                                • Opcode Fuzzy Hash: a9bccf30988101774ee440fa5cc9a08b358316fbf5677ac8bfda6d7ead677197
                                                                                • Instruction Fuzzy Hash: 2C113232504214BBCB213F769C0596B7B7CDF857A7F11062BFC1583292DA38C9089269
                                                                                Function 0044E0DA Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE
                                                                                Download Yara Rule
                                                                                APIs
                                                                                  • Part of subcall function 0044DE21: _free.LIBCMT ref: 0044DE4A
                                                                                • _free.LIBCMT ref: 0044E128
                                                                                  • Part of subcall function 00443C92: HeapFree.KERNEL32(00000000,00000000,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?), ref: 00443CA8
                                                                                  • Part of subcall function 00443C92: GetLastError.KERNEL32(?,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?,?), ref: 00443CBA
                                                                                • _free.LIBCMT ref: 0044E133
                                                                                • _free.LIBCMT ref: 0044E13E
                                                                                • _free.LIBCMT ref: 0044E192
                                                                                • _free.LIBCMT ref: 0044E19D
                                                                                • _free.LIBCMT ref: 0044E1A8
                                                                                • _free.LIBCMT ref: 0044E1B3
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: _free$ErrorFreeHeapLast
                                                                                • String ID:
                                                                                • API String ID: 776569668-0
                                                                                • Opcode ID: d645742a9f031bfd4c53cfe37fe00a001808073c56fe889b6c8b285726f20831
                                                                                • Instruction ID: b65b67035ea7ffc6fe2c1778d32cb4f6cbb79ca162155871331ff7aa41bb66fd
                                                                                • Opcode Fuzzy Hash: d645742a9f031bfd4c53cfe37fe00a001808073c56fe889b6c8b285726f20831
                                                                                • Instruction Fuzzy Hash: 64111571940B08AAE520BFF2CC47FCBB7DC9F14708F50882EB29D6A552DA7DB6044654
                                                                                Function 004192AE Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 61COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                  • Part of subcall function 00419F23: GetCurrentProcess.KERNEL32(?,?,?,0040C663,WinDir,00000000,00000000), ref: 00419F34
                                                                                  • Part of subcall function 00411F91: RegOpenKeyExA.ADVAPI32(80000002,00000400,00000000,00020019,?), ref: 00411FB5
                                                                                  • Part of subcall function 00411F91: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,00000400), ref: 00411FD2
                                                                                  • Part of subcall function 00411F91: RegCloseKey.ADVAPI32(?), ref: 00411FDD
                                                                                • StrToIntA.SHLWAPI(00000000,00469710,00000000,00000000,00000000,00471FFC,00000001,?,?,?,?,?,?,0040D6A0), ref: 00419327
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CloseCurrentOpenProcessQueryValue
                                                                                • String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
                                                                                • API String ID: 1866151309-2070987746
                                                                                • Opcode ID: 905e145e97e877e89bffcd847be86f3e5d4b8ef02cc69856730a9e086f165d02
                                                                                • Instruction ID: a9b62d1d1389f8d2b696bc63f2982e792167bed2dd8bed00043a633dd184e9c5
                                                                                • Opcode Fuzzy Hash: 905e145e97e877e89bffcd847be86f3e5d4b8ef02cc69856730a9e086f165d02
                                                                                • Instruction Fuzzy Hash: E411E371A002456AC704B765CC67AAF761D8B54309F64053FF905A71E2FABC4D8282AA
                                                                                Function 004380FA Relevance: 10.6, APIs: 7, Instructions: 60COMMONLIBRARYCODE
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • GetLastError.KERNEL32(?,?,004380F1,0043705E), ref: 00438108
                                                                                • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00438116
                                                                                • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0043812F
                                                                                • SetLastError.KERNEL32(00000000,?,004380F1,0043705E), ref: 00438181
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ErrorLastValue___vcrt_
                                                                                • String ID:
                                                                                • API String ID: 3852720340-0
                                                                                • Opcode ID: a51cd608757b9cf21dde5cb3b99bb74488ace4818edb59339c74db540250a301
                                                                                • Instruction ID: 5a832d73688d02476ca7511e273f3515cfb573674d76dbd3fe9934521fa1a72b
                                                                                • Opcode Fuzzy Hash: a51cd608757b9cf21dde5cb3b99bb74488ace4818edb59339c74db540250a301
                                                                                • Instruction Fuzzy Hash: F101283210C3326EAA102F767C85A1BAA94EB09779F31633FF214951E1FFA99C02550C
                                                                                Function 0040A9E2 Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 49fileCOMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040AA1E
                                                                                • GetLastError.KERNEL32 ref: 0040AA28
                                                                                Strings
                                                                                • UserProfile, xrefs: 0040A9EE
                                                                                • \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040A9E9
                                                                                • [Chrome Cookies found, cleared!], xrefs: 0040AA4E
                                                                                • [Chrome Cookies not found], xrefs: 0040AA42
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: DeleteErrorFileLast
                                                                                • String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
                                                                                • API String ID: 2018770650-304995407
                                                                                • Opcode ID: b4927beb3b7d8682d6e8687247d88e98b96e581d4f5d1102126ce03b4be6211c
                                                                                • Instruction ID: 1f34f6daae66b163f55af04f15e1d0b60933b3567ae099988c08ef58cbd90c9e
                                                                                • Opcode Fuzzy Hash: b4927beb3b7d8682d6e8687247d88e98b96e581d4f5d1102126ce03b4be6211c
                                                                                • Instruction Fuzzy Hash: 0E01F731B4020467C6047A75DD278AE77249951304B50057FF402773D2FD798915CA9F
                                                                                Function 0043887C Relevance: 9.3, APIs: 6, Instructions: 284COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • __allrem.LIBCMT ref: 00438A09
                                                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00438A25
                                                                                • __allrem.LIBCMT ref: 00438A3C
                                                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00438A5A
                                                                                • __allrem.LIBCMT ref: 00438A71
                                                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00438A8F
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                                                                • String ID:
                                                                                • API String ID: 1992179935-0
                                                                                • Opcode ID: a5bb698a37765ca5ad947defe33ca2ea1dc364bfd829a3e03f22b831f39bfe5b
                                                                                • Instruction ID: 1db505a437643d25cad1e1ab06004ebe691486694b679651004c0d70fbe8f9c1
                                                                                • Opcode Fuzzy Hash: a5bb698a37765ca5ad947defe33ca2ea1dc364bfd829a3e03f22b831f39bfe5b
                                                                                • Instruction Fuzzy Hash: CD815972A007069BE724BA29CC41B6BF3E8AF49328F14512FF511D6382EF78D900875D
                                                                                Function 00442E0B Relevance: 9.2, APIs: 6, Instructions: 200COMMONLIBRARYCODE
                                                                                Download Yara Rule
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: __cftoe
                                                                                • String ID:
                                                                                • API String ID: 4189289331-0
                                                                                • Opcode ID: 6721aee484eec6af142a787e0ccbed3fea0baaedfcb9b8799baac12631cf5e23
                                                                                • Instruction ID: 4563a9c63fae0d6d7f7aa9a83d474a3ec136fb2d14012502de5dff0b8c27d610
                                                                                • Opcode Fuzzy Hash: 6721aee484eec6af142a787e0ccbed3fea0baaedfcb9b8799baac12631cf5e23
                                                                                • Instruction Fuzzy Hash: CB510C32500205ABFB209F598E45EAF77B8EF48334FE0421FF415D6282EB79D941966C
                                                                                Function 00444A81 Relevance: 9.1, APIs: 3, Strings: 2, Instructions: 389COMMONLIBRARYCODE
                                                                                Download Yara Rule
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: __freea$__alloca_probe_16_free
                                                                                • String ID: a/p$am/pm
                                                                                • API String ID: 2936374016-3206640213
                                                                                • Opcode ID: 5bf20948ecfdcfc47f5d03c18463ec118060d09d36ce90c1cff5387842e26ce9
                                                                                • Instruction ID: 5910b70c00eb86a61931efff1dda8232d7c1eee9eff2524394b85f82b3a3e216
                                                                                • Opcode Fuzzy Hash: 5bf20948ecfdcfc47f5d03c18463ec118060d09d36ce90c1cff5387842e26ce9
                                                                                • Instruction Fuzzy Hash: 05D1E171900206CAFB289F68C895BBBB7B1FF85300F29415BE905AB391D73D9D81CB59
                                                                                Function 0040F8B7 Relevance: 9.1, APIs: 6, Instructions: 75COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • std::_Lockit::_Lockit.LIBCPMT ref: 0040F8C4
                                                                                • int.LIBCPMT ref: 0040F8D7
                                                                                  • Part of subcall function 0040CAE9: std::_Lockit::_Lockit.LIBCPMT ref: 0040CAFA
                                                                                  • Part of subcall function 0040CAE9: std::_Lockit::~_Lockit.LIBCPMT ref: 0040CB14
                                                                                • std::_Facet_Register.LIBCPMT ref: 0040F917
                                                                                • std::_Lockit::~_Lockit.LIBCPMT ref: 0040F920
                                                                                • __CxxThrowException@8.LIBVCRUNTIME ref: 0040F93E
                                                                                • __Init_thread_footer.LIBCMT ref: 0040F97F
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_Init_thread_footerRegisterThrow
                                                                                • String ID:
                                                                                • API String ID: 3815856325-0
                                                                                • Opcode ID: 296aa1fc45bd8a97e11338d30c2ad026eda8063a32206ad78c4166fd1b77079b
                                                                                • Instruction ID: 3bb9722abb9e04fd13c8d4025e7ce1c878c76566b3017ce531706a3e1b7c3414
                                                                                • Opcode Fuzzy Hash: 296aa1fc45bd8a97e11338d30c2ad026eda8063a32206ad78c4166fd1b77079b
                                                                                • Instruction Fuzzy Hash: 90212232900104EBCB24EBA9E94699E7378AB08324F20017FF844B72D1DB389F458BD9
                                                                                Function 00418C2E Relevance: 9.1, APIs: 6, Instructions: 67serviceCOMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,00000000,?,?,?,00418344,00000000), ref: 00418C3E
                                                                                • OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,?,?,00418344,00000000), ref: 00418C52
                                                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,00418344,00000000), ref: 00418C5F
                                                                                • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00418344,00000000), ref: 00418C94
                                                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,00418344,00000000), ref: 00418CA6
                                                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,00418344,00000000), ref: 00418CA9
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Service$CloseHandle$Open$ChangeConfigManager
                                                                                • String ID:
                                                                                • API String ID: 493672254-0
