
Windows Analysis Report
preliminary drawing.pif.exe

Overview

General Information

Sample name:preliminary drawing.pif.exe
Analysis ID:1586798
MD5:164b1d640db37d9f5c95c23d816ffd69
SHA1:5fff09a87a47d38077a08aa917bab542e8317682
SHA256:425fae95f11030526dd3a7e8dd94e93a52146be446be6095a96f1af53b13deab
Tags:exeuser-lowmal3

Detection

Remcos, PureLog Stealer
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Contains functionality to bypass UAC (CMSTPLUA)
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected PureLog Stealer
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate processes and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file name differs from the original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara signature match

Classification

  • System is w10x64
  • preliminary drawing.pif.exe (PID: 7264 cmdline: "C:\Users\user\Desktop\preliminary drawing.pif.exe" MD5: 164B1D640DB37D9F5C95C23D816FFD69)
    • powershell.exe (PID: 7436 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\preliminary drawing.pif.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7452 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • preliminary drawing.pif.exe (PID: 7444 cmdline: "C:\Users\user\Desktop\preliminary drawing.pif.exe" MD5: 164B1D640DB37D9F5C95C23D816FFD69)
    • preliminary drawing.pif.exe (PID: 7500 cmdline: "C:\Users\user\Desktop\preliminary drawing.pif.exe" MD5: 164B1D640DB37D9F5C95C23D816FFD69)
  • cleanup
Malware family information

Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Extracted malware configuration (Remcos):
{"Host:Port:Password": ["31.13.224.237:2404:1"], "Assigned name": "RemcoHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-VETI36", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}
Yara matches in memory dumps (23 entries in total; first 5 shown)

Source | Rule | Description | Author | Strings
00000006.00000002.3830999102.0000000001292000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000006.00000002.3830999102.0000000001277000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000000.00000002.1394103422.00000000071B0000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
00000000.00000002.1391353670.0000000003F79000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
00000000.00000002.1391353670.0000000004AD8000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security

Yara matches in unpacked PE files (40 entries in total; first 5 shown)

Source | Rule | Description | Author | Strings
0.2.preliminary drawing.pif.exe.3fb88f8.4.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
0.2.preliminary drawing.pif.exe.71b0000.8.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
0.2.preliminary drawing.pif.exe.3f988d8.3.raw.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
0.2.preliminary drawing.pif.exe.3f988d8.3.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
0.2.preliminary drawing.pif.exe.71b0000.8.raw.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security

                      System Summary

Sigma matches:

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\preliminary drawing.pif.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\preliminary drawing.pif.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\preliminary drawing.pif.exe", ParentImage: C:\Users\user\Desktop\preliminary drawing.pif.exe, ParentProcessId: 7264, ParentProcessName: preliminary drawing.pif.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\preliminary drawing.pif.exe", ProcessId: 7436, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\preliminary drawing.pif.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\preliminary drawing.pif.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\preliminary drawing.pif.exe", ParentImage: C:\Users\user\Desktop\preliminary drawing.pif.exe, ParentProcessId: 7264, ParentProcessName: preliminary drawing.pif.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\preliminary drawing.pif.exe", ProcessId: 7436, ProcessName: powershell.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\preliminary drawing.pif.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\preliminary drawing.pif.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\preliminary drawing.pif.exe", ParentImage: C:\Users\user\Desktop\preliminary drawing.pif.exe, ParentProcessId: 7264, ParentProcessName: preliminary drawing.pif.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\preliminary drawing.pif.exe", ProcessId: 7436, ProcessName: powershell.exe

Stealing of Sensitive Information

Source: Registry Key set | Author: Joe Security | Data: Details: 8F 79 B3 11 76 A6 AB DB 1D 81 00 55 74 BB 49 EF BE 2A DE AA 1A 2E 53 F3 3D B8 93 7C F9 17 E8 35 A7 79 EB 56 45 53 D1 64 3D FA 76 75 08 6C 65 05 07 42 A7 AE 2D C0 BB D2 09 B6 3B A9 D4 9B 46 C7 51 C2 3A DD A7 48 BB E3 89 FA 80 DC 52 A9 36 0B F3 7D E5 FD 82 5F 2A 28 B1 86 7C 95 E9 1B B9 2B 31 A9 84 38 C9 FD 36 1D, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\preliminary drawing.pif.exe, ProcessId: 7500, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Rmc-VETI36\exepath

Suricata IDS alerts

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-09T16:33:59.079186+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49708 | 31.13.224.237 | 2404 | TCP
2025-01-09T16:34:00.927296+0100 | 2803304 | 3 | Unknown Traffic | 192.168.2.8 | 49710 | 178.237.33.50 | 80 | TCP

                      AV Detection

Source: preliminary drawing.pif.exe | Avira: detected
Source: 00000000.00000002.1391353670.0000000004AD8000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: Remcos {"Host:Port:Password": ["31.13.224.237:2404:1"], "Assigned name": "RemcoHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-VETI36", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}
Source: preliminary drawing.pif.exe | ReversingLabs: Detection: 50%
Source: Yara match | File source: 0.2.preliminary drawing.pif.exe.4ad8f18.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.preliminary drawing.pif.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.preliminary drawing.pif.exe.4097268.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.preliminary drawing.pif.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.preliminary drawing.pif.exe.4ad8f18.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.preliminary drawing.pif.exe.4097268.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.preliminary drawing.pif.exe.3fb88f8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000006.00000002.3830999102.0000000001292000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3830999102.0000000001277000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1391353670.0000000004AD8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1391353670.0000000003FB8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: preliminary drawing.pif.exe PID: 7264, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: preliminary drawing.pif.exe PID: 7500, type: MEMORYSTR
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: preliminary drawing.pif.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe | Code function: 6_2_0043294A CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,6_2_0043294A
Source: preliminary drawing.pif.exe, 00000000.00000002.1391353670.0000000004AD8000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: -----BEGIN PUBLIC KEY-----memstr_5c9dc35b-0

                      Exploits

Source: Yara match | File source: 0.2.preliminary drawing.pif.exe.4ad8f18.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.preliminary drawing.pif.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.preliminary drawing.pif.exe.4097268.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.preliminary drawing.pif.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.preliminary drawing.pif.exe.4ad8f18.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.preliminary drawing.pif.exe.4097268.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.preliminary drawing.pif.exe.3fb88f8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1391353670.0000000004AD8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1391353670.0000000003FB8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: preliminary drawing.pif.exe PID: 7264, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: preliminary drawing.pif.exe PID: 7500, type: MEMORYSTR

                      Privilege Escalation

Source: C:\Users\user\Desktop\preliminary drawing.pif.exe | Code function: 6_2_00406764 _wcslen,CoGetObject,6_2_00406764
Source: preliminary drawing.pif.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: preliminary drawing.pif.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe | Code function: 6_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,6_2_0040B335
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe | Code function: 6_2_0041B43F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,6_2_0041B43F
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe | Code function: 6_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,6_2_0040B53A
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe | Code function: 6_2_0044D5F9 FindFirstFileExA,6_2_0044D5F9
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe | Code function: 6_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,6_2_004089A9
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe | Code function: 6_2_00406AC2 FindFirstFileW,FindNextFileW,6_2_00406AC2
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe | Code function: 6_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,6_2_00407A8C
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe | Code function: 6_2_00418C79 FindFirstFileW,FindNextFileW,FindNextFileW,6_2_00418C79
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe | Code function: 6_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,6_2_00408DA7
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe | Code function: 6_2_00406F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,6_2_00406F06

                      Networking

Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49708 -> 31.13.224.237:2404
Source: Malware configuration extractor | IPs: 31.13.224.237
Source: global traffic | TCP traffic: 192.168.2.8:49708 -> 31.13.224.237:2404
Source: global traffic | HTTP traffic detected: GET /json.gp HTTP/1.1 | Host: geoplugin.net | Cache-Control: no-cache
Source: Joe Sandbox View | IP Address: 178.237.33.50
Source: Joe Sandbox View | ASN Name: SARNICA-ASBG
Source: Network traffic | Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.8:49710 -> 178.237.33.50:80
Source: unknown | TCP traffic detected without corresponding DNS query: 31.13.224.237 (17 identical entries)
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe | Code function: 6_2_00426107 recv,6_2_00426107
Source: global traffic | HTTP traffic detected: GET /json.gp HTTP/1.1 | Host: geoplugin.net | Cache-Control: no-cache
Source: global traffic | DNS traffic detected: DNS query: geoplugin.net
Source: preliminary drawing.pif.exe, preliminary drawing.pif.exe, 00000006.00000002.3830999102.00000000012AF000.00000004.00000020.00020000.00000000.sdmp, preliminary drawing.pif.exe, 00000006.00000002.3830999102.0000000001292000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp
Source: preliminary drawing.pif.exe, 00000000.00000002.1391353670.0000000004AD8000.00000004.00000800.00020000.00000000.sdmp, preliminary drawing.pif.exe, 00000000.00000002.1391353670.0000000003FB8000.00000004.00000800.00020000.00000000.sdmp, preliminary drawing.pif.exe, 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp/C
Source: preliminary drawing.pif.exe, 00000006.00000002.3830999102.0000000001292000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpSystem32
Source: preliminary drawing.pif.exe, 00000000.00000002.1390345573.0000000002F71000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

                      Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\Desktop\preliminary drawing.pif.exe | Code function: 6_2_004099E4 SetWindowsHookExA 0000000D,004099D0,00000000 6_2_004099E4
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe | Code function: 6_2_004159C6 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,6_2_004159C6 (3 identical entries)
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe | Code function: 6_2_00409B10 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,6_2_00409B10
Source: Yara match | File source: 0.2.preliminary drawing.pif.exe.4ad8f18.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.preliminary drawing.pif.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.preliminary drawing.pif.exe.4097268.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.preliminary drawing.pif.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.preliminary drawing.pif.exe.4ad8f18.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.preliminary drawing.pif.exe.4097268.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.preliminary drawing.pif.exe.3fb88f8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1391353670.0000000004AD8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1391353670.0000000003FB8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: preliminary drawing.pif.exe PID: 7264, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: preliminary drawing.pif.exe PID: 7500, type: MEMORYSTR

                      E-Banking Fraud

Source: Yara match | File source: 0.2.preliminary drawing.pif.exe.4ad8f18.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.preliminary drawing.pif.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.preliminary drawing.pif.exe.4097268.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.preliminary drawing.pif.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.preliminary drawing.pif.exe.4ad8f18.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.preliminary drawing.pif.exe.4097268.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.preliminary drawing.pif.exe.3fb88f8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000006.00000002.3830999102.0000000001292000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3830999102.0000000001277000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1391353670.0000000004AD8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1391353670.0000000003FB8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: preliminary drawing.pif.exe PID: 7264, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: preliminary drawing.pif.exe PID: 7500, type: MEMORYSTR

                      Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\user\Desktop\preliminary drawing.pif.exe | Code function: 6_2_0041BB87 SystemParametersInfoW,6_2_0041BB87

                      System Summary

Source: 0.2.preliminary drawing.pif.exe.4ad8f18.7.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.preliminary drawing.pif.exe.4ad8f18.7.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.preliminary drawing.pif.exe.4ad8f18.7.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 6.2.preliminary drawing.pif.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 6.2.preliminary drawing.pif.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 6.2.preliminary drawing.pif.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.preliminary drawing.pif.exe.4097268.5.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.preliminary drawing.pif.exe.4097268.5.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.preliminary drawing.pif.exe.4097268.5.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 6.2.preliminary drawing.pif.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 6.2.preliminary drawing.pif.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 6.2.preliminary drawing.pif.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.preliminary drawing.pif.exe.4ad8f18.7.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.preliminary drawing.pif.exe.4ad8f18.7.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.preliminary drawing.pif.exe.4097268.5.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.preliminary drawing.pif.exe.4097268.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.preliminary drawing.pif.exe.3fb88f8.4.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.preliminary drawing.pif.exe.3fb88f8.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000000.00000002.1391353670.0000000004AD8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000000.00000002.1391353670.0000000003FB8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: preliminary drawing.pif.exe PID: 7264, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: preliminary drawing.pif.exe PID: 7500, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe | Code function: 6_2_004158B9 ExitWindowsEx,LoadLibraryA,GetProcAddress
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe | Code functions: 0_2_07470040, 0_2_073186B8, 0_2_073113E4, 0_2_0731ABF0, 0_2_073186B7, 0_2_073183D0, 0_2_073113D7, 0_2_073183C1, 0_2_07311A28
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe | Code functions: 6_2_004520E2, 6_2_0041D081, 6_2_0043D0A8, 6_2_00437160, 6_2_004361BA, 6_2_00426264, 6_2_00431387, 6_2_0043652C, 6_2_0041E5EF, 6_2_0044C749, 6_2_004367D6, 6_2_004267DB, 6_2_0043C9ED, 6_2_00432A59, 6_2_00436A9D, 6_2_0043CC1C, 6_2_00436D58, 6_2_00434D32, 6_2_0043CE4B, 6_2_00440E30, 6_2_00426E83, 6_2_00412F45, 6_2_00452F10, 6_2_00426FBD
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe | Code function: String function 00401F66 appears 50 times
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe | Code function: String function 004020E7 appears 40 times
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe | Code function: String function 004338B5 appears 41 times
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe | Code function: String function 00433FC0 appears 55 times
Source: preliminary drawing.pif.exe | Binary or memory string: OriginalFilename vs preliminary drawing.pif.exe
Source: preliminary drawing.pif.exe, 00000000.00000000.1371952069.0000000000C76000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilename Smqm.exe vs preliminary drawing.pif.exe
Source: preliminary drawing.pif.exe, 00000000.00000002.1391353670.0000000003FB8000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename Captive.dll vs preliminary drawing.pif.exe
Source: preliminary drawing.pif.exe, 00000000.00000002.1391353670.0000000003FB8000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename Montero.dll vs preliminary drawing.pif.exe
Source: preliminary drawing.pif.exe, 00000000.00000002.1394103422.00000000071B0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilename Captive.dll vs preliminary drawing.pif.exe
Source: preliminary drawing.pif.exe, 00000000.00000002.1395186391.00000000073B0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilename Montero.dll vs preliminary drawing.pif.exe
Source: preliminary drawing.pif.exe, 00000000.00000002.1391353670.0000000003F79000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename Captive.dll vs preliminary drawing.pif.exe
Source: preliminary drawing.pif.exe, 00000000.00000002.1388462003.000000000139E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename clr.dll vs preliminary drawing.pif.exe
Source: preliminary drawing.pif.exe | Binary or memory string: OriginalFilename Smqm.exe vs preliminary drawing.pif.exe
Source: preliminary drawing.pif.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Matched rule: Windows_Trojan_Remcos_b296e965 | reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Sources (type UNPACKEDPE): 0.2.preliminary drawing.pif.exe.4ad8f18.7.unpack; 6.2.preliminary drawing.pif.exe.400000.0.unpack; 0.2.preliminary drawing.pif.exe.4097268.5.unpack; 6.2.preliminary drawing.pif.exe.400000.0.raw.unpack; 0.2.preliminary drawing.pif.exe.4ad8f18.7.raw.unpack; 0.2.preliminary drawing.pif.exe.4097268.5.raw.unpack; 0.2.preliminary drawing.pif.exe.3fb88f8.4.raw.unpack
Sources (type MEMORY): 00000000.00000002.1391353670.0000000004AD8000.00000004.00000800.00020000.00000000.sdmp; 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp; 00000000.00000002.1391353670.0000000003FB8000.00000004.00000800.00020000.00000000.sdmp
Sources (type MEMORYSTR): Process Memory Space: preliminary drawing.pif.exe PID: 7264; Process Memory Space: preliminary drawing.pif.exe PID: 7500
Matched rule: REMCOS_RAT_variants | Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Sources (type UNPACKEDPE): 0.2.preliminary drawing.pif.exe.4ad8f18.7.unpack; 6.2.preliminary drawing.pif.exe.400000.0.unpack; 0.2.preliminary drawing.pif.exe.4097268.5.unpack; 6.2.preliminary drawing.pif.exe.400000.0.raw.unpack
Sources (type MEMORY): 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM | author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Sources (type UNPACKEDPE): 0.2.preliminary drawing.pif.exe.4ad8f18.7.unpack; 6.2.preliminary drawing.pif.exe.400000.0.unpack; 0.2.preliminary drawing.pif.exe.4097268.5.unpack; 6.2.preliminary drawing.pif.exe.400000.0.raw.unpack; 0.2.preliminary drawing.pif.exe.4ad8f18.7.raw.unpack; 0.2.preliminary drawing.pif.exe.4097268.5.raw.unpack; 0.2.preliminary drawing.pif.exe.3fb88f8.4.raw.unpack
Sources (type MEMORY): 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Source: preliminary drawing.pif.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: classification engine | Classification label: mal100.rans.troj.spyw.expl.evad.winEXE@8/7@1/2
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe | Code function: 6_2_00416AB7 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe | Code function: 6_2_0040E219 GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe | Code function: 6_2_0041A64F FindResourceA,LoadResource,LockResource,SizeofResource
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe | Code function: 6_2_00419BD4 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\preliminary drawing.pif.exe.log
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7452:120:WilError_03
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe | Mutant created: \Sessions\1\BaseNamedObjects\Rmc-VETI36
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rp34tchz.vv4.ps1
Source: preliminary drawing.pif.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: preliminary drawing.pif.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: preliminary drawing.pif.exe | ReversingLabs: Detection: 50%
Source: unknown | Process created: C:\Users\user\Desktop\preliminary drawing.pif.exe "C:\Users\user\Desktop\preliminary drawing.pif.exe"
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\preliminary drawing.pif.exe"
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe | Process created: C:\Users\user\Desktop\preliminary drawing.pif.exe "C:\Users\user\Desktop\preliminary drawing.pif.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe | Process created: C:\Users\user\Desktop\preliminary drawing.pif.exe "C:\Users\user\Desktop\preliminary drawing.pif.exe"
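The process chain above (the sample spawning 32-bit PowerShell to add a Windows Defender exclusion for its own path, then launching two copies of itself) together with the Rmc-VETI36 mutant are the behaviours a detection engineer would key on in telemetry. The following is an added example and not part of the Joe Sandbox report: a small Python triage script that runs three checks over constructed Sysmon-style process-creation records and mutex names mirroring this report. The explorer.exe parent, every PID other than 7264 and 7500, the benign control event, and the six-character mutex pattern generalised from the single observed value are assumptions, not values taken from the report.

```python
import re
from typing import Dict, List, Tuple

# ---- constructed input -------------------------------------------------------
# Process-creation records shaped like Sysmon Event ID 1 fields, mirroring the
# process chain in the report. The explorer.exe parent, all PIDs except 7264 and
# 7500, and the benign control event (pid 8000) are assumptions.
SAMPLE = r"C:\Users\user\Desktop\preliminary drawing.pif.exe"
PS_IMAGE = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
# The 32-bit sample asks for the System32 path; WOW64 file-system redirection
# resolves it to SysWOW64, which is why Image and argv[0] differ in the report.
PS_ARGV0 = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
BUILD_DIR = r"C:\Builds"

EVENTS: List[Dict[str, object]] = [
    {"ProcessId": 7264, "ParentProcessId": 4100, "Image": SAMPLE,
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": f'"{SAMPLE}"'},
    {"ProcessId": 7440, "ParentProcessId": 7264, "Image": PS_IMAGE,
     "ParentImage": SAMPLE,
     "CommandLine": f'"{PS_ARGV0}" Add-MpPreference -ExclusionPath "{SAMPLE}"'},
    {"ProcessId": 7452, "ParentProcessId": 7440,
     "Image": r"C:\Windows\System32\conhost.exe", "ParentImage": PS_IMAGE,
     "CommandLine": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
    {"ProcessId": 7480, "ParentProcessId": 7264, "Image": SAMPLE,
     "ParentImage": SAMPLE, "CommandLine": f'"{SAMPLE}"'},
    {"ProcessId": 7500, "ParentProcessId": 7264, "Image": SAMPLE,
     "ParentImage": SAMPLE, "CommandLine": f'"{SAMPLE}"'},
    # Benign control: an administrator excluding a build directory from cmd.exe.
    {"ProcessId": 8000, "ParentProcessId": 7990, "Image": PS_IMAGE,
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": f'"{PS_ARGV0}" Add-MpPreference -ExclusionPath "{BUILD_DIR}"'},
]

# Mutex names: the first two are the report's, the last two are constructed.
MUTEXES = [
    r"\Sessions\1\BaseNamedObjects\Rmc-VETI36",
    r"\Sessions\1\BaseNamedObjects\Local\SM0:7452:120:WilError_03",
    "Rmc-AB12CD",        # bare name as some EDRs log it: should match
    "Rmc-toolong1234",   # wrong width and case: must not match
]

# ---- detections ---------------------------------------------------------------
EXCLUSION_RE = re.compile(
    r"Add-MpPreference\b.*?-Exclusion(Path|Process|Extension)\s+"
    r'(?:"([^"]+)"|' r"'([^']+)'|(\S+))",
    re.IGNORECASE,
)

# Generalised from the single value in the report (Rmc-VETI36): "Rmc-" plus six
# upper-case alphanumerics, with or without the session object directory. The
# six-character width is an assumption; check it against your own sample set.
REMCOS_MUTEX_RE = re.compile(
    r"^(?:\\Sessions\\\d+\\BaseNamedObjects\\)?Rmc-[A-Z0-9]{6}$"
)


def find_defender_exclusions(events):
    """Return (pid, kind, value, self_exclusion) for each Add-MpPreference call.

    self_exclusion is True when the excluded value is the image of the process
    that launched PowerShell, i.e. a program whitelisting itself, as the sample
    does here. An administrator excluding some other path from a console is not.
    """
    hits: List[Tuple[int, str, str, bool]] = []
    for ev in events:
        m = EXCLUSION_RE.search(str(ev["CommandLine"]))
        if not m:
            continue
        kind = m.group(1).lower()
        value = next(g for g in m.groups()[1:] if g)   # whichever quoting matched
        self_excl = value.lower() == str(ev["ParentImage"]).lower()
        hits.append((int(ev["ProcessId"]), kind, value, self_excl))
    return hits


def find_self_spawns(events):
    """Return PIDs whose image path equals their parent's image path.

    A user-profile executable re-launching itself is the usual prelude to
    writing an unpacked payload into the child; the report shows two such
    children under the first instance of the sample.
    """
    return [int(ev["ProcessId"]) for ev in events
            if str(ev["Image"]).lower() == str(ev["ParentImage"]).lower()]


def match_remcos_mutexes(names):
    """Return the mutex names that fit the Remcos naming pattern."""
    return [n for n in names if REMCOS_MUTEX_RE.match(n)]


def triage(events, mutex_names):
    """Combine the three checks into (severity, message) findings."""
    findings = []
    for pid, kind, value, self_excl in find_defender_exclusions(events):
        sev = "high" if self_excl else "medium"
        findings.append((sev, f"pid {pid} adds Defender {kind} exclusion for {value}"))
    for pid in find_self_spawns(events):
        findings.append(("medium", f"pid {pid} re-launches its own parent image"))
    for name in match_remcos_mutexes(mutex_names):
        findings.append(("high", f"mutex {name} matches the Remcos naming pattern"))
    return findings


if __name__ == "__main__":
    for severity, message in triage(EVENTS, MUTEXES):
        print(f"[{severity}] {message}")
```

Run against the constructed records, the script flags the self-exclusion from pid 7440 and the two Remcos-style mutex names as high, and the two self-spawned children and the administrator's exclusion as medium. The self-exclusion check is the discriminating one: Add-MpPreference on its own is routine administration, but a process excluding the very binary that launched PowerShell is almost never legitimate.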
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe | Sections loaded: mscoree.dll, apphelp.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, uxtheme.dll, windows.storage.dll, wldp.dll, profapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, dwrite.dll, amsi.dll, userenv.dll, msasn1.dll, gpapi.dll, windowscodecs.dll, iconcodecservice.dll, propsys.dll, edputil.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, windows.staterepositoryps.dll, sspicli.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Sections loaded: atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, windows.storage.dll, wldp.dll, amsi.dll, userenv.dll, profapi.dll, msasn1.dll, gpapi.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, secur32.dll, sspicli.dll, uxtheme.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, propsys.dll, wininet.dll
                      Source: C:\Users\user\Desktop\preliminary drawing.pif.exeSection loaded: winmm.dllJump to behavior
                      Source: C:\Users\user\Desktop\preliminary drawing.pif.exeSection loaded: urlmon.dllJump to behavior
                      Source: C:\Users\user\Desktop\preliminary drawing.pif.exeSection loaded: wininet.dllJump to behavior
                      Source: C:\Users\user\Desktop\preliminary drawing.pif.exeSection loaded: iertutil.dllJump to behavior
                      Source: C:\Users\user\Desktop\preliminary drawing.pif.exeSection loaded: srvcli.dllJump to behavior
                      Source: C:\Users\user\Desktop\preliminary drawing.pif.exeSection loaded: netutils.dllJump to behavior
                      Source: C:\Users\user\Desktop\preliminary drawing.pif.exeSection loaded: iphlpapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\preliminary drawing.pif.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Users\user\Desktop\preliminary drawing.pif.exeSection loaded: mswsock.dllJump to behavior
                      Source: C:\Users\user\Desktop\preliminary drawing.pif.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Users\user\Desktop\preliminary drawing.pif.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Users\user\Desktop\preliminary drawing.pif.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Users\user\Desktop\preliminary drawing.pif.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Users\user\Desktop\preliminary drawing.pif.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Users\user\Desktop\preliminary drawing.pif.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\preliminary drawing.pif.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Users\user\Desktop\preliminary drawing.pif.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                      Source: C:\Users\user\Desktop\preliminary drawing.pif.exeSection loaded: winhttp.dllJump to behavior
                      Source: C:\Users\user\Desktop\preliminary drawing.pif.exeSection loaded: winnsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\preliminary drawing.pif.exeSection loaded: dnsapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\preliminary drawing.pif.exeSection loaded: rasadhlp.dllJump to behavior
                      Source: C:\Users\user\Desktop\preliminary drawing.pif.exeSection loaded: fwpuclnt.dllJump to behavior
                      Source: C:\Users\user\Desktop\preliminary drawing.pif.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                      Source: Window RecorderWindow detected: More than 3 window changes detected
                      Source: C:\Users\user\Desktop\preliminary drawing.pif.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                      Source: preliminary drawing.pif.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: preliminary drawing.pif.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                      Source: C:\Users\user\Desktop\preliminary drawing.pif.exeCode function: 6_2_0041BCF3 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,6_2_0041BCF3
                      Source: C:\Users\user\Desktop\preliminary drawing.pif.exeCode function: 0_2_073132F8 pushad ; iretd 0_2_07313301
                      Source: C:\Users\user\Desktop\preliminary drawing.pif.exeCode function: 6_2_00434006 push ecx; ret 6_2_00434019
                      Source: C:\Users\user\Desktop\preliminary drawing.pif.exeCode function: 6_2_004567F0 push eax; ret 6_2_0045680E
                      Source: C:\Users\user\Desktop\preliminary drawing.pif.exeCode function: 6_2_0045B9DD push esi; ret 6_2_0045B9E6
                      Source: C:\Users\user\Desktop\preliminary drawing.pif.exeCode function: 6_2_00463EF3 push ds; retf 6_2_00463EEC
                      Source: C:\Users\user\Desktop\preliminary drawing.pif.exeCode function: 6_2_00455EBF push ecx; ret 6_2_00455ED2
                      Source: preliminary drawing.pif.exeStatic PE information: section name: .text entropy: 7.953043080627408
                      Source: C:\Users\user\Desktop\preliminary drawing.pif.exeCode function: 6_2_00406128 ShellExecuteW,URLDownloadToFileW,6_2_00406128
                      Source: C:\Users\user\Desktop\preliminary drawing.pif.exeCode function: 6_2_00419BD4 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,6_2_00419BD4

                      Hooking and other Techniques for Hiding and Protection

                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                      Source: C:\Users\user\Desktop\preliminary drawing.pif.exe | Code function: 6_2_0041BCF3 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 6_2_0041BCF3
                      Source: C:\Users\user\Desktop\preliminary drawing.pif.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion

                      Source: Yara match | File source: Process Memory Space: preliminary drawing.pif.exe PID: 7264, type: MEMORYSTR
                      Source: C:\Users\user\Desktop\preliminary drawing.pif.exe | Code function: 6_2_0040E54F Sleep,ExitProcess, 6_2_0040E54F
                      Source: C:\Users\user\Desktop\preliminary drawing.pif.exe | Memory allocated: 1590000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\preliminary drawing.pif.exe | Memory allocated: 2F70000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\preliminary drawing.pif.exe | Memory allocated: 4F70000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\preliminary drawing.pif.exe | Memory allocated: 8090000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\preliminary drawing.pif.exe | Memory allocated: 9090000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\preliminary drawing.pif.exe | Memory allocated: 9250000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\preliminary drawing.pif.exe | Memory allocated: A250000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\preliminary drawing.pif.exe | Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle, 6_2_004198D2
                      Source: C:\Users\user\Desktop\preliminary drawing.pif.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6390
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3361
                      Source: C:\Users\user\Desktop\preliminary drawing.pif.exe | Window / User API: threadDelayed 4111
                      Source: C:\Users\user\Desktop\preliminary drawing.pif.exe | Window / User API: threadDelayed 5880
                      Source: C:\Users\user\Desktop\preliminary drawing.pif.exe | API coverage: 10.0 %
                      Source: C:\Users\user\Desktop\preliminary drawing.pif.exe TID: 7284 | Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7616 | Thread sleep time: -4611686018427385s >= -30000s
                      Source: C:\Users\user\Desktop\preliminary drawing.pif.exe TID: 7544 | Thread sleep count: 4111 > 30
                      Source: C:\Users\user\Desktop\preliminary drawing.pif.exe TID: 7544 | Thread sleep time: -12333000s >= -30000s
                      Source: C:\Users\user\Desktop\preliminary drawing.pif.exe TID: 7544 | Thread sleep count: 5880 > 30
                      Source: C:\Users\user\Desktop\preliminary drawing.pif.exe TID: 7544 | Thread sleep time: -17640000s >= -30000s
                      Source: C:\Users\user\Desktop\preliminary drawing.pif.exe | Code function: 6_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 6_2_0040B335
                      Source: C:\Users\user\Desktop\preliminary drawing.pif.exe | Code function: 6_2_0041B43F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose, 6_2_0041B43F
                      Source: C:\Users\user\Desktop\preliminary drawing.pif.exe | Code function: 6_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 6_2_0040B53A
                      Source: C:\Users\user\Desktop\preliminary drawing.pif.exe | Code function: 6_2_0044D5F9 FindFirstFileExA, 6_2_0044D5F9
                      Source: C:\Users\user\Desktop\preliminary drawing.pif.exe | Code function: 6_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8, 6_2_004089A9
                      Source: C:\Users\user\Desktop\preliminary drawing.pif.exe | Code function: 6_2_00406AC2 FindFirstFileW,FindNextFileW, 6_2_00406AC2
                      Source: C:\Users\user\Desktop\preliminary drawing.pif.exeCode function: 6_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,6_2_00407A8C
                      Source: C:\Users\user\Desktop\preliminary drawing.pif.exeCode function: 6_2_00418C79 FindFirstFileW,FindNextFileW,FindNextFileW,6_2_00418C79
                      Source: C:\Users\user\Desktop\preliminary drawing.pif.exeCode function: 6_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,6_2_00408DA7
                      Source: C:\Users\user\Desktop\preliminary drawing.pif.exeCode function: 6_2_00406F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,6_2_00406F06
                      Source: C:\Users\user\Desktop\preliminary drawing.pif.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: preliminary drawing.pif.exe, 00000000.00000002.1395186391.00000000073B0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: A6vmCI2BDk
                      Source: preliminary drawing.pif.exe, 00000006.00000002.3830999102.00000000012EA000.00000004.00000020.00020000.00000000.sdmp, preliminary drawing.pif.exe, 00000006.00000002.3830999102.00000000012D2000.00000004.00000020.00020000.00000000.sdmp, preliminary drawing.pif.exe, 00000006.00000002.3830999102.0000000001292000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                      Source: C:\Users\user\Desktop\preliminary drawing.pif.exeAPI call chain: ExitProcess graph end nodegraph_6-48259
                      Source: C:\Users\user\Desktop\preliminary drawing.pif.exeProcess information queried: ProcessInformationJump to behavior
                      Source: C:\Users\user\Desktop\preliminary drawing.pif.exeCode function: 6_2_0043A66D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,6_2_0043A66D
                      Source: C:\Users\user\Desktop\preliminary drawing.pif.exeCode function: 6_2_0041BCF3 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,6_2_0041BCF3
                      Source: C:\Users\user\Desktop\preliminary drawing.pif.exeCode function: 6_2_00442564 mov eax, dword ptr fs:[00000030h]6_2_00442564
                      Source: C:\Users\user\Desktop\preliminary drawing.pif.exeCode function: 6_2_0044E93E GetProcessHeap,6_2_0044E93E
                      Source: C:\Users\user\Desktop\preliminary drawing.pif.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Users\user\Desktop\preliminary drawing.pif.exeCode function: 6_2_00434178 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,6_2_00434178
                      Source: C:\Users\user\Desktop\preliminary drawing.pif.exeCode function: 6_2_0043A66D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,6_2_0043A66D
                      Source: C:\Users\user\Desktop\preliminary drawing.pif.exeCode function: 6_2_00433B54 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,6_2_00433B54
                      Source: C:\Users\user\Desktop\preliminary drawing.pif.exeCode function: 6_2_00433CE7 SetUnhandledExceptionFilter,6_2_00433CE7
                      Source: C:\Users\user\Desktop\preliminary drawing.pif.exeMemory allocated: page read and write | page guardJump to behavior

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\preliminary drawing.pif.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\preliminary drawing.pif.exe"
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\preliminary drawing.pif.exe"
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe | Memory written: C:\Users\user\Desktop\preliminary drawing.pif.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe | Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 6_2_00410F36
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe | Code function: 6_2_00418764 mouse_event
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\preliminary drawing.pif.exe"
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe | Process created: C:\Users\user\Desktop\preliminary drawing.pif.exe "C:\Users\user\Desktop\preliminary drawing.pif.exe"
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe | Process created: C:\Users\user\Desktop\preliminary drawing.pif.exe "C:\Users\user\Desktop\preliminary drawing.pif.exe"
Source: preliminary drawing.pif.exe, 00000006.00000002.3830999102.00000000012D2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager
Source: preliminary drawing.pif.exe, 00000006.00000002.3830999102.00000000012AF000.00000004.00000020.00020000.00000000.sdmp, preliminary drawing.pif.exe, 00000006.00000002.3830999102.00000000012D2000.00000004.00000020.00020000.00000000.sdmp, preliminary drawing.pif.exe, 00000006.00000002.3830999102.0000000001292000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: |Program Manager|
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe | Code function: 6_2_00433E1A cpuid
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe | Code function: GetLocaleInfoA, 6_2_0040E679
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe | Code function: GetLocaleInfoW, 6_2_004510CA
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe | Code function: EnumSystemLocalesW, 6_2_004470BE
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 6_2_004511F3
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe | Code function: GetLocaleInfoW, 6_2_004512FA
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 6_2_004513C7
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe | Code function: GetLocaleInfoW, 6_2_004475A7
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe | Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 6_2_00450A8F
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe | Code function: EnumSystemLocalesW, 6_2_00450D52
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe | Code function: EnumSystemLocalesW, 6_2_00450D07
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe | Code function: EnumSystemLocalesW, 6_2_00450DED
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 6_2_00450E7A
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe | Queries volume information: C:\Users\user\Desktop\preliminary drawing.pif.exe VolumeInformation
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe | Code function: 6_2_00404915 GetLocalTime,CreateEventA,CreateThread
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe | Code function: 6_2_0041A7B2 GetComputerNameExW,GetUserNameW
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe | Code function: 6_2_0044801F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match | File source: 0.2.preliminary drawing.pif.exe.3fb88f8.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.preliminary drawing.pif.exe.71b0000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.preliminary drawing.pif.exe.3f988d8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.preliminary drawing.pif.exe.3f988d8.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.preliminary drawing.pif.exe.71b0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.preliminary drawing.pif.exe.3fb88f8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1394103422.00000000071B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1391353670.0000000003F79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1391353670.0000000003FB8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0.2.preliminary drawing.pif.exe.4ad8f18.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.preliminary drawing.pif.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.preliminary drawing.pif.exe.4097268.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.preliminary drawing.pif.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.preliminary drawing.pif.exe.4ad8f18.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.preliminary drawing.pif.exe.4097268.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.preliminary drawing.pif.exe.3fb88f8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000006.00000002.3830999102.0000000001292000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3830999102.0000000001277000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1391353670.0000000004AD8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1391353670.0000000003FB8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: preliminary drawing.pif.exe PID: 7264, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: preliminary drawing.pif.exe PID: 7500, type: MEMORYSTR
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe | Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 6_2_0040B21B
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe | Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 6_2_0040B335
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe | Code function: \key3.db 6_2_0040B335

Remote Access Functionality

Source: C:\Users\user\Desktop\preliminary drawing.pif.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-VETI36
Source: Yara match | File source: 0.2.preliminary drawing.pif.exe.3fb88f8.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.preliminary drawing.pif.exe.71b0000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.preliminary drawing.pif.exe.3f988d8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.preliminary drawing.pif.exe.3f988d8.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.preliminary drawing.pif.exe.71b0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.preliminary drawing.pif.exe.3fb88f8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1394103422.00000000071B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1391353670.0000000003F79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1391353670.0000000003FB8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0.2.preliminary drawing.pif.exe.4ad8f18.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.preliminary drawing.pif.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.preliminary drawing.pif.exe.4097268.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.preliminary drawing.pif.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.preliminary drawing.pif.exe.4ad8f18.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.preliminary drawing.pif.exe.4097268.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.preliminary drawing.pif.exe.3fb88f8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000006.00000002.3830999102.0000000001292000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3830999102.0000000001277000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1391353670.0000000004AD8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1391353670.0000000003FB8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: preliminary drawing.pif.exe PID: 7264, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: preliminary drawing.pif.exe PID: 7500, type: MEMORYSTR
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe | Code function: cmd.exe 6_2_00405042
MITRE ATT&CK Matrix (numbers in parentheses are the hit counts shown next to matched techniques)

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Native API (1) | DLL Side-Loading (1) | DLL Side-Loading (1) | Disable or Modify Tools (11) | OS Credential Dumping (1) | System Time Discovery (2) | Remote Services | Archive Collected Data (11) | Ingress Tool Transfer (12) | Exfiltration Over Other Network Medium | System Shutdown/Reboot (1)
Credentials | Domains | Default Accounts | Command and Scripting Interpreter (1) | Windows Service (1) | Bypass User Account Control (1) | Deobfuscate/Decode Files or Information (1) | Input Capture (111) | Account Discovery (1) | Remote Desktop Protocol | Input Capture (111) | Encrypted Channel (2) | Exfiltration Over Bluetooth | Defacement (1)
Email Addresses | DNS Server | Domain Accounts | Service Execution (2) | Logon Script (Windows) | Access Token Manipulation (1) | Obfuscated Files or Information (3) | Credentials In Files (2) | System Service Discovery (1) | SMB/Windows Admin Shares | Clipboard Data (3) | Non-Standard Port (1) | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Windows Service (1) | Software Packing (2) | NTDS | File and Directory Discovery (3) | Distributed Component Object Model | Input Capture | Remote Access Software (1) | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Process Injection (122) | DLL Side-Loading (1) | LSA Secrets | System Information Discovery (33) | SSH | Keylogging | Non-Application Layer Protocol (2) | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Bypass User Account Control (1) | Cached Domain Credentials | Security Software Discovery (21) | VNC | GUI Input Capture | Application Layer Protocol (12) | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Masquerading (1) | DCSync | Virtualization/Sandbox Evasion (31) | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Virtualization/Sandbox Evasion (31) | Proc Filesystem | Process Discovery (3) | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | Access Token Manipulation (1) | /etc/passwd and /etc/shadow | Application Window Discovery (1) | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | Process Injection (122) | Network Sniffing | System Owner/User Discovery (1) | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
                      Hide Legend
Source | Detection | Scanner | Label
preliminary drawing.pif.exe | 50% | ReversingLabs | Win32.Trojan.Generic
preliminary drawing.pif.exe | 100% | Avira | HEUR/AGEN.1310026
preliminary drawing.pif.exe | 100% | Joe Sandbox ML |
No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
geoplugin.net | 178.237.33.50 | true | false | | high
Name | Malicious | Antivirus Detection | Reputation
http://geoplugin.net/json.gp | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://geoplugin.net/json.gp/C | preliminary drawing.pif.exe, 00000000.00000002.1391353670.0000000004AD8000.00000004.00000800.00020000.00000000.sdmp, preliminary drawing.pif.exe, 00000000.00000002.1391353670.0000000003FB8000.00000004.00000800.00020000.00000000.sdmp, preliminary drawing.pif.exe, 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | preliminary drawing.pif.exe, 00000000.00000002.1390345573.0000000002F71000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://geoplugin.net/json.gpSystem32 | preliminary drawing.pif.exe, 00000006.00000002.3830999102.0000000001292000.00000004.00000020.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
31.13.224.237 | unknown | Bulgaria | 48584 | SARNICA-ASBG | true
178.237.33.50 | geoplugin.net | Netherlands | 8455 | ATOM86-ASATOM86NL | false
                                Joe Sandbox version:42.0.0 Malachite
                                Analysis ID:1586798
                                Start date and time:2025-01-09 16:33:05 +01:00
                                Joe Sandbox product:CloudBasic
                                Overall analysis duration:0h 7m 41s
                                Hypervisor based Inspection enabled:false
                                Report type:full
                                Cookbook file name:default.jbs
                                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:12
                                Number of new started drivers analysed:0
                                Number of existing processes analysed:0
                                Number of existing drivers analysed:0
                                Number of injected processes analysed:0
                                Technologies:
                                • HCA enabled
                                • EGA enabled
                                • AMSI enabled
                                Analysis Mode:default
                                Analysis stop reason:Timeout
                                Sample name:preliminary drawing.pif.exe
                                Detection:MAL
                                Classification:mal100.rans.troj.spyw.expl.evad.winEXE@8/7@1/2
                                EGA Information:
                                • Successful, ratio: 100%
                                HCA Information:
                                • Successful, ratio: 99%
                                • Number of executed functions: 48
                                • Number of non-executed functions: 184
                                Cookbook Comments:
                                • Found application associated with file extension: .exe
                                • Override analysis time to 240000 for current running targets taking high CPU consumption
                                • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                                • Excluded IPs from analysis (whitelisted): 23.56.254.164, 172.202.163.200, 20.12.23.50
                                • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                                • Report size exceeded maximum capacity and may have missing behavior information.
                                • Report size getting too big, too many NtCreateKey calls found.
                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                • Report size getting too big, too many NtQueryValueKey calls found.
                                • VT rate limit hit for: preliminary drawing.pif.exe
Time | Type | Description
10:33:57 | API Interceptor | 4629096x Sleep call for process: preliminary drawing.pif.exe modified
10:33:58 | API Interceptor | 9x Sleep call for process: powershell.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
178.237.33.50 | DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | z58Swiftcopy_MT.bat.exe | malicious | Remcos, GuLoader | geoplugin.net/json.gp
178.237.33.50 | 173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | 1736348224ad77cf86e491faad27e4b5decf1eb0bb26f16b0527e5ef488389ba353aa3db79582.dat-decoded.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | 17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | 1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | 1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | 17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe | malicious | Remcos, GuLoader | geoplugin.net/json.gp
178.237.33.50 | c2.hta | malicious | Remcos | geoplugin.net/json.gp
Match | Associated Sample Name / URL | Detection | Threat Name | Context
geoplugin.net | DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | z58Swiftcopy_MT.bat.exe | malicious | Remcos, GuLoader | 178.237.33.50
geoplugin.net | 173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | 1736348224ad77cf86e491faad27e4b5decf1eb0bb26f16b0527e5ef488389ba353aa3db79582.dat-decoded.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | 17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | 1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | 1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | 17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe | malicious | Remcos, GuLoader | 178.237.33.50
geoplugin.net | c2.hta | malicious | Remcos | 178.237.33.50
Match | Associated Sample Name / URL | Detection | Threat Name | Context
SARNICA-ASBG | arm61.elf | malicious | Gafgyt, Mirai | 31.13.224.110
SARNICA-ASBG | sh4.elf | malicious | Gafgyt, Mirai | 31.13.224.110
SARNICA-ASBG | co.elf | malicious | Gafgyt, Mirai | 31.13.224.110
SARNICA-ASBG | ppc.elf | malicious | Gafgyt, Mirai | 31.13.224.110
SARNICA-ASBG | m68k.elf | malicious | Gafgyt, Mirai | 31.13.224.110
SARNICA-ASBG | dc.elf | malicious | Gafgyt, Mirai | 31.13.224.110
SARNICA-ASBG | dss.elf | malicious | Gafgyt, Mirai | 31.13.224.110
SARNICA-ASBG | 586.elf | malicious | Gafgyt, Mirai | 31.13.224.110
SARNICA-ASBG | mips.elf | malicious | Gafgyt, Mirai | 31.13.224.110
SARNICA-ASBG | mipsel.elf | malicious | Gafgyt, Mirai | 31.13.224.110
ATOM86-ASATOM86NL | DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | z58Swiftcopy_MT.bat.exe | malicious | Remcos, GuLoader | 178.237.33.50
ATOM86-ASATOM86NL | 173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | 1736348224ad77cf86e491faad27e4b5decf1eb0bb26f16b0527e5ef488389ba353aa3db79582.dat-decoded.exe | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | 17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | 1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | 1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | 17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe | malicious | Remcos, GuLoader | 178.237.33.50
ATOM86-ASATOM86NL | c2.hta | malicious | Remcos | 178.237.33.50
No context
                                Process:C:\Users\user\Desktop\preliminary drawing.pif.exe
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):1216
                                Entropy (8bit):5.34331486778365
                                Encrypted:false
                                SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                Malicious:true
                                Reputation:high, very likely benign file
                                Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                Process:C:\Users\user\Desktop\preliminary drawing.pif.exe
                                File Type:JSON data
                                Category:dropped
                                Size (bytes):963
                                Entropy (8bit):5.019506780280991
                                Encrypted:false
                                SSDEEP:12:tkluWJmnd6CsGkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzd:qlupdRNuKyGX85jvXhNlT3/7AcV9Wro
                                MD5:7459F6DA71CD5EAF9DBE2D20CA9434AC
                                SHA1:4F60E33E15277F7A632D8CD058EC7DF4728B40BC
                                SHA-256:364A445C3A222EE10A8816F78283BBD0503A5E5824B2A7F5DCD8E6DA9148AF6A
                                SHA-512:3A862711D78F6F97F07E01ACC0DCB54F595A23AACEA9F2BB9606382805E1E92C1ACE09E1446F312F3B6D4EE63435ABEF46F0C16F015BD505347A1BCF2E149841
                                Malicious:false
                                Reputation:moderate, very likely benign file
                                Preview:{. "geoplugin_request":"8.46.123.189",. "geoplugin_status":200,. "geoplugin_delay":"1ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"New York",. "geoplugin_region":"New York",. "geoplugin_regionCode":"NY",. "geoplugin_regionName":"New York",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"501",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"40.7123",. "geoplugin_longitude":"-74.0068",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}
                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1172
                                Entropy (8bit):5.356731422178564
                                Encrypted:false
                                SSDEEP:24:3CytZWSKco4KmZjKbmOIKod6emZ9tYs4RPQoUEJ0gt/NKIl9iagu:yyjWSU4xympjmZ9tz4RIoUl8NDv
                                MD5:36204EC3BBBDD36D0ADB61D77F70AFA6
                                SHA1:2F7D16D4F9510B3787284ACE833A441F322521BB
                                SHA-256:AFF976F94D625B8CF86B65471B6751F22C9956A017CD785E7258006D02506FB5
                                SHA-512:E7B1591C6ECDCFD4CCAF971AEF50FA8E610A92AC98C65B362E8F9CCCB604426BE229C6C2D4CF2E48F134039EDBAC2FBF8CE95EC9C03CBD0E353E869B6CC49E6C
                                Malicious:false
                                Reputation:moderate, very likely benign file
                                Preview:@...e.................................^..............@..........P................1]...E...........(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                File Type:ASCII text, with no line terminators
                                Category:dropped
                                Size (bytes):60
                                Entropy (8bit):4.038920595031593
                                Encrypted:false
                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                Malicious:false
                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                Entropy (8bit):7.948661870819783
                                TrID:
                                • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                • Win32 Executable (generic) a (10002005/4) 49.78%
                                • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                • Win16/32 Executable Delphi generic (2074/23) 0.01%
                                • Generic Win/DOS Executable (2004/3) 0.01%
                                File name:preliminary drawing.pif.exe
                                File size:1'005'056 bytes
                                MD5:164b1d640db37d9f5c95c23d816ffd69
                                SHA1:5fff09a87a47d38077a08aa917bab542e8317682
                                SHA256:425fae95f11030526dd3a7e8dd94e93a52146be446be6095a96f1af53b13deab
                                SHA512:067bb44a7871b2ea63780cc2a3ea01000d742490b1e65e3211fbd9f3c004d03002689a4575077cc6a34ff36af073897afad0d526f5fc9aecb05b491143370df6
                                SSDEEP:24576:ubmYZg5hIgJsKsVWArhOX79ObyTUk9GgnAn1bij:w9JgEWymbTU1gk0j
                                TLSH:3725232FBD65EA21CB690F7EDD62540042378C82E623F7B93AC81D611DA4F4CD10B967
                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....`.g.................*...*......NH... ........@.. ....................................`................................
                                Icon Hash:33362c2d36335470
                                Entrypoint:0x4f484e
                                Entrypoint Section:.text
                                Digitally signed:false
                                Imagebase:0x400000
                                Subsystem:windows gui
                                Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                Time Stamp:0x677F6089 [Thu Jan 9 05:37:13 2025 UTC]
                                TLS Callbacks:
                                CLR (.Net) Version:
                                OS Version Major:4
                                OS Version Minor:0
                                File Version Major:4
                                File Version Minor:0
                                Subsystem Version Major:4
                                Subsystem Version Minor:0
                                Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                Instruction
                                jmp dword ptr [00402000h]
                                 Name | Virtual Address | Virtual Size | Is in Section
                                 IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                 IMAGE_DIRECTORY_ENTRY_IMPORT | 0xf47f8 | 0x53 | .text
                                 IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xf6000 | 0x2800 | .rsrc
                                 IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                 IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                 IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xfa000 | 0xc | .reloc
                                 IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                 IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                 IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                 IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                 IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                 IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                 IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                 IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                 IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                 IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                 Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                 .text | 0x2000 | 0xf2854 | 0xf2a00 | a54adac104f30b39e476bb996627d0d8 | False | 0.9622707769835136 | data | 7.953043080627408 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                 .rsrc | 0xf6000 | 0x2800 | 0x2800 | c1199f285acfed1c1863d574f3e9b862 | False | 0.879296875 | data | 7.615541264071157 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                 .reloc | 0xfa000 | 0xc | 0x200 | b2bf475fa616c1701a66cfd1ca995186 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                 Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                 RT_ICON | 0xf60c8 | 0x2356 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9427371213796153
                                 RT_GROUP_ICON | 0xf8430 | 0x14 | data | | | 1.05
                                 RT_VERSION | 0xf8454 | 0x378 | data | | | 0.393018018018018
                                 DLL | Import
                                 mscoree.dll | _CorExeMain
                                 Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                                 2025-01-09T16:33:59.079186+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49708 | 31.13.224.237 | 2404 | TCP
                                 2025-01-09T16:34:00.927296+0100 | 2803304 | ETPRO MALWARE Common Downloader Header Pattern HCa | 3 | 192.168.2.8 | 49710 | 178.237.33.50 | 80 | TCP
                                 Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                 Jan 9, 2025 16:33:58.403950930 CET | 49708 | 2404 | 192.168.2.8 | 31.13.224.237
                                 Jan 9, 2025 16:33:58.408809900 CET | 2404 | 49708 | 31.13.224.237 | 192.168.2.8
                                 Jan 9, 2025 16:33:58.409101963 CET | 49708 | 2404 | 192.168.2.8 | 31.13.224.237
                                 Jan 9, 2025 16:33:58.414133072 CET | 49708 | 2404 | 192.168.2.8 | 31.13.224.237
                                 Jan 9, 2025 16:33:58.418968916 CET | 2404 | 49708 | 31.13.224.237 | 192.168.2.8
                                 Jan 9, 2025 16:33:59.023606062 CET | 2404 | 49708 | 31.13.224.237 | 192.168.2.8
                                 Jan 9, 2025 16:33:59.079185963 CET | 49708 | 2404 | 192.168.2.8 | 31.13.224.237
                                 Jan 9, 2025 16:33:59.158787966 CET | 2404 | 49708 | 31.13.224.237 | 192.168.2.8
                                 Jan 9, 2025 16:33:59.168128967 CET | 49708 | 2404 | 192.168.2.8 | 31.13.224.237
                                 Jan 9, 2025 16:33:59.172966003 CET | 2404 | 49708 | 31.13.224.237 | 192.168.2.8
                                 Jan 9, 2025 16:33:59.173093081 CET | 49708 | 2404 | 192.168.2.8 | 31.13.224.237
                                 Jan 9, 2025 16:33:59.177862883 CET | 2404 | 49708 | 31.13.224.237 | 192.168.2.8
                                 Jan 9, 2025 16:33:59.468405008 CET | 2404 | 49708 | 31.13.224.237 | 192.168.2.8
                                 Jan 9, 2025 16:33:59.470438004 CET | 49708 | 2404 | 192.168.2.8 | 31.13.224.237
                                 Jan 9, 2025 16:33:59.475260019 CET | 2404 | 49708 | 31.13.224.237 | 192.168.2.8
                                 Jan 9, 2025 16:33:59.587198973 CET | 2404 | 49708 | 31.13.224.237 | 192.168.2.8
                                 Jan 9, 2025 16:33:59.641743898 CET | 49708 | 2404 | 192.168.2.8 | 31.13.224.237
                                 Jan 9, 2025 16:34:00.098340988 CET | 49710 | 80 | 192.168.2.8 | 178.237.33.50
                                 Jan 9, 2025 16:34:00.307550907 CET | 80 | 49710 | 178.237.33.50 | 192.168.2.8
                                 Jan 9, 2025 16:34:00.310022116 CET | 49710 | 80 | 192.168.2.8 | 178.237.33.50
                                 Jan 9, 2025 16:34:00.310174942 CET | 49710 | 80 | 192.168.2.8 | 178.237.33.50
                                 Jan 9, 2025 16:34:00.321376085 CET | 80 | 49710 | 178.237.33.50 | 192.168.2.8
                                 Jan 9, 2025 16:34:00.926242113 CET | 80 | 49710 | 178.237.33.50 | 192.168.2.8
                                 Jan 9, 2025 16:34:00.927295923 CET | 49710 | 80 | 192.168.2.8 | 178.237.33.50
                                 Jan 9, 2025 16:34:00.995336056 CET | 49708 | 2404 | 192.168.2.8 | 31.13.224.237
                                 Jan 9, 2025 16:34:01.000128031 CET | 2404 | 49708 | 31.13.224.237 | 192.168.2.8
                                 Jan 9, 2025 16:34:01.926122904 CET | 80 | 49710 | 178.237.33.50 | 192.168.2.8
                                 Jan 9, 2025 16:34:01.926179886 CET | 49710 | 80 | 192.168.2.8 | 178.237.33.50
                                 Jan 9, 2025 16:34:17.352967024 CET | 2404 | 49708 | 31.13.224.237 | 192.168.2.8
                                 Jan 9, 2025 16:34:17.386709929 CET | 49708 | 2404 | 192.168.2.8 | 31.13.224.237
                                 Jan 9, 2025 16:34:17.391520977 CET | 2404 | 49708 | 31.13.224.237 | 192.168.2.8
                                 Jan 9, 2025 16:34:47.403455019 CET | 2404 | 49708 | 31.13.224.237 | 192.168.2.8
                                 Jan 9, 2025 16:34:47.405204058 CET | 49708 | 2404 | 192.168.2.8 | 31.13.224.237
                                 Jan 9, 2025 16:34:47.410074949 CET | 2404 | 49708 | 31.13.224.237 | 192.168.2.8
                                 Jan 9, 2025 16:35:17.378963947 CET | 2404 | 49708 | 31.13.224.237 | 192.168.2.8
                                 Jan 9, 2025 16:35:17.380819082 CET | 49708 | 2404 | 192.168.2.8 | 31.13.224.237
                                 Jan 9, 2025 16:35:17.385813951 CET | 2404 | 49708 | 31.13.224.237 | 192.168.2.8
                                 Jan 9, 2025 16:35:47.416977882 CET | 2404 | 49708 | 31.13.224.237 | 192.168.2.8
                                 Jan 9, 2025 16:35:47.418656111 CET | 49708 | 2404 | 192.168.2.8 | 31.13.224.237
                                 Jan 9, 2025 16:35:47.423504114 CET | 2404 | 49708 | 31.13.224.237 | 192.168.2.8
                                 Jan 9, 2025 16:35:50.063786983 CET | 49710 | 80 | 192.168.2.8 | 178.237.33.50
                                 Jan 9, 2025 16:35:50.766832113 CET | 49710 | 80 | 192.168.2.8 | 178.237.33.50
                                 Jan 9, 2025 16:35:52.157426119 CET | 49710 | 80 | 192.168.2.8 | 178.237.33.50
                                 Jan 9, 2025 16:35:54.923063040 CET | 49710 | 80 | 192.168.2.8 | 178.237.33.50
                                 Jan 9, 2025 16:36:00.454659939 CET | 49710 | 80 | 192.168.2.8 | 178.237.33.50
                                 Jan 9, 2025 16:36:11.501271009 CET | 49710 | 80 | 192.168.2.8 | 178.237.33.50
                                 Jan 9, 2025 16:36:17.440550089 CET | 2404 | 49708 | 31.13.224.237 | 192.168.2.8
                                 Jan 9, 2025 16:36:17.442281961 CET | 49708 | 2404 | 192.168.2.8 | 31.13.224.237
                                 Jan 9, 2025 16:36:17.447124004 CET | 2404 | 49708 | 31.13.224.237 | 192.168.2.8
                                 Jan 9, 2025 16:36:33.595026970 CET | 49710 | 80 | 192.168.2.8 | 178.237.33.50
                                 Jan 9, 2025 16:36:47.456254005 CET | 2404 | 49708 | 31.13.224.237 | 192.168.2.8
                                 Jan 9, 2025 16:36:47.458802938 CET | 49708 | 2404 | 192.168.2.8 | 31.13.224.237
                                 Jan 9, 2025 16:36:47.463690996 CET | 2404 | 49708 | 31.13.224.237 | 192.168.2.8
                                 Jan 9, 2025 16:37:17.477644920 CET | 2404 | 49708 | 31.13.224.237 | 192.168.2.8
                                 Jan 9, 2025 16:37:17.479738951 CET | 49708 | 2404 | 192.168.2.8 | 31.13.224.237
                                 Jan 9, 2025 16:37:17.484503984 CET | 2404 | 49708 | 31.13.224.237 | 192.168.2.8
                                 Jan 9, 2025 16:37:47.511533022 CET | 2404 | 49708 | 31.13.224.237 | 192.168.2.8
                                 Jan 9, 2025 16:37:47.512996912 CET | 49708 | 2404 | 192.168.2.8 | 31.13.224.237
                                 Jan 9, 2025 16:37:47.518243074 CET | 2404 | 49708 | 31.13.224.237 | 192.168.2.8
                                 Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                 Jan 9, 2025 16:34:00.085454941 CET | 64081 | 53 | 192.168.2.8 | 1.1.1.1
                                 Jan 9, 2025 16:34:00.092577934 CET | 53 | 64081 | 1.1.1.1 | 192.168.2.8
                                 Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                 Jan 9, 2025 16:34:00.085454941 CET | 192.168.2.8 | 1.1.1.1 | 0xe2c6 | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false
                                 Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                 Jan 9, 2025 16:34:00.092577934 CET | 1.1.1.1 | 192.168.2.8 | 0xe2c6 | No error (0) | geoplugin.net | | 178.237.33.50 | A (IP address) | IN (0x0001) | false
                                • geoplugin.net
                                 Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                 0 | 192.168.2.8 | 49710 | 178.237.33.50 | 80 | 7500 | C:\Users\user\Desktop\preliminary drawing.pif.exe
                                 Timestamp | Bytes transferred | Direction | Data
                                 Jan 9, 2025 16:34:00.310174942 CET | 71 | OUT | GET /json.gp HTTP/1.1
                                Host: geoplugin.net
                                Cache-Control: no-cache
                                 Jan 9, 2025 16:34:00.926242113 CET | 1171 | IN | HTTP/1.1 200 OK
                                date: Thu, 09 Jan 2025 15:34:00 GMT
                                server: Apache
                                content-length: 963
                                content-type: application/json; charset=utf-8
                                cache-control: public, max-age=300
                                access-control-allow-origin: *
                                Data Ascii: { "geoplugin_request":"8.46.123.189", "geoplugin_status":200, "geoplugin_delay":"1ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7123", "geoplugin_longitude":"-74.0068", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}


                                Target ID:0
                                Start time:10:33:56
                                Start date:09/01/2025
                                Path:C:\Users\user\Desktop\preliminary drawing.pif.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Users\user\Desktop\preliminary drawing.pif.exe"
                                Imagebase:0xb80000
                                File size:1'005'056 bytes
                                MD5 hash:164B1D640DB37D9F5C95C23D816FFD69
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1394103422.00000000071B0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1391353670.0000000003F79000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000002.1391353670.0000000004AD8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.1391353670.0000000004AD8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.1391353670.0000000004AD8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.1391353670.0000000004AD8000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000002.1391353670.0000000003FB8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.1391353670.0000000003FB8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.1391353670.0000000003FB8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1391353670.0000000003FB8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.1391353670.0000000003FB8000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                Reputation:low
                                Has exited:true

                                Target ID:3
                                Start time:10:33:57
                                Start date:09/01/2025
                                Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\preliminary drawing.pif.exe"
                                Imagebase:0xdc0000
                                File size:433'152 bytes
                                MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:4
                                Start time:10:33:57
                                Start date:09/01/2025
                                Path:C:\Users\user\Desktop\preliminary drawing.pif.exe
                                Wow64 process (32bit):false
                                Commandline:"C:\Users\user\Desktop\preliminary drawing.pif.exe"
                                Imagebase:0x290000
                                File size:1'005'056 bytes
                                MD5 hash:164B1D640DB37D9F5C95C23D816FFD69
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:low
                                Has exited:true

                                Target ID:5
                                Start time:10:33:57
                                Start date:09/01/2025
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff6ee680000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:6
                                Start time:10:33:57
                                Start date:09/01/2025
                                Path:C:\Users\user\Desktop\preliminary drawing.pif.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Users\user\Desktop\preliminary drawing.pif.exe"
                                Imagebase:0xac0000
                                File size:1'005'056 bytes
                                MD5 hash:164B1D640DB37D9F5C95C23D816FFD69
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000006.00000002.3830999102.0000000001292000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000006.00000002.3830999102.0000000001277000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                 • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                Reputation:low
                                Has exited:false


                                  Execution Graph

                                  Execution Coverage:10.6%
                                  Dynamic/Decrypted Code Coverage:100%
                                  Signature Coverage:13%
                                  Total number of Nodes:23
                                  Total number of Limit Nodes:3

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1395128898.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7310000_preliminary drawing.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: \ lw
                                  • API String ID: 0-2684086738
                                  • Opcode ID: 257cc63973d9b11b8507a84c7b04cd5de6f754339399ae46d91a1925eb52a709
                                  • Instruction ID: 20fcee36fdf16951192c7e4469168919703c51d60bb8e31f9a33031e9b1c58ee
                                  • Opcode Fuzzy Hash: 257cc63973d9b11b8507a84c7b04cd5de6f754339399ae46d91a1925eb52a709
                                  • Instruction Fuzzy Hash: A1B2A275E00228CFDB65CF69C984AD9BBB2BF89304F1581E9D50DAB225DB319E81CF40

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1395128898.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7310000_preliminary drawing.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 5784a932d611f0cb744967113114aec82c4507d09f1018be7c19e95dd7ee886a
                                  • Instruction ID: 26f30a756b74703edd31fa9dc42223b970145d50e076f6ff3c1e671596b94864
                                  • Opcode Fuzzy Hash: 5784a932d611f0cb744967113114aec82c4507d09f1018be7c19e95dd7ee886a
                                  • Instruction Fuzzy Hash: 124240B0A002188FEB58DFA9C8547AEBBF6BF88300F14C569D509AB345DB349D45CF95

7311f34-7311f40 704->727 704->728 715 7311db9-7311dbd 709->715 716 7311d24-7311d2a 710->716 717 7311d2c-7311d31 710->717 712->603 720 7311e9e-7311ea1 712->720 719 7311ea4-7311eb5 713->719 725 7311ddc-7311de8 715->725 726 7311dbf-7311dd9 715->726 723 7311d37-7311d3d 716->723 717->723 762 7311eb7 call 7312400 719->762 763 7311eb7 call 73123ef 719->763 720->719 731 7311d43-7311d48 723->731 732 7311d3f-7311d41 723->732 725->646 725->647 726->725 728->603 738 7311d4a-7311d5c 731->738 732->738 735 7311ebd-7311ec5 735->704 743 7311d66-7311d6b 738->743 744 7311d5e-7311d64 738->744 745 7311d71-7311d78 743->745 744->745 749 7311d7a-7311d7c 745->749 750 7311d7e 745->750 753 7311d83-7311d8e 749->753 750->753 754 7311d90-7311d93 753->754 755 7311db2 753->755 754->715 757 7311d95-7311d9b 754->757 755->715 758 7311da2-7311dab 757->758 759 7311d9d-7311da0 757->759 758->715 761 7311dad-7311db0 758->761 759->755 759->758 761->715 761->755 762->735 763->735
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1395128898.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7310000_preliminary drawing.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 8ba79f3c4eeaf8a11fc164315ea3e882ca15918274ff6ab37546baa7c9c5f199
                                  • Instruction ID: 9bd1fe9da773a8ce29c458948c8a7dac6b10c4585d75ba116cdc5700b839f03d
                                  • Opcode Fuzzy Hash: 8ba79f3c4eeaf8a11fc164315ea3e882ca15918274ff6ab37546baa7c9c5f199
                                  • Instruction Fuzzy Hash: B6C14CB5E00259CFEF18CFA5C8807DABBB2BF89310F14C1A9D549AB255EB309985CF51

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 764 7311a28-7311a60 766 7311f43-7311fac 764->766 767 7311a66-7311a6b 764->767 774 7311fb3-731203b 766->774 767->766 768 7311a71-7311a8e 767->768 768->774 775 7311a94-7311a98 768->775 820 7312046-73120c6 774->820 776 7311aa7-7311aab 775->776 777 7311a9a-7311aa4 call 73113f4 775->777 781 7311aba-7311ac1 776->781 782 7311aad-7311ab7 call 73113f4 776->782 777->776 784 7311ac7-7311af7 781->784 785 7311bdc-7311be1 781->785 782->781 795 73122c6-7312346 784->795 798 7311afd-7311bd0 call 7311400 * 2 784->798 788 7311be3-7311be7 785->788 789 7311be9-7311bee 785->789 788->789 792 7311bf0-7311bf4 788->792 793 7311c00-7311c30 call 731140c * 3 789->793 792->795 796 7311bfa-7311bfd 792->796 793->820 821 7311c36-7311c39 793->821 811 7312348-731234e 795->811 812 731234f-731236c 795->812 796->793 798->785 829 7311bd2 798->829 811->812 837 73120cd-731214f 820->837 821->820 824 7311c3f-7311c41 821->824 824->820 827 7311c47-7311c7c 824->827 836 7311c82-7311c8b 827->836 827->837 829->785 838 7311c91-7311ceb call 731140c * 2 call 731141c * 2 836->838 839 7311dee-7311df2 836->839 841 7312157-73121d9 837->841 885 7311cfd 838->885 886 7311ced-7311cf6 838->886 839->841 842 7311df8-7311dfc 839->842 846 73121e1-731220e 841->846 842->846 847 7311e02-7311e08 842->847 858 7312215-7312295 846->858 850 7311e0a 847->850 851 7311e0c-7311e41 847->851 856 7311e48-7311e4e 850->856 851->856 856->858 859 7311e54-7311e5c 856->859 920 731229c-73122be 858->920 864 7311e63-7311e65 859->864 865 7311e5e-7311e62 859->865 870 7311ec7-7311ecd 864->870 871 7311e67-7311e6a 864->871 865->864 879 7311eec-7311f1a 870->879 880 7311ecf-7311eea 870->880 882 7311e74-7311e8b 871->882 896 7311f22-7311f2e 879->896 880->896 904 7311e94-7311e98 882->904 905 7311e8d-7311e92 882->905 888 7311d01-7311d03 885->888 886->888 892 7311cf8-7311cfb 886->892 894 7311d05 888->894 895 7311d0a-7311d0e 888->895 892->888 894->895 901 7311d10-7311d17 895->901 902 7311d1c-7311d22 895->902 919 
7311f34-7311f40 896->919 896->920 907 7311db9-7311dbd 901->907 908 7311d24-7311d2a 902->908 909 7311d2c-7311d31 902->909 904->795 912 7311e9e-7311ea1 904->912 911 7311ea4-7311eb5 905->911 917 7311ddc-7311de8 907->917 918 7311dbf-7311dd9 907->918 915 7311d37-7311d3d 908->915 909->915 954 7311eb7 call 7312400 911->954 955 7311eb7 call 73123ef 911->955 912->911 923 7311d43-7311d48 915->923 924 7311d3f-7311d41 915->924 917->838 917->839 918->917 920->795 930 7311d4a-7311d5c 923->930 924->930 927 7311ebd-7311ec5 927->896 935 7311d66-7311d6b 930->935 936 7311d5e-7311d64 930->936 937 7311d71-7311d78 935->937 936->937 941 7311d7a-7311d7c 937->941 942 7311d7e 937->942 945 7311d83-7311d8e 941->945 942->945 946 7311d90-7311d93 945->946 947 7311db2 945->947 946->907 949 7311d95-7311d9b 946->949 947->907 950 7311da2-7311dab 949->950 951 7311d9d-7311da0 949->951 950->907 953 7311dad-7311db0 950->953 951->947 951->950 953->907 953->947 954->927 955->927
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1395128898.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7310000_preliminary drawing.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 574f3a3f6e6280249f78aa5c4fd60cc79a3527d0ee55dc3dee94128afe00477c
                                  • Instruction ID: 613cd15310e93bc266add1dfd6f2c9b24dcb8380aa7eed47c93ea7055ec0fb52
                                  • Opcode Fuzzy Hash: 574f3a3f6e6280249f78aa5c4fd60cc79a3527d0ee55dc3dee94128afe00477c
                                  • Instruction Fuzzy Hash: 2DC13DB5E00259CFEF19CFA5C8807DABBB2BF88310F14C1A9D549AB255EB309985CF51

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 1101 731abf0-731ac15 1102 731ac17 1101->1102 1103 731ac1c-731ad53 call 731a340 call 73177e8 call 731a340 1101->1103 1102->1103 1116 731ac7b-731ad68 1103->1116 1118 731ad6a-731ad83 call 7319de0 1116->1118 1119 731ad1c-731ad3b call 7319db0 1116->1119 1125 731ac56-731ac5c 1118->1125 1126 731ad89-731ad8a 1118->1126 1124 731ad41-731ad42 1119->1124 1119->1125 1124->1125 1128 731ac65-731ac66 1125->1128 1129 731ac5e 1125->1129 1130 731adf5-731ae1e 1128->1130 1129->1119 1129->1128 1129->1130 1131 731ade9-731adf2 1129->1131 1132 731ad58-731ad59 1129->1132 1133 731ac6b-731ac6f 1129->1133 1134 731ad8f-731add8 call 7319db0 1129->1134 1135 731acae-731ad5f 1129->1135 1148 731ae21 call 731b110 1130->1148 1149 731ae21 call 731b100 1130->1149 1137 731acba-731acd1 1132->1137 1133->1134 1138 731ac75-731ae32 1133->1138 1134->1125 1147 731adde-731ade4 1134->1147 1135->1131 1137->1125 1138->1116 1143 731ae27-731ae28 1143->1137 1147->1125 1148->1143 1149->1143
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1395128898.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7310000_preliminary drawing.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: e25d0b28a51252149d0113af9fdf36fbb256bc22aa834009db8942b9686a9e46
                                  • Instruction ID: aa9766c22eb6a1b6ada93ca886267cb84f6fa18f2ba5241a0c993ce7719a6e32
                                  • Opcode Fuzzy Hash: e25d0b28a51252149d0113af9fdf36fbb256bc22aa834009db8942b9686a9e46
                                  • Instruction Fuzzy Hash: 5961F6B5D1A209CFEB18DFA9D4446EEBBBAAF8A302F10D029E419A7315DB345945CF40
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1395524447.0000000007470000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: true
                                  • Associated: 00000000.00000002.1395186391.00000000073B0000.00000004.08000000.00040000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_73b0000_preliminary drawing.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 010e46a89a5fad8d83bce70f72ec5cae81e021f7599dcd55182e71be8719a426
                                  • Instruction ID: 181ba9878a34a2e52dc775903aad28a8d2a815d6fbf2f0015c7147580bc3cbcb
                                  • Opcode Fuzzy Hash: 010e46a89a5fad8d83bce70f72ec5cae81e021f7599dcd55182e71be8719a426
                                  • Instruction Fuzzy Hash: 2631D3B0D15618CBEB18CFAAD8443EEBAF6AFC9311F14C42AD409A6264DB740946CF50

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 174 7312400-7312425 call 731143c 177 7312427-7312437 174->177 178 731243a-73124cc CreateIconFromResourceEx 174->178 182 73124d5-73124f2 178->182 183 73124ce-73124d4 178->183 183->182
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1395128898.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7310000_preliminary drawing.jbxd
                                  Similarity
                                  • API ID: CreateFromIconResource
                                  • String ID:
                                  • API String ID: 3668623891-0
                                  • Opcode ID: f43ee1d8a69e954e7fdcec4ec006cef3f0e2896897ba565f63027cba06b59000
                                  • Instruction ID: daecac35577680ab84448b637bcfaff64a3ec9f0d2098e14ae982f9f48945a87
                                  • Opcode Fuzzy Hash: f43ee1d8a69e954e7fdcec4ec006cef3f0e2896897ba565f63027cba06b59000
                                  • Instruction Fuzzy Hash: C73198B29003599FDB11DFA9C844ADABFF8EF09210F04806AEA58A7261C7359854DFA1

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 186 731143c-73124cc CreateIconFromResourceEx 188 73124d5-73124f2 186->188 189 73124ce-73124d4 186->189 189->188
                                  APIs
                                  • CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?,?,?,?,0731241A,?,?,?,?,?), ref: 073124BF
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1395128898.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7310000_preliminary drawing.jbxd
                                  Similarity
                                  • API ID: CreateFromIconResource
                                  • String ID:
                                  • API String ID: 3668623891-0
                                  • Opcode ID: bd09749b3c5aed98b568b738efd2b282fa79b966015dcddf0f8c3ca4bbf4fa92
                                  • Instruction ID: c2358296217713bb49da7eb5f06a64c8ef703e2cf1f59604fb12d1bc299ea727
                                  • Opcode Fuzzy Hash: bd09749b3c5aed98b568b738efd2b282fa79b966015dcddf0f8c3ca4bbf4fa92
                                  • Instruction Fuzzy Hash: 081159B590035D9FDB10DF9AC844BDEBFF8EB48320F14841AE918A7250C775A950CFA4

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 192 7312449-73124cc CreateIconFromResourceEx 193 73124d5-73124f2 192->193 194 73124ce-73124d4 192->194 194->193
                                  APIs
                                  • CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?,?,?,?,0731241A,?,?,?,?,?), ref: 073124BF
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1395128898.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7310000_preliminary drawing.jbxd
                                  Similarity
                                  • API ID: CreateFromIconResource
                                  • String ID:
                                  • API String ID: 3668623891-0
                                  • Opcode ID: 7423ffcd723cf2d1e2a14b198c17e305a5742e927e764f5e2d89364d2843dee9
                                  • Instruction ID: 9ec31b7740a7c76b1a998c976378294a6764b48ccb053ea32cd00a6a825a47b3
                                  • Opcode Fuzzy Hash: 7423ffcd723cf2d1e2a14b198c17e305a5742e927e764f5e2d89364d2843dee9
                                  • Instruction Fuzzy Hash: F71156B68002599FDB10CFA9C944BDEBBF8EF48320F14841AE518A7250C3399950DFA0
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1388020857.000000000134D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0134D000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_134d000_preliminary drawing.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: bb873f0c84fd9f7bfd897616fb4ce5cc2b31d5aefd40d830946ee369e540ba1b
                                  • Instruction ID: dfa9d9e71b54fa7b06ec699c757bbd500b57eb1d934f93fbd25d05b91b324a73
                                  • Opcode Fuzzy Hash: bb873f0c84fd9f7bfd897616fb4ce5cc2b31d5aefd40d830946ee369e540ba1b
                                  • Instruction Fuzzy Hash: EC212271604304EFDB01DF94D9C4B26BBE5FB94328F20C66DE8094B392C336E406CA61
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1388020857.000000000134D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0134D000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_134d000_preliminary drawing.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: ab3ebb07849613aca4b5487137839d700eb179799cd5544d7b0c7d99fc600034
                                  • Instruction ID: e5f21564456e0b68847c2447eee1764edadc468f4c9bf54904751c986ae43237
                                  • Opcode Fuzzy Hash: ab3ebb07849613aca4b5487137839d700eb179799cd5544d7b0c7d99fc600034
                                  • Instruction Fuzzy Hash: A4212275604304DFDB15DF94D884B16BBA5FB94318F20C56DD80A0B786C33AE407CA62
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1388020857.000000000134D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0134D000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_134d000_preliminary drawing.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: f6775f29a434c4dd500d0d5f9d4285a96fe5fcce260ec1a1fdc8c91b2b0fbd11
                                  • Instruction ID: 41a19c4e2af7591d9b5b7e34719f2e6da7de66bcf4b9b67e4d9097369f2e79ee
                                  • Opcode Fuzzy Hash: f6775f29a434c4dd500d0d5f9d4285a96fe5fcce260ec1a1fdc8c91b2b0fbd11
                                  • Instruction Fuzzy Hash: AF2192755083809FCB03CF54D994711BFB1EB46314F28C5DAD8498F2A7C33A9806CB62
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1388020857.000000000134D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0134D000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_134d000_preliminary drawing.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 8009cd9747851c6a16484d38da83a80e1112e09f0888f91abd329c0e09305381
                                  • Instruction ID: 9b37fe1dcef008c1d036e5f5d5f5952c5f1d60338dc7438aadbc3e12ad84962b
                                  • Opcode Fuzzy Hash: 8009cd9747851c6a16484d38da83a80e1112e09f0888f91abd329c0e09305381
                                  • Instruction Fuzzy Hash: 6F11BB75504280DFCB02CF54C5C4B15BBB2FB84228F24C6ADD8494B296C33AE40ACB61
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1387902615.000000000133D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0133D000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_133d000_preliminary drawing.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: f6859d9f77561f0dcbe11de96a85ae90de8993296b5280469edc453e1c309475
                                  • Instruction ID: 48e115c594f82959a4e6661116d88cfa58fd2e9dd5ff745a3ff00d0d32a251b3
                                  • Opcode Fuzzy Hash: f6859d9f77561f0dcbe11de96a85ae90de8993296b5280469edc453e1c309475
                                  • Instruction Fuzzy Hash: 0601F7710043889BF7125E65CC84B66BF9CEFC1669F54C51AED090B682D7399400CB75
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1387902615.000000000133D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0133D000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_133d000_preliminary drawing.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 060617c108aac01ca63c54931b062c1a4ed6963520f3d7cfe03a939f2a7ebc91
                                  • Instruction ID: 67ae3f509e6df21d3ec51c4bc6f43d60afeed8a8246a97ea46b6935fe559b57d
                                  • Opcode Fuzzy Hash: 060617c108aac01ca63c54931b062c1a4ed6963520f3d7cfe03a939f2a7ebc91
                                  • Instruction Fuzzy Hash: 61F096714043849FE7119E19DC84B62FFD8EB85678F18C55AED084B2C7D3799844CBB5
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1395128898.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7310000_preliminary drawing.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 9168034ca2d3f9c1baeb7211d3c0d650a1e359a765a250b2ddf7832c3355086e
                                  • Instruction ID: 5dcce00b64ef2d812c719e86bd40d8c1885ebff7fbabe3a1ed963b50fa68d099
                                  • Opcode Fuzzy Hash: 9168034ca2d3f9c1baeb7211d3c0d650a1e359a765a250b2ddf7832c3355086e
                                  • Instruction Fuzzy Hash: 7DB174B5E01658CFDB58DF6AC984ADDBBF2BF88301F14C1A9D409AB324DB305A858F50
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1395128898.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7310000_preliminary drawing.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 1929c31ebfc9560de940f87db432954bad5fa3bb32322554c626ba3a884f2ef3
                                  • Instruction ID: e1909bdf74988128466311a1e0bfe25efdae953a911ae6be74b542670e69ad14
                                  • Opcode Fuzzy Hash: 1929c31ebfc9560de940f87db432954bad5fa3bb32322554c626ba3a884f2ef3
                                  • Instruction Fuzzy Hash: 61611970A103098FDB09EF6AE9516AEBFF6FFC8200F14D529D005AB268EB745906CF51
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1395128898.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7310000_preliminary drawing.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: ef3785aae9938a7556d211271101362b019cf68b63efb8fe74fbd1e925c5a190
                                  • Instruction ID: 51e0497aad63d539b5cba1c6c145b25a72e9c749f7ae374a572b6b33dd50af46
                                  • Opcode Fuzzy Hash: ef3785aae9938a7556d211271101362b019cf68b63efb8fe74fbd1e925c5a190
                                  • Instruction Fuzzy Hash: DE61F970A103098FDB09EF6AE9516AEBBF6FFD8200F14D529D405AB358EB745906CF41

                                  Execution Graph

                                  Execution Coverage: 3.9%
                                  Dynamic/Decrypted Code Coverage: 0%
                                  Signature Coverage: 5.4%
                                  Total number of Nodes: 1237
                                  Total number of Limit Nodes: 65
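The execution graph that follows is serialized as a flat edge list: each node is written as `<id> <hex address> [annotations...]`, where annotations are the API names or CRT symbols Joe Sandbox attached to that basic block (for example `41a56c InternetReadFile` or `43294a CryptAcquireContextA`), and edges appear inline as `<id>-><id>`. Reading it by eye is tedious, so the script below parses the format and answers the triage question a practitioner usually has: which Win32 calls are reachable from a given function, such as the WinINet downloader at 41a52b. This is an added example, not part of the Joe Sandbox report or its tooling. The embedded sample is a constructed excerpt modelled on the report's own 41a52b, 426040 and 4260a1 nodes, and the CamelCase rule used to recognize API names is a heuristic of this example (it also admits CRT internals such as `BuildCatchObjectHelperInternal`), not something the report defines.

```python
"""Parse a Joe Sandbox execution_graph edge list and list the API calls
reachable from a given function address.

Added example for reading this report's listing; not part of Joe Sandbox.
"""
import re
from collections import defaultdict, deque

# Constructed sample in the report's execution_graph format (modelled on the
# 41a52b downloader and the 426040/4260a1 recv/send stubs in this report).
SAMPLE = (
    "execution_graph 46860 414dba 46875 41a52b 46860->46875 "
    "46876 41a539 46875->46876 46900 43a89c 46876->46900 "
    "46879 41a56c InternetReadFile 46883 41a58f 46879->46883 "
    "46881 41a5bc InternetCloseHandle InternetCloseHandle 46882 41a5ce 46881->46882 "
    "46883->46879 46883->46881 46884 401eea 11 API calls 46883->46884 46884->46883 "
    "46902 446b0f _strftime 46900->46902 46901 446b4d 46912 445364 20 API calls _abort "
    "46901->46912 46902->46901 46904 446b38 RtlAllocateHeap 46902->46904 "
    "46905 41a543 InternetOpenW InternetOpenUrlW 46904->46905 46905->46879 "
    "46752 426040 46757 426107 recv 46752->46757 46758 4260a1 46763 42611e send 46758->46763"
)

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
NODE_ID_RE = re.compile(r"^\d+$")
# Block address as Joe prints it: lowercase hex, optionally a start-end range.
ADDR_RE = re.compile(r"^[0-9a-f]{4,8}(-[0-9a-f]{4,8})?$")
# Heuristic (assumption of this example): Win32 exports are CamelCase with at
# least one lowercase letter, which rejects noise like "API" or "calls" but
# also accepts CRT-internal names. Lowercase Winsock exports need a list.
API_RE = re.compile(r"^[A-Z][A-Za-z0-9]*[a-z][A-Za-z0-9]*$")
LOWERCASE_APIS = {"recv", "send"}


def parse_graph(text):
    """Return (nodes, edges): nodes maps id -> (addr, [annotations]),
    edges maps id -> [successor ids]."""
    tokens = text.split()
    nodes, edges = {}, defaultdict(list)
    current = None
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        edge = EDGE_RE.match(tok)
        if edge:
            edges[edge.group(1)].append(edge.group(2))
        elif (NODE_ID_RE.match(tok) and i + 1 < len(tokens)
              and ADDR_RE.match(tokens[i + 1])):
            # "<id> <addr>" opens a new node; the address is consumed here.
            current = tok
            nodes[current] = (tokens[i + 1], [])
            i += 1
        elif current is not None:
            # Anything else belongs to the node most recently opened
            # ("11 API calls", "_abort", "InternetReadFile", ...).
            nodes[current][1].append(tok)
        i += 1
    return nodes, dict(edges)


def reachable_apis(nodes, edges, root_addr):
    """Breadth-first walk from every node at root_addr, collecting the
    API-like annotations on every reachable block. The result is a
    reachability set, not a call order."""
    roots = [nid for nid, (addr, _) in nodes.items() if addr == root_addr]
    seen, queue, apis = set(roots), deque(roots), set()
    while queue:
        nid = queue.popleft()
        for tok in nodes[nid][1]:
            if API_RE.match(tok) or tok in LOWERCASE_APIS:
                apis.add(tok)
        for succ in edges.get(nid, []):
            if succ in nodes and succ not in seen:
                seen.add(succ)
                queue.append(succ)
    return apis


if __name__ == "__main__":
    g_nodes, g_edges = parse_graph(SAMPLE)
    for root in ("41a52b", "426040", "4260a1"):
        print(root, sorted(reachable_apis(g_nodes, g_edges, root)))
```

Run against the full listing (paste the `execution_graph ...` text into `SAMPLE` or read it from a file), the same walk from 41d4e0 surfaces the CryptAcquireContextA/CryptGenRandom/CryptReleaseContext chain and from 40d767 the LoadLibraryA/GetProcAddress resolver, which is a faster way to tie the report's behaviour signatures back to concrete function addresses than scrolling the raw edge list.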
                                  execution_graph 46716 41d4e0 46717 41d4f6 ctype ___scrt_fastfail 46716->46717 46731 41d6f3 46717->46731 46737 431fa9 21 API calls ___crtLCMapStringA 46717->46737 46720 41d704 46725 41d744 46720->46725 46730 41d770 46720->46730 46733 431fa9 21 API calls ___crtLCMapStringA 46720->46733 46721 41d6a6 ___scrt_fastfail 46721->46725 46738 431fa9 21 API calls ___crtLCMapStringA 46721->46738 46726 41d73d ___scrt_fastfail 46726->46725 46734 43265f 46726->46734 46728 41d6ce ___scrt_fastfail 46728->46725 46739 431fa9 21 API calls ___crtLCMapStringA 46728->46739 46730->46725 46740 41d484 21 API calls ___scrt_fastfail 46730->46740 46731->46725 46732 41d081 DeleteCriticalSection EnterCriticalSection LeaveCriticalSection ___scrt_fastfail 46731->46732 46732->46720 46733->46726 46741 43257f 46734->46741 46736 432667 46736->46730 46737->46721 46738->46728 46739->46731 46740->46725 46742 432598 46741->46742 46745 43258e 46741->46745 46742->46745 46747 431fa9 21 API calls ___crtLCMapStringA 46742->46747 46744 4325b9 46744->46745 46748 43294a CryptAcquireContextA 46744->46748 46745->46736 46747->46744 46749 43296b CryptGenRandom 46748->46749 46750 432966 46748->46750 46749->46750 46751 432980 CryptReleaseContext 46749->46751 46750->46745 46751->46750 46752 426040 46757 426107 recv 46752->46757 46758 4260a1 46763 42611e send 46758->46763 46764 425e66 46765 425e7b 46764->46765 46768 425f1b 46764->46768 46766 425f35 46765->46766 46767 425f6a 46765->46767 46765->46768 46769 425ec9 46765->46769 46770 425f87 46765->46770 46771 425fae 46765->46771 46777 425efe 46765->46777 46792 424364 48 API calls ctype 46765->46792 46766->46767 46766->46768 46795 41f085 52 API calls 46766->46795 46767->46770 46796 424b8b 21 API calls 46767->46796 46769->46768 46769->46777 46793 41f085 52 API calls 46769->46793 46770->46768 46770->46771 46780 424f88 46770->46780 46771->46768 46797 4255d7 28 API calls 46771->46797 46777->46766 46777->46768 46794 424364 48 API calls ctype 
4082dc 28 API calls 48236->48239 48237 4082dc 28 API calls 48237->48243 48238->48235 48242 40e619 48239->48242 48241 41ae18 28 API calls 48241->48243 48244 41ae18 28 API calls 48242->48244 48243->48237 48243->48238 48243->48241 48248 401e13 11 API calls 48243->48248 48251 401f66 28 API calls 48243->48251 48255 4126d2 14 API calls 48243->48255 48266 40bf04 73 API calls ___scrt_fastfail 48243->48266 48267 412774 14 API calls 48243->48267 48245 40e625 48244->48245 48268 412774 14 API calls 48245->48268 48248->48243 48249 40e638 48250 401e13 11 API calls 48249->48250 48252 40e644 48250->48252 48251->48243 48253 401f66 28 API calls 48252->48253 48254 40e655 48253->48254 48256 4126d2 14 API calls 48254->48256 48255->48243 48257 40e668 48256->48257 48269 411699 TerminateProcess WaitForSingleObject 48257->48269 48259 40e670 ExitProcess 48270 411637 62 API calls 48260->48270 48267->48243 48268->48249 48269->48259

                                  Control-flow Graph

                                  APIs
                                  • LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BD08
                                  • GetProcAddress.KERNEL32(00000000), ref: 0041BD11
                                  • GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BD28
                                  • GetProcAddress.KERNEL32(00000000), ref: 0041BD2B
                                  • LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD3D
                                  • GetProcAddress.KERNEL32(00000000), ref: 0041BD40
                                  • LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD51
                                  • GetProcAddress.KERNEL32(00000000), ref: 0041BD54
                                  • LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040D783), ref: 0041BD65
                                  • GetProcAddress.KERNEL32(00000000), ref: 0041BD68
                                  • LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040D783), ref: 0041BD75
                                  • GetProcAddress.KERNEL32(00000000), ref: 0041BD78
                                  • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040D783), ref: 0041BD85
                                  • GetProcAddress.KERNEL32(00000000), ref: 0041BD88
                                  • GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040D783), ref: 0041BD95
                                  • GetProcAddress.KERNEL32(00000000), ref: 0041BD98
                                  • LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040D783), ref: 0041BDA9
                                  • GetProcAddress.KERNEL32(00000000), ref: 0041BDAC
                                  • GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040D783), ref: 0041BDB9
                                  • GetProcAddress.KERNEL32(00000000), ref: 0041BDBC
                                  • GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040D783), ref: 0041BDCD
                                  • GetProcAddress.KERNEL32(00000000), ref: 0041BDD0
                                  • GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040D783), ref: 0041BDE1
                                  • GetProcAddress.KERNEL32(00000000), ref: 0041BDE4
                                  • GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040D783), ref: 0041BDF5
                                  • GetProcAddress.KERNEL32(00000000), ref: 0041BDF8
                                  • GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040D783), ref: 0041BE05
                                  • GetProcAddress.KERNEL32(00000000), ref: 0041BE08
                                  • LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040D783), ref: 0041BE16
                                  • GetProcAddress.KERNEL32(00000000), ref: 0041BE19
                                  • LoadLibraryA.KERNEL32(kernel32,GetConsoleWindow,?,?,?,?,0040D783), ref: 0041BE26
                                  • GetProcAddress.KERNEL32(00000000), ref: 0041BE29
                                  • GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0040D783), ref: 0041BE3B
                                  • GetProcAddress.KERNEL32(00000000), ref: 0041BE3E
                                  • GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,?,0040D783), ref: 0041BE4B
                                  • GetProcAddress.KERNEL32(00000000), ref: 0041BE4E
                                  • LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedTcpTable,?,?,?,?,0040D783), ref: 0041BE60
                                  • GetProcAddress.KERNEL32(00000000), ref: 0041BE63
                                  • LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedUdpTable,?,?,?,?,0040D783), ref: 0041BE70
                                  • GetProcAddress.KERNEL32(00000000), ref: 0041BE73
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AddressProc$HandleLibraryLoadModule
                                  • String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetExtendedTcpTable$GetExtendedUdpTable$GetMonitorInfoW$GetProcessImageFileNameW$GetSystemTimes$GlobalMemoryStatusEx$Iphlpapi$IsUserAnAdmin$IsWow64Process$Kernel32$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi$SetProcessDEPPolicy$SetProcessDpiAwareness$Shell32$Shlwapi$kernel32$ntdll$shcore$user32
                                  • API String ID: 384173800-625181639
                                  • Opcode ID: 0789f4e3f810de028ed60e0db8f6a6efc83e65cfda48e5b03c752fe52fb7e632
                                  • Instruction ID: 9dbe04c74af77a7e1246f7e7b4568b240d3cb110e698a9ec5713b860520f9e80
                                  • Opcode Fuzzy Hash: 0789f4e3f810de028ed60e0db8f6a6efc83e65cfda48e5b03c752fe52fb7e632
                                  • Instruction Fuzzy Hash: EC31EEA0E4031C7ADA107FB69C49E5B7E9CD940B953110827B508D3162FB7DA980DEEE

                                  Control-flow Graph

                                  APIs
                                    • Part of subcall function 004124B7: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 004124D7
                                    • Part of subcall function 004124B7: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,004742F8), ref: 004124F5
                                    • Part of subcall function 004124B7: RegCloseKey.KERNEL32(?), ref: 00412500
                                  • Sleep.KERNEL32(00000BB8), ref: 0040E603
                                  • ExitProcess.KERNEL32 ref: 0040E672
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CloseExitOpenProcessQuerySleepValue
                                  • String ID: 5.3.0 Pro$override$pth_unenc$BG
                                  • API String ID: 2281282204-3981147832
                                  • Opcode ID: 8b57bce22a9f6d76fda62625c2c9eda57b428cac8fd47ef44d4eceb6ac03292f
                                  • Instruction ID: 5cf4e9032f47a3efac01ff8ef37086889acd92013af90c8396a8a4e29292548f
                                  • Opcode Fuzzy Hash: 8b57bce22a9f6d76fda62625c2c9eda57b428cac8fd47ef44d4eceb6ac03292f
                                  • Instruction Fuzzy Hash: 7B21A131B0031027C608767A891BA6F359A9B91719F90443EF805A72D7EE7D8A6083DF

                                  Control-flow Graph

                                  APIs
                                  • GetLocalTime.KERNEL32(00000001,00473EE8,004745A8,00000000,?,?,?,?,?,00414D8A,?,00000001), ref: 00404946
                                  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00473EE8,004745A8,00000000,?,?,?,?,?,00414D8A,?,00000001), ref: 00404994
                                  • CreateThread.KERNEL32(00000000,00000000,00404B1D,?,00000000,00000000), ref: 004049A7
                                  Strings
                                  • KeepAlive | Enabled | Timeout: , xrefs: 0040495C
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Create$EventLocalThreadTime
                                  • String ID: KeepAlive | Enabled | Timeout:
                                  • API String ID: 2532271599-1507639952
                                  • Opcode ID: 2e1fa5831eddf1d4299478bb142e53dbf6bd66ba3f79423caa1a657b487eb59e
                                  • Instruction ID: b3b3bd05b27f7402d17ec3e4b95caf04d044377deb2a76ff13a13b362c137b93
                                  • Opcode Fuzzy Hash: 2e1fa5831eddf1d4299478bb142e53dbf6bd66ba3f79423caa1a657b487eb59e
                                  • Instruction Fuzzy Hash: C2113AB19042543AC710A7BA8C09BCB7FAC9F86364F04407BF50462192D7789845CBFA
                                  APIs
                                  • CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000,?,00000001,004326D2,00000024,?,?,?), ref: 0043295C
                                  • CryptGenRandom.ADVAPI32(?,?,?,?,?,?,?,?,?,0042CBCE,?), ref: 00432972
                                  • CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,?,?,?,0042CBCE,?), ref: 00432984
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Crypt$Context$AcquireRandomRelease
                                  • String ID:
                                  • API String ID: 1815803762-0
                                  • Opcode ID: 04772303a0a25dfd0b8e93efaf4bd4cd6a07a437a7117abaa9b2762516ca9460
                                  • Instruction ID: 265e42ecfadf18463eab4f7c57cd3d944434f2f899047e0b797dffc1cacfdca9
                                  • Opcode Fuzzy Hash: 04772303a0a25dfd0b8e93efaf4bd4cd6a07a437a7117abaa9b2762516ca9460
                                  • Instruction Fuzzy Hash: 06E06531318311BBEB310E21BC08F577AE4AF89B72F650A3AF251E40E4D2A288019A1C
                                  APIs
                                  • GetComputerNameExW.KERNEL32(00000001,?,0000002B,00474358), ref: 0041A7CF
                                  • GetUserNameW.ADVAPI32(?,0040DFC3), ref: 0041A7E7
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Name$ComputerUser
                                  • String ID:
                                  • API String ID: 4229901323-0
                                  • Opcode ID: b63fbe807418eda0a9fc1ee5865018707abb86735c4632f840b1adfcf73bb3ed
                                  • Instruction ID: 0a408ea7b536296bc4698588bf682dce528bd2697060893402f21fe22c13e40a
                                  • Opcode Fuzzy Hash: b63fbe807418eda0a9fc1ee5865018707abb86735c4632f840b1adfcf73bb3ed
                                  • Instruction Fuzzy Hash: 8801FF7290011CAADB14EB90DC45ADDBBBCEF44715F10017AB501B21D5EFB4AB898A98
                                  APIs
                                  • GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,004145AD,00473EE8,00474A30,00473EE8,00000000,00473EE8,?,00473EE8,5.3.0 Pro), ref: 0040E68D
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: InfoLocale
                                  • String ID:
                                  • API String ID: 2299586839-0
                                  • Opcode ID: 31219136052544a26d77da0625eb89f11a5a625e23b8e682f5fa2601c68a04a1
                                  • Instruction ID: fdf89a5244b67fc368892e36cd71d3b7bc7b33248e42f87f25a9228cb5794c84
                                  • Opcode Fuzzy Hash: 31219136052544a26d77da0625eb89f11a5a625e23b8e682f5fa2601c68a04a1
                                  • Instruction Fuzzy Hash: E6D05E607002197BEA109291DC0AE9B7A9CE700B66F000165BA01E72C0E9A0AF008AE1
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: recv
                                  • String ID:
                                  • API String ID: 1507349165-0
                                  • Opcode ID: 7e529be0125f3c130d8a14787ec60c5f2794d52df3155d2474e8bb3275198ed8
                                  • Instruction ID: fbcf0fb35859d26dd0bec2a34c6193cd90ff2e5205aa97c5c9b80f8ed11fde70
                                  • Opcode Fuzzy Hash: 7e529be0125f3c130d8a14787ec60c5f2794d52df3155d2474e8bb3275198ed8
                                  • Instruction Fuzzy Hash: 35B09279118202FFCA051B60DC0887ABEBAABCC381F108D2DB586501B0CA37C451AB26

                                  Control-flow Graph

                                  APIs
                                    • Part of subcall function 0041BCF3: LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BD08
                                    • Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BD11
                                    • Part of subcall function 0041BCF3: GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BD28
                                    • Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BD2B
                                    • Part of subcall function 0041BCF3: LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD3D
                                    • Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BD40
                                    • Part of subcall function 0041BCF3: LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD51
                                    • Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BD54
                                    • Part of subcall function 0041BCF3: LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040D783), ref: 0041BD65
                                    • Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BD68
                                    • Part of subcall function 0041BCF3: LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040D783), ref: 0041BD75
                                    • Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BD78
                                    • Part of subcall function 0041BCF3: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040D783), ref: 0041BD85
                                    • Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BD88
                                    • Part of subcall function 0041BCF3: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040D783), ref: 0041BD95
                                    • Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BD98
                                    • Part of subcall function 0041BCF3: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040D783), ref: 0041BDA9
                                    • Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BDAC
                                    • Part of subcall function 0041BCF3: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040D783), ref: 0041BDB9
                                    • Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BDBC
                                    • Part of subcall function 0041BCF3: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040D783), ref: 0041BDCD
                                    • Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BDD0
                                    • Part of subcall function 0041BCF3: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040D783), ref: 0041BDE1
                                    • Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BDE4
                                    • Part of subcall function 0041BCF3: GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040D783), ref: 0041BDF5
                                    • Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BDF8
                                    • Part of subcall function 0041BCF3: GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040D783), ref: 0041BE05
                                    • Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BE08
                                    • Part of subcall function 0041BCF3: LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040D783), ref: 0041BE16
                                  • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\preliminary drawing.pif.exe,00000104), ref: 0040D790
                                    • Part of subcall function 0040FCBA: __EH_prolog.LIBCMT ref: 0040FCBF
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AddressProc$Module$Handle$LibraryLoad$FileH_prologName
                                  • String ID: (CG$(CG$0DG$@CG$@CG$Access Level: $Administrator$C:\Users\user\Desktop\preliminary drawing.pif.exe$Exe$Inj$Remcos Agent initialized$Software\$User$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$`=G$dCG$del$del$exepath$licence$license_code.txt$BG$BG$BG$BG$BG
                                  • API String ID: 2830904901-1273217775
                                  • Opcode ID: 1cbab22fcf9789e2dc0bbe97594bdd2d7531ec5f34be400b221fc91c5f8df585
                                  • Instruction ID: 3e021a1a4b13f59cbd2257f1e4af8b1458c06fff599f70b9144805750af3581d
                                  • Opcode Fuzzy Hash: 1cbab22fcf9789e2dc0bbe97594bdd2d7531ec5f34be400b221fc91c5f8df585
                                  • Instruction Fuzzy Hash: 31329260B043406ADA18B776DC57BBE269A8FC1748F04443FB8467B2E2DE7C9D45839E

                                  Control-flow Graph

                                  APIs
                                  • Sleep.KERNEL32(00000000,00000029,004742F8,?,00000000), ref: 00414028
                                  • WSAGetLastError.WS2_32 ref: 00414249
                                  • Sleep.KERNEL32(00000000,00000002), ref: 00414B88
                                    • Part of subcall function 0041A696: GetLocalTime.KERNEL32(00000000), ref: 0041A6B0
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Sleep$ErrorLastLocalTime
                                  • String ID: | $%I64u$5.3.0 Pro$@CG$C:\Users\user\Desktop\preliminary drawing.pif.exe$Connected | $Connecting | $Connection Error: $Connection Error: Unable to create socket$Disconnected$TLS Off$TLS On $XCG$XCG$XCG$`=G$dCG$hlight$name$>G$>G$BG
                                  • API String ID: 524882891-1521279111
                                  • Opcode ID: c5cc2093c3caae45bd84e2f6c1350ac1782337e989a6723bb220563a8dad824c
                                  • Instruction ID: 1c0fcd5d2769b0c1ed3f5537d8c306574ebe830810c6f13c8178cbf41d879861
                                  • Opcode Fuzzy Hash: c5cc2093c3caae45bd84e2f6c1350ac1782337e989a6723bb220563a8dad824c
                                  • Instruction Fuzzy Hash: 3B525E31A001145ADB18F771DDA6AEE73A59F90708F1041BFB80A771E2EF385E85CA9D

                                  Control-flow Graph

                                  APIs
                                  • connect.WS2_32(?,?,?), ref: 004042A5
                                  • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,?,?,0040192B), ref: 004043CB
                                  • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,?,?,0040192B), ref: 004043D5
                                  • WSAGetLastError.WS2_32(?,?,?,0040192B), ref: 004043E7
                                    • Part of subcall function 0041A696: GetLocalTime.KERNEL32(00000000), ref: 0041A6B0
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CreateEvent$ErrorLastLocalTimeconnect
                                  • String ID: Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
                                  • API String ID: 994465650-2151626615
                                  • Opcode ID: 4d284fb6bd226b4f6a9a24d86bcde779631d3923fb3a3f6ce286161630388cb1
                                  • Instruction ID: feeaa4dc0a5480c3be004408dd81f6e2390fe6c9429734df96c13844dfc6b1ca
                                  • Opcode Fuzzy Hash: 4d284fb6bd226b4f6a9a24d86bcde779631d3923fb3a3f6ce286161630388cb1
                                  • Instruction Fuzzy Hash: 3E4116B1B002026BCB04B77A8C4B66E7A55AB81354B40016FE901676D3FE79AD6087DF

                                  Control-flow Graph

                                  control_flow_graph 999 40c89e-40c8c3 call 401e52 1002 40c8c9 999->1002 1003 40c9ed-40ca13 call 401e07 GetLongPathNameW call 403b40 999->1003 1005 40c8d0-40c8d5 1002->1005 1006 40c9c2-40c9c7 1002->1006 1007 40c905-40c90a 1002->1007 1008 40c9d8 1002->1008 1009 40c9c9-40c9ce call 43ac1f 1002->1009 1010 40c8da-40c8e8 call 41a75b call 401e18 1002->1010 1011 40c8fb-40c900 1002->1011 1012 40c9bb-40c9c0 1002->1012 1013 40c90f-40c916 call 41b16b 1002->1013 1026 40ca18-40ca85 call 403b40 call 40cc37 call 402860 * 2 call 401e13 * 5 1003->1026 1014 40c9dd-40c9e2 call 43ac1f 1005->1014 1006->1014 1007->1014 1008->1014 1023 40c9d3-40c9d6 1009->1023 1030 40c8ed 1010->1030 1011->1014 1012->1014 1027 40c918-40c968 call 403b40 call 43ac1f call 403b40 call 402860 call 401e18 call 401e13 * 2 1013->1027 1028 40c96a-40c9b6 call 403b40 call 43ac1f call 403b40 call 402860 call 401e18 call 401e13 * 2 1013->1028 1029 40c9e3-40c9e8 call 4082d7 1014->1029 1023->1008 1023->1029 1035 40c8f1-40c8f6 call 401e13 1027->1035 1028->1030 1029->1003 1030->1035 1035->1003
                                  APIs
                                  • GetLongPathNameW.KERNEL32(00000000,?,00000208), ref: 0040CA04
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: LongNamePath
                                  • String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
                                  • API String ID: 82841172-425784914
                                  • Opcode ID: 8bb05b44eb04f1e0dc5581eb888e05d16a888ad6e7e27c2a6ee5d7172b9019e7
                                  • Instruction ID: a37aa742da7f535015bd00beacd4484d13b2c9c5bc690283ee024c69455bfc47
                                  • Opcode Fuzzy Hash: 8bb05b44eb04f1e0dc5581eb888e05d16a888ad6e7e27c2a6ee5d7172b9019e7
                                  • Instruction Fuzzy Hash: 68413A721442009AC214F721DD97DAFB7A4AE90759F10063FB546720E2FE7CAA49C69F

                                  Control-flow Graph

                                  APIs
                                    • Part of subcall function 0041B16B: GetCurrentProcess.KERNEL32(?,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B17C
                                    • Part of subcall function 00412513: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00412537
                                    • Part of subcall function 00412513: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00412554
                                    • Part of subcall function 00412513: RegCloseKey.KERNEL32(?), ref: 0041255F
                                  • StrToIntA.SHLWAPI(00000000,0046BC48,?,00000000,00000000,00474358,00000003,Exe,00000000,0000000E,00000000,0046556C,00000003,00000000), ref: 0041A4E9
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CloseCurrentOpenProcessQueryValue
                                  • String ID: (32 bit)$ (64 bit)$0JG$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
                                  • API String ID: 1866151309-3211212173
                                  • Opcode ID: 6f3ec36fa0fa6d5a89327e59a99bb65c2cd0d17cfb650c456f36b5e487cc7cbe
                                  • Instruction ID: ceb3f8158c83cee62a9ab3acf094014ca2543c25b31c887bfc35cbf025930a6e
                                  • Opcode Fuzzy Hash: 6f3ec36fa0fa6d5a89327e59a99bb65c2cd0d17cfb650c456f36b5e487cc7cbe
                                  • Instruction Fuzzy Hash: F611CAA050020566C704B765DC9BDBF765ADB90304F40453FB506E31D2EB6C8E8583EE

                                  Control-flow Graph

                                  control_flow_graph 1152 41a52b-41a56a call 401faa call 43a89c InternetOpenW InternetOpenUrlW 1157 41a56c-41a58d InternetReadFile 1152->1157 1158 41a5b3-41a5b6 1157->1158 1159 41a58f-41a5af call 401f86 call 402f08 call 401eea 1157->1159 1161 41a5b8-41a5ba 1158->1161 1162 41a5bc-41a5c9 InternetCloseHandle * 2 call 43a897 1158->1162 1159->1158 1161->1157 1161->1162 1166 41a5ce-41a5d8 1162->1166
                                  APIs
                                  • InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0041A54E
                                  • InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 0041A564
                                  • InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 0041A57D
                                  • InternetCloseHandle.WININET(00000000), ref: 0041A5C3
                                  • InternetCloseHandle.WININET(00000000), ref: 0041A5C6
                                  Strings
                                  • http://geoplugin.net/json.gp, xrefs: 0041A55E
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Internet$CloseHandleOpen$FileRead
                                  • String ID: http://geoplugin.net/json.gp
                                  • API String ID: 3121278467-91888290
                                  • Opcode ID: 31b0211269058d8d80234bb2d45be8077547b9a49cc11acea141c6bd991d7aa0
                                  • Instruction ID: 987b679836a9d55d587b89d74e0435f254c545d991055b4d64d2ada4334a4818
                                  • Opcode Fuzzy Hash: 31b0211269058d8d80234bb2d45be8077547b9a49cc11acea141c6bd991d7aa0
                                  • Instruction Fuzzy Hash: C111C4311093126BD224EA169C45DBF7FEDEF86365F00043EF905E2192DB689848C6BA
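The control_flow_graph line above is the textual form of the rendered graph: numbered basic blocks with their address ranges, the calls each block makes, and `from->to` edges. The following parser is an added example, not part of the Joe Sandbox report or the sample's code. It rebuilds the graph from that line (copied verbatim as the constructed input) and answers the two questions a reverser asks of it: which API call sites are reachable from the entry block, and which sit inside a loop. The token grammar is inferred from the lines on this page and is an assumption; for the geoplugin function it places InternetReadFile on the cycle through blocks 1157, 1158, 1159 and 1161 (the read-until-empty loop) and both InternetCloseHandle calls after it.

```python
import re
from collections import defaultdict, deque

# Constructed input: the control_flow_graph line of the geoplugin lookup function, copied from the report.
GEOPLUGIN_CFG = (
    "control_flow_graph 1152 41a52b-41a56a call 401faa call 43a89c InternetOpenW InternetOpenUrlW "
    "1157 41a56c-41a58d InternetReadFile 1152->1157 1158 41a5b3-41a5b6 1157->1158 "
    "1159 41a58f-41a5af call 401f86 call 402f08 call 401eea 1157->1159 1161 41a5b8-41a5ba 1158->1161 "
    "1162 41a5bc-41a5c9 InternetCloseHandle * 2 call 43a897 1158->1162 1159->1158 1161->1157 "
    "1161->1162 1166 41a5ce-41a5d8 1162->1166"
)

ADDR_RANGE = re.compile(r"^[0-9a-f]+(?:-[0-9a-f]+)?$")   # "start" or "start-end", lower-case hex
EDGE = re.compile(r"^(\d+)->(\d+)$")                      # "from->to" between block ids


def parse_cfg(text):
    """Tokenise one control_flow_graph line into (blocks, edges).

    Assumed grammar (inferred from the report): a block is "<id> <addr-range>" followed by any mix
    of "call <hex>" (internal call), "<ApiName>" (resolved import) and "* <n>" (repeat the previous
    item n times); edges are "<id>-><id>". Items are kept in order as (kind, name) pairs.
    """
    tokens = text.split()
    if tokens[0] != "control_flow_graph":
        raise ValueError("not a control_flow_graph line")
    blocks, edges, cur, i = {}, [], None, 1
    while i < len(tokens):
        tok = tokens[i]
        m = EDGE.match(tok)
        if m:
            edges.append((m.group(1), m.group(2)))
        elif tok.isdigit() and i + 1 < len(tokens) and ADDR_RANGE.match(tokens[i + 1]):
            cur = tok                                    # new basic block
            blocks[cur] = {"range": tokens[i + 1], "items": []}
            i += 1
        elif tok == "call":                              # internal call to a function address
            blocks[cur]["items"].append(("call", tokens[i + 1]))
            i += 1
        elif tok == "*":                                 # "<item> * <n>": the previous item repeats
            items = blocks[cur]["items"]
            items.extend([items[-1]] * (int(tokens[i + 1]) - 1))
            i += 1
        else:                                            # anything else is an imported API name
            blocks[cur]["items"].append(("api", tok))
        i += 1
    return blocks, edges


def successors(edges):
    succ = defaultdict(list)
    for a, b in edges:
        succ[a].append(b)
    return succ


def reachable_from(entry, edges):
    """Block ids reachable from entry by following edges (entry included)."""
    succ = successors(edges)
    seen, todo = {entry}, deque([entry])
    while todo:
        for b in succ[todo.popleft()]:
            if b not in seen:
                seen.add(b)
                todo.append(b)
    return seen


def loop_blocks(blocks, edges):
    """Blocks that lie on a cycle, i.e. that can reach themselves again."""
    succ = successors(edges)
    on_cycle = set()
    for n in blocks:
        seen, todo = set(), deque(succ[n])
        while todo:
            m = todo.popleft()
            if m == n:
                on_cycle.add(n)
                break
            if m not in seen:
                seen.add(m)
                todo.extend(succ[m])
    return on_cycle


def summarize(text):
    """(api, block, reachable_from_entry, in_loop) for each API call site; entry = first block listed."""
    blocks, edges = parse_cfg(text)
    entry = next(iter(blocks))
    reach, loops = reachable_from(entry, edges), loop_blocks(blocks, edges)
    return [(name, bid, bid in reach, bid in loops)
            for bid, b in blocks.items() for kind, name in b["items"] if kind == "api"]


if __name__ == "__main__":
    for api, bid, reach, loop in summarize(GEOPLUGIN_CFG):
        print(f"{api:<20} block {bid} range {parse_cfg(GEOPLUGIN_CFG)[0][bid]['range']:<15} "
              f"reachable={reach} loop={loop}")
```

The same function works on the longer graphs on this page (for example the 413fd4 connection loop, where the back edges 917->582 and 596->476 mark the reconnect cycle that surrounds the Sleep calls), because the only grammar it relies on is the block id, address range, `call`, `*` and edge tokens seen here.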

                                  Control-flow Graph

                                  control_flow_graph 1170 4126d2-4126e9 RegCreateKeyA 1171 412722 1170->1171 1172 4126eb-412720 call 4022f8 call 401e8f RegSetValueExA RegCloseKey 1170->1172 1174 412724-412730 call 401eea 1171->1174 1172->1174
                                  APIs
                                  • RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 004126E1
                                  • RegSetValueExA.KERNEL32(?,HgF,00000000,?,00000000,00000000,004742F8,?,?,0040E5FB,00466748,5.3.0 Pro), ref: 00412709
                                  • RegCloseKey.KERNEL32(?,?,?,0040E5FB,00466748,5.3.0 Pro), ref: 00412714
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CloseCreateValue
                                  • String ID: HgF$pth_unenc
                                  • API String ID: 1818849710-3662775637
                                  • Opcode ID: f525b82889cce4ed42b982d416afe85817149c5d652f0b3e4b5f51a1bf5c8cf6
                                  • Instruction ID: d7c223529d0a909ac1d5b5cf1be9cbd74eb10d05c00374dbcf2eb8abb0eb8976
                                  • Opcode Fuzzy Hash: f525b82889cce4ed42b982d416afe85817149c5d652f0b3e4b5f51a1bf5c8cf6
                                  • Instruction Fuzzy Hash: 98F09032040104FBCB019FA0ED55EEF37ACEF04751F108139FD06A61A1EA75DE04EA94

                                  Control-flow Graph

                                  control_flow_graph 1180 446f53-446f6a GetLastError 1181 446f6c-446f76 call 447476 1180->1181 1182 446f78-446f7f call 448716 1180->1182 1181->1182 1187 446fc9-446fd0 SetLastError 1181->1187 1186 446f84-446f8a 1182->1186 1188 446f95-446fa3 call 4474cc 1186->1188 1189 446f8c 1186->1189 1191 446fd2-446fd7 1187->1191 1196 446fa5-446fa6 1188->1196 1197 446fa8-446fbe call 446d41 call 446ad5 1188->1197 1192 446f8d-446f93 call 446ad5 1189->1192 1198 446fc0-446fc7 SetLastError 1192->1198 1196->1192 1197->1187 1197->1198 1198->1191
                                  APIs
                                  • GetLastError.KERNEL32(00000000,?,?,00445369,00446B52,00000000,?,00433637,?,?,00402BE9,?,00402629,00000000,?,00402578), ref: 00446F58
                                  • _free.LIBCMT ref: 00446F8D
                                  • _free.LIBCMT ref: 00446FB4
                                  • SetLastError.KERNEL32(00000000), ref: 00446FC1
                                  • SetLastError.KERNEL32(00000000), ref: 00446FCA
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ErrorLast$_free
                                  • String ID:
                                  • API String ID: 3170660625-0
                                  • Opcode ID: d9a11e8b10a3382acc57acd06360e0df9f500200efacd02ff515e0ca4c66fe47
                                  • Instruction ID: 63179894ab579f9662c65df04eda1c4e2cfad31ee62bae45dd706db9c2735e37
                                  • Opcode Fuzzy Hash: d9a11e8b10a3382acc57acd06360e0df9f500200efacd02ff515e0ca4c66fe47
                                  • Instruction Fuzzy Hash: 4F01D67620C7006BF61227757C85D2B1669EBC3776727013FF859A2292EE6CCC0A415F

                                  Control-flow Graph

                                  control_flow_graph 1220 4127d5-4127eb RegCreateKeyA 1221 412818-41281b 1220->1221 1222 4127ed-412812 RegSetValueExA RegCloseKey 1220->1222 1222->1221 1223 412814-412817 1222->1223
                                  APIs
                                  • RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
                                  • RegSetValueExA.KERNEL32(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
                                  • RegCloseKey.ADVAPI32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CloseCreateValue
                                  • String ID: TUF
                                  • API String ID: 1818849710-3431404234
                                  • Opcode ID: 386e33d00f3fb5cef405d4ff1ae12e7e359dce24562d3d83ccac8fce873b9f24
                                  • Instruction ID: 4d8f19d4f5fba69279ea975c705bdc3302fb28fe13ea63ccb444db4f968143a5
                                  • Opcode Fuzzy Hash: 386e33d00f3fb5cef405d4ff1ae12e7e359dce24562d3d83ccac8fce873b9f24
                                  • Instruction Fuzzy Hash: 8DE03071540204BFEF115B909C05FDB3BA8EB05B95F004161FA05F6191D271CE14D7A4

                                  Control-flow Graph

                                  APIs
                                  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,?), ref: 00404778
                                  • CreateThread.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 0040478C
                                  • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,00000000,?,?,00000000), ref: 00404797
                                  • CloseHandle.KERNEL32(?,?,00000000,00000000,?,?,00000000), ref: 004047A0
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Create$CloseEventHandleObjectSingleThreadWait
                                  • String ID:
                                  • API String ID: 3360349984-0
                                  • Opcode ID: 3c6d86bedaee11f37905f7bca2ddc0060668b498f76e48a755d0382af347efe0
                                  • Instruction ID: f4983b6e647f91c6eb1a16b69ab68a2f9d5597509a23169db7b615edd0c6cdea
                                  • Opcode Fuzzy Hash: 3c6d86bedaee11f37905f7bca2ddc0060668b498f76e48a755d0382af347efe0
                                  • Instruction Fuzzy Hash: 34417171508301ABC700FB61CC55D7FB7E9AFD5315F00093EF892A32E2EA389909866A

                                  Control-flow Graph

                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CountEventTick
                                  • String ID: >G
                                  • API String ID: 180926312-1296849874
                                  • Opcode ID: ce6c9d1715770b429ad55d0905e173b6115a539eb21f1fa84817c17572230590
                                  • Instruction ID: 080f125417303e5552765b07387c73e695832f87024c8a27cfac38d5c25ddd71
                                  • Opcode Fuzzy Hash: ce6c9d1715770b429ad55d0905e173b6115a539eb21f1fa84817c17572230590
                                  • Instruction Fuzzy Hash: 7E5191315042409AC224FB71D8A2AEF73E5AFD1314F40853FF94A671E2EF389949C69E

                                  Control-flow Graph

                                  control_flow_graph 1363 40bed7-40bf03 call 401e8f CreateMutexA GetLastError
                                  APIs
                                  • CreateMutexA.KERNEL32(00000000,00000001,00000000,0040D9AA,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,0046556C,00000003,00000000), ref: 0040BEE6
                                  • GetLastError.KERNEL32 ref: 0040BEF1
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CreateErrorLastMutex
                                  • String ID: (CG
                                  • API String ID: 1925916568-4210230975
                                  • Opcode ID: 296d9643a91431cf214b808cae9b7d77365ac793ad5cac5481aac8ac9a10b333
                                  • Instruction ID: f970ec9d0541ab61c93bafde2a4f59c5c821b48a7874ab2150ad5935bc14b509
                                  • Opcode Fuzzy Hash: 296d9643a91431cf214b808cae9b7d77365ac793ad5cac5481aac8ac9a10b333
                                  • Instruction Fuzzy Hash: 75D012707083009BD7181774BC8A77D3555E784703F00417AB90FD55E1CB6888409919
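The per-function "APIs" entries above (the geoplugin fetch, the HKCU registry writes, the CreateMutexA/GetLastError pair, the SOFTWARE\Microsoft\Windows NT\CurrentVersion reads) all use the same `• Api.MODULE(slot,slot,...), ref: addr` form. The triage helper below is an added example, not part of the Joe Sandbox report or the sample: it parses those lines, decodes the public Win32 constants visible in the argument slots (registry hive, value type, KEY_READ, INTERNET_FLAG_RELOAD) and flags the behaviours the Signatures section calls out. The sample lines are copied from this report; the interpretation that the first N slots are the call's parameters and the remaining slots are stack residue is an assumption.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed input: API lines copied verbatim from the per-function "APIs" entries in this report.
SAMPLE_API_LINES = [
    "• InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 0041A564",
    "• RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 004126E1",
    "• RegSetValueExA.KERNEL32(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE",
    "• CreateMutexA.KERNEL32(00000000,00000001,00000000,0040D9AA,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,0046556C,00000003,00000000), ref: 0040BEE6",
    "• GetLastError.KERNEL32 ref: 0040BEF1",
    "  • Part of subcall function 00412513: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00412537",
    "  • Part of subcall function 0041A696: GetLocalTime.KERNEL32(00000000), ref: 0041A6B0",
]

API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>[A-Z0-9_]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$"
)


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]            # stack slots as printed; assumed: first N are parameters, the rest residue
    ref: str                   # address of the call instruction
    subcall: Optional[str]     # callee address when the report attributes the call to a subcall


def parse_api_line(line: str) -> Optional[ApiCall]:
    m = API_LINE.match(line)
    if not m:
        return None
    raw = m.group("args")
    return ApiCall(m.group("api"), m.group("mod"), raw.split(",") if raw else [],
                   m.group("ref"), m.group("sub"))


def as_int(slot: str) -> Optional[int]:
    """Slots are 8 hex digits; '?' means the analyser could not resolve the value; strings stay strings."""
    return int(slot, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", slot) else None


# Public Win32 SDK constants.
HKEY = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
        0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
REG_TYPE = {1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY", 4: "REG_DWORD", 7: "REG_MULTI_SZ"}
KEY_READ = 0x20019
INTERNET_FLAG_RELOAD = 0x80000000


def triage(calls: List[ApiCall]):
    """Return (ref, description) pairs for the calls that matter for this sample's behaviour."""
    findings = []
    for i, c in enumerate(calls):
        a = c.args
        if c.api == "InternetOpenUrlW" and len(a) >= 5:
            flags = as_int(a[4]) or 0
            reload = ", cache bypassed (INTERNET_FLAG_RELOAD)" if flags & INTERNET_FLAG_RELOAD else ""
            findings.append((c.ref, f"HTTP request to {a[1]}{reload}"))
        elif c.api in ("RegCreateKeyA", "RegOpenKeyExA") and a:
            hive = HKEY.get(as_int(a[0]), a[0])
            access = (" with KEY_READ" if c.api == "RegOpenKeyExA" and len(a) > 3
                      and as_int(a[3]) == KEY_READ else "")
            findings.append((c.ref, f"{c.api} under {hive}{access}"))
        elif c.api == "RegSetValueExA" and len(a) >= 6:
            findings.append((c.ref, f"registry value written, type {REG_TYPE.get(as_int(a[3]), a[3])}, "
                                    f"cbData={as_int(a[5])}"))
        elif c.api == "CreateMutexA" and i + 1 < len(calls) and calls[i + 1].api == "GetLastError":
            # Classic single-instance check: GetLastError right after CreateMutexA tests ERROR_ALREADY_EXISTS.
            findings.append((c.ref, "single-instance check: CreateMutexA followed by GetLastError"))
    return findings


if __name__ == "__main__":
    parsed = [c for c in map(parse_api_line, SAMPLE_API_LINES) if c]
    for ref, text in triage(parsed):
        print(ref, text)
```

Two caveats when using this on other entries: the short values that appear as strings in slots (HgF, TUF, XCG) are stack residue rendered as text, not real registry value names, so only slots in parameter positions are decoded, and the script keys findings by the call's `ref` address, which is unique per call site in this report.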
                                  APIs
                                  • RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00412537
                                  • RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00412554
                                  • RegCloseKey.KERNEL32(?), ref: 0041255F
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CloseOpenQueryValue
                                  • String ID:
                                  • API String ID: 3677997916-0
                                  • Opcode ID: 8bdb47dcc075b90602d862ed2636d4bb920ab298b1725c427e8c8ce9e7e6604e
                                  • Instruction ID: 155fce86b91483c744b9f02885d56de91ccd1cdd8f33956e2d71fd22bd1c87ae
                                  • Opcode Fuzzy Hash: 8bdb47dcc075b90602d862ed2636d4bb920ab298b1725c427e8c8ce9e7e6604e
                                  • Instruction Fuzzy Hash: F0F08176900118BBCB209BA1ED48DEF7FBDEB44751F004066BA06E2150D6749E55DBA8
                                  APIs
                                  • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,004742F8), ref: 00412679
                                  • RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 00412692
                                  • RegCloseKey.KERNEL32(00000000), ref: 0041269D
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CloseOpenQueryValue
                                  • String ID:
                                  • API String ID: 3677997916-0
                                  • Opcode ID: e356916b1740155a69653a68473027dca2ca6835ab0d3846d735c0fff301d5eb
                                  • Instruction ID: c18416eb0b1572374c3e2b3be0649ca89fc6f9e16ed4320a44d925c8ae57db2a
                                  • Opcode Fuzzy Hash: e356916b1740155a69653a68473027dca2ca6835ab0d3846d735c0fff301d5eb
                                  • Instruction Fuzzy Hash: BD018131404229FBDF216FA1DC45DDF7F78EF11754F004065BA04A21A1D7758AB5DBA8
                                  APIs
                                  • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 004124D7
                                  • RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,004742F8), ref: 004124F5
                                  • RegCloseKey.KERNEL32(?), ref: 00412500
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CloseOpenQueryValue
                                  • String ID:
                                  • API String ID: 3677997916-0
                                  • Opcode ID: 9045fb9a7a6208df116313aaf282ceb7280aaf27367a6f7e2add9e4d3bf57581
                                  • Instruction ID: 3c8b5742b91bab9b7a0bfd6479237677f271592d1db5ef4b45a1d16c6b8d7bbd
                                  • Opcode Fuzzy Hash: 9045fb9a7a6208df116313aaf282ceb7280aaf27367a6f7e2add9e4d3bf57581
                                  • Instruction Fuzzy Hash: C0F03A76900208BFDF119FA0AC45FDF7BB9EB04B55F1040A1FA05F6291D670DA54EB98
                                  APIs
                                  • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?,00000000,?,?,0040B996,004660E0), ref: 00412485
                                  • RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,0040B996,004660E0), ref: 00412499
                                  • RegCloseKey.KERNEL32(?,?,?,0040B996,004660E0), ref: 004124A4
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CloseOpenQueryValue
                                  • String ID:
                                  • API String ID: 3677997916-0
                                  • Opcode ID: e297991b72ec1606279c96c89a25a7ac8737aea41b7b6b8683e2e1c686c69e22
                                  • Instruction ID: 2a31b93e49ffe9e6f23ef690bd11c8afd6de107f9352384350bf23698ee7218d
                                  • Opcode Fuzzy Hash: e297991b72ec1606279c96c89a25a7ac8737aea41b7b6b8683e2e1c686c69e22
                                  • Instruction Fuzzy Hash: 46E06531405234BBDF314BA2AD0DDDB7FACEF16BA17004061BC09A2251D2658E50E6E8
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: _wcslen
                                  • String ID: xAG
                                  • API String ID: 176396367-2759412365
                                  • Opcode ID: ff637472b7ef91eb79cf1c791d23dde74da6086b31a6c5428193f8d367aac764
                                  • Instruction ID: 06a27fc39790a6443aa461e0e984232ee7603be4cd8470566e0b89af9a4a2a71
                                  • Opcode Fuzzy Hash: ff637472b7ef91eb79cf1c791d23dde74da6086b31a6c5428193f8d367aac764
                                  • Instruction Fuzzy Hash: FE1163329002059FCB15FF66D8969EF77A4EF64314B10453FF842622E2EF38A955CB98
                                  APIs
                                  • GlobalMemoryStatusEx.KERNEL32(?), ref: 0041A969
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: GlobalMemoryStatus
                                  • String ID: @
                                  • API String ID: 1890195054-2766056989
                                  • Opcode ID: 6a5e85952f382d12afcc854e62baf2dc0b8e461fb7fe04101b075e185c2318ef
                                  • Instruction ID: dd145fffdacd7bda74fa2c6e5abe56fe406d4b7e613986be5c07feff288e4f4e
                                  • Opcode Fuzzy Hash: 6a5e85952f382d12afcc854e62baf2dc0b8e461fb7fe04101b075e185c2318ef
                                  • Instruction Fuzzy Hash: EFD067B99013189FCB20DFA8E945A8DBBF8FB48214F004529E946E3344E774E945CB95
                                  APIs
                                  • _free.LIBCMT ref: 0044B9EF
                                    • Part of subcall function 00446B0F: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00433637,?,?,00402BE9,?,00402629,00000000,?,00402578,?,?), ref: 00446B41
                                  • RtlReAllocateHeap.NTDLL(00000000,?,00000000,?,0000000F,?,00431FE7,00000000,0000000F,0042EA4D,?,?,00430AB6,?,00000000), ref: 0044BA2B
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AllocateHeap$_free
                                  • String ID:
                                  • API String ID: 1482568997-0
                                  • Opcode ID: d76ce5d9e4c682b15a99abc110236e8d1a2fbccdd24d1d48a07619e1950cdef4
                                  • Instruction ID: 4ec374b27fdcb4e51bf886fe72aa52163d481902fd3bbe85b5f84076fdb7f7cd
                                  • Opcode Fuzzy Hash: d76ce5d9e4c682b15a99abc110236e8d1a2fbccdd24d1d48a07619e1950cdef4
                                  • Instruction Fuzzy Hash: 0FF0C23260051166FB216E679C05F6B2B68DF827B0F15412BFD04B6291DF6CC80191ED
                                  APIs
                                  • socket.WS2_32(?,00000001,00000006), ref: 00404212
                                    • Part of subcall function 00404262: WSAStartup.WS2_32(00000202,00000000), ref: 00404277
                                  • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404252
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CreateEventStartupsocket
                                  • String ID:
                                  • API String ID: 1953588214-0
                                  • Opcode ID: 854d00471859da485f7a9b00171063840124e4cdae7de36f8ad07afc2a8c10ec
                                  • Instruction ID: 6d5c4ce7eefecebe47fda3b025552a79fd8a61a73b62065855ea20d17e135052
                                  • Opcode Fuzzy Hash: 854d00471859da485f7a9b00171063840124e4cdae7de36f8ad07afc2a8c10ec
                                  • Instruction Fuzzy Hash: A20171B05087809ED7358F38B8456977FE0AB15314F044DAEF1D697BA1C3B5A481CB18
                                  APIs
                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 00433DF7
                                    • Part of subcall function 00437BE7: RaiseException.KERNEL32(?,?,?,00433E19,00000000,00000000,?,?,?,?,?,?,00433E19,?,0046D5EC), ref: 00437C47
                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 00433E14
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Exception@8Throw$ExceptionRaise
                                  • String ID:
                                  • API String ID: 3476068407-0
                                  • Opcode ID: 02f9a842f842a715d987613c720c18d86e9d620b05cc95bf3092e1ce2b61825f
                                  • Instruction ID: a120e58b429b9861eb3006866c51ef53ea309f8249189fce9472b36b7df41f91
                                  • Opcode Fuzzy Hash: 02f9a842f842a715d987613c720c18d86e9d620b05cc95bf3092e1ce2b61825f
                                  • Instruction Fuzzy Hash: EFF0243080430D7BCB14BEAAE80799D772C5D08319F60612BB825955E1EF7CE715C58E
                                  APIs
                                  • GetForegroundWindow.USER32 ref: 0041AC84
                                  • GetWindowTextW.USER32(00000000,?,00000100), ref: 0041AC97
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Window$ForegroundText
                                  • String ID:
                                  • API String ID: 29597999-0
                                  • Opcode ID: fc9550f23c582834adc74fe767e5a47d1f70ec12f4b2fc4e7e19963045584285
                                  • Instruction ID: cc2156d331005380bc7f387210694eb4be3f76427b44d354f8bc4e4bef854abe
                                  • Opcode Fuzzy Hash: fc9550f23c582834adc74fe767e5a47d1f70ec12f4b2fc4e7e19963045584285
                                  • Instruction Fuzzy Hash: CFE04875A0031867FB24A765AD4EFD6766C9704715F0000B9BA19E21C3E9B4EA04C7E4
                                  APIs
                                  • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00446F84,00000001,00000364,?,00433637,?,?,00402BE9,?,00402629,00000000,?), ref: 00448757
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AllocateHeap
                                  • String ID:
                                  • API String ID: 1279760036-0
                                  • Opcode ID: c0e71c43265bb7a2ed883484c95d5de73dd4aa74b019aeb8b9faa22b7eb24aee
                                  • Instruction ID: 28044070be8b550b436e3a89d8ee4c5083ce1cba36f38117670c034d6afde2c5
                                  • Opcode Fuzzy Hash: c0e71c43265bb7a2ed883484c95d5de73dd4aa74b019aeb8b9faa22b7eb24aee
                                  • Instruction Fuzzy Hash: 0FF0E03154562467BB217A669D56B5F7744AF41770B34402FFC04A6190CF68D901C2DD
                                  APIs
                                  • RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00433637,?,?,00402BE9,?,00402629,00000000,?,00402578,?,?), ref: 00446B41
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AllocateHeap
                                  • String ID:
                                  • API String ID: 1279760036-0
                                  • Opcode ID: 9bddc84dc8664baa6f7cbd2250fb2f50dd1e52b915d866c7822d6cfd0d1e4f3c
                                  • Instruction ID: 9aef8a7b80d5ef8cde78cc1a95e43686bba12cbd10c6cd592e8946dff14ce016
                                  • Opcode Fuzzy Hash: 9bddc84dc8664baa6f7cbd2250fb2f50dd1e52b915d866c7822d6cfd0d1e4f3c
                                  • Instruction Fuzzy Hash: 54E0E5312012B5A7FB202A6A9C05F5B7688DB437A4F060033AC45D66D0CB58EC4181AF
                                  APIs
                                  • WSAStartup.WS2_32(00000202,00000000), ref: 00404277
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Startup
                                  • String ID:
                                  • API String ID: 724789610-0
                                  • Opcode ID: 95a2dab67d29c7ac03eac8c0eb79289a66407e1e5cc97b6f0f8b459783d59ee5
                                  • Instruction ID: eac2355bac846bce9fd0ddf676e945afe2a4b646382637a0be3cadb4b1fbcda1
                                  • Opcode Fuzzy Hash: 95a2dab67d29c7ac03eac8c0eb79289a66407e1e5cc97b6f0f8b459783d59ee5
                                  • Instruction Fuzzy Hash: E1D012325596084ED610AAB8AC0F8A47B5CD317611F0003BA6CB5826E3E640661CC6AB
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: send
                                  • String ID:
                                  • API String ID: 2809346765-0
                                  • Opcode ID: 95a0fd16484bf767f6aff194c57c23075fd16a0a1a5a2095ebc589c6d407ffe4
                                  • Instruction ID: f30177ef1ac25d972003a71432bbdafa3536f6886768dd9ca1b11e7f0a6bf502
                                  • Opcode Fuzzy Hash: 95a0fd16484bf767f6aff194c57c23075fd16a0a1a5a2095ebc589c6d407ffe4
                                  • Instruction Fuzzy Hash: 4FB09279118302BFCA051B60DC0887A7EBAABC9381B108C2CB146512B0CA37C490EB36
                                  APIs
                                  • SetEvent.KERNEL32(?), ref: 00406F28
                                  • GetFileAttributesW.KERNEL32(00000000,00000000,00000000), ref: 00406FF8
                                  • DeleteFileW.KERNEL32(00000000), ref: 00407018
                                    • Part of subcall function 0041B43F: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B499
                                    • Part of subcall function 0041B43F: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B4CB
                                    • Part of subcall function 0041B43F: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B51C
                                    • Part of subcall function 0041B43F: FindClose.KERNEL32(00000000,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B571
                                    • Part of subcall function 0041B43F: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B578
                                    • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                    • Part of subcall function 00406BE9: CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00465454,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C38
                                    • Part of subcall function 00406BE9: WriteFile.KERNEL32(00000000,?,00000000,?,00000000,?,000186A0,?,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C80
                                    • Part of subcall function 00406BE9: CloseHandle.KERNEL32(00000000,?,?,00000000,00407273,00000000,?,0000000A,00000000,00000000), ref: 00406CC0
                                    • Part of subcall function 00406BE9: MoveFileW.KERNEL32(00000000,00000000), ref: 00406CDD
                                    • Part of subcall function 0041A696: GetLocalTime.KERNEL32(00000000), ref: 0041A6B0
                                    • Part of subcall function 00404468: WaitForSingleObject.KERNEL32(?,00000000,LAL,?,?,00000004,?,?,00000004,00473EE8,004745A8,00000000), ref: 0040450E
                                    • Part of subcall function 00404468: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00473EE8,004745A8,00000000,?,?,?,?,?,00414CE9), ref: 0040453C
                                  • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00407416
                                  • GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 004074F5
                                  • SetFileAttributesW.KERNEL32(00000000,?,00000000,00000001), ref: 0040773A
                                  • DeleteFileA.KERNEL32(?), ref: 004078CC
                                    • Part of subcall function 00407A8C: __EH_prolog.LIBCMT ref: 00407A91
                                    • Part of subcall function 00407A8C: FindFirstFileW.KERNEL32(00000000,?,00465AA0,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B4A
                                    • Part of subcall function 00407A8C: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B6E
                                  • Sleep.KERNEL32(000007D0), ref: 00407976
                                  • StrToIntA.SHLWAPI(00000000,00000000), ref: 004079BA
                                    • Part of subcall function 0041BB87: SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041BC7C
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: File$Find$AttributesCloseDeleteDirectoryEventFirstNextRemove$CreateDriveExecuteH_prologHandleInfoLocalLogicalMoveObjectParametersShellSingleSleepStringsSystemTimeWaitWritesend
                                  • String ID: Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $H@G$Unable to delete: $Unable to rename file!$V>G$open$x@G$x@G$x@G$x@G$>G
                                  • API String ID: 2918587301-599666313
                                  • Opcode ID: 7c3a10aa70fbc0abb9da896607932978d887201d4489b0b6bbc8d7b181c23716
                                  • Instruction ID: 1bc88c7e1bb4371a25effcd92402389f4e4e7f2dfcf0a55fa2f5aa785e242239
                                  • Opcode Fuzzy Hash: 7c3a10aa70fbc0abb9da896607932978d887201d4489b0b6bbc8d7b181c23716
                                  • Instruction Fuzzy Hash: CC42A372A043005BC604F776C8979AF76A59F90718F40493FF946771E2EE3CAA09C69B
                                  APIs
                                  • __Init_thread_footer.LIBCMT ref: 0040508E
                                    • Part of subcall function 004334DF: EnterCriticalSection.KERNEL32(00470D18,00475D4C,?,0040AEAC,00475D4C,00456DA7,?,00000000,00000000), ref: 004334E9
                                    • Part of subcall function 004334DF: LeaveCriticalSection.KERNEL32(00470D18,?,0040AEAC,00475D4C,00456DA7,?,00000000,00000000), ref: 0043351C
                                    • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                  • __Init_thread_footer.LIBCMT ref: 004050CB
                                  • CreatePipe.KERNEL32(00475D0C,00475CF4,00475C18,00000000,0046556C,00000000), ref: 0040515E
                                  • CreatePipe.KERNEL32(00475CF8,00475D14,00475C18,00000000), ref: 00405174
                                  • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00475C28,00475CFC), ref: 004051E7
                                    • Part of subcall function 00433529: EnterCriticalSection.KERNEL32(00470D18,?,00475D4C,?,0040AE8B,00475D4C,?,00000000,00000000), ref: 00433534
                                    • Part of subcall function 00433529: LeaveCriticalSection.KERNEL32(00470D18,?,0040AE8B,00475D4C,?,00000000,00000000), ref: 00433571
                                  • Sleep.KERNEL32(0000012C,00000093), ref: 0040523F
                                  • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00405264
                                  • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 00405291
                                    • Part of subcall function 004338B5: __onexit.LIBCMT ref: 004338BB
                                  • WriteFile.KERNEL32(00000000,00000000,?,00000000,00473F98,00465570,00000062,00465554), ref: 0040538E
                                  • Sleep.KERNEL32(00000064,00000062,00465554), ref: 004053A8
                                  • TerminateProcess.KERNEL32(00000000), ref: 004053C1
                                  • CloseHandle.KERNEL32 ref: 004053CD
                                  • CloseHandle.KERNEL32 ref: 004053D5
                                  • CloseHandle.KERNEL32 ref: 004053E7
                                  • CloseHandle.KERNEL32 ref: 004053EF
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CloseCriticalHandleSection$CreatePipe$EnterFileInit_thread_footerLeaveProcessSleep$NamedPeekReadTerminateWrite__onexitsend
                                  • String ID: (\G$SystemDrive$cmd.exe$p\G$p\G$p\G$p\G$p\G
                                  • API String ID: 3815868655-1274243119
                                  • Opcode ID: 8cd6bbeebd9e9caaf9f123fd2fe0eeab76399212a4f0088d548ca011392efa26
                                  • Instruction ID: e174317c0cfdf92f2f57875e471bcaa01af682fbbee25a17085fe39bc952a1f7
                                  • Opcode Fuzzy Hash: 8cd6bbeebd9e9caaf9f123fd2fe0eeab76399212a4f0088d548ca011392efa26
                                  • Instruction Fuzzy Hash: 97910971504705AFD701BB25EC45A2F37A8EB84344F50443FF94ABA2E2DABC9D448B6E
                                  APIs
                                  • GetCurrentProcessId.KERNEL32 ref: 00410F45
                                    • Part of subcall function 004127D5: RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
                                    • Part of subcall function 004127D5: RegSetValueExA.KERNEL32(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
                                    • Part of subcall function 004127D5: RegCloseKey.ADVAPI32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809
                                  • OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 00410F81
                                  • CreateThread.KERNEL32(00000000,00000000,00411637,00000000,00000000,00000000), ref: 00410FE6
                                    • Part of subcall function 004124B7: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 004124D7
                                    • Part of subcall function 004124B7: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,004742F8), ref: 004124F5
                                    • Part of subcall function 004124B7: RegCloseKey.KERNEL32(?), ref: 00412500
                                  • CloseHandle.KERNEL32(00000000), ref: 00410F90
                                    • Part of subcall function 0041A696: GetLocalTime.KERNEL32(00000000), ref: 0041A6B0
                                  • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 0041125A
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CloseOpen$CreateProcessValue$CurrentHandleLocalMutexQueryThreadTime
                                  • String ID: 0DG$Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe$BG
                                  • API String ID: 65172268-860466531
                                  • Opcode ID: 9350a0bfaaa346c981537caebe022d0b66937e050ede51e08580dc4a1b0d10a8
                                  • Instruction ID: cd90af3caa6d69ca3e9ea8718b5663318d6259183dea3b669bddfb6979e5fbe1
                                  • Opcode Fuzzy Hash: 9350a0bfaaa346c981537caebe022d0b66937e050ede51e08580dc4a1b0d10a8
                                  • Instruction Fuzzy Hash: 9F718E316042415BC614FB32D8579AE77A4AED4718F40053FF582A21F2EF7CAA49C69F
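A check worth doing before lifting the String ID fields above into a YARA rule: the three-character tokens in them ("(\G", "p\G", "H@G", "x@G", "0DG") are not strings the sample uses. They are 32-bit constants whose bytes happen to be printable ASCII and which the disassembler's string heuristic picked up; read little-endian they are image addresses. "(\G" is 0x00475C28, the ninth argument of the CreateProcessA call in the same function, and the "TUF" shown as an argument of RegCreateKeyA is 0x00465554, the last argument of the RegSetValueExA call beneath it. The following Python is an added example for this report, not Joe Sandbox code: it decodes such tokens, keeps only those that fall in an assumed image range (taken from the dump base 0x400000 and the 0x46xxxx-0x47xxxx data references on this page; replace IMAGE_HI with base plus SizeOfImage when known) and corroborates each against the addresses the record's own API calls use. The sample record is condensed from the cmd.exe pipe-shell function above.

```python
"""Tell real strings from pointer residue in a Joe Sandbox "String ID" field.

Added example, not Joe Sandbox code. IMAGE_LO/IMAGE_HI are an assumption from
the dump base 0x400000 and the 0x46xxxx-0x47xxxx data references in this report.
"""
import re
import struct

IMAGE_LO = 0x00400000   # base of dump ...0000000000400000.sdmp
IMAGE_HI = 0x00500000   # assumed upper bound; replace with base + SizeOfImage

HEX32 = re.compile(r"\b[0-9A-F]{8}\b")
STRING_ID = re.compile(r"String ID:\s*(.*)")


def pointer_value(token):
    """Little-endian 32-bit value of a 3- or 4-char printable ASCII token, else None.

    Two-character leftovers such as "BG" or ">G" lost a non-printable byte and
    cannot be decoded unambiguously, so they are left alone.
    """
    if len(token) not in (3, 4) or not token.isascii() or not token.isprintable():
        return None
    raw = token.encode("ascii").ljust(4, b"\x00")  # a 3-char token has a zero high byte
    return struct.unpack("<I", raw)[0]


def referenced_addresses(record_text):
    """All 8-hex-digit values in the record's API argument lists and ref: fields."""
    return {int(h, 16) for h in HEX32.findall(record_text)}


def classify_string_ids(record_text):
    """Split the String ID list into (kind, token, value, corroborated) tuples.

    kind is 'pointer' when the token decodes into the image range, else 'string';
    corroborated is True when a call in the same record uses that exact address.
    """
    m = STRING_ID.search(record_text)
    tokens = [t for t in m.group(1).split("$") if t] if m else []
    refs = referenced_addresses(record_text)
    out = []
    for tok in tokens:
        val = pointer_value(tok)
        if val is not None and IMAGE_LO <= val < IMAGE_HI:
            out.append(("pointer", tok, val, val in refs))
        else:
            out.append(("string", tok, None, False))
    return out


def real_strings(record_text):
    """Only the tokens worth putting in a YARA rule or a report."""
    return [tok for kind, tok, _, _ in classify_string_ids(record_text) if kind == "string"]


# Constructed input: the cmd.exe pipe-shell record above, condensed.
SAMPLE = r"""
• CreatePipe.KERNEL32(00475D0C,00475CF4,00475C18,00000000,0046556C,00000000), ref: 0040515E
• CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00475C28,00475CFC), ref: 004051E7
• String ID: (\G$SystemDrive$cmd.exe$p\G$p\G$p\G$p\G$p\G
"""

if __name__ == "__main__":
    for kind, tok, val, ok in classify_string_ids(SAMPLE):
        extra = f" -> 0x{val:08X}{' (matches a call argument)' if ok else ''}" if val else ""
        print(f"{kind:7} {tok!r}{extra}")
```

The range test alone can misclassify a genuine three-letter string whose last byte is 0x40-0x4F, so treat an uncorroborated "pointer" as a hint and check the disassembly at that address before dropping it.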
                                  APIs
                                  • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040B3B4
                                  • FindClose.KERNEL32(00000000), ref: 0040B3CE
                                  • FindNextFileA.KERNEL32(00000000,?), ref: 0040B4F1
                                  • FindClose.KERNEL32(00000000), ref: 0040B517
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Find$CloseFile$FirstNext
                                  • String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
                                  • API String ID: 1164774033-3681987949
                                  • Opcode ID: d31dc0994ab30dcfd54242808f5dccdbe37c143db5f301c056987ee8bc4f95bd
                                  • Instruction ID: 6ff196721abdd8e0f3db8d3f3c96df629808f1f9148939b99990ee587e15bfec
                                  • Opcode Fuzzy Hash: d31dc0994ab30dcfd54242808f5dccdbe37c143db5f301c056987ee8bc4f95bd
                                  • Instruction Fuzzy Hash: 31512C319042195ADB14FBA1EC96AEE7768EF50318F50007FF805B31E2EF389A45CA9D
                                  APIs
                                  • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040B5B2
                                  • FindClose.KERNEL32(00000000), ref: 0040B5CC
                                  • FindNextFileA.KERNEL32(00000000,?), ref: 0040B68C
                                  • FindClose.KERNEL32(00000000), ref: 0040B6B2
                                  • FindClose.KERNEL32(00000000), ref: 0040B6D1
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Find$Close$File$FirstNext
                                  • String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                  • API String ID: 3527384056-432212279
                                  • Opcode ID: d22135443ec3619cb2b9c334a04a2bc6f2d5b008a30f7aac8bfac88d4055024f
                                  • Instruction ID: 007be0ece90fca0e9f39ea1f272cf2b8da877aadfcc1370f70eac597690c30d9
                                  • Opcode Fuzzy Hash: d22135443ec3619cb2b9c334a04a2bc6f2d5b008a30f7aac8bfac88d4055024f
                                  • Instruction Fuzzy Hash: A7414B319042196ACB14F7A1EC569EE7768EF21318F50017FF801B31E2EF399A45CA9E
                                  APIs
                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,?,?,00474358), ref: 0040E233
                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,00474358), ref: 0040E25E
                                  • Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040E27A
                                  • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E2FD
                                  • CloseHandle.KERNEL32(00000000,?,?,00474358), ref: 0040E30C
                                    • Part of subcall function 004127D5: RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
                                    • Part of subcall function 004127D5: RegSetValueExA.KERNEL32(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
                                    • Part of subcall function 004127D5: RegCloseKey.ADVAPI32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809
                                  • CloseHandle.KERNEL32(00000000,?,?,00474358), ref: 0040E371
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Close$CreateHandleProcess32$FileFirstModuleNameNextSnapshotToolhelp32Value
                                  • String ID: C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe$BG
                                  • API String ID: 726551946-3025026198
                                  • Opcode ID: 4a678bf591e4b073bad77d61a16c88d6c6538d5c61b7572df8285ad76feeffde
                                  • Instruction ID: ff5f769c9d2eb9d60ee5c92f3007ac3329fe223f24fa54890becbfeace6a8f7f
                                  • Opcode Fuzzy Hash: 4a678bf591e4b073bad77d61a16c88d6c6538d5c61b7572df8285ad76feeffde
                                  • Instruction Fuzzy Hash: 647182311083019BC714FB61D8519EF77A5BF91358F400D3EF986631E2EF38A919CA9A
                                  APIs
                                  • OpenClipboard.USER32 ref: 004159C7
                                  • EmptyClipboard.USER32 ref: 004159D5
                                  • GlobalAlloc.KERNEL32(00002000,-00000002), ref: 004159F5
                                  • GlobalLock.KERNEL32(00000000), ref: 004159FE
                                  • GlobalUnlock.KERNEL32(00000000), ref: 00415A34
                                  • SetClipboardData.USER32(0000000D,00000000), ref: 00415A3D
                                  • CloseClipboard.USER32 ref: 00415A5A
                                  • OpenClipboard.USER32 ref: 00415A61
                                  • GetClipboardData.USER32(0000000D), ref: 00415A71
                                  • GlobalLock.KERNEL32(00000000), ref: 00415A7A
                                  • GlobalUnlock.KERNEL32(00000000), ref: 00415A83
                                  • CloseClipboard.USER32 ref: 00415A89
                                    • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
                                  • String ID:
                                  • API String ID: 3520204547-0
                                  • Opcode ID: b229eecd7f5f368363f49aac189717c0758c1b66ee9c9f0eb92ac6ae0fc6aaec
                                  • Instruction ID: 65deba99f03779ab530566add8b8501f772d12743f07501a5a0e0bdfe921cf26
                                  • Opcode Fuzzy Hash: b229eecd7f5f368363f49aac189717c0758c1b66ee9c9f0eb92ac6ae0fc6aaec
                                  • Instruction Fuzzy Hash: 232183712043009BC714BBB1EC5AAAE76A9AF80752F00453EFD06961E2EF38C845D66A
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: 0$1$2$3$4$5$6$7
                                  • API String ID: 0-3177665633
                                  • Opcode ID: eb0228fa31f86a03f128981edebf5efc69ad907c47aa728b7f3ab7f186b6d359
                                  • Instruction ID: 8a7243103da74f60d5bbefacb9012cb64624b509857c51ebf6f1776beea37390
                                  • Opcode Fuzzy Hash: eb0228fa31f86a03f128981edebf5efc69ad907c47aa728b7f3ab7f186b6d359
                                  • Instruction Fuzzy Hash: EE61B470508301AEDB00EF21C862FEE77E4AF95754F40485EF591672E2DB78AA48C797
                                  APIs
                                  • GetForegroundWindow.USER32 ref: 00409B3F
                                  • GetWindowThreadProcessId.USER32(00000000,?), ref: 00409B4B
                                  • GetKeyboardLayout.USER32(00000000), ref: 00409B52
                                  • GetKeyState.USER32(00000010), ref: 00409B5C
                                  • GetKeyboardState.USER32(?), ref: 00409B67
                                  • ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 00409B8A
                                  • ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 00409BE3
                                  • ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 00409C1C
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Similarity
                                  • API ID: Unicode$KeyboardStateWindow$ForegroundLayoutProcessThread
                                  • String ID: X[G
                                  • API String ID: 1888522110-739899062
                                  • Opcode ID: d91d0540f812f4871974057b5933cd142222a9cf3d101d705a5052a8f4d3ab48
                                  • Instruction ID: b3d75429b008435a5e1dd269aa2dc422b6d7dab2ccd5499d38c457950c038251
                                  • Opcode Fuzzy Hash: d91d0540f812f4871974057b5933cd142222a9cf3d101d705a5052a8f4d3ab48
                                  • Instruction Fuzzy Hash: 7C318F72544308AFE700DF90EC45FDBBBECEB48715F00083ABA45961A1D7B5E948DBA6
                                  APIs
                                  • _wcslen.LIBCMT ref: 00406788
                                  • CoGetObject.OLE32(?,00000024,004659B0,00000000), ref: 004067E9
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Similarity
                                  • API ID: Object_wcslen
                                  • String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
                                  • API String ID: 240030777-3166923314
                                  • Opcode ID: fb4b37c01a82ea3e6f4d6ea97501aa73dd573a9fa8d004a292a27325ecfbba87
                                  • Instruction ID: 8131e8b3f96e11b5c9c7103c6ecb9350ac77814929071503a065d606a7b617cc
                                  • Opcode Fuzzy Hash: fb4b37c01a82ea3e6f4d6ea97501aa73dd573a9fa8d004a292a27325ecfbba87
                                  • Instruction Fuzzy Hash: A11170B2901118AEDB10FAA58849A9EB7BCDB48714F55007BE905F3281E77C9A148A7D
                                  APIs
                                  • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,00474918), ref: 004198E8
                                  • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 00419937
                                  • GetLastError.KERNEL32 ref: 00419945
                                  • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 0041997D
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Similarity
                                  • API ID: EnumServicesStatus$ErrorLastManagerOpen
                                  • String ID:
                                  • API String ID: 3587775597-0
                                  • Opcode ID: 9221a97e37ce63e1dfc2a590e15a2d383158a23c63d16956968e5530d48b3d55
                                  • Instruction ID: 19b9a1677c56063b65225fc9a0f34bb07ffc83518ef4baa2b379b487d5559ddd
                                  • Opcode Fuzzy Hash: 9221a97e37ce63e1dfc2a590e15a2d383158a23c63d16956968e5530d48b3d55
                                  • Instruction Fuzzy Hash: 84813F711083049BC714FB21DC959AFB7A8BF94718F50493EF582521E2EF78EA05CB9A
                                  APIs
                                  • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 00409A01
                                  • SetWindowsHookExA.USER32(0000000D,004099D0,00000000), ref: 00409A0F
                                  • GetLastError.KERNEL32 ref: 00409A1B
                                    • Part of subcall function 0041A696: GetLocalTime.KERNEL32(00000000), ref: 0041A6B0
                                  • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00409A6B
                                  • TranslateMessage.USER32(?), ref: 00409A7A
                                  • DispatchMessageA.USER32(?), ref: 00409A85
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Similarity
                                  • API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
                                  • String ID: Keylogger initialization failure: error $`Wu
                                  • API String ID: 3219506041-303027793
                                  • Opcode ID: b74c3dc71f70a9bf2cd1c948d442c303f38e51d857cdf486f3a00ad27f425dcb
                                  • Instruction ID: 51093fa3456b5fa5e68b97b38f4420b838fb12217e42543f2b1c539fb4fc9beb
                                  • Opcode Fuzzy Hash: b74c3dc71f70a9bf2cd1c948d442c303f38e51d857cdf486f3a00ad27f425dcb
                                  • Instruction Fuzzy Hash: 281194716043015FC710AB7AAC4996B77ECAB94B15B10057FFC45D2291FB34DE01CBAA
                                  APIs
                                  • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B499
                                  • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B4CB
                                  • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B539
                                  • DeleteFileW.KERNEL32(?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B546
                                    • Part of subcall function 0041B43F: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B51C
                                  • FindClose.KERNEL32(00000000,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B571
                                  • RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B578
                                  • GetLastError.KERNEL32(?,?,?,?,?,?,004742E0,004742F8), ref: 0041B580
                                  • FindClose.KERNEL32(00000000,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B593
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Similarity
                                  • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
                                  • String ID:
                                  • API String ID: 2341273852-0
                                  • Opcode ID: 0297631c5ee8ecb1d1a4c9aeac50dc6e63fd93f3a2d20230b54752594d88c721
                                  • Instruction ID: 0b65015344b940e71c8db0708908b2546b6e9c6134e65c3d42cb3d4753665141
                                  • Opcode Fuzzy Hash: 0297631c5ee8ecb1d1a4c9aeac50dc6e63fd93f3a2d20230b54752594d88c721
                                  • Instruction Fuzzy Hash: 4D31937180921C6ACB20D771AC49FDA77BCAF08304F4405EBF505D3182EB799AC4CA69
                                  APIs
                                  • RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 0041301A
                                  • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 00413026
                                    • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                  • LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 004131ED
                                  • GetProcAddress.KERNEL32(00000000), ref: 004131F4
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Similarity
                                  • API ID: AddressCloseCreateLibraryLoadProcsend
                                  • String ID: SHDeleteKeyW$Shlwapi.dll
                                  • API String ID: 2127411465-314212984
                                  • Opcode ID: 3d5d85589f288751b747da18e3261fc8bbb1cc723702bb643045872f452b8079
                                  • Instruction ID: 77d0e0f665ec2cae06f71cdba8331079b705a8b2343c1238c9795aa136ea70b2
                                  • Opcode Fuzzy Hash: 3d5d85589f288751b747da18e3261fc8bbb1cc723702bb643045872f452b8079
                                  • Instruction Fuzzy Hash: 0AB1B571A043006BC614BA75CC979BE76989F94718F40063FF946B31E2EF7C9A4486DB
                                  APIs
                                  • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040B257
                                  • GetLastError.KERNEL32 ref: 0040B261
                                  Strings
                                  • UserProfile, xrefs: 0040B227
                                  • \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040B222
                                  • [Chrome StoredLogins not found], xrefs: 0040B27B
                                  • [Chrome StoredLogins found, cleared!], xrefs: 0040B287
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Similarity
                                  • API ID: DeleteErrorFileLast
                                  • String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
                                  • API String ID: 2018770650-1062637481
                                  • Opcode ID: d6b26b2fc00cbdbf6c62eaeae4a3d61b585e2547b48eec92df3cc9bf4f0242e8
                                  • Instruction ID: b4925b9b145212f78872d6bf605c5cdf000d45b1535ad2fa459343da0bf9ff5a
                                  • Opcode Fuzzy Hash: d6b26b2fc00cbdbf6c62eaeae4a3d61b585e2547b48eec92df3cc9bf4f0242e8
                                  • Instruction Fuzzy Hash: 8C01623168410597CA0577B5ED6F8AE3624E921718F50017FF802731E6FF7A9A0586DE
                                  APIs
                                  • GetCurrentProcess.KERNEL32(00000028,?), ref: 00416AC4
                                  • OpenProcessToken.ADVAPI32(00000000), ref: 00416ACB
                                  • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00416ADD
                                  • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00416AFC
                                  • GetLastError.KERNEL32 ref: 00416B02
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Similarity
                                  • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                                  • String ID: SeShutdownPrivilege
                                  • API String ID: 3534403312-3733053543
                                  • Opcode ID: e04eb0b34037921419aad719b93aaa051d7dc20f4e189cf25d4eb9764effedfd
                                  • Instruction ID: c28276ca820f5d67da4083ad645d4fedab17ddc29f560671af9b7c8b6b4fa774
                                  • Opcode Fuzzy Hash: e04eb0b34037921419aad719b93aaa051d7dc20f4e189cf25d4eb9764effedfd
                                  • Instruction Fuzzy Hash: 25F0D4B5805229BBDB10ABA1EC4DEEF7EBCEF05656F100061B805E2192D6748A44CAB5
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 004089AE
                                    • Part of subcall function 004041F1: socket.WS2_32(?,00000001,00000006), ref: 00404212
                                    • Part of subcall function 0040428C: connect.WS2_32(?,?,?), ref: 004042A5
                                  • FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 00408A8D
                                  • FindNextFileW.KERNEL32(00000000,?), ref: 00408AE0
                                  • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 00408AF7
                                    • Part of subcall function 00404468: WaitForSingleObject.KERNEL32(?,00000000,LAL,?,?,00000004,?,?,00000004,00473EE8,004745A8,00000000), ref: 0040450E
                                    • Part of subcall function 00404468: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00473EE8,004745A8,00000000,?,?,?,?,?,00414CE9), ref: 0040453C
                                    • Part of subcall function 004047EB: WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 004047FD
                                    • Part of subcall function 004047EB: SetEvent.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404808
                                    • Part of subcall function 004047EB: CloseHandle.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404811
                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 00408DA1
                                    • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Similarity
                                  • API ID: Find$CloseEventFileObjectSingleWait$Exception@8FirstH_prologHandleNextThrowconnectsendsocket
                                  • String ID:
                                  • API String ID: 4043647387-0
                                  • Opcode ID: 6f3eccfca96d4b142c060df322bd8414f790790a966ee1a681bdbc2f09e147d7
                                  • Instruction ID: 093ddd6807f9b365337d5cb0cb3505b04edbc5c9b0fee964739ae84c01535933
                                  • Opcode Fuzzy Hash: 6f3eccfca96d4b142c060df322bd8414f790790a966ee1a681bdbc2f09e147d7
                                  • Instruction Fuzzy Hash: 50A15C729001089ACB14EBA1DD92AEDB778AF54318F10427FF506B71D2EF385E498B98
                                  APIs
                                  • OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,?,?,0041982A,00000000,00000000), ref: 00419BDD
                                  • OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,?,0041982A,00000000,00000000), ref: 00419BF2
                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,0041982A,00000000,00000000), ref: 00419BFF
                                  • StartServiceW.ADVAPI32(00000000,00000000,00000000,?,?,0041982A,00000000,00000000), ref: 00419C0A
                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,0041982A,00000000,00000000), ref: 00419C1C
                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,0041982A,00000000,00000000), ref: 00419C1F
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Similarity
                                  • API ID: Service$CloseHandle$Open$ManagerStart
                                  • String ID:
                                  • API String ID: 276877138-0
                                  • Opcode ID: d0335b8e3d7468fec46ab29645fca41a8d5a3df9c65c6e17278e64ff330a848c
                                  • Instruction ID: 029754fb73528063a62336f1848e5bb122dc48601db67947cc2268dfcf3d9ab0
                                  • Opcode Fuzzy Hash: d0335b8e3d7468fec46ab29645fca41a8d5a3df9c65c6e17278e64ff330a848c
                                  • Instruction Fuzzy Hash: 2EF089755053146FD2115B31FC88DBF2AECEF85BA6B00043AF54193191DB68CD4595F5
                                  APIs
                                  • FindFirstFileW.KERNEL32(00000000,?), ref: 00418ECF
                                  • FindNextFileW.KERNEL32(00000000,?,?), ref: 00418F9B
                                    • Part of subcall function 0041B62A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B643
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Similarity
                                  • API ID: File$Find$CreateFirstNext
                                  • String ID: @CG$XCG$>G
                                  • API String ID: 341183262-3030817687
                                  • Opcode ID: c0dacc97b84158c7d45d92c31c25591959a82423881f90f3d71fa8b0818c424b
                                  • Instruction ID: 4fcfe6ad4d4b9cbb37a9178feb6c4e4542e518df657a804f5f9e1d603b628f73
                                  • Opcode Fuzzy Hash: c0dacc97b84158c7d45d92c31c25591959a82423881f90f3d71fa8b0818c424b
                                  • Instruction Fuzzy Hash: 408153315042405BC314FB61C892EEF73A9AFD1718F50493FF946671E2EF389A49C69A
                                  APIs
                                    • Part of subcall function 00416AB7: GetCurrentProcess.KERNEL32(00000028,?), ref: 00416AC4
                                    • Part of subcall function 00416AB7: OpenProcessToken.ADVAPI32(00000000), ref: 00416ACB
                                    • Part of subcall function 00416AB7: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00416ADD
                                    • Part of subcall function 00416AB7: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00416AFC
                                    • Part of subcall function 00416AB7: GetLastError.KERNEL32 ref: 00416B02
                                  • ExitWindowsEx.USER32(00000000,00000001), ref: 0041595B
                                  • LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 00415970
                                  • GetProcAddress.KERNEL32(00000000), ref: 00415977
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Similarity
                                  • API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
                                  • String ID: PowrProf.dll$SetSuspendState
                                  • API String ID: 1589313981-1420736420
                                  • Opcode ID: df8b207651d327b52872d4944338054bfaf40e95f0964e0c8296abddc2e90af7
                                  • Instruction ID: a9af72b6b9eaf8561cd509fc4cf8b1c610007ddf0d7e7dc7bbe2947ee761077a
                                  • Opcode Fuzzy Hash: df8b207651d327b52872d4944338054bfaf40e95f0964e0c8296abddc2e90af7
                                  • Instruction Fuzzy Hash: B22161B0604741E6CA14F7B19856AFF225A9F80748F40883FB402A71D2EF7CDC89865F
                                  APIs
                                  • GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,00451512,?,00000000), ref: 0045128C
                                  • GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,00451512,?,00000000), ref: 004512B5
                                  • GetACP.KERNEL32(?,?,00451512,?,00000000), ref: 004512CA
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Similarity
                                  • API ID: InfoLocale
                                  • String ID: ACP$OCP
                                  • API String ID: 2299586839-711371036
                                  • Opcode ID: 3e26eff85c0b030be7827b2fbb91fc7191fc27f2fce1bf15d40cdf94764cc661
                                  • Instruction ID: c7787d6075dc192170befbe1ddc6ff7be643600d5f5c624e054d22ce072cfab5
                                  • Opcode Fuzzy Hash: 3e26eff85c0b030be7827b2fbb91fc7191fc27f2fce1bf15d40cdf94764cc661
                                  • Instruction Fuzzy Hash: 9621C432A00100A7DB348F55C900B9773A6AF54B66F5685E6FC09F7232E73ADD49C399
                                  APIs
                                  • FindResourceA.KERNEL32(SETTINGS,0000000A,00000000), ref: 0041A660
                                  • LoadResource.KERNEL32(00000000,?,?,0040E183,00000000), ref: 0041A674
                                  • LockResource.KERNEL32(00000000,?,?,0040E183,00000000), ref: 0041A67B
                                  • SizeofResource.KERNEL32(00000000,?,?,0040E183,00000000), ref: 0041A68A
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Similarity
                                  • API ID: Resource$FindLoadLockSizeof
                                  • String ID: SETTINGS
                                  • API String ID: 3473537107-594951305
                                  • Opcode ID: e32b0715ad7aadeb38a8c4a618404dc1e86643bbbf9351d1ef3d996740a46f90
                                  • Instruction ID: 54a99f42213d160abf76577abca5e20a835261b5cb21c96a6540e7550e34f59b
                                  • Opcode Fuzzy Hash: e32b0715ad7aadeb38a8c4a618404dc1e86643bbbf9351d1ef3d996740a46f90
                                  • Instruction Fuzzy Hash: F3E09A7A604710ABCB211BA5BC8CD477E39E786763714403AF90592331DA359850DA59
                                  APIs
                                    • Part of subcall function 00446ECF: GetLastError.KERNEL32(?,?,0043932C,?,?,?,0043E4DD,?,?,?,?,00000000,?,?,0042CE63,0000003B), ref: 00446ED3
                                    • Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F06
                                    • Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,0043E4DD,?,?,?,?,00000000,?,?,0042CE63,0000003B,?,00000041,00000000,00000000), ref: 00446F47
                                    • Part of subcall function 00446ECF: _abort.LIBCMT ref: 00446F4D
                                    • Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F2E
                                    • Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,0043E4DD,?,?,?,?,00000000,?,?,0042CE63,0000003B,?,00000041,00000000,00000000), ref: 00446F3B
                                  • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 004514D3
                                  • IsValidCodePage.KERNEL32(00000000), ref: 0045152E
                                  • IsValidLocale.KERNEL32(?,00000001), ref: 0045153D
                                  • GetLocaleInfoW.KERNEL32(?,00001001,00443CFC,00000040,?,00443E1C,00000055,00000000,?,?,00000055,00000000), ref: 00451585
                                  • GetLocaleInfoW.KERNEL32(?,00001002,00443D7C,00000040), ref: 004515A4
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Similarity
                                  • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                                  • String ID:
                                  • API String ID: 745075371-0
                                  • Opcode ID: 5c8e94395c66df2641350def7a129c2a5847567c9c00908226c609ff7e549d11
                                  • Instruction ID: 411f265c59fe6ea8e7a4a7f389aa671ff947d679512e0c94986e3a05ae8bdf1c
                                  • Opcode Fuzzy Hash: 5c8e94395c66df2641350def7a129c2a5847567c9c00908226c609ff7e549d11
                                  • Instruction Fuzzy Hash: 4951B331900205ABDB20EFA5CC41BBF73B8AF05306F14456BFD11DB262D7789948CB69
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 00407A91
                                  • FindFirstFileW.KERNEL32(00000000,?,00465AA0,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B4A
                                  • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B6E
                                  • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407C76
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Similarity
                                  • API ID: Find$File$CloseFirstH_prologNext
                                  • String ID:
                                  • API String ID: 1157919129-0
                                  • Opcode ID: 83a04e897456c06476c0188e1b3c165a288fac2d66b8657447a90d53acfeb016
                                  • Instruction ID: 8d2d5af9b240bd76912c5a42ed9d01478aca41623b4ca31e05b92188a1ecdcc3
                                  • Opcode Fuzzy Hash: 83a04e897456c06476c0188e1b3c165a288fac2d66b8657447a90d53acfeb016
                                  • Instruction Fuzzy Hash: EE5172329041089ACB14FBA5DD969ED7778AF50318F50017EB806B31D2EF3CAB498B99
                                  APIs
                                  • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045D478), ref: 00448089
                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,0047179C,000000FF,00000000,0000003F,00000000,?,?), ref: 00448101
                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,004717F0,000000FF,?,0000003F,00000000,?), ref: 0044812E
                                  • _free.LIBCMT ref: 00448077
                                    • Part of subcall function 00446AD5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FA60,?,00000000,?,00000000,?,0044FD04,?,00000007,?,?,00450215,?), ref: 00446AEB
                                    • Part of subcall function 00446AD5: GetLastError.KERNEL32(?,?,0044FA60,?,00000000,?,00000000,?,0044FD04,?,00000007,?,?,00450215,?,?), ref: 00446AFD
                                  • _free.LIBCMT ref: 00448243
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Similarity
                                  • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                                  • String ID:
                                  • API String ID: 1286116820-0
                                  APIs
                                  • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00406234
                                  • URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 00406318
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: DownloadExecuteFileShell
                                  • String ID: C:\Users\user\Desktop\preliminary drawing.pif.exe$open
                                  • API String ID: 2825088817-2974482943
                                  APIs
                                  • FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00406ADD
                                  • FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00406BA5
                                    • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: FileFind$FirstNextsend
                                  • String ID: x@G$x@G
                                  • API String ID: 4113138495-3390264752
                                  APIs
                                  • SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041BC7C
                                    • Part of subcall function 004126D2: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 004126E1
                                    • Part of subcall function 004126D2: RegSetValueExA.KERNEL32(?,HgF,00000000,?,00000000,00000000,004742F8,?,?,0040E5FB,00466748,5.3.0 Pro), ref: 00412709
                                    • Part of subcall function 004126D2: RegCloseKey.KERNEL32(?,?,?,0040E5FB,00466748,5.3.0 Pro), ref: 00412714
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CloseCreateInfoParametersSystemValue
                                  • String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
                                  • API String ID: 4127273184-3576401099
                                  APIs
                                    • Part of subcall function 00446ECF: GetLastError.KERNEL32(?,?,0043932C,?,?,?,0043E4DD,?,?,?,?,00000000,?,?,0042CE63,0000003B), ref: 00446ED3
                                    • Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F06
                                    • Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,0043E4DD,?,?,?,?,00000000,?,?,0042CE63,0000003B,?,00000041,00000000,00000000), ref: 00446F47
                                    • Part of subcall function 00446ECF: _abort.LIBCMT ref: 00446F4D
                                  • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00443D03,?,?,?,?,?,?,00000004), ref: 00450B71
                                  • _wcschr.LIBVCRUNTIME ref: 00450C01
                                  • _wcschr.LIBVCRUNTIME ref: 00450C0F
                                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,00443D03,00000000,00443E23), ref: 00450CB2
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
                                  • String ID:
                                  • API String ID: 4212172061-0
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 00408DAC
                                  • FindFirstFileW.KERNEL32(00000000,?), ref: 00408E24
                                  • FindNextFileW.KERNEL32(00000000,?), ref: 00408E4D
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: FileFind$FirstH_prologNext
                                  • String ID:
                                  • API String ID: 301083792-0
                                  APIs
                                    • Part of subcall function 00446ECF: GetLastError.KERNEL32(?,?,0043932C,?,?,?,0043E4DD,?,?,?,?,00000000,?,?,0042CE63,0000003B), ref: 00446ED3
                                    • Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F06
                                    • Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,0043E4DD,?,?,?,?,00000000,?,?,0042CE63,0000003B,?,00000041,00000000,00000000), ref: 00446F47
                                    • Part of subcall function 00446ECF: _abort.LIBCMT ref: 00446F4D
                                    • Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F2E
                                    • Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,0043E4DD,?,?,?,?,00000000,?,?,0042CE63,0000003B,?,00000041,00000000,00000000), ref: 00446F3B
                                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00450ECE
                                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00450F1F
                                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00450FDF
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ErrorInfoLastLocale$_free$_abort
                                  • String ID:
                                  • API String ID: 2829624132-0
                                  APIs
                                  • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 0043A765
                                  • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 0043A76F
                                  • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 0043A77C
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                  • String ID:
                                  • API String ID: 3906539128-0
                                  APIs
                                  • GetCurrentProcess.KERNEL32(?,?,0044253A,?), ref: 00442585
                                  • TerminateProcess.KERNEL32(00000000,?,0044253A,?), ref: 0044258C
                                  • ExitProcess.KERNEL32 ref: 0044259E
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Process$CurrentExitTerminate
                                  • String ID:
                                  • API String ID: 1703294689-0
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: .
                                  • API String ID: 0-248832578
                                  APIs
                                  • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,?,?,00000004), ref: 004475FA
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: InfoLocale
                                  • String ID: GetLocaleInfoEx
                                  • API String ID: 2299586839-2904428671
                                  APIs
                                    • Part of subcall function 00446ECF: GetLastError.KERNEL32(?,?,0043932C,?,?,?,0043E4DD,?,?,?,?,00000000,?,?,0042CE63,0000003B), ref: 00446ED3
                                    • Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F06
                                    • Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,0043E4DD,?,?,?,?,00000000,?,?,0042CE63,0000003B,?,00000041,00000000,00000000), ref: 00446F47
                                    • Part of subcall function 00446ECF: _abort.LIBCMT ref: 00446F4D
                                    • Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F2E
                                    • Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,0043E4DD,?,?,?,?,00000000,?,?,0042CE63,0000003B,?,00000041,00000000,00000000), ref: 00446F3B
                                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0045111E
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ErrorLast$_free$InfoLocale_abort
                                  • String ID:
                                  • API String ID: 1663032902-0
                                  APIs
                                    • Part of subcall function 00446ECF: GetLastError.KERNEL32(?,?,0043932C,?,?,?,0043E4DD,?,?,?,?,00000000,?,?,0042CE63,0000003B), ref: 00446ED3
                                    • Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F06
                                    • Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,0043E4DD,?,?,?,?,00000000,?,?,0042CE63,0000003B,?,00000041,00000000,00000000), ref: 00446F47
                                    • Part of subcall function 00446ECF: _abort.LIBCMT ref: 00446F4D
                                  • EnumSystemLocalesW.KERNEL32(00450E7A,00000001,00000000,?,00443CFC,?,004514A7,00000000,?,?,?), ref: 00450DC4
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                  • String ID:
                                  • API String ID: 1084509184-0
                                  APIs
                                    • Part of subcall function 00446ECF: GetLastError.KERNEL32(?,?,0043932C,?,?,?,0043E4DD,?,?,?,?,00000000,?,?,0042CE63,0000003B), ref: 00446ED3
                                    • Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F06
                                    • Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,0043E4DD,?,?,?,?,00000000,?,?,0042CE63,0000003B,?,00000041,00000000,00000000), ref: 00446F47
                                    • Part of subcall function 00446ECF: _abort.LIBCMT ref: 00446F4D
                                  • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00451098,00000000,00000000,?), ref: 00451326
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ErrorLast$InfoLocale_abort_free
                                  • String ID:
                                  • API String ID: 2692324296-0
                                  APIs
                                    • Part of subcall function 00446ECF: GetLastError.KERNEL32(?,?,0043932C,?,?,?,0043E4DD,?,?,?,?,00000000,?,?,0042CE63,0000003B), ref: 00446ED3
                                    • Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F06
                                    • Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,0043E4DD,?,?,?,?,00000000,?,?,0042CE63,0000003B,?,00000041,00000000,00000000), ref: 00446F47
                                    • Part of subcall function 00446ECF: _abort.LIBCMT ref: 00446F4D
                                  • EnumSystemLocalesW.KERNEL32(004510CA,00000001,?,?,00443CFC,?,0045146B,00443CFC,?,?,?,?,?,00443CFC,?,?), ref: 00450E39
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                  • String ID:
                                  • API String ID: 1084509184-0
                                  APIs
                                    • Part of subcall function 00444ADC: EnterCriticalSection.KERNEL32(?,?,0044226B,00000000,0046DAC0,0000000C,00442226,?,?,?,00448749,?,?,00446F84,00000001,00000364), ref: 00444AEB
                                  • EnumSystemLocalesW.KERNEL32(00447078,00000001,0046DC48,0000000C), ref: 004470F6
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CriticalEnterEnumLocalesSectionSystem
                                  • String ID:
                                  • API String ID: 1272433827-0
                                  APIs
                                    • Part of subcall function 00446ECF: GetLastError.KERNEL32(?,?,0043932C,?,?,?,0043E4DD,?,?,?,?,00000000,?,?,0042CE63,0000003B), ref: 00446ED3
                                    • Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F06
                                    • Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,0043E4DD,?,?,?,?,00000000,?,?,0042CE63,0000003B,?,00000041,00000000,00000000), ref: 00446F47
                                    • Part of subcall function 00446ECF: _abort.LIBCMT ref: 00446F4D
                                  • EnumSystemLocalesW.KERNEL32(00450C5E,00000001,?,?,?,004514C9,00443CFC,?,?,?,?,?,00443CFC,?,?,?), ref: 00450D3E
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                  • String ID:
                                  • API String ID: 1084509184-0
                                  APIs
                                  • SetUnhandledExceptionFilter.KERNEL32(Function_00033CF3,004339C1), ref: 00433CEC
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ExceptionFilterUnhandled
                                  • String ID:
                                  • API String ID: 3192549508-0
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: HeapProcess
                                  • String ID:
                                  • API String ID: 54951025-0
                                  APIs
                                  • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00417FC9
                                  • CreateCompatibleDC.GDI32(00000000), ref: 00417FD4
                                    • Part of subcall function 00418462: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 00418492
                                  • CreateCompatibleBitmap.GDI32(?,00000000), ref: 00418055
                                  • DeleteDC.GDI32(?), ref: 0041806D
                                  • DeleteDC.GDI32(00000000), ref: 00418070
                                  • SelectObject.GDI32(00000000,00000000), ref: 0041807B
                                  • StretchBlt.GDI32(00000000,00000000,00000000,00000000,?,?,?,?,00000000,?,00CC0020), ref: 004180A3
                                  • GetIconInfo.USER32(?,?), ref: 004180DB
                                  • DeleteObject.GDI32(?), ref: 0041810A
                                  • DeleteObject.GDI32(?), ref: 00418117
                                  • DrawIcon.USER32(00000000,?,?,?), ref: 00418124
                                  • BitBlt.GDI32(00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00660046), ref: 00418154
                                  • GetObjectA.GDI32(?,00000018,?), ref: 00418183
                                  • LocalAlloc.KERNEL32(00000040,00000028), ref: 004181CC
                                  • LocalAlloc.KERNEL32(00000040,00000001), ref: 004181EF
                                  • GlobalAlloc.KERNEL32(00000000,?), ref: 00418258
                                  • GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0041827B
                                  • DeleteDC.GDI32(?), ref: 0041828F
                                  • DeleteDC.GDI32(00000000), ref: 00418292
                                  • DeleteObject.GDI32(00000000), ref: 00418295
                                  • GlobalFree.KERNEL32(00CC0020), ref: 004182A0
                                  • DeleteObject.GDI32(00000000), ref: 00418354
                                  • GlobalFree.KERNEL32(?), ref: 0041835B
                                  • DeleteDC.GDI32(?), ref: 0041836B
                                  • DeleteDC.GDI32(00000000), ref: 00418376
                                  • DeleteDC.GDI32(?), ref: 004183A8
                                  • DeleteDC.GDI32(00000000), ref: 004183AB
                                  • DeleteObject.GDI32(?), ref: 004183B1
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Delete$Object$AllocCreateGlobal$CompatibleFreeIconLocal$BitmapBitsDisplayDrawEnumInfoSelectSettingsStretch
                                  • String ID: DISPLAY
                                  • API String ID: 1765752176-865373369
                                  • Opcode ID: 4456aa023600f513d2376330aa21a61ead9ad87b97dc951b70a4a0f185fcf856
                                  • Instruction ID: 6b2ada92df8522405a2cca839f58df11a8e30ba3d3d74bda048dad66fb1953bf
                                  • Opcode Fuzzy Hash: 4456aa023600f513d2376330aa21a61ead9ad87b97dc951b70a4a0f185fcf856
                                  • Instruction Fuzzy Hash: 39C17C71508344AFD3209F25DC44BABBBE9FF88751F04092EF989932A1DB34E945CB5A
                                  APIs
                                  • GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 0041728C
                                  • GetProcAddress.KERNEL32(00000000), ref: 0041728F
                                  • GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 004172A0
                                  • GetProcAddress.KERNEL32(00000000), ref: 004172A3
                                  • GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 004172B4
                                  • GetProcAddress.KERNEL32(00000000), ref: 004172B7
                                  • GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 004172C8
                                  • GetProcAddress.KERNEL32(00000000), ref: 004172CB
                                  • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 0041736C
                                  • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 00417384
                                  • GetThreadContext.KERNEL32(?,00000000), ref: 0041739A
                                  • ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 004173C0
                                  • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00417440
                                  • TerminateProcess.KERNEL32(?,00000000), ref: 00417454
                                  • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 0041748B
                                  • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00417558
                                  • SetThreadContext.KERNEL32(?,00000000), ref: 00417575
                                  • ResumeThread.KERNEL32(?), ref: 00417582
                                  • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0041759A
                                  • GetCurrentProcess.KERNEL32(?), ref: 004175A5
                                  • TerminateProcess.KERNEL32(?,00000000), ref: 004175BF
                                  • GetLastError.KERNEL32 ref: 004175C7
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Process$AddressHandleModuleProc$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
                                  • String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$`Wu$ntdll
                                  • API String ID: 4188446516-529412701
                                  • Opcode ID: 0508007fc5a19f335f37bc9d6881170284180ec94406780ecb3836aa2a2a6048
                                  • Instruction ID: 2a1bc7bdc729258c18c32f0bb95ec7660c06bfb5025054df3919bc75ccc59624
                                  • Opcode Fuzzy Hash: 0508007fc5a19f335f37bc9d6881170284180ec94406780ecb3836aa2a2a6048
                                  • Instruction Fuzzy Hash: DFA17CB1508304AFD7209F65DC45B6B7BF9FF48345F00082AF689C2661E779E984CB6A
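The function above resolves ZwCreateSection/ZwMapViewOfSection/ZwUnmapViewOfSection/ZwClose from ntdll, starts a process with dwCreationFlags 0x00000004 (CREATE_SUSPENDED, the sixth CreateProcessW argument), reads its thread context and memory, writes into it, sets the context and resumes the thread. That is the process-hollowing sequence the "Injects a PE file into a foreign processes" signature refers to. The following is an added example, not Joe Sandbox or Remcos code: it parses API lines in the format this report uses and applies a hollowing heuristic of its own to them. The listing below is copied from the function above; the benign listing is constructed for contrast.

```python
"""Flag a process-hollowing API sequence in Joe Sandbox style function listings.

Added example for this report (not Joe Sandbox or Remcos code). The heuristic
is this example's own, not a Joe Sandbox signature.
"""
import re
from dataclasses import dataclass

# Matches "Name.Module(arg,arg), ref: 0041736C" and "Name.Module ref: 004175C7",
# with or without the bullet and the "Part of subcall function ...:" prefix.
_CALL_RE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<name>\w+)\.(?P<module>[\w.]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

CREATE_SUSPENDED = 0x4  # dwCreationFlags bit; 6th argument of CreateProcessW/A


@dataclass
class ApiCall:
    name: str
    module: str
    args: list
    ref: int  # code address shown after "ref:"


def parse_calls(text):
    """Turn report lines into ApiCall records; lines that do not match are skipped."""
    calls = []
    for line in text.splitlines():
        m = _CALL_RE.match(line)
        if not m:
            continue
        raw = m.group("args") or ""
        args = [a.strip() for a in raw.split(",")] if raw else []
        calls.append(ApiCall(m.group("name"), m.group("module"), args,
                             int(m.group("ref"), 16)))
    return calls


def _hex_arg(arg):
    """Decode a hex argument; '?' and string literals yield None."""
    try:
        return int(arg, 16)
    except ValueError:
        return None


def hollowing_indicators(calls):
    """Collect the individual indicators, keyed by name, with the ref where first seen."""
    found = {}
    for c in calls:
        if c.name in ("CreateProcessW", "CreateProcessA") and len(c.args) > 5:
            flags = _hex_arg(c.args[5])
            if flags is not None and flags & CREATE_SUSPENDED:
                found.setdefault("suspended_process", c.ref)
        for a in c.args:  # the report shows resolved names as string arguments
            if a in ("ZwUnmapViewOfSection", "NtUnmapViewOfSection"):
                found.setdefault("unmap_resolved", c.ref)
        if c.name in ("GetThreadContext", "WriteProcessMemory",
                      "SetThreadContext", "ResumeThread"):
            found.setdefault(c.name, c.ref)
    return found


def is_process_hollowing(calls):
    """Suspended child + write into it + context overwrite + resume is the core pattern."""
    required = {"suspended_process", "WriteProcessMemory", "SetThreadContext", "ResumeThread"}
    return required <= set(hollowing_indicators(calls))


# Copied from the function listing above.
SAMPLE_HOLLOWING = """\
• GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 004172B4
• GetProcAddress.KERNEL32(00000000), ref: 004172B7
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 0041736C
• GetThreadContext.KERNEL32(?,00000000), ref: 0041739A
• ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 004173C0
• WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00417558
• SetThreadContext.KERNEL32(?,00000000), ref: 00417575
• ResumeThread.KERNEL32(?), ref: 00417582
• GetLastError.KERNEL32 ref: 004175C7
"""

# Constructed benign listing: a normal spawn-and-wait, flags 0, no memory writes.
SAMPLE_BENIGN = """\
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00401000
• WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00401010
• CloseHandle.KERNEL32(00000000), ref: 00401020
"""

if __name__ == "__main__":
    for label, text in (("remcos block", SAMPLE_HOLLOWING), ("benign", SAMPLE_BENIGN)):
        calls = parse_calls(text)
        print(label, is_process_hollowing(calls), hollowing_indicators(calls))
```

The CREATE_SUSPENDED check is what separates this from ordinary process creation followed by unrelated WriteProcessMemory use; the resolved ZwUnmapViewOfSection is recorded as a supporting indicator but is not required, since hollowing variants that overwrite the image in place do not unmap it.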
                                  APIs
                                  • CreateMutexA.KERNEL32(00000000,00000001,00000000,004742F8,?,00000000), ref: 004112D4
                                  • ExitProcess.KERNEL32 ref: 0041151D
                                    • Part of subcall function 0041265D: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,004742F8), ref: 00412679
                                    • Part of subcall function 0041265D: RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 00412692
                                    • Part of subcall function 0041265D: RegCloseKey.KERNEL32(00000000), ref: 0041269D
                                    • Part of subcall function 0041B62A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B643
                                  • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,?,?,?,00000000), ref: 0041135B
                                  • OpenProcess.KERNEL32(00100000,00000000,T@,?,?,?,?,00000000), ref: 0041136A
                                  • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,00000000), ref: 00411375
                                  • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000), ref: 0041137C
                                  • GetCurrentProcessId.KERNEL32(?,?,?,?,00000000), ref: 00411382
                                    • Part of subcall function 004127D5: RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
                                    • Part of subcall function 004127D5: RegSetValueExA.KERNEL32(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
                                    • Part of subcall function 004127D5: RegCloseKey.ADVAPI32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809
                                  • PathFileExistsW.SHLWAPI(?,?,?,?,?,00000000), ref: 004113B3
                                  • GetTempPathW.KERNEL32(00000104,?,?,?,?,?,?,?,?,00000000), ref: 0041140F
                                  • GetTempFileNameW.KERNEL32(?,temp_,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00411429
                                  • lstrcatW.KERNEL32(?,.exe,?,?,?,?,?,?,?,00000000), ref: 0041143B
                                    • Part of subcall function 0041B59F: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0041B5FB
                                    • Part of subcall function 0041B59F: WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0041B60F
                                    • Part of subcall function 0041B59F: CloseHandle.KERNEL32(00000000), ref: 0041B61C
                                  • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 00411483
                                  • Sleep.KERNEL32(000001F4,?,?,?,?,00000000), ref: 004114C4
                                  • OpenProcess.KERNEL32(00100000,00000000,?,?,?,?,?,00000000), ref: 004114D9
                                  • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,00000000), ref: 004114E4
                                  • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000), ref: 004114EB
                                  • GetCurrentProcessId.KERNEL32(?,?,?,?,00000000), ref: 004114F1
                                    • Part of subcall function 0041B59F: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00465900,00000000,00000000,0040C267,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041B5DE
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: File$CloseCreateProcess$HandleOpen$CurrentObjectPathSingleTempValueWait$ExecuteExistsExitMutexNamePointerQueryShellSleepWritelstrcat
                                  • String ID: .exe$0DG$@CG$T@$WDH$exepath$open$temp_
                                  • API String ID: 4250697656-2665858469
                                  • Opcode ID: 0f3d8273c2450781682a40f4251623d23898c6c12ff08a1a6ea7cde3ae6d6a1f
                                  • Instruction ID: e3cce03e36166c77d6950284f165d3805ee2b23d785f43ba83868d4dcf2b0e5d
                                  • Opcode Fuzzy Hash: 0f3d8273c2450781682a40f4251623d23898c6c12ff08a1a6ea7cde3ae6d6a1f
                                  • Instruction Fuzzy Hash: 1651B671A043156BDB00A7A0AC49EFE736D9B44715F1041BBF905A72D2EF7C8E828A9D
                                  APIs
                                    • Part of subcall function 00411699: TerminateProcess.KERNEL32(00000000,pth_unenc,0040E670), ref: 004116A9
                                    • Part of subcall function 00411699: WaitForSingleObject.KERNEL32(000000FF), ref: 004116BC
                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,00000000), ref: 0040C38B
                                  • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040C39E
                                  • SetFileAttributesW.KERNEL32(?,00000080,?,?,00000000), ref: 0040C3B7
                                  • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,00000000), ref: 0040C3E7
                                    • Part of subcall function 0040AFBA: TerminateThread.KERNEL32(004099A9,00000000,004742F8,pth_unenc,0040BF26,004742E0,004742F8,?,pth_unenc), ref: 0040AFC9
                                    • Part of subcall function 0040AFBA: UnhookWindowsHookEx.USER32(004740F8), ref: 0040AFD5
                                    • Part of subcall function 0040AFBA: TerminateThread.KERNEL32(00409993,00000000,?,pth_unenc), ref: 0040AFE3
                                    • Part of subcall function 0041B59F: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00465900,00000000,00000000,0040C267,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041B5DE
                                  • ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000000), ref: 0040C632
                                  • ExitProcess.KERNEL32 ref: 0040C63E
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                  • String ID: """, 0$")$@CG$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$`=G$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
                                  • API String ID: 1861856835-3168347843
                                  • Opcode ID: 0671730743dcdda34a708e1622111953b6d36e6e82ef052ddb06e33766e99e90
                                  • Instruction ID: 0897204671ac35a997fd8cee39da091aa0ef4b51e820d3179f4d1f6ac17f39c2
                                  • Opcode Fuzzy Hash: 0671730743dcdda34a708e1622111953b6d36e6e82ef052ddb06e33766e99e90
                                  • Instruction Fuzzy Hash: CD9184316042005AC314FB25D852ABF7799AF91318F10453FF98AA31E2EF7CAD49C69E
                                  APIs
                                    • Part of subcall function 00411699: TerminateProcess.KERNEL32(00000000,pth_unenc,0040E670), ref: 004116A9
                                    • Part of subcall function 00411699: WaitForSingleObject.KERNEL32(000000FF), ref: 004116BC
                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,004742F8,?,pth_unenc), ref: 0040C013
                                  • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040C026
                                  • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,004742F8,?,pth_unenc), ref: 0040C056
                                  • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004742F8,?,pth_unenc), ref: 0040C065
                                    • Part of subcall function 0040AFBA: TerminateThread.KERNEL32(004099A9,00000000,004742F8,pth_unenc,0040BF26,004742E0,004742F8,?,pth_unenc), ref: 0040AFC9
                                    • Part of subcall function 0040AFBA: UnhookWindowsHookEx.USER32(004740F8), ref: 0040AFD5
                                    • Part of subcall function 0040AFBA: TerminateThread.KERNEL32(00409993,00000000,?,pth_unenc), ref: 0040AFE3
                                    • Part of subcall function 0041AB48: GetCurrentProcessId.KERNEL32(00000000,75573530,00000000,?,?,?,?,00465900,0040C07B,.vbs,?,?,?,?,?,004742F8), ref: 0041AB6F
                                  • ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000000), ref: 0040C280
                                  • ExitProcess.KERNEL32 ref: 0040C287
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                  • String ID: ")$.vbs$@CG$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$`=G$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$pth_unenc$wend$while fso.FileExists("
                                  • API String ID: 3797177996-1998216422
                                  • Opcode ID: 37579f35246a9f2a2d9726df7c31ff5b9e300a1892b2ac34e5fca18ffe2a3e87
                                  • Instruction ID: f1dcdd4a9e546d4cb200c8239a9b7392f8c22d31b5939825df829b517cfed74e
                                  • Opcode Fuzzy Hash: 37579f35246a9f2a2d9726df7c31ff5b9e300a1892b2ac34e5fca18ffe2a3e87
                                  • Instruction Fuzzy Hash: 088190316042005BC315FB21D852ABF77A9ABD1308F10453FF986A71E2EF7CAD49869E
                                  APIs
                                  • mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 0041A2C2
                                  • mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 0041A2D6
                                  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,00465554), ref: 0041A2FE
                                  • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00473EE8,00000000), ref: 0041A30F
                                  • mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 0041A350
                                  • mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041A368
                                  • mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 0041A37D
                                  • SetEvent.KERNEL32 ref: 0041A39A
                                  • WaitForSingleObject.KERNEL32(000001F4), ref: 0041A3AB
                                  • CloseHandle.KERNEL32 ref: 0041A3BB
                                  • mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 0041A3DD
                                  • mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041A3E7
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
                                  • String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped$>G
                                  • API String ID: 738084811-1408154895
                                  • Opcode ID: 9065e2e075b335b05affa0df2fe2cb818e2088cbf0b4bf79a50698391b07ad3d
                                  • Instruction ID: 916def08b3adcafa46b043c64cdff30cc67d21214e861a912cda69be872b019d
                                  • Opcode Fuzzy Hash: 9065e2e075b335b05affa0df2fe2cb818e2088cbf0b4bf79a50698391b07ad3d
                                  • Instruction Fuzzy Hash: B951C1712442056AD214BB31DC86EBF3B9CDB91758F10043FF456A21E2EF389D9986AF
                                  APIs
                                  • CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401C54
                                  • WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401C7E
                                  • WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401C8E
                                  • WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401C9E
                                  • WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401CAE
                                  • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401CBE
                                  • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401CCF
                                  • WriteFile.KERNEL32(00000000,00471B02,00000002,00000000,00000000), ref: 00401CE0
                                  • WriteFile.KERNEL32(00000000,00471B04,00000004,00000000,00000000), ref: 00401CF0
                                  • WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401D00
                                  • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401D11
                                  • WriteFile.KERNEL32(00000000,00471B0E,00000002,00000000,00000000), ref: 00401D22
                                  • WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401D32
                                  • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401D42
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: File$Write$Create
                                  • String ID: RIFF$WAVE$data$fmt
                                  • API String ID: 1602526932-4212202414
                                  • Opcode ID: 78ad8e7e5bc68969d37ee031f4dc22a1157de1b6325161424f695ba0fa01d69c
                                  • Instruction ID: 129ba3454a43ec42bedb537cb07bfa8f9eb5569c2d2d4c431363fc199bcfbd5c
                                  • Opcode Fuzzy Hash: 78ad8e7e5bc68969d37ee031f4dc22a1157de1b6325161424f695ba0fa01d69c
                                  • Instruction Fuzzy Hash: 66416F726443187AE210DB51DD86FBB7EECEB85F54F40081AFA44D6090E7A4E909DBB3
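The thirteen WriteFile calls above, with lengths 4,4,4,4,4,2,2,4,4,2,2,4,4 (44 bytes) and the literals RIFF, WAVE, "fmt " and data, are the canonical PCM WAV header; the source pointers 00471B02, 00471B04 and 00471B0E are consistent with reading nChannels, nSamplesPerSec and wBitsPerSample out of a WAVEFORMATEX located at 00471B00 (an inference from the offsets, not something the report states). The following is an added example, not Remcos or Joe Sandbox code, for triage of recordings such a function leaves on disk: it parses and sanity-checks that 44-byte header and carves consistent headers out of a byte blob. The 16 kHz mono 16-bit parameters in the sample are constructed for the test; the report does not give the sample rate the malware records at.

```python
"""Parse, validate and carve the 44-byte canonical PCM WAV header.

Added example for this report (not Remcos or Joe Sandbox code). The recording
parameters below are constructed; the report does not state the real ones.
"""
import struct

HEADER_LEN = 44
# RIFF, riff_size, WAVE, "fmt ", fmt_size, fmt_tag, channels, sample_rate,
# byte_rate, block_align, bits, "data", data_len  ->  4+4+4+4+4+2+2+4+4+2+2+4+4
_HDR = struct.Struct("<4sI4s4sIHHIIHH4sI")


def build_wav_header(sample_rate, channels, bits, data_len, fmt_tag=1):
    """Produce the same 44-byte header the listed WriteFile sequence emits."""
    block_align = channels * bits // 8
    byte_rate = sample_rate * block_align
    return _HDR.pack(b"RIFF", 36 + data_len, b"WAVE", b"fmt ", 16, fmt_tag,
                     channels, sample_rate, byte_rate, block_align, bits,
                     b"data", data_len)


def parse_wav_header(buf):
    """Return the header fields and a consistency verdict, or None if not a WAV header."""
    if len(buf) < HEADER_LEN:
        return None
    (riff, riff_size, wave, fmt, fmt_size, fmt_tag, channels, rate,
     byte_rate, block_align, bits, data, data_len) = _HDR.unpack_from(buf)
    if riff != b"RIFF" or wave != b"WAVE" or fmt != b"fmt " or data != b"data":
        return None
    # Cross-field checks catch truncated or overwritten headers that still carry the magic.
    consistent = (
        fmt_size == 16
        and channels > 0
        and bits in (8, 16, 24, 32)
        and block_align == channels * bits // 8
        and byte_rate == rate * block_align
        and riff_size == 36 + data_len
    )
    return {
        "format_tag": fmt_tag,
        "channels": channels,
        "sample_rate": rate,
        "bits_per_sample": bits,
        "data_len": data_len,
        "duration_s": data_len / byte_rate if byte_rate else 0.0,
        "consistent": consistent,
    }


def carve_wav_headers(blob):
    """Return (offset, header) for every consistent WAV header found in blob."""
    hits = []
    pos = blob.find(b"RIFF")
    while pos != -1:
        hdr = parse_wav_header(blob[pos:pos + HEADER_LEN])
        if hdr and hdr["consistent"]:
            hits.append((pos, hdr))
        pos = blob.find(b"RIFF", pos + 1)
    return hits


# Constructed sample: one second of 16 kHz mono 16-bit silence embedded in
# unrelated bytes, preceded by a decoy "RIFF" that is not a WAV header.
PCM = b"\x00\x00" * 16000
SAMPLE_BLOB = (b"\xAA" * 10 + b"RIFFjunk"
               + build_wav_header(16000, 1, 16, len(PCM)) + PCM + b"\xBB" * 3)

if __name__ == "__main__":
    for offset, hdr in carve_wav_headers(SAMPLE_BLOB):
        print(offset, hdr)
```

When sweeping a host, run carve_wav_headers over the %TEMP% and working-directory files of the suspect process rather than trusting extensions, since the function above writes the header to whatever path it is handed.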
                                  APIs
                                  • GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString,00000000,C:\Users\user\Desktop\preliminary drawing.pif.exe,00000001,004068B2,C:\Users\user\Desktop\preliminary drawing.pif.exe,00000003,004068DA,004742E0,00406933), ref: 004064F4
                                  • GetProcAddress.KERNEL32(00000000), ref: 004064FD
                                  • GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 0040650E
                                  • GetProcAddress.KERNEL32(00000000), ref: 00406511
                                  • GetModuleHandleW.KERNEL32(ntdll.dll,NtFreeVirtualMemory), ref: 00406522
                                  • GetProcAddress.KERNEL32(00000000), ref: 00406525
                                  • GetModuleHandleW.KERNEL32(ntdll.dll,RtlAcquirePebLock), ref: 00406536
                                  • GetProcAddress.KERNEL32(00000000), ref: 00406539
                                  • GetModuleHandleW.KERNEL32(ntdll.dll,RtlReleasePebLock), ref: 0040654A
                                  • GetProcAddress.KERNEL32(00000000), ref: 0040654D
                                  • GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 0040655E
                                  • GetProcAddress.KERNEL32(00000000), ref: 00406561
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AddressHandleModuleProc
                                  • String ID: C:\Users\user\Desktop\preliminary drawing.pif.exe$LdrEnumerateLoadedModules$NtAllocateVirtualMemory$NtFreeVirtualMemory$RtlAcquirePebLock$RtlInitUnicodeString$RtlReleasePebLock$ntdll.dll
                                  • API String ID: 1646373207-1182032949
                                  • Opcode ID: 4215aa750f6926a1b4092da29332a0681cdff8c3ca49fe138229b5bb5280378e
                                  • Instruction ID: b313d74494c875c8407327c43f2905d2eb3972c2d2e01a1e2b33da4df8ba43a1
                                  • Opcode Fuzzy Hash: 4215aa750f6926a1b4092da29332a0681cdff8c3ca49fe138229b5bb5280378e
                                  • Instruction Fuzzy Hash: 1F011EA4E40B1675DB21677A7C54D176EAC9E502917190433B40AF22B1FEBCD410CD7D
                                  APIs
                                  • _wcslen.LIBCMT ref: 0040BC75
                                  • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,00474358,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E), ref: 0040BC8E
                                  • CopyFileW.KERNEL32(C:\Users\user\Desktop\preliminary drawing.pif.exe,00000000,00000000,00000000,00000000,00000000,?,00474358,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe), ref: 0040BD3E
                                  • _wcslen.LIBCMT ref: 0040BD54
                                  • CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 0040BDDC
                                  • CopyFileW.KERNEL32(C:\Users\user\Desktop\preliminary drawing.pif.exe,00000000,00000000), ref: 0040BDF2
                                  • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040BE31
                                  • _wcslen.LIBCMT ref: 0040BE34
                                  • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040BE4B
                                  • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00474358,0000000E), ref: 0040BE9B
                                  • ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000001), ref: 0040BEB9
                                  • ExitProcess.KERNEL32 ref: 0040BED0
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: File$_wcslen$AttributesCopyCreateDirectory$CloseExecuteExitHandleProcessShell
                                  • String ID: 6$C:\Users\user\Desktop\preliminary drawing.pif.exe$del$open$BG$BG
                                  • API String ID: 1579085052-3788286679
                                  • Opcode ID: e8abb110fca814814f827c8d7195f2b75caa8ea8e16461f0a273f989d8a521bf
                                  • Instruction ID: 2f106158a8217a69bc194f5c9bf89c81f007fa4859a00edafeef48886470f02c
                                  • Opcode Fuzzy Hash: e8abb110fca814814f827c8d7195f2b75caa8ea8e16461f0a273f989d8a521bf
                                  • Instruction Fuzzy Hash: DC51B1212082006BD609B722EC52E7F77999F81719F10443FF985A66E2DF3CAD4582EE
                                  APIs
                                  • lstrlenW.KERNEL32(?), ref: 0041B1E6
                                  • _memcmp.LIBVCRUNTIME ref: 0041B1FE
                                  • lstrlenW.KERNEL32(?), ref: 0041B217
                                  • FindFirstVolumeW.KERNEL32(?,00000104,?), ref: 0041B252
                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0041B265
                                  • QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 0041B2A9
                                  • lstrcmpW.KERNEL32(?,?), ref: 0041B2C4
                                  • FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 0041B2DC
                                  • _wcslen.LIBCMT ref: 0041B2EB
                                  • FindVolumeClose.KERNEL32(?), ref: 0041B30B
                                  • GetLastError.KERNEL32 ref: 0041B323
                                  • GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 0041B350
                                  • lstrcatW.KERNEL32(?,?), ref: 0041B369
                                  • lstrcpyW.KERNEL32(?,?), ref: 0041B378
                                  • GetLastError.KERNEL32 ref: 0041B380
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
                                  • String ID: ?
                                  • API String ID: 3941738427-1684325040
                                  • Opcode ID: 253fbf654c2f5cfaca5092a796830cee54c98e46980e450b9e065df1a1912948
                                  • Instruction ID: cf02e0f6f7b7a0e02f5bf76754478950043962dc0518326da89db1c5b002f683
                                  • Opcode Fuzzy Hash: 253fbf654c2f5cfaca5092a796830cee54c98e46980e450b9e065df1a1912948
                                  • Instruction Fuzzy Hash: CC4163715087099BD7209FA0EC889EBB7E8EF44755F00093BF951C2261E778C998C7D6
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: _free$EnvironmentVariable$_wcschr
                                  • String ID:
                                  • API String ID: 3899193279-0
                                  • Opcode ID: c10670a696248be885c2c5ddf478444a83bcb0538a8bf01727ad035a034c0f59
                                  • Instruction ID: 310171947c9992e3776b826429fe42b14e002c37e8c837d056816c81c4ebeb3e
                                  • Opcode Fuzzy Hash: c10670a696248be885c2c5ddf478444a83bcb0538a8bf01727ad035a034c0f59
                                  • Instruction Fuzzy Hash: A7D13A71900310AFFB35AF7B888266E77A4BF06328F05416FF905A7381E6799D418B99
                                  APIs
                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00411C9A
                                    • Part of subcall function 0041AB48: GetCurrentProcessId.KERNEL32(00000000,75573530,00000000,?,?,?,?,00465900,0040C07B,.vbs,?,?,?,?,?,004742F8), ref: 0041AB6F
                                    • Part of subcall function 004176B6: CloseHandle.KERNEL32(00403AB9,?,?,00403AB9,00465324), ref: 004176CC
                                    • Part of subcall function 004176B6: CloseHandle.KERNEL32($SF,?,?,00403AB9,00465324), ref: 004176D5
                                  • Sleep.KERNEL32(0000000A,00465324), ref: 00411DEC
                                  • Sleep.KERNEL32(0000000A,00465324,00465324), ref: 00411E8E
                                  • Sleep.KERNEL32(0000000A,00465324,00465324,00465324), ref: 00411F30
                                  • DeleteFileW.KERNEL32(00000000,00465324,00465324,00465324), ref: 00411F91
                                  • DeleteFileW.KERNEL32(00000000,00465324,00465324,00465324), ref: 00411FC8
                                  • DeleteFileW.KERNEL32(00000000,00465324,00465324,00465324), ref: 00412004
                                  • Sleep.KERNEL32(000001F4,00465324,00465324,00465324), ref: 0041201E
                                  • Sleep.KERNEL32(00000064), ref: 00412060
                                    • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
                                  • String ID: /stext "$HDG$HDG$>G$>G
                                  • API String ID: 1223786279-3931108886
                                  • Opcode ID: 83e73dbe193bf924be28d247cca5bdf1fadd331ff804e3ba434729a63ca86ba9
                                  • Instruction ID: 0ab8a3329a483972d05e881652f5f37e7f84d863b53285be69f93207c3ffadf7
                                  • Opcode Fuzzy Hash: 83e73dbe193bf924be28d247cca5bdf1fadd331ff804e3ba434729a63ca86ba9
                                  • Instruction Fuzzy Hash: 890243311083414AC325FB61D891AEFB7D5AFD4308F50493FF98A931E2EF785A49C69A
                                  APIs
                                  • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00413E86
                                  • LoadLibraryA.KERNEL32(?), ref: 00413EC8
                                  • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00413EE8
                                  • FreeLibrary.KERNEL32(00000000), ref: 00413EEF
                                  • LoadLibraryA.KERNEL32(?), ref: 00413F27
                                  • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00413F39
                                  • FreeLibrary.KERNEL32(00000000), ref: 00413F40
                                  • GetProcAddress.KERNEL32(00000000,?), ref: 00413F4F
                                  • FreeLibrary.KERNEL32(00000000), ref: 00413F66
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Library$AddressFreeProc$Load$DirectorySystem
                                  • String ID: \ws2_32$\wship6$freeaddrinfo$getaddrinfo$getnameinfo
                                  • API String ID: 2490988753-744132762
                                  • Opcode ID: 7f25833e8af2b845701e4bccc7340468b757da4176a2c43d0743638068d0b7b5
                                  • Instruction ID: f97e29e5006070a0e8b03c0efb597ee3aef86c3529fe4be05370ae17daaf5a45
                                  • Opcode Fuzzy Hash: 7f25833e8af2b845701e4bccc7340468b757da4176a2c43d0743638068d0b7b5
                                  • Instruction Fuzzy Hash: C331C4B1906315ABD320AF65DC44ACBB7ECEF44745F400A2AF844D7201D778DA858AEE
                                  APIs
                                  • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 0041B856
                                  • RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0041B89A
                                  • RegCloseKey.ADVAPI32(?), ref: 0041BB64
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CloseEnumOpen
                                  • String ID: DisplayName$DisplayVersion$InstallDate$InstallLocation$Publisher$Software\Microsoft\Windows\CurrentVersion\Uninstall$UninstallString
                                  • API String ID: 1332880857-3714951968
                                  • Opcode ID: 215c57200e4132b606c9945ca49ffbcd4ff4902c7a8f2fc98260f39500a70a98
                                  • Instruction ID: efd277ba010ae8e34e1206f32af9d70b7e49420e91acd4d446967662cfc0484b
                                  • Opcode Fuzzy Hash: 215c57200e4132b606c9945ca49ffbcd4ff4902c7a8f2fc98260f39500a70a98
                                  • Instruction Fuzzy Hash: 67813E311082449BD324EB21DC51AEFB7E9FFD4314F10493FB586921E1EF34AA49CA9A
                                  APIs
                                  • __Init_thread_footer.LIBCMT ref: 0040A456
                                  • Sleep.KERNEL32(000001F4), ref: 0040A461
                                  • GetForegroundWindow.USER32 ref: 0040A467
                                  • GetWindowTextLengthW.USER32(00000000), ref: 0040A470
                                  • GetWindowTextW.USER32(00000000,00000000,00000000), ref: 0040A4A4
                                  • Sleep.KERNEL32(000003E8), ref: 0040A574
                                    • Part of subcall function 00409D58: SetEvent.KERNEL32(?,?,00000000,0040A91C,00000000), ref: 00409D84
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Window$SleepText$EventForegroundInit_thread_footerLength
                                  • String ID: [${ User has been idle for $ minutes }$4]G$4]G$4]G$]
                                  • API String ID: 911427763-1497357211
                                  • Opcode ID: 4af0660bd7cce6148f6ac578c4d9ed660de8b6730e35106d4511fa484fe6483c
                                  • Instruction ID: afbd458ed10e5c7c401a96cf43e60d64e5e0c384de04be689a5a7141a0feef4c
                                  • Opcode Fuzzy Hash: 4af0660bd7cce6148f6ac578c4d9ed660de8b6730e35106d4511fa484fe6483c
                                  • Instruction Fuzzy Hash: 8851B1716043409BC224FB21D85AAAE7794BF84318F40493FF846A72D2DF7C9D55869F
                                  APIs
                                  • DefWindowProcA.USER32(?,00000401,?,?), ref: 0041CAF9
                                  • GetCursorPos.USER32(?), ref: 0041CB08
                                  • SetForegroundWindow.USER32(?), ref: 0041CB11
                                  • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041CB2B
                                  • Shell_NotifyIconA.SHELL32(00000002,00473B50), ref: 0041CB7C
                                  • ExitProcess.KERNEL32 ref: 0041CB84
                                  • CreatePopupMenu.USER32 ref: 0041CB8A
                                  • AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041CB9F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
                                  • String ID: Close
                                  • API String ID: 1657328048-3535843008
                                  • Opcode ID: 17791859dac929b483a24ff72816a8478769eebc5405c417f6cbcdd658e3cffe
                                  • Instruction ID: 3771bb7a8ff115e6e52fbd1847cd0ce42a02f589590b945df095e749b0e49bf2
                                  • Opcode Fuzzy Hash: 17791859dac929b483a24ff72816a8478769eebc5405c417f6cbcdd658e3cffe
                                  • Instruction Fuzzy Hash: FF212A31148205FFDB064F64FD4EEAA3F25EB04712F004035B906E41B2D7B9EAA1EB18
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: _free$Info
                                  • String ID:
                                  • API String ID: 2509303402-0
                                  • Opcode ID: 4f311dc35998d231116b4ef065710eb7bf66da857f64ae236b680615c36f9f73
                                  • Instruction ID: 94cb3ffe265cc5bcc4c1ad3ae65ec97d3e38ea61109583f3198c5827e9e35c68
                                  • Opcode Fuzzy Hash: 4f311dc35998d231116b4ef065710eb7bf66da857f64ae236b680615c36f9f73
                                  • Instruction Fuzzy Hash: 22B19D71900A05AFEF11DFA9C881BEEBBB5FF09304F14416EE855B7342DA799C418B64
                                  APIs
                                  • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 00407F4C
                                  • GetFileSizeEx.KERNEL32(00000000,00000000), ref: 00407FC2
                                  • __aulldiv.LIBCMT ref: 00407FE9
                                  • SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 0040810D
                                  • ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00408128
                                  • CloseHandle.KERNEL32(00000000), ref: 00408200
                                  • CloseHandle.KERNEL32(00000000,00000052,00000000,?), ref: 0040821A
                                  • CloseHandle.KERNEL32(00000000), ref: 00408256
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: File$CloseHandle$CreatePointerReadSize__aulldiv
                                  • String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller: $>G
                                  • API String ID: 1884690901-3066803209
                                  • Opcode ID: 51f6ec7ee361f84ed51c15878d9456d0fd639fe045a6810c8297f24ba8c123f1
                                  • Instruction ID: 4837f293f8898be8956b4197083d1ab2d903a2927be0ecc228378ed3697c5d3b
                                  • Opcode Fuzzy Hash: 51f6ec7ee361f84ed51c15878d9456d0fd639fe045a6810c8297f24ba8c123f1
                                  • Instruction Fuzzy Hash: 01B191715083409BC214FB25C892BAFB7E5ABD4314F40493EF889632D2EF789945CB9B
                                  APIs
                                  • Sleep.KERNEL32(00001388), ref: 00409E62
                                    • Part of subcall function 00409D97: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00409E6F), ref: 00409DCD
                                    • Part of subcall function 00409D97: GetFileSize.KERNEL32(00000000,00000000,?,?,?,00409E6F), ref: 00409DDC
                                    • Part of subcall function 00409D97: Sleep.KERNEL32(00002710,?,?,?,00409E6F), ref: 00409E09
                                    • Part of subcall function 00409D97: CloseHandle.KERNEL32(00000000,?,?,?,00409E6F), ref: 00409E10
                                  • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00409E9E
                                  • GetFileAttributesW.KERNEL32(00000000), ref: 00409EAF
                                  • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 00409EC6
                                  • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 00409F40
                                    • Part of subcall function 0041B62A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B643
                                  • SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00465900,?,00000000,00000000,00000000,00000000,00000000), ref: 0040A049
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
                                  • String ID: @CG$@CG$XCG$XCG$xAG$xAG
                                  • API String ID: 3795512280-3163867910
                                  • Opcode ID: 43824015871ffdc9cceb4578b4fee9fa3a28496cc02366550c3b8792ebe0b8eb
                                  • Instruction ID: 8be46055dc56f0d2ec4b071ca6400761e29966989419bbb2416efbd82a73718c
                                  • Opcode Fuzzy Hash: 43824015871ffdc9cceb4578b4fee9fa3a28496cc02366550c3b8792ebe0b8eb
                                  • Instruction Fuzzy Hash: 06517C616043005ACB05BB71D866ABF769AAFD1309F00053FF886B71E2DF3DA945869A
                                  APIs
                                  • ___free_lconv_mon.LIBCMT ref: 004500C1
                                    • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F310
                                    • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F322
                                    • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F334
                                    • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F346
                                    • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F358
                                    • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F36A
                                    • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F37C
                                    • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F38E
                                    • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F3A0
                                    • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F3B2
                                    • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F3C4
                                    • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F3D6
                                    • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F3E8
                                  • _free.LIBCMT ref: 004500B6
                                    • Part of subcall function 00446AD5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FA60,?,00000000,?,00000000,?,0044FD04,?,00000007,?,?,00450215,?), ref: 00446AEB
                                    • Part of subcall function 00446AD5: GetLastError.KERNEL32(?,?,0044FA60,?,00000000,?,00000000,?,0044FD04,?,00000007,?,?,00450215,?,?), ref: 00446AFD
                                  • _free.LIBCMT ref: 004500D8
                                  • _free.LIBCMT ref: 004500ED
                                  • _free.LIBCMT ref: 004500F8
                                  • _free.LIBCMT ref: 0045011A
                                  • _free.LIBCMT ref: 0045012D
                                  • _free.LIBCMT ref: 0045013B
                                  • _free.LIBCMT ref: 00450146
                                  • _free.LIBCMT ref: 0045017E
                                  • _free.LIBCMT ref: 00450185
                                  • _free.LIBCMT ref: 004501A2
                                  • _free.LIBCMT ref: 004501BA
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                  • String ID:
                                  • API String ID: 161543041-0
                                  • Opcode ID: bcc467a133590e08c2246ffecdc9577bb20b6303625806e8b1892e2aaa35b24d
                                  • Instruction ID: 71386be3831ae4e36ed8ba8c0666741f952bc44bbd11cc85bbb3aa2ad55dcdb0
                                  • Opcode Fuzzy Hash: bcc467a133590e08c2246ffecdc9577bb20b6303625806e8b1892e2aaa35b24d
                                  • Instruction Fuzzy Hash: D5318135600B009FEB30AA39D845B5773E9EF02325F11842FE849E7692DF79AD88C719
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 0041913D
                                  • GdiplusStartup.GDIPLUS(00473AF0,?,00000000), ref: 0041916F
                                  • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 004191FB
                                  • Sleep.KERNEL32(000003E8), ref: 0041927D
                                  • GetLocalTime.KERNEL32(?), ref: 0041928C
                                  • Sleep.KERNEL32(00000000,00000018,00000000), ref: 00419375
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
                                  • String ID: XCG$XCG$XCG$time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i
                                  • API String ID: 489098229-65789007
                                  • Opcode ID: b2d76c7f695b661a2565fc7d8c666ce67a34c34858b2e1a1b71e7514c81657a7
                                  • Instruction ID: 451d4021779863bb8065bd5e36f4a774b326d3833db1a6038cb7dac0f018a91b
                                  • Opcode Fuzzy Hash: b2d76c7f695b661a2565fc7d8c666ce67a34c34858b2e1a1b71e7514c81657a7
                                  • Instruction Fuzzy Hash: 56519071A002449ACB14BBB5D866AFE7BA9AB45304F00407FF849B71D2EF3C5D85C799
                                  APIs
                                    • Part of subcall function 00411699: TerminateProcess.KERNEL32(00000000,pth_unenc,0040E670), ref: 004116A9
                                    • Part of subcall function 00411699: WaitForSingleObject.KERNEL32(000000FF), ref: 004116BC
                                    • Part of subcall function 0041265D: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,004742F8), ref: 00412679
                                    • Part of subcall function 0041265D: RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 00412692
                                    • Part of subcall function 0041265D: RegCloseKey.KERNEL32(00000000), ref: 0041269D
                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040C6C7
                                  • ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000000), ref: 0040C826
                                  • ExitProcess.KERNEL32 ref: 0040C832
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
                                  • String ID: """, 0$.vbs$@CG$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$open
                                  • API String ID: 1913171305-390638927
                                  • Opcode ID: dada0ed0d4209c31df466426df5f9cdebe912d300f49689cfd6db9fb7200f24b
                                  • Instruction ID: 3122975e65398275e0c1a8e950e5c558235310b29c64ef4ed93c25b66c9664dc
                                  • Opcode Fuzzy Hash: dada0ed0d4209c31df466426df5f9cdebe912d300f49689cfd6db9fb7200f24b
                                  • Instruction Fuzzy Hash: A6414C329001185ACB14F761DC56DFE7779AF50718F50417FF906B30E2EE386A8ACA99
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: _free
                                  • String ID:
                                  • API String ID: 269201875-0
                                  • Opcode ID: 6a70e4c358ef45cffe19a9afdbed41fda2ec9c769272c29d9eaec76f650a350b
                                  • Instruction ID: d73775b2238990a9214358b8270f61d1b8324a28925b392a315ea9bfa7ac6158
                                  • Opcode Fuzzy Hash: 6a70e4c358ef45cffe19a9afdbed41fda2ec9c769272c29d9eaec76f650a350b
                                  • Instruction Fuzzy Hash: 89C16672D40204AFEB20DBA8CC82FEF77F8AB05714F15446AFA44FB282D6749D458768
                                  APIs
                                  • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 004047FD
                                  • SetEvent.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404808
                                  • CloseHandle.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404811
                                  • closesocket.WS2_32(000000FF), ref: 0040481F
                                  • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404856
                                  • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00404867
                                  • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040486E
                                  • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404880
                                  • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404885
                                  • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040488A
                                  • SetEvent.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404895
                                  • CloseHandle.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 0040489A
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CloseEventHandle$ObjectSingleWait$closesocket
                                  • String ID:
                                  • API String ID: 3658366068-0
                                  • Opcode ID: 8839b1e3ce5f0ca92630ed3addc8668ddbef0a342dde1beb3290f4e349eef524
                                  • Instruction ID: 6857b948c75ecf5e4d11b49f17ebd09eceef1c2fbc6fc14a1e153603fddcf20a
                                  • Opcode Fuzzy Hash: 8839b1e3ce5f0ca92630ed3addc8668ddbef0a342dde1beb3290f4e349eef524
                                  • Instruction Fuzzy Hash: 7A212C71144B149FDB216B26EC45A27BBE1EF40325F104A7EF2E212AF1CB76E851DB48
                                  APIs
                                    • Part of subcall function 00454660: CreateFileW.KERNEL32(00000000,?,?,;JE,?,?,00000000,?,00454A3B,00000000,0000000C), ref: 0045467D
                                  • GetLastError.KERNEL32 ref: 00454AA6
                                  • __dosmaperr.LIBCMT ref: 00454AAD
                                  • GetFileType.KERNEL32(00000000), ref: 00454AB9
                                  • GetLastError.KERNEL32 ref: 00454AC3
                                  • __dosmaperr.LIBCMT ref: 00454ACC
                                  • CloseHandle.KERNEL32(00000000), ref: 00454AEC
                                  • CloseHandle.KERNEL32(?), ref: 00454C36
                                  • GetLastError.KERNEL32 ref: 00454C68
                                  • __dosmaperr.LIBCMT ref: 00454C6F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                  • String ID: H
                                  • API String ID: 4237864984-2852464175
                                  • Opcode ID: 6ee1e536fdc7f2f0b5cfdc99f6d3f503e334a2caa4375aff0222a5d39aa192cc
                                  • Instruction ID: 2939135f81ce6efcdbf1290aa78a9ad6619f21b9340f77aa2193fadd435c2af6
                                  • Opcode Fuzzy Hash: 6ee1e536fdc7f2f0b5cfdc99f6d3f503e334a2caa4375aff0222a5d39aa192cc
                                  • Instruction Fuzzy Hash: 9FA13732A041448FDF19DF68D8527AE7BA0EB46329F14015EFC019F392DB399C96C75A
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: 65535$udp
                                  • API String ID: 0-1267037602
                                  • Opcode ID: ed3283d9ee94cadc099f5c83048f767ee72ed986ddea0764ae1f3250d10f5e6e
                                  • Instruction ID: 18155c1335c00501c0bec8b6c43ed7e13bdec9a75575f631fadbade58ebc7fa9
                                  • Opcode Fuzzy Hash: ed3283d9ee94cadc099f5c83048f767ee72ed986ddea0764ae1f3250d10f5e6e
                                  • Instruction Fuzzy Hash: 5C411971604301ABD7209F29E9057AB77D8EF85706F04082FF84597391D76DCEC1866E
                                  APIs
                                  • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004393C9
                                  • GetLastError.KERNEL32(?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004393D6
                                  • __dosmaperr.LIBCMT ref: 004393DD
                                  • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00439409
                                  • GetLastError.KERNEL32(?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00439413
                                  • __dosmaperr