                                                                                • Opcode ID: 6b3aada76383092df42fd9d8378ae16ca6440a91692c2fe76f90724c69c65514
                                                                                • Instruction ID: 151ede47f5a01f66990efdacd58a0b59027112db6305451f0336687f4909308b
                                                                                • Opcode Fuzzy Hash: 6b3aada76383092df42fd9d8378ae16ca6440a91692c2fe76f90724c69c65514
                                                                                • Instruction Fuzzy Hash: A20149711862183AE6108B389C4EEBB3A6CDB42771F14032FF925A32D1EE68CD4185F9
                                                                                Function 00445725 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
                                                                                • _free.LIBCMT ref: 0044575C
                                                                                • _free.LIBCMT ref: 00445784
                                                                                • SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 00445791
                                                                                • SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
                                                                                • _abort.LIBCMT ref: 004457A3
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ErrorLast$_free$_abort
                                                                                • String ID:
                                                                                • API String ID: 3160817290-0
                                                                                • Opcode ID: beb673fc776bdcf0cb4aa2f907b8faed87466b0c6696de81e80bb7a9f8cba6db
                                                                                • Instruction ID: 2afc6a99b93033dbed13f8def56e2284daf42193b39b630cfab03248b002a5f8
                                                                                • Opcode Fuzzy Hash: beb673fc776bdcf0cb4aa2f907b8faed87466b0c6696de81e80bb7a9f8cba6db
                                                                                • Instruction Fuzzy Hash: 6EF0FE35100F0067FA117B367C8AB2F1A695FC2B2AF21013BF419D6293EE3DC902452D
                                                                                Function 00418A5C Relevance: 9.0, APIs: 6, Instructions: 45serviceCOMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,00000001,?,?,?,?,?,?,004185D9,00000000), ref: 00418A6B
                                                                                • OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,004185D9,00000000), ref: 00418A7F
                                                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004185D9,00000000), ref: 00418A8C
                                                                                • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,004185D9,00000000), ref: 00418A9B
                                                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004185D9,00000000), ref: 00418AAD
                                                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004185D9,00000000), ref: 00418AB0
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Service$CloseHandle$Open$ControlManager
                                                                                • String ID:
                                                                                • API String ID: 221034970-0
                                                                                • Opcode ID: f9d93c7612eed7e1ddf8c3953865d04e5265de3587757247bbfd6a1c47877660
                                                                                • Instruction ID: 4afe7732e2fa81f36ccf108e41ed7890102f29a09d0e479adccf976045b68e04
                                                                                • Opcode Fuzzy Hash: f9d93c7612eed7e1ddf8c3953865d04e5265de3587757247bbfd6a1c47877660
                                                                                • Instruction Fuzzy Hash: A4F0C2315013186BD210EBA5DC89EBF3BACDF45B96B41002BFD0993192DF38CD4689E9
                                                                                Function 00418B60 Relevance: 9.0, APIs: 6, Instructions: 45serviceCOMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,00418559,00000000), ref: 00418B6F
                                                                                • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,00418559,00000000), ref: 00418B83
                                                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00418559,00000000), ref: 00418B90
                                                                                • ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,00418559,00000000), ref: 00418B9F
                                                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00418559,00000000), ref: 00418BB1
                                                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00418559,00000000), ref: 00418BB4
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Service$CloseHandle$Open$ControlManager
                                                                                • String ID:
                                                                                • API String ID: 221034970-0
                                                                                • Opcode ID: 027b45ec19db43cd3e6d09ceb5389eefa79acdbdadc7d59ed190380558829436
                                                                                • Instruction ID: 20460b91a854b5e3c53015269073f2e928c2deccd9acf6b4d89527a320d4dccf
                                                                                • Opcode Fuzzy Hash: 027b45ec19db43cd3e6d09ceb5389eefa79acdbdadc7d59ed190380558829436
                                                                                • Instruction Fuzzy Hash: 22F0C2715402186BD210EB65DC89EBF3BACDB45B52B81006AFE09A3192DE38DD4589E9
                                                                                Function 00418BC7 Relevance: 9.0, APIs: 6, Instructions: 45serviceCOMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,004184D9,00000000), ref: 00418BD6
                                                                                • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,004184D9,00000000), ref: 00418BEA
                                                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004184D9,00000000), ref: 00418BF7
                                                                                • ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,004184D9,00000000), ref: 00418C06
                                                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004184D9,00000000), ref: 00418C18
                                                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004184D9,00000000), ref: 00418C1B
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Service$CloseHandle$Open$ControlManager
                                                                                • String ID:
                                                                                • API String ID: 221034970-0
                                                                                • Opcode ID: 60f77fd359bc8166b0f1f63c621f75235c8633bea2de10f026708dad38e6f72c
                                                                                • Instruction ID: 1da220ff3ffe1d32b0df5c47a21bcd1adf2661b27de4fa42f8fed5365a22baa8
                                                                                • Opcode Fuzzy Hash: 60f77fd359bc8166b0f1f63c621f75235c8633bea2de10f026708dad38e6f72c
                                                                                • Instruction Fuzzy Hash: 32F0C2715012186BD210EB65EC89DBF3BACDB45B51B41002AFE0993192DF38CD4589F9
                                                                                Function 0040966D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58sleepfileCOMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00409745), ref: 004096A3
                                                                                • GetFileSize.KERNEL32(00000000,00000000,?,?,?,00409745), ref: 004096B2
                                                                                • Sleep.KERNEL32(00002710,?,?,?,00409745), ref: 004096DF
                                                                                • CloseHandle.KERNEL32(00000000,?,?,?,00409745), ref: 004096E6
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: File$CloseCreateHandleSizeSleep
                                                                                • String ID: h G
                                                                                • API String ID: 1958988193-3300504347
                                                                                • Opcode ID: 2165585e5b18e3410dae2497746dd606356f3a02818af73040aae92c32689789
                                                                                • Instruction ID: 1483d32ec36d41576822df3093d1b75ffc22edec2a146082987510034e162158
                                                                                • Opcode Fuzzy Hash: 2165585e5b18e3410dae2497746dd606356f3a02818af73040aae92c32689789
                                                                                • Instruction Fuzzy Hash: 24113D70201380ABD7316B749D99A2F3A9BB746304F44087EF281636D3C67D5C44C32E
                                                                                Function 0041B2C4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 57registryCOMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • RegisterClassExA.USER32(00000030), ref: 0041B310
                                                                                • CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041B32B
                                                                                • GetLastError.KERNEL32 ref: 0041B335
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ClassCreateErrorLastRegisterWindow
                                                                                • String ID: 0$MsgWindowClass
                                                                                • API String ID: 2877667751-2410386613
                                                                                • Opcode ID: 5c8849b15fa1cc9467c1d7fb15406a30d7545ffe8e7388a5e40320623bb372a5
                                                                                • Instruction ID: 33db8f89e50e9671cec9701a72200cc03bcb20702a276687bfdd99081a41ce18
                                                                                • Opcode Fuzzy Hash: 5c8849b15fa1cc9467c1d7fb15406a30d7545ffe8e7388a5e40320623bb372a5
                                                                                • Instruction Fuzzy Hash: 1F0125B190031CABDB10DFE5EC849EFBBBCFB08355F40052AF810A2250E77599048AA4
                                                                                Function 00437603 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 48COMMONLIBRARYCODE
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • ___BuildCatchObject.LIBVCRUNTIME ref: 0043761A
                                                                                  • Part of subcall function 00437C52: ___AdjustPointer.LIBCMT ref: 00437C9C
                                                                                • _UnwindNestedFrames.LIBCMT ref: 00437631
                                                                                • ___FrameUnwindToState.LIBVCRUNTIME ref: 00437643
                                                                                • CallCatchBlock.LIBVCRUNTIME ref: 00437667
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
                                                                                • String ID: /zC
                                                                                • API String ID: 2633735394-4132788633
                                                                                • Opcode ID: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
                                                                                • Instruction ID: d669bc69f5b2d8c9fbf55978af89ff33433ac2085b506f133949dc977f569c90
                                                                                • Opcode Fuzzy Hash: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
                                                                                • Instruction Fuzzy Hash: 44012D72004508BBCF225F56CC42EDA3BBAEF4C764F15501AFA9861220C33AE861DF98
                                                                                Function 0041739D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 43COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • GetSystemMetrics.USER32(0000004C), ref: 004173AA
                                                                                • GetSystemMetrics.USER32(0000004D), ref: 004173B0
                                                                                • GetSystemMetrics.USER32(0000004E), ref: 004173B6
                                                                                • GetSystemMetrics.USER32(0000004F), ref: 004173BC
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: MetricsSystem
                                                                                • String ID: ]tA
                                                                                • API String ID: 4116985748-3517819141
                                                                                • Opcode ID: 812a9219b2c6697e1b7e6c0967c7113de32af3875f372bd592213eda7148f6bd
                                                                                • Instruction ID: 3cbdadbf3de93f5eefc1923f71e525f4be7d9c38d0567e5d5edaddbebabc810f
                                                                                • Opcode Fuzzy Hash: 812a9219b2c6697e1b7e6c0967c7113de32af3875f372bd592213eda7148f6bd
                                                                                • Instruction Fuzzy Hash: 64F0AFB1B043254BD700EA7A8C41A6FAAE59BD4274F11443FFA09C7282EEB8DC458B94
                                                                                Function 0040E501 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 43processCOMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?,?,?,?,?,00000000,00471FFC), ref: 0040E547
                                                                                • CloseHandle.KERNEL32(?,?,?,?,?,00000000,00471FFC), ref: 0040E556
                                                                                • CloseHandle.KERNEL32(?,?,?,?,?,00000000,00471FFC), ref: 0040E55B
                                                                                Strings
                                                                                • /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 0040E53D
                                                                                • C:\Windows\System32\cmd.exe, xrefs: 0040E542
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CloseHandle$CreateProcess
                                                                                • String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
                                                                                • API String ID: 2922976086-4183131282
                                                                                • Opcode ID: 5cb763d495b165fc4f9c66d013102bd94a78ddd016aca5e3dc924e3fee2ecf0f
                                                                                • Instruction ID: 9c8cd13d2f2f5b55d8ef3643fb71004f418ed3317f879fdff7c1c4061e2abca7
                                                                                • Opcode Fuzzy Hash: 5cb763d495b165fc4f9c66d013102bd94a78ddd016aca5e3dc924e3fee2ecf0f
                                                                                • Instruction Fuzzy Hash: 1AF06276D0029C7ACB20AAD7AC0DEDF7F3CEBC6B11F00005AB504A2050D5746540CAB5
                                                                                Function 0044083A Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,004407EB,00000000,?,0044078B,00000000,0046B4F8,0000000C,004408E2,00000000,00000002), ref: 0044085A
                                                                                • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0044086D
                                                                                • FreeLibrary.KERNEL32(00000000,?,?,?,004407EB,00000000,?,0044078B,00000000,0046B4F8,0000000C,004408E2,00000000,00000002), ref: 00440890
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AddressFreeHandleLibraryModuleProc
                                                                                • String ID: CorExitProcess$mscoree.dll
                                                                                • API String ID: 4061214504-1276376045
                                                                                • Opcode ID: cfbbdf30ec96b6666769d195f1efe458a00f065bb439fa98bb073361271b6784
                                                                                • Instruction ID: 0a8d3f567fe41ef9be558500660f8c42ae883db5e601ee7dbbda2c1d2cd30ed9
                                                                                • Opcode Fuzzy Hash: cfbbdf30ec96b6666769d195f1efe458a00f065bb439fa98bb073361271b6784
                                                                                • Instruction Fuzzy Hash: EAF0A431900618BBDB10AF61DC09BAEBFB4DB04756F510275F905A2261CB74CE54CA98
                                                                                Function 004050C4 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 35synchronizationCOMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00471E90,00404E5A,00000001,?,00000000,00471E90,00404C88,00000000,?,?,00000000), ref: 00405100
                                                                                • SetEvent.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000), ref: 0040510C
                                                                                • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,00471E90,00404C88,00000000,?,?,00000000), ref: 00405117
                                                                                • CloseHandle.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000), ref: 00405120
                                                                                  • Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4
                                                                                Strings
                                                                                • Connection KeepAlive | Disabled, xrefs: 004050D9
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
                                                                                • String ID: Connection KeepAlive | Disabled
                                                                                • API String ID: 2993684571-3818284553
                                                                                • Opcode ID: 225cf815540c87da9bddac79f5b913ec4e7dd3a96093c31c561b7671f502e72f
                                                                                • Instruction ID: 9f72672606b7a98fb4f6c5586ee23e87f0057564a74405461857646c77684129
                                                                                • Opcode Fuzzy Hash: 225cf815540c87da9bddac79f5b913ec4e7dd3a96093c31c561b7671f502e72f
                                                                                • Instruction Fuzzy Hash: 73F09671D047007FEB1037759D0AA6B7F98DB02315F44096EF882526E1D5B988509B5A
                                                                                Function 00418D76 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30sleepCOMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                  • Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4
                                                                                • GetModuleHandleA.KERNEL32(00000000,00020009), ref: 00418DA8
                                                                                • PlaySoundW.WINMM(00000000,00000000), ref: 00418DB6
                                                                                • Sleep.KERNEL32(00002710), ref: 00418DBD
                                                                                • PlaySoundW.WINMM(00000000,00000000,00000000), ref: 00418DC6
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: PlaySound$HandleLocalModuleSleepTime
                                                                                • String ID: Alarm triggered
                                                                                • API String ID: 614609389-2816303416
                                                                                • Opcode ID: bdf6e914fbef22af66a0bd792b19461622f07135ad8277a1fc3addc14a55c3ce
                                                                                • Instruction ID: 312fa8acbc24107594bc9953998d05cc744500d2263fe9839a2dc32143519282
                                                                                • Opcode Fuzzy Hash: bdf6e914fbef22af66a0bd792b19461622f07135ad8277a1fc3addc14a55c3ce
                                                                                • Instruction Fuzzy Hash: 9EE01226E4026037A510376A6D0FC6F2D2DDBD3B6274501AFFA04571D2D9A4080186FF
                                                                                Function 0043BB4A Relevance: 7.7, APIs: 5, Instructions: 222COMMONLIBRARYCODE
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 0ee00742f353d3b6c360b2e24851711a1429195aca157381f7858ce70f5acd61
                                                                                • Instruction ID: 08a5b5d7c592992a36ca4e715a0fda7f3efcfcd9ac9fa05da90acde50f0064fb
                                                                                • Opcode Fuzzy Hash: 0ee00742f353d3b6c360b2e24851711a1429195aca157381f7858ce70f5acd61
                                                                                • Instruction Fuzzy Hash: C471C3319002169BCB21CF55C884BFFBB75EF99320F24622BEA5167241DB788D41CBE9
                                                                                Function 00404351 Relevance: 7.7, APIs: 1, Strings: 4, Instructions: 206sleepCOMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • Sleep.KERNEL32(00000000,?), ref: 004044A4
                                                                                  • Part of subcall function 004045E7: __EH_prolog.LIBCMT ref: 004045EC
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: H_prologSleep
                                                                                • String ID: CloseCamera$FreeFrame$GetFrame$OpenCamera
                                                                                • API String ID: 3469354165-3547787478
                                                                                • Opcode ID: cf4fac54dc614f6b24d057e9d973ce543428a8baf8f9bf4efbfe368f6e52cd5d
                                                                                • Instruction ID: 7794b0ea9bf29785644917a3a4e5658b539d561772896ef264e5995737b90c85
                                                                                • Opcode Fuzzy Hash: cf4fac54dc614f6b24d057e9d973ce543428a8baf8f9bf4efbfe368f6e52cd5d
                                                                                • Instruction Fuzzy Hash: 5951E8B1B0420167C614BB769D5AA6E3795ABC0744F00053FFA45A77E2EF7C8D09C29E
                                                                                Function 0044220D Relevance: 7.7, APIs: 5, Instructions: 187COMMONLIBRARYCODE
                                                                                Download Yara Rule
                                                                                APIs
                                                                                  • Part of subcall function 00443649: RtlAllocateHeap.NTDLL(00000000,00433069,?,?,004365E7,?,?,00000000,00473A38,?,0040C88A,00433069,?,?,?,?), ref: 0044367B
                                                                                • _free.LIBCMT ref: 00442318
                                                                                • _free.LIBCMT ref: 0044232F
                                                                                • _free.LIBCMT ref: 0044234E
                                                                                • _free.LIBCMT ref: 00442369
                                                                                • _free.LIBCMT ref: 00442380
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: _free$AllocateHeap
                                                                                • String ID:
                                                                                • API String ID: 3033488037-0
                                                                                • Opcode ID: 68d3d4ca8a647a007ad94700598122f23d06d752802edf7745cc1232d3d9ba81
                                                                                • Instruction ID: f6524bd8b7bf53f5b45239f2df66d8239dbe938cd5ee0330fa6954bf91cd2c46
                                                                                • Opcode Fuzzy Hash: 68d3d4ca8a647a007ad94700598122f23d06d752802edf7745cc1232d3d9ba81
                                                                                • Instruction Fuzzy Hash: 2951C331A00704AFEB20DF6AC941A6A77F4FF49724F54466EF809DB250E7B9DA018B48
                                                                                Function 004412F9 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE
                                                                                Download Yara Rule
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: _free
                                                                                • String ID:
                                                                                • API String ID: 269201875-0
                                                                                • Opcode ID: 76d0ae20e321c1f8d33a0e61d3fd8decc26b720c3d8a788f20ca92602b864a36
                                                                                • Instruction ID: cd63c3b426f476a3995244c06b7e284d95fcad26de8669326c9f329b52a78418
                                                                                • Opcode Fuzzy Hash: 76d0ae20e321c1f8d33a0e61d3fd8decc26b720c3d8a788f20ca92602b864a36
                                                                                • Instruction Fuzzy Hash: AE41E132E002049FEB10DF79C981A5EB3F5EF88718F1585AAE915EB351EA74AD41CB84
                                                                                Function 0044E30C Relevance: 7.6, APIs: 5, Instructions: 110COMMONLIBRARYCODE
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00439ED1,?,00000000,?,00000001,?,?,00000001,00439ED1,?), ref: 0044E359
                                                                                • __alloca_probe_16.LIBCMT ref: 0044E391
                                                                                • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0044E3E2
                                                                                • GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00438C3F,?), ref: 0044E3F4
                                                                                • __freea.LIBCMT ref: 0044E3FD
                                                                                  • Part of subcall function 00443649: RtlAllocateHeap.NTDLL(00000000,00433069,?,?,004365E7,?,?,00000000,00473A38,?,0040C88A,00433069,?,?,?,?), ref: 0044367B
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
                                                                                • String ID:
                                                                                • API String ID: 313313983-0
                                                                                • Opcode ID: 655f7a8a6140fe06f74d4810f19312272e80c6b42afcaa61e472fb93c242db7b
                                                                                • Instruction ID: e15509fa74df4b182af5404410fa86f763612774b1e54c01db9847f8ec559460
                                                                                • Opcode Fuzzy Hash: 655f7a8a6140fe06f74d4810f19312272e80c6b42afcaa61e472fb93c242db7b
                                                                                • Instruction Fuzzy Hash: BC31D232A0021AABEF259F66DC45DAF7BA5EF40710F05016AFC04DB291EB39DD51CB98
                                                                                Function 00401BC9 Relevance: 7.6, APIs: 5, Instructions: 71COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00401BD9
                                                                                • waveInOpen.WINMM(0046FAB0,000000FF,0046FA98,Function_00001CEB,00000000,00000000,00000024), ref: 00401C6F
                                                                                • waveInPrepareHeader.WINMM(0046FA78,00000020), ref: 00401CC3
                                                                                • waveInAddBuffer.WINMM(0046FA78,00000020), ref: 00401CD2
                                                                                • waveInStart.WINMM ref: 00401CDE
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
                                                                                • String ID:
                                                                                • API String ID: 1356121797-0
                                                                                • Opcode ID: 3b58d0c680de98a2238f286cb7f614a66765342de8d6d8e6ba78ff9c64c57b7c
                                                                                • Instruction ID: fb7f9cdbf736b3995f9a1dd050f0e4013ef0d97c015e7d4644af59ef24d86031
                                                                                • Opcode Fuzzy Hash: 3b58d0c680de98a2238f286cb7f614a66765342de8d6d8e6ba78ff9c64c57b7c
                                                                                • Instruction Fuzzy Hash: 77212C326242019BC7049FEABD0591A7BA9FB89714740943BF58DD7AB1FBF844098B0E
                                                                                Function 0044C53A Relevance: 7.6, APIs: 5, Instructions: 68COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • GetEnvironmentStringsW.KERNEL32 ref: 0044C543
                                                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044C566
                                                                                  • Part of subcall function 00443649: RtlAllocateHeap.NTDLL(00000000,00433069,?,?,004365E7,?,?,00000000,00473A38,?,0040C88A,00433069,?,?,?,?), ref: 0044367B
                                                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044C58C
                                                                                • _free.LIBCMT ref: 0044C59F
                                                                                • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044C5AE
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                                                                • String ID:
                                                                                • API String ID: 336800556-0
                                                                                • Opcode ID: 55ab520b62cbc01e0d1004e3f78ad65e034532d4f5c4574cc0f3edc3ad35f3b1
                                                                                • Instruction ID: 9106a42af1dcf347f359e8079d91fbce8cfabd6158495d04cb7d137736bc8ec9
                                                                                • Opcode Fuzzy Hash: 55ab520b62cbc01e0d1004e3f78ad65e034532d4f5c4574cc0f3edc3ad35f3b1
                                                                                • Instruction Fuzzy Hash: AD0171726037257F37611AA75CC8C7F7A6DDAC6BA5319016BB904C3201EA79EE0181B8
                                                                                Function 0041A17B Relevance: 7.6, APIs: 5, Instructions: 67fileCOMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041A29A,00000000,00000000,00000000), ref: 0041A1BA
                                                                                • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,00000004,00000000,0041A29A,00000000,00000000), ref: 0041A1D7
                                                                                • CloseHandle.KERNEL32(00000000,?,00000004,00000000,0041A29A,00000000,00000000), ref: 0041A1E3
                                                                                • WriteFile.KERNEL32(00000000,00000000,00000000,0040649B,00000000,?,00000004,00000000,0041A29A,00000000,00000000), ref: 0041A1F4
                                                                                • CloseHandle.KERNEL32(00000000,?,00000004,00000000,0041A29A,00000000,00000000), ref: 0041A201
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: File$CloseHandle$CreatePointerWrite
                                                                                • String ID:
                                                                                • API String ID: 1852769593-0
                                                                                • Opcode ID: 900e91da6aef5ae1ef2d64e2906a14ebfc53969b27a9c650ee74425d8e4f4bd5
                                                                                • Instruction ID: 9d85e8900f1be3931a26f88ae5ac80d5e45035a8363d546858a313564ae31bc3
                                                                                • Opcode Fuzzy Hash: 900e91da6aef5ae1ef2d64e2906a14ebfc53969b27a9c650ee74425d8e4f4bd5
                                                                                • Instruction Fuzzy Hash: 0911C4712062147FE6105A249C88EFB779CEB46375F10076AF556C32D1C6698C95863B
                                                                                Function 0040FBC8 Relevance: 7.6, APIs: 5, Instructions: 61COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • std::_Lockit::_Lockit.LIBCPMT ref: 0040FBD5
                                                                                • int.LIBCPMT ref: 0040FBE8
                                                                                  • Part of subcall function 0040CAE9: std::_Lockit::_Lockit.LIBCPMT ref: 0040CAFA
                                                                                  • Part of subcall function 0040CAE9: std::_Lockit::~_Lockit.LIBCPMT ref: 0040CB14
                                                                                • std::_Facet_Register.LIBCPMT ref: 0040FC28
                                                                                • std::_Lockit::~_Lockit.LIBCPMT ref: 0040FC31
                                                                                • __CxxThrowException@8.LIBVCRUNTIME ref: 0040FC4F
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                                                                • String ID:
                                                                                • API String ID: 2536120697-0
                                                                                • Opcode ID: e42b24a72f1c346ef2fbe1d3cf240902612692734d8aa84a6b4d17056c7d6fbb
                                                                                • Instruction ID: 5713401f36b8bb0c26d90e6cd89a0375aabf3697ea4116ccadb9116029d1f595
                                                                                • Opcode Fuzzy Hash: e42b24a72f1c346ef2fbe1d3cf240902612692734d8aa84a6b4d17056c7d6fbb
                                                                                • Instruction Fuzzy Hash: 9811C172904118A7CB24EFA5D80289FB778EF44325F10417FFD44B7291DA389E4A87D8
                                                                                Function 004457A9 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • GetLastError.KERNEL32(?,00000000,?,00439A11,00000000,?,?,00439A95,00000000,00000000,00000000,00000000,00000000,?,?), ref: 004457AE
                                                                                • _free.LIBCMT ref: 004457E3
                                                                                • _free.LIBCMT ref: 0044580A
                                                                                • SetLastError.KERNEL32(00000000), ref: 00445817
                                                                                • SetLastError.KERNEL32(00000000), ref: 00445820
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ErrorLast$_free
                                                                                • String ID:
                                                                                • API String ID: 3170660625-0
                                                                                • Opcode ID: 8116442bc0b7785a5c87a9e5c1511c9661b86afcbe0e70ddbbe26362d10e1a04
                                                                                • Instruction ID: 04032910ca93e9be015006ee1c204adc37b37130fda50a8933af11b0a5b4c0b1
                                                                                • Opcode Fuzzy Hash: 8116442bc0b7785a5c87a9e5c1511c9661b86afcbe0e70ddbbe26362d10e1a04
                                                                                • Instruction Fuzzy Hash: 4101FE36100F0077FB127B366CC992B15699FC2B7AB21413BF40592293EE7DCC01462D
                                                                                Function 0044DB9C Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • _free.LIBCMT ref: 0044DBB4
                                                                                  • Part of subcall function 00443C92: HeapFree.KERNEL32(00000000,00000000,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?), ref: 00443CA8
                                                                                  • Part of subcall function 00443C92: GetLastError.KERNEL32(?,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?,?), ref: 00443CBA
                                                                                • _free.LIBCMT ref: 0044DBC6
                                                                                • _free.LIBCMT ref: 0044DBD8
                                                                                • _free.LIBCMT ref: 0044DBEA
                                                                                • _free.LIBCMT ref: 0044DBFC
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: _free$ErrorFreeHeapLast
                                                                                • String ID:
                                                                                • API String ID: 776569668-0
                                                                                • Opcode ID: 4ff6445dbd1c139c6c118283ff3a35b6f69cd7d79671e775af14f987f4430014
                                                                                • Instruction ID: 294e589d6328203d0d12509a579114aacc3179ef351d8ef0a61016021d4f39e6
                                                                                • Opcode Fuzzy Hash: 4ff6445dbd1c139c6c118283ff3a35b6f69cd7d79671e775af14f987f4430014
                                                                                • Instruction Fuzzy Hash: DDF04F339002146BA620EF6AE9C6C5773D9EE01B15355880AF085E7600EA78FC80965C
                                                                                Function 00441548 Relevance: 7.5, APIs: 5, Instructions: 30COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • _free.LIBCMT ref: 00441566
                                                                                  • Part of subcall function 00443C92: HeapFree.KERNEL32(00000000,00000000,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?), ref: 00443CA8
                                                                                  • Part of subcall function 00443C92: GetLastError.KERNEL32(?,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?,?), ref: 00443CBA
                                                                                • _free.LIBCMT ref: 00441578
                                                                                • _free.LIBCMT ref: 0044158B
                                                                                • _free.LIBCMT ref: 0044159C
                                                                                • _free.LIBCMT ref: 004415AD
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: _free$ErrorFreeHeapLast
                                                                                • String ID:
                                                                                • API String ID: 776569668-0
                                                                                • Opcode ID: dc25ad9d7c881d5a7498954b547f4469e613371529959f9048218c6a37a16c45
                                                                                • Instruction ID: 534a9c52bd02544fd4565401bb604a6095318b382a753ef56e7f6fd0a1c42297
                                                                                • Opcode Fuzzy Hash: dc25ad9d7c881d5a7498954b547f4469e613371529959f9048218c6a37a16c45
                                                                                • Instruction Fuzzy Hash: 00F030B78052209BD7016F55BC864053BA0BB04B29305853BF8ADE6670FBB90A458F8E
                                                                                Function 00412446 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 179registryCOMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 004124AD
                                                                                • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 004124DC
                                                                                • RegEnumValueW.ADVAPI32(?,00000000,?,00003FFF,00000000,?,?,00002710,?,?,?,?,?,?,?,?), ref: 0041257C
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Enum$InfoQueryValue
                                                                                • String ID: [regsplt]
                                                                                • API String ID: 3554306468-4262303796
                                                                                • Opcode ID: 5841badb2ff9825d46e36e26999fd6152bd29a2a307a84bebb93b53298b167be
                                                                                • Instruction ID: d2130986b24ed572c5287744f6969716810a156cba9fb87d3bcc7fef363a21f2
                                                                                • Opcode Fuzzy Hash: 5841badb2ff9825d46e36e26999fd6152bd29a2a307a84bebb93b53298b167be
                                                                                • Instruction Fuzzy Hash: A6513C71900219AADB10EBA1DD81EEFB7BDEF04304F10016AF505F2191EF786B49CBA8
                                                                                Function 00442B2D Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 147COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: __alloca_probe_16__freea
                                                                                • String ID: H"G$H"GH"G
                                                                                • API String ID: 1635606685-3036711414
                                                                                • Opcode ID: b6807b3a581d2ea95bf3fa3bb4dc482b4bbdf0069e2f44a64f4a5d22043e6a4b
                                                                                • Instruction ID: 3c870ea2fb57449e7c992ce38f4d69c2eab2d9a05dd359c3c94aeedaa7d51697
                                                                                • Opcode Fuzzy Hash: b6807b3a581d2ea95bf3fa3bb4dc482b4bbdf0069e2f44a64f4a5d22043e6a4b
                                                                                • Instruction Fuzzy Hash: F0411931A00212ABEB219F65CD82A5FB7A1EF45714F54056FF804DB291EBBCDD40879E
                                                                                Function 0040184A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 142threadCOMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • __Init_thread_footer.LIBCMT ref: 0040189E
                                                                                • ExitThread.KERNEL32 ref: 004018D6
                                                                                • waveInUnprepareHeader.WINMM(?,00000020,00000000,?,00000020,00471E78,00000000), ref: 004019E4
                                                                                  • Part of subcall function 00432525: __onexit.LIBCMT ref: 0043252B
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ExitHeaderInit_thread_footerThreadUnprepare__onexitwave
                                                                                • String ID: 8:G
                                                                                • API String ID: 1649129571-405301104
                                                                                • Opcode ID: d11932d744bb97d4d23e75232cb79a590d4ec77f01a60ef524a2726dec1169f8
                                                                                • Instruction ID: 6b8457e9d7ea4966c0dd8dde8758560e0d74fde28bba72e74fe0511dc6260a90
                                                                                • Opcode Fuzzy Hash: d11932d744bb97d4d23e75232cb79a590d4ec77f01a60ef524a2726dec1169f8
                                                                                • Instruction Fuzzy Hash: 7941E7325042005BC324FB65DD86EAFB3A9AB84318F40453FF589621F2DF78994ADB5E
                                                                                Function 00440935 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\AppData\Roaming\GAmFKUIDBo.exe,00000104), ref: 00440975
                                                                                • _free.LIBCMT ref: 00440A40
                                                                                • _free.LIBCMT ref: 00440A4A
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: _free$FileModuleName
                                                                                • String ID: C:\Users\user\AppData\Roaming\GAmFKUIDBo.exe
                                                                                • API String ID: 2506810119-3594761942
                                                                                • Opcode ID: 85438adf96173c680659750e247b8861d1a9ea07739a925f85de7b4b5d9254a8
                                                                                • Instruction ID: d1e15b597fe779666310b40bee8bd10d15f5dfa451d6ac01ff045fbeec250af7
                                                                                • Opcode Fuzzy Hash: 85438adf96173c680659750e247b8861d1a9ea07739a925f85de7b4b5d9254a8
                                                                                • Instruction Fuzzy Hash: CA31C4B1A00318AFEB21DF99D88199EBBF8EF84314F10406BF544A7311E6B48E55CB59
                                                                                Function 00419675 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 90COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                  • Part of subcall function 00412006: RegOpenKeyExW.ADVAPI32(80000000,http\shell\open\command,00000000,00020019,00000000,00472248,00471FFC), ref: 00412030
                                                                                  • Part of subcall function 00412006: RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,?,00000400), ref: 0041204B
                                                                                  • Part of subcall function 00412006: RegCloseKey.ADVAPI32(00000000), ref: 00412054
                                                                                  • Part of subcall function 00419F23: GetCurrentProcess.KERNEL32(?,?,?,0040C663,WinDir,00000000,00000000), ref: 00419F34
                                                                                • _wcslen.LIBCMT ref: 00419744
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CloseCurrentOpenProcessQueryValue_wcslen
                                                                                • String ID: .exe$program files (x86)\$program files\
                                                                                • API String ID: 37874593-1203593143
                                                                                • Opcode ID: 546b0d98d04e059566fa11c86a24e7130a7516f31b9ccb35c8e0da8d0391a80d
                                                                                • Instruction ID: a7f24a5d9d5c0dc772ada330bc3383911e5a1e9af4e42701afe0c0cb79e45fb3
                                                                                • Opcode Fuzzy Hash: 546b0d98d04e059566fa11c86a24e7130a7516f31b9ccb35c8e0da8d0391a80d
                                                                                • Instruction Fuzzy Hash: CB21B872A001046BDF14BAB6DD968FE37AD9E4831CB04057FF405B32D2ED7D8D5942A9
                                                                                Function 00409203 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 70threadCOMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • CreateThread.KERNEL32(00000000,00000000,00409305,00472008,00000000,00000000), ref: 0040928B
                                                                                • CreateThread.KERNEL32(00000000,00000000,004092EF,00472008,00000000,00000000), ref: 0040929B
                                                                                • CreateThread.KERNEL32(00000000,00000000,00409311,00472008,00000000,00000000), ref: 004092A7
                                                                                  • Part of subcall function 0040A0B0: GetLocalTime.KERNEL32(?,Offline Keylogger Started,00472008), ref: 0040A0BE
                                                                                  • Part of subcall function 0040A0B0: wsprintfW.USER32 ref: 0040A13F
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CreateThread$LocalTimewsprintf
                                                                                • String ID: Offline Keylogger Started
                                                                                • API String ID: 465354869-4114347211
                                                                                • Opcode ID: fcb156bf474100ecd8714675bcdacda6a6d505e445d23128ee173ce543fa6834
                                                                                • Instruction ID: c8e77f7b3f84bd49b91c3d3ae4e8ac846fef78eef7351f53fb2416b9cb49ddb0
                                                                                • Opcode Fuzzy Hash: fcb156bf474100ecd8714675bcdacda6a6d505e445d23128ee173ce543fa6834
                                                                                • Instruction Fuzzy Hash: 3211A7A15003083ED210BB669DD6CBB7A5CDA8139CB40057FF845221C3EAB85D19C6FF
                                                                                Function 00409E37 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 65threadCOMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                  • Part of subcall function 0040A0B0: GetLocalTime.KERNEL32(?,Offline Keylogger Started,00472008), ref: 0040A0BE
                                                                                  • Part of subcall function 0040A0B0: wsprintfW.USER32 ref: 0040A13F
                                                                                  • Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4
                                                                                • CreateThread.KERNEL32(00000000,00000000,004092EF,?,00000000,00000000), ref: 00409EB7
                                                                                • CreateThread.KERNEL32(00000000,00000000,00409311,?,00000000,00000000), ref: 00409EC3
                                                                                • CreateThread.KERNEL32(00000000,00000000,0040931D,?,00000000,00000000), ref: 00409ECF
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CreateThread$LocalTime$wsprintf
                                                                                • String ID: Online Keylogger Started
                                                                                • API String ID: 112202259-1258561607
                                                                                • Opcode ID: 3095bb4c8629fd0e670b035ea9b5ccaf12231fc020c32c5bedba700ceaefce21
                                                                                • Instruction ID: 28bbfba120e67fe9302c314101e9d6be38f8a9d2e5fa49f3fb55d6307d966583
                                                                                • Opcode Fuzzy Hash: 3095bb4c8629fd0e670b035ea9b5ccaf12231fc020c32c5bedba700ceaefce21
                                                                                • Instruction Fuzzy Hash: 7F01C4A0A042083AE62076768CD6DBF7A6CCA92398B40047FFA45221C3D9B85C5586FE
                                                                                Function 00404F31 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58timethreadCOMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • GetLocalTime.KERNEL32(?), ref: 00404F61
                                                                                • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00404FAD
                                                                                • CreateThread.KERNEL32(00000000,00000000,00405130,?,00000000,00000000), ref: 00404FC0
                                                                                Strings
                                                                                • Connection KeepAlive | Enabled | Timeout: , xrefs: 00404F74
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Create$EventLocalThreadTime
                                                                                • String ID: Connection KeepAlive | Enabled | Timeout:
                                                                                • API String ID: 2532271599-507513762
                                                                                • Opcode ID: ecde6dd8490a4419ba9d8f450afdef6f270760df43025f419a01a865904151c8
                                                                                • Instruction ID: 3880ceca910d84d0b9b3d3001f949c19a9d90d4f91ad2e0c59d2668d569340f7
                                                                                • Opcode Fuzzy Hash: ecde6dd8490a4419ba9d8f450afdef6f270760df43025f419a01a865904151c8
                                                                                • Instruction Fuzzy Hash: 4F1127719002806AC720BB769C0DE9B7FA89BD2714F44056FF44123281D6B89445CBBA
                                                                                Function 00406071 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 53libraryloaderCOMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • LoadLibraryA.KERNEL32(crypt32,CryptUnprotectData,?,00000000,00406039,?), ref: 00406090
                                                                                • GetProcAddress.KERNEL32(00000000), ref: 00406097
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AddressLibraryLoadProc
                                                                                • String ID: CryptUnprotectData$crypt32
                                                                                • API String ID: 2574300362-2380590389
                                                                                • Opcode ID: f0fa7d81e448b8e45dda707d186e5b4dbadcbde3f04206e46648964c8c5bf07c
                                                                                • Instruction ID: 6e7317174224a8efb10ab03f2076fe60a9434866ae70ffeafd7cb5b8c28562e1
                                                                                • Opcode Fuzzy Hash: f0fa7d81e448b8e45dda707d186e5b4dbadcbde3f04206e46648964c8c5bf07c
                                                                                • Instruction Fuzzy Hash: C801F535A04205ABCF18CFA9D8049ABBBB8AB54300F00427FE956E3380D635D904C794
                                                                                Function 0040513C Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 46synchronizationCOMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00405139), ref: 00405153
                                                                                • CloseHandle.KERNEL32(?), ref: 004051AA
                                                                                • SetEvent.KERNEL32(?), ref: 004051B9
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CloseEventHandleObjectSingleWait
                                                                                • String ID: Connection Timeout
                                                                                • API String ID: 2055531096-499159329
                                                                                • Opcode ID: 69bf4708d5eac36444cb13c7d4d8205934b4ecb8f60f6f16827c1b7745a6238b
                                                                                • Instruction ID: 59ae86e236e2a5bc5991cc3fd82f69d26eb1b9a4ba12329ef82c58e56ff8d0a2
                                                                                • Opcode Fuzzy Hash: 69bf4708d5eac36444cb13c7d4d8205934b4ecb8f60f6f16827c1b7745a6238b
                                                                                • Instruction Fuzzy Hash: F901F531A40F40AFE711BB368C4551B7BD4FF01302704097FE19356AA1D6B89800CF49
                                                                                Function 0040D1F0 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 45COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • __CxxThrowException@8.LIBVCRUNTIME ref: 0040D25E
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Exception@8Throw
                                                                                • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                                                • API String ID: 2005118841-1866435925
                                                                                • Opcode ID: 07dcd5cdd291a6416836d0c86817599069bcc3367b78dc6d1ec70403740c8f80
                                                                                • Instruction ID: 5123bbd1fc4d669f1c4d6c1cc045f4f856aea5ad0ec182f95f4946492138bf11
                                                                                • Opcode Fuzzy Hash: 07dcd5cdd291a6416836d0c86817599069bcc3367b78dc6d1ec70403740c8f80
                                                                                • Instruction Fuzzy Hash: 0401A261E44208BAD714EAD1C853FBA73689B64705F10806FB911751C2EA7DAA4E862F
                                                                                Function 004120E8 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42registryCOMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,origmsc), ref: 00412104
                                                                                • RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,000003E8,?), ref: 0041211D
                                                                                • RegCloseKey.ADVAPI32(00000000), ref: 00412128
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CloseOpenQueryValue
                                                                                • String ID: origmsc
                                                                                • API String ID: 3677997916-68016026
                                                                                • Opcode ID: d40fef656c83bcaf339f4d5c80b35c3f5e3dd6ef5f24df27a21155112b999244
                                                                                • Instruction ID: 61f3e32b1c93232b19bf4a4cc48abe95026028d342b1827e6ec6edb2467bbf34
                                                                                • Opcode Fuzzy Hash: d40fef656c83bcaf339f4d5c80b35c3f5e3dd6ef5f24df27a21155112b999244
                                                                                • Instruction Fuzzy Hash: 4C014B31800229BBCF219F91DC49DEB7F29EF05761F0141A5BE08A2161D63589BADBA4
                                                                                Function 00414839 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 42COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 0041487B
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ExecuteShell
                                                                                • String ID: /C $cmd.exe$open
                                                                                • API String ID: 587946157-3896048727
                                                                                • Opcode ID: e8ae4e63c9dc0d6232b12cfcea10d76e3d0f37ee2c59ec5f687c9fc8ea61ff61
                                                                                • Instruction ID: 0094db9d050c86e8b7efcb7c1e993d1de0046a6f7675c6b5aa1ef49a358ded74
                                                                                • Opcode Fuzzy Hash: e8ae4e63c9dc0d6232b12cfcea10d76e3d0f37ee2c59ec5f687c9fc8ea61ff61
                                                                                • Instruction Fuzzy Hash: 8FF017712083049BC304FBB5DC91DEFB39CAB90348F50493FB556921E2EE789949C65A
                                                                                Function 00412006 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 40registryCOMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • RegOpenKeyExW.ADVAPI32(80000000,http\shell\open\command,00000000,00020019,00000000,00472248,00471FFC), ref: 00412030
                                                                                • RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,?,00000400), ref: 0041204B
                                                                                • RegCloseKey.ADVAPI32(00000000), ref: 00412054
                                                                                Strings
                                                                                • http\shell\open\command, xrefs: 00412026
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CloseOpenQueryValue
                                                                                • String ID: http\shell\open\command
                                                                                • API String ID: 3677997916-1487954565
                                                                                • Opcode ID: b2b53b33f668fea9d6b70683008644784a8f2d8740eef6bc6becda6435671858
                                                                                • Instruction ID: 0e37d8025f140bc42ec1a8b72352379eb981339daaa9ecb07b48012be1c394e8
                                                                                • Opcode Fuzzy Hash: b2b53b33f668fea9d6b70683008644784a8f2d8740eef6bc6becda6435671858
                                                                                • Instruction Fuzzy Hash: C5F0C271500218FBDB609B95DC49EDFBBBCEB84B12F1040A6BA04E2150DAB55F98C7A5
                                                                                Function 00412204 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 39registryCOMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • RegCreateKeyW.ADVAPI32(80000001,Software\Classes\mscfile\shell\open\command,0046FB08), ref: 0041220F
                                                                                • RegSetValueExW.ADVAPI32(0046FB08,00469654,00000000,00000000,00000000,00000000,00469654,?,80000001,?,0040674F,00469654,0046FB08), ref: 0041223E
                                                                                • RegCloseKey.ADVAPI32(0046FB08,?,80000001,?,0040674F,00469654,0046FB08), ref: 00412249
                                                                                Strings
                                                                                • Software\Classes\mscfile\shell\open\command, xrefs: 0041220D
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CloseCreateValue
                                                                                • String ID: Software\Classes\mscfile\shell\open\command
                                                                                • API String ID: 1818849710-505396733
                                                                                • Opcode ID: 3e3fd8a80b9e4d87c81bb3c401438d747e56ec0492b29cf55bc65580399ff691
                                                                                • Instruction ID: 05e6d75f170e8ecdfe9b8062019ada1801530107581382ed9d20477649f1572c
                                                                                • Opcode Fuzzy Hash: 3e3fd8a80b9e4d87c81bb3c401438d747e56ec0492b29cf55bc65580399ff691
                                                                                • Instruction Fuzzy Hash: A1F0AF71440218BBCF00DFA1ED45AEE376CEF44755F00816ABC05A61A1E63A9E14DA94
                                                                                Function 0040C9CE Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 39COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • std::_Lockit::_Lockit.LIBCPMT ref: 0040C9D9
                                                                                • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040CA18
                                                                                  • Part of subcall function 004333ED: _Yarn.LIBCPMT ref: 0043340C
                                                                                  • Part of subcall function 004333ED: _Yarn.LIBCPMT ref: 00433430
                                                                                • __CxxThrowException@8.LIBVCRUNTIME ref: 0040CA3E
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
                                                                                • String ID: bad locale name
                                                                                • API String ID: 3628047217-1405518554
                                                                                • Opcode ID: 082478905eeced14d5731d6393d842c9ba169a160db0ba1d03fb3bfa15736ecf
                                                                                • Instruction ID: 2c4ad0125759e8972babdbfe9bad97e9a7b68ba46d49635da0f31685b809246c
                                                                                • Opcode Fuzzy Hash: 082478905eeced14d5731d6393d842c9ba169a160db0ba1d03fb3bfa15736ecf
                                                                                • Instruction Fuzzy Hash: 6EF01232500604FAC328FBA6DC5299A77A49F14719F508D3FF545214D1FF396A18C699
                                                                                Function 00412268 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 30registryCOMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • RegCreateKeyA.ADVAPI32(80000001,00000000,P0F), ref: 00412276
                                                                                • RegSetValueExA.ADVAPI32(P0F,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B093,004638E0,00000001,000000AF,00463050), ref: 00412291
                                                                                • RegCloseKey.ADVAPI32(?,?,?,?,0040B093,004638E0,00000001,000000AF,00463050), ref: 0041229C
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CloseCreateValue
                                                                                • String ID: P0F
                                                                                • API String ID: 1818849710-3540264436
                                                                                • Opcode ID: 621f54e733439cbcd958662464d090e9ff9f63f5a417d09ab0c58a6b3b1f16b4
                                                                                • Instruction ID: aa9041bc7d36289a95917c0f975a521a353b8518001b5fa9068edf17b8c75ad2
                                                                                • Opcode Fuzzy Hash: 621f54e733439cbcd958662464d090e9ff9f63f5a417d09ab0c58a6b3b1f16b4
                                                                                • Instruction Fuzzy Hash: 05E03972600308BBDB209FA09D05FEA7B6CEF04B62F1141A5BF09A6591D2758E14A7A8
                                                                                Function 004013F2 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 7libraryloaderCOMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • GetModuleHandleA.KERNEL32(User32.dll,GetCursorInfo), ref: 004013FC
                                                                                • GetProcAddress.KERNEL32(00000000), ref: 00401403
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AddressHandleModuleProc
                                                                                • String ID: GetCursorInfo$User32.dll
                                                                                • API String ID: 1646373207-2714051624
                                                                                • Opcode ID: 088d9d047025d8497e924925820d5eb65f0f262b7c85d6662a4774416c360c30
                                                                                • Instruction ID: b28a71f0ab0cd05a0e9183a6667f806437ada0decc35e30242c3667109896680
                                                                                • Opcode Fuzzy Hash: 088d9d047025d8497e924925820d5eb65f0f262b7c85d6662a4774416c360c30
                                                                                • Instruction Fuzzy Hash: 8BB09BB5741301BB8A017B705E0D905357C550470375102A3B00386161F7F44500C61E
                                                                                Function 00401497 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 7libraryloaderCOMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • LoadLibraryA.KERNEL32(User32.dll,GetLastInputInfo), ref: 004014A1
                                                                                • GetProcAddress.KERNEL32(00000000), ref: 004014A8
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AddressLibraryLoadProc
                                                                                • String ID: GetLastInputInfo$User32.dll
                                                                                • API String ID: 2574300362-1519888992
                                                                                • Opcode ID: 0a32acb6837364cc41bfb1711514e79ed8798cba9f1c44e4cca123ab277e4417
                                                                                • Instruction ID: 9c97512ccc3e9dae7fbe55962af9901819d65f6a69b3e33b2a0b565c767961ff
                                                                                • Opcode Fuzzy Hash: 0a32acb6837364cc41bfb1711514e79ed8798cba9f1c44e4cca123ab277e4417
                                                                                • Instruction Fuzzy Hash: 51B092B1980302AB8E006FB1AE0DE043AB8A604703B5102B6B00292161EAF99440CF2E
                                                                                Function 00448C13 Relevance: 6.3, APIs: 4, Instructions: 305COMMONLIBRARYCODE
                                                                                Download Yara Rule
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: __alldvrm$_strrchr
                                                                                • String ID:
                                                                                • API String ID: 1036877536-0
                                                                                • Opcode ID: ffe43cf3e465c727d5e0953a870d72e00f4610d42b915cf7dfa75284df7637f7
                                                                                • Instruction ID: 8a3f88530d83194aa24a517e4ef6e15a272d99a70002873db7a8ab856bdac54d
                                                                                • Opcode Fuzzy Hash: ffe43cf3e465c727d5e0953a870d72e00f4610d42b915cf7dfa75284df7637f7
                                                                                • Instruction Fuzzy Hash: 18A12572A012869FFB21CE18C8817AEBBA1EF65314F24416FE5859B382CA3C8941C759
                                                                                Function 0043FD01 Relevance: 6.1, APIs: 4, Instructions: 133COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 708417122de2711bb2eb7b93dd9c5bc77eababb27f74811c5393ad6cf28abd82
                                                                                • Instruction ID: c1abd53b49e6a7723cad7358b49d7c046164203d86e3a19123cc85c40c5f12b7
                                                                                • Opcode Fuzzy Hash: 708417122de2711bb2eb7b93dd9c5bc77eababb27f74811c5393ad6cf28abd82
                                                                                • Instruction Fuzzy Hash: 93412871E00704AFD7249F79CC46B5A7BA9EB8C714F10523FF142DB681D37999498788
                                                                                Function 00404CA3 Relevance: 6.1, APIs: 4, Instructions: 121synchronizationthreadCOMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,00471EE8), ref: 00404D93
                                                                                • CreateThread.KERNEL32(00000000,00000000,?,00471E90,00000000,00000000), ref: 00404DA7
                                                                                • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000), ref: 00404DB2
                                                                                • CloseHandle.KERNEL32(?,?,00000000), ref: 00404DBB
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Create$CloseEventHandleObjectSingleThreadWait
                                                                                • String ID:
                                                                                • API String ID: 3360349984-0
                                                                                • Opcode ID: 4507b0ab51a6c89f5a00a7e6d16978d5bd04c0451300ea21d68f1003f035869f
                                                                                • Instruction ID: 0d5bef4af40d9751d8a4c840d6feadb85822b330c50e1cee3accc81e25362d00
                                                                                • Opcode Fuzzy Hash: 4507b0ab51a6c89f5a00a7e6d16978d5bd04c0451300ea21d68f1003f035869f
                                                                                • Instruction Fuzzy Hash: DA4194712083016FCB11FB61CD55D6FB7EDAFD4314F400A3EB982A32E2DB7899098666
                                                                                Function 0040AF4D Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 103sleepCOMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                Strings
                                                                                • Cleared browsers logins and cookies., xrefs: 0040B036
                                                                                • [Cleared browsers logins and cookies.], xrefs: 0040B025
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Sleep
                                                                                • String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
                                                                                • API String ID: 3472027048-1236744412
                                                                                • Opcode ID: c5625c41e3350cd44f31e3f39ca14d3df05c6bc0ef5032128f41299be6cd647b
                                                                                • Instruction ID: 9e673e540e653d5dfc9c41bfd33b173fe745421aa21f598ea7623546fa890e2b
                                                                                • Opcode Fuzzy Hash: c5625c41e3350cd44f31e3f39ca14d3df05c6bc0ef5032128f41299be6cd647b
                                                                                • Instruction Fuzzy Hash: EE31A24074C3826EDA11BBB555267EF6B924A53758F0844BFF8C42B3C3D9BA4818936F
                                                                                Function 00411140 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 93sleepCOMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                  • Part of subcall function 004120E8: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,origmsc), ref: 00412104
                                                                                  • Part of subcall function 004120E8: RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,000003E8,?), ref: 0041211D
                                                                                  • Part of subcall function 004120E8: RegCloseKey.ADVAPI32(00000000), ref: 00412128
                                                                                • Sleep.KERNEL32(00000BB8), ref: 004111DF
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CloseOpenQuerySleepValue
                                                                                • String ID: H"G$exepath$!G
                                                                                • API String ID: 4119054056-2148977334
                                                                                • Opcode ID: b63ef4792b0a54595826799ca09291a4a0f263f6c30614dda09e5540f09a92a9
                                                                                • Instruction ID: cc1704131a0fe244d5c58522e2247ad29464f3afd50ace533094a5add093a815
                                                                                • Opcode Fuzzy Hash: b63ef4792b0a54595826799ca09291a4a0f263f6c30614dda09e5540f09a92a9
                                                                                • Instruction Fuzzy Hash: 2321F7A1B0030426DA00B7765D56AAF724D8B84308F00447FBE46F72E3DEBC9D0981AD
                                                                                Function 004094FF Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 81sleepCOMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                  • Part of subcall function 0041A2DB: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041A2EB
                                                                                  • Part of subcall function 0041A2DB: GetWindowTextLengthW.USER32(00000000), ref: 0041A2F4
                                                                                  • Part of subcall function 0041A2DB: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0041A31E
                                                                                • Sleep.KERNEL32(000001F4), ref: 0040955A
                                                                                • Sleep.KERNEL32(00000064), ref: 004095F5
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Window$SleepText$ForegroundLength
                                                                                • String ID: [ $ ]
                                                                                • API String ID: 3309952895-93608704
                                                                                • Opcode ID: 1543f2ebe3b39a11f32b2ab7ee3d2400f3e72a61424cc91a421d40b22e495c0c
                                                                                • Instruction ID: f130b1bb1348f748448b569433b56ba5176942d51498ef551544d7c0cb15bd34
                                                                                • Opcode Fuzzy Hash: 1543f2ebe3b39a11f32b2ab7ee3d2400f3e72a61424cc91a421d40b22e495c0c
                                                                                • Instruction Fuzzy Hash: 2721657160420067C618B776DC179AE32A89F51308F40447FF552772D3EE7D9A05869F
                                                                                Function 00440F33 Relevance: 6.1, APIs: 4, Instructions: 63COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 2970eecc447bf90f09d99781fc54b6e0c8e96c5b6031d191d94caaf8528dc60b
                                                                                • Instruction ID: cddd12244c82da27d8fba5a3cfb3b4b8374ea1530061808fe1103b2c2b1f06f2
                                                                                • Opcode Fuzzy Hash: 2970eecc447bf90f09d99781fc54b6e0c8e96c5b6031d191d94caaf8528dc60b
                                                                                • Instruction Fuzzy Hash: 46018FB26092163EF6302E796CC1F67271CDF517B9B21033BF625622D2EAB8CD254568
                                                                                Function 00440FB2 Relevance: 6.1, APIs: 4, Instructions: 59COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 995436ab4c2709f546f4042a2e75d66bbbd7790162713e0acfb32ec842828db5
                                                                                • Instruction ID: ded37596ea74bb71ca552df42b40a6491f306b500b676c7390fdbb9d5d89f826
                                                                                • Opcode Fuzzy Hash: 995436ab4c2709f546f4042a2e75d66bbbd7790162713e0acfb32ec842828db5
                                                                                • Instruction Fuzzy Hash: E801D1B220A2163EB6202E796CC9D27631DEF513BE725033BF521522E6EF7DCC855168
                                                                                Function 0041A20F Relevance: 6.0, APIs: 4, Instructions: 50fileCOMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040410F,00462E24), ref: 0041A228
                                                                                • GetFileSize.KERNEL32(00000000,00000000,00000000,?,?,00000000,0040410F,00462E24), ref: 0041A23C
                                                                                • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,0040410F,00462E24), ref: 0041A261
                                                                                • CloseHandle.KERNEL32(00000000,?,00000000,0040410F,00462E24), ref: 0041A26F
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: File$CloseCreateHandleReadSize
                                                                                • String ID:
                                                                                • API String ID: 3919263394-0
                                                                                • Opcode ID: f8144eb0105f9ed2fcebd69b81e7c94004eac80e706136602d8195065f3f2b82
                                                                                • Instruction ID: 89bb00dd3d40589ea0a8ab1c68f17f151e0eed20b013a8aeca2898ab58bcd068
                                                                                • Opcode Fuzzy Hash: f8144eb0105f9ed2fcebd69b81e7c94004eac80e706136602d8195065f3f2b82
                                                                                • Instruction Fuzzy Hash: 6EF0F6B13023087FE6102B21AC84FBF369CDB867A5F01027EF901A32C1CA3A8C054536
                                                                                Function 00436CD1 Relevance: 6.0, APIs: 4, Instructions: 14COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00436CD1
                                                                                • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 00436CD6
                                                                                • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 00436CDB
                                                                                  • Part of subcall function 004381DA: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 004381EB
                                                                                • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00436CF0
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                                                                                • String ID:
                                                                                • API String ID: 1761009282-0
                                                                                • Opcode ID: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
                                                                                • Instruction ID: fe0629a2579d5eb29aad24ff52ac89f8c4d28ee3f0e2161d733d9faf058f7893
                                                                                • Opcode Fuzzy Hash: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
                                                                                • Instruction Fuzzy Hash: 12C00254040342742C5077B622062AEA350A8AE38DFA7B4CFB892171038D0D440B953F
                                                                                Function 0044015D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • __startOneArgErrorHandling.LIBCMT ref: 004401ED
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ErrorHandling__start
                                                                                • String ID: pow
                                                                                • API String ID: 3213639722-2276729525
                                                                                • Opcode ID: 28648d1c5639a1d5ffd860c5db5a803017559560979bfd47f5832c4e42ec8e44
                                                                                • Instruction ID: 9a83a7e01686381b8a8ce0b853cf5bc52d75b03c70b61edc7fb1f4b11142e615
                                                                                • Opcode Fuzzy Hash: 28648d1c5639a1d5ffd860c5db5a803017559560979bfd47f5832c4e42ec8e44
                                                                                • Instruction Fuzzy Hash: 21518A60A842018AFB117714CA4137B3B90EB40701F248DABE5D2563EAEB7D8CB5DA4F
                                                                                Function 0040402C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 93sleepCOMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00404046
                                                                                  • Part of subcall function 00419959: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040405C), ref: 00419980
                                                                                  • Part of subcall function 004168A6: CloseHandle.KERNEL32(004040D5,?,?,004040D5,00462E24), ref: 004168BC
                                                                                  • Part of subcall function 004168A6: CloseHandle.KERNEL32($.F,?,?,004040D5,00462E24), ref: 004168C5
                                                                                  • Part of subcall function 0041A20F: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040410F,00462E24), ref: 0041A228
                                                                                • Sleep.KERNEL32(000000FA,00462E24), ref: 00404118
                                                                                Strings
                                                                                • /sort "Visit Time" /stext ", xrefs: 00404092
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
                                                                                • String ID: /sort "Visit Time" /stext "
                                                                                • API String ID: 368326130-1573945896
                                                                                • Opcode ID: a4a6769404a45eb771fb951e36bc417e5ca480f2d31eb92d27795bae4adf2828
                                                                                • Instruction ID: 7f8942f24ccac46b0034012f494d3192eca769648d2eef92b07e1d28e9d76a7f
                                                                                • Opcode Fuzzy Hash: a4a6769404a45eb771fb951e36bc417e5ca480f2d31eb92d27795bae4adf2828
                                                                                • Instruction Fuzzy Hash: B5316431A0021556CB14FBB6DC969EE73B9AF90308F40017FF506B71E2EE38594ACA99
                                                                                Function 0040A694 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 88COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                  • Part of subcall function 00432525: __onexit.LIBCMT ref: 0043252B
                                                                                • __Init_thread_footer.LIBCMT ref: 0040A6E3
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Init_thread_footer__onexit
                                                                                • String ID: [End of clipboard]$[Text copied to clipboard]
                                                                                • API String ID: 1881088180-3686566968
                                                                                • Opcode ID: 8b3756b0909f45d78d669578ef8912b34d58c84c6c9fb6c8f8edd64ed624e4fc
                                                                                • Instruction ID: 89f5e7c07999504d217297f9a041c68b3e0b8c5632e5b70e4a6c966e9d45e494
                                                                                • Opcode Fuzzy Hash: 8b3756b0909f45d78d669578ef8912b34d58c84c6c9fb6c8f8edd64ed624e4fc
                                                                                • Instruction Fuzzy Hash: 42218D31A002055ACB04FBA5D892DEDB378AF54308F10453FF506771D2EF38AE4A8A8D
                                                                                Function 0044ED17 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 88COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • GetACP.KERNEL32(?,20001004,?,00000002), ref: 0044EDF2
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: ACP$OCP
                                                                                • API String ID: 0-711371036
                                                                                • Opcode ID: 2f6255c43d422f9ec28f5694223862b2eeac92ff2acac738a800f64e00dd4497
                                                                                • Instruction ID: ce4b6ecbf16ce97eee8671cf775368e41a8ae942868fb71505acbacd33d5bec2
                                                                                • Opcode Fuzzy Hash: 2f6255c43d422f9ec28f5694223862b2eeac92ff2acac738a800f64e00dd4497
                                                                                • Instruction Fuzzy Hash: 4F21F1E2E00102A2FB348B67CC01BAB72A6FF54B51F568426E90AD7300EB3ADD41C35C
                                                                                Function 00415B11 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 82windowCOMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • GetWindowTextW.USER32(?,?,0000012C), ref: 00415B2E
                                                                                • IsWindowVisible.USER32(?), ref: 00415B37
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Window$TextVisible
                                                                                • String ID: (%G
                                                                                • API String ID: 1670992164-3377777310
                                                                                • Opcode ID: 6f17d284cfdb4df53722abd5a13ccbba9f2a9602f3f7b51a6171a740e00953ec
                                                                                • Instruction ID: 7bdbcb6602ffb42e5ce2137d58ff1a132c15f169860b2e192372582f8912ca7a
                                                                                • Opcode Fuzzy Hash: 6f17d284cfdb4df53722abd5a13ccbba9f2a9602f3f7b51a6171a740e00953ec
                                                                                • Instruction Fuzzy Hash: E42166315182019BC314FB61D891EEFB7E9AF94304F50493FF49A920E2FF349A49CA5A
                                                                                Function 00404FD4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67timeCOMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • GetLocalTime.KERNEL32(?,004724A8,?,00000000,?,?,?,?,?,?,004146C2,?,00000001,0000004C,00000000), ref: 00405010
                                                                                  • Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4
                                                                                • GetLocalTime.KERNEL32(?,004724A8,?,00000000,?,?,?,?,?,?,004146C2,?,00000001,0000004C,00000000), ref: 00405067
                                                                                Strings
                                                                                • Connection KeepAlive | Enabled | Timeout: , xrefs: 00404FFF
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: LocalTime
                                                                                • String ID: Connection KeepAlive | Enabled | Timeout:
                                                                                • API String ID: 481472006-507513762
                                                                                • Opcode ID: db71296423f5ae0c940390bca2fe76bdaa24d7f5692d89ec5d6dad89ab0214d4
                                                                                • Instruction ID: 0beb7a88d254a358a963561f9d97893b624dd36ca90e96b80d49a5b3b1f878f3
                                                                                • Opcode Fuzzy Hash: db71296423f5ae0c940390bca2fe76bdaa24d7f5692d89ec5d6dad89ab0214d4
                                                                                • Instruction Fuzzy Hash: 092137719042406BD304B7219D2976F7794A745308F04047EF845132E2DBBD5988CB9F
                                                                                Function 00432D4B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60COMMONLIBRARYCODE
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00432D8F
                                                                                • ___raise_securityfailure.LIBCMT ref: 00432E76
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: FeaturePresentProcessor___raise_securityfailure
                                                                                • String ID: (F
                                                                                • API String ID: 3761405300-3109638091
                                                                                • Opcode ID: 8d70a3cd03553c2d68efa77227729d50617932ca87f7888c32547dfbcc783ade
                                                                                • Instruction ID: 494dc9d0fce29d31cb3ef34e393fed80e8221b4646dfbf54f91bf1ae82b1ca01
                                                                                • Opcode Fuzzy Hash: 8d70a3cd03553c2d68efa77227729d50617932ca87f7888c32547dfbcc783ade
                                                                                • Instruction Fuzzy Hash: 8C21F0BD500205DEE700DF16E9856403BE4BB49314F20943AE9088B3A1F3F669918F9F
                                                                                Function 004194DA Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 59timeCOMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • GetLocalTime.KERNEL32(00000000), ref: 004194F4
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: LocalTime
                                                                                • String ID: | $%02i:%02i:%02i:%03i
                                                                                • API String ID: 481472006-2430845779
                                                                                • Opcode ID: 3ac86647c9e14ca6f93bd036f528b1de7b867f3a903355216a00816ff0bb3ae2
                                                                                • Instruction ID: bce8772fa89f7f7ff9e68bb522557632f538b64cb503c22793e2f51f4d03e72f
                                                                                • Opcode Fuzzy Hash: 3ac86647c9e14ca6f93bd036f528b1de7b867f3a903355216a00816ff0bb3ae2
                                                                                • Instruction Fuzzy Hash: 68117F315042015AC304FBA5D8518EBB3E8AB94308F500A3FF895A21E2FF3CDA49C65A
                                                                                Function 00418CCD Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • PathFileExistsW.SHLWAPI(00000000,00000000,?,?,?,?,?,00415594,00000000), ref: 00418CF2
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ExistsFilePath
                                                                                • String ID: alarm.wav$x(G
                                                                                • API String ID: 1174141254-2413638199
                                                                                • Opcode ID: 26c40b3e06d19070c32931467931773a754d599fffa5f8131170b201d030b6b4
                                                                                • Instruction ID: fe962266bcbe9b481af3baecc2186877703bd5259ecc619923a55b1e0e4c82aa
                                                                                • Opcode Fuzzy Hash: 26c40b3e06d19070c32931467931773a754d599fffa5f8131170b201d030b6b4
                                                                                • Instruction Fuzzy Hash: 40019270B0430056C604F7A6E9566EE37958BA1358F00857FA849672E2EEBD4D45C6CF
                                                                                Function 00409F9A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                  • Part of subcall function 0040A0B0: GetLocalTime.KERNEL32(?,Offline Keylogger Started,00472008), ref: 0040A0BE
                                                                                  • Part of subcall function 0040A0B0: wsprintfW.USER32 ref: 0040A13F
                                                                                  • Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4
                                                                                • CloseHandle.KERNEL32(?), ref: 00409FFD
                                                                                • UnhookWindowsHookEx.USER32 ref: 0040A010
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
                                                                                • String ID: Online Keylogger Stopped
                                                                                • API String ID: 1623830855-1496645233
                                                                                • Opcode ID: 844159523aa59948fae8112936e3b7164414e1ec4be296e67346653cf839bcc0
                                                                                • Instruction ID: de94d33b988dbd75262e40483fa5bc1fa77a380ea8b62c1163629748a83ca489
                                                                                • Opcode Fuzzy Hash: 844159523aa59948fae8112936e3b7164414e1ec4be296e67346653cf839bcc0
                                                                                • Instruction Fuzzy Hash: 2601F530A003045BD7257F24C81BBBE7BB59B82304F40056FE541225D2EAB91866E7DF
                                                                                Function 0040B467 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000,?,?,?,?,?,?,0040B5A1), ref: 0040B49A
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ExistsFilePath
                                                                                • String ID: UserProfile$\AppData\Local\Microsoft\Edge\
                                                                                • API String ID: 1174141254-2800177040
                                                                                • Opcode ID: e6d86c904460ed95f93b6480c1b29343ffc8ef0317c86cf59c19c4bf9a903d1b
                                                                                • Instruction ID: 5821409638838460856efc798fa08f59aead72c028a5ec3eaf808f19191aee33
                                                                                • Opcode Fuzzy Hash: e6d86c904460ed95f93b6480c1b29343ffc8ef0317c86cf59c19c4bf9a903d1b
                                                                                • Instruction Fuzzy Hash: CBF0547090021996CA04FBA6CC57DFF7B6CDA10715B40057FBA01721D3EEBC9E5586D9
                                                                                Function 0040B404 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000,?,?,?,?,?,?,0040B53E), ref: 0040B437
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ExistsFilePath
                                                                                • String ID: UserProfile$\AppData\Local\Google\Chrome\
                                                                                • API String ID: 1174141254-4188645398
                                                                                • Opcode ID: 3eb312a051bd7b3e881279eab24470592b62138a753e29912da0ff6a2ccc73a2
                                                                                • Instruction ID: 3f8b084fd7c06795b4d0fa8893062b22b44e731770192fac0e06baefb29df0f7
                                                                                • Opcode Fuzzy Hash: 3eb312a051bd7b3e881279eab24470592b62138a753e29912da0ff6a2ccc73a2
                                                                                • Instruction Fuzzy Hash: 3DF08970A0021996CA04FBA6DC479FF7B6CDA10715B40007F7A01721D3EEBC9E498ADD
                                                                                Function 0040B4CA Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • PathFileExistsW.SHLWAPI(00000000,\Opera Software\Opera Stable\,00000000,?,?,?,?,?,?,0040B604), ref: 0040B4FD
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ExistsFilePath
                                                                                • String ID: AppData$\Opera Software\Opera Stable\
                                                                                • API String ID: 1174141254-1629609700
                                                                                • Opcode ID: 642841fccc908c774798103d59d1a545af8806a5893841e3456303e80930f048
                                                                                • Instruction ID: 52471f63f703214977655dbdffc05bc1b666495b4e4508f2cd1aa44db4b955b6
                                                                                • Opcode Fuzzy Hash: 642841fccc908c774798103d59d1a545af8806a5893841e3456303e80930f048
                                                                                • Instruction Fuzzy Hash: 2AF05430900219A6C604FBA6CC479EF7B6C9A50709B40047FB901722D3EEB99A4586DD
                                                                                Function 0040A592 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 32keyboardCOMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • GetKeyState.USER32(00000011), ref: 0040A597
                                                                                  • Part of subcall function 00409468: GetForegroundWindow.USER32 ref: 0040949C
                                                                                  • Part of subcall function 00409468: GetWindowThreadProcessId.USER32(00000000,?), ref: 004094A7
                                                                                  • Part of subcall function 00409468: GetKeyboardLayout.USER32(00000000), ref: 004094AE
                                                                                  • Part of subcall function 00409468: GetKeyState.USER32(00000010), ref: 004094B8
                                                                                  • Part of subcall function 00409468: GetKeyboardState.USER32(?), ref: 004094C5
                                                                                  • Part of subcall function 00409468: ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 004094E1
                                                                                  • Part of subcall function 0040962E: SetEvent.KERNEL32(?,?,00000000,0040A156,00000000), ref: 0040965A
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: State$KeyboardWindow$EventForegroundLayoutProcessThreadUnicode
                                                                                • String ID: [AltL]$[AltR]
                                                                                • API String ID: 3195419117-2658077756
                                                                                • Opcode ID: 93bc4c82374cea9adc1be0e1e00b15a6865a0a166cb0b06a72cbb1eb968038fe
                                                                                • Instruction ID: 29e442ca109236f59d068076b5b59df2bd5c1a98fb0e5871b2f0b43888bf59e1
                                                                                • Opcode Fuzzy Hash: 93bc4c82374cea9adc1be0e1e00b15a6865a0a166cb0b06a72cbb1eb968038fe
                                                                                • Instruction Fuzzy Hash: E0E0E52170432026C828363E2D2B6AE39109741761B80006FF8436B2C6EC7E8D1043CF
                                                                                Function 0040A5EC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 24keyboardCOMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • GetKeyState.USER32(00000012), ref: 0040A5F1
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: State
                                                                                • String ID: [CtrlL]$[CtrlR]
                                                                                • API String ID: 1649606143-2446555240
                                                                                • Opcode ID: 32d4ed10a71edebd33ac4b48b63deb44ff05106530e36cbcea7ee1510555eeab
                                                                                • Instruction ID: c9b4056729f6320a31326482d9effdd17bd0eb8d0dea22e3f8a852eb4ad5c27f
                                                                                • Opcode Fuzzy Hash: 32d4ed10a71edebd33ac4b48b63deb44ff05106530e36cbcea7ee1510555eeab
                                                                                • Instruction Fuzzy Hash: 53E02672B043112AC414397E551EA2A286087917A9F46042FECC3672C3D87F8D2203CF
                                                                                Function 00412414 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 23registryCOMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • RegOpenKeyExW.ADVAPI32(80000001,00000000,00000000,00000002,00000000,80000001,6h@,004123E9,00000000,00000000,6h@,origmsc,00000000), ref: 00412422
                                                                                • RegDeleteValueW.ADVAPI32(?,?), ref: 00412436
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: DeleteOpenValue
                                                                                • String ID: 6h@
                                                                                • API String ID: 2654517830-73392143
                                                                                • Opcode ID: 45be350e15fffb6ae5252e7309d7a4a092feaea6bf63e3a5136c94c60f555a57
                                                                                • Instruction ID: b623b948bfdfa0337ccefb4abe002260ff2e01b184ebd3416e4b53d264740477
                                                                                • Opcode Fuzzy Hash: 45be350e15fffb6ae5252e7309d7a4a092feaea6bf63e3a5136c94c60f555a57
                                                                                • Instruction Fuzzy Hash: 9BE0C231244208BBDF108F71DE07FFA372CDB01F01F5042A5BD0592091C666CE149664
                                                                                Function 0043B445 Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401D35), ref: 0043B4DB
                                                                                • GetLastError.KERNEL32 ref: 0043B4E9
                                                                                • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0043B544
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ByteCharMultiWide$ErrorLast
                                                                                • String ID:
                                                                                • API String ID: 1717984340-0
                                                                                • Opcode ID: b03ae9dac27993159e2f076845c08d8301cee77c5f079c52009939e8645c9409
                                                                                • Instruction ID: 0ecaebee41cb6558e50c6262f5020644a21471e748dd5a13caac6b8f2b864e38
                                                                                • Opcode Fuzzy Hash: b03ae9dac27993159e2f076845c08d8301cee77c5f079c52009939e8645c9409
                                                                                • Instruction Fuzzy Hash: AD411630600205BFDB229F65D844B6B7BB4EF09328F14516EFA59AB3A1DB38CD01C799
                                                                                Function 004105C4 Relevance: 5.1, APIs: 4, Instructions: 119COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • IsBadReadPtr.KERNEL32(?,00000014), ref: 004105F1
                                                                                • IsBadReadPtr.KERNEL32(?,00000014), ref: 004106BD
                                                                                • SetLastError.KERNEL32(0000007F), ref: 004106DF
                                                                                • SetLastError.KERNEL32(0000007E,00410955), ref: 004106F6
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.1799679882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_GAmFKUIDBo.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ErrorLastRead
                                                                                • String ID:
                                                                                • API String ID: 4100373531-0
                                                                                • Opcode ID: 9879e5f97f9034714067de51e7f9b75c8f83f84791738768acf52853c1cf03dd
                                                                                • Instruction ID: 0e21605053d2ba8273329305491efaf700724209343246308e891da9604144dc
                                                                                • Opcode Fuzzy Hash: 9879e5f97f9034714067de51e7f9b75c8f83f84791738768acf52853c1cf03dd
                                                                                • Instruction Fuzzy Hash: 73417C71644305DFE7208F18DC84BA7B7E4FF88714F00442EE54687691EBB5E8A5CB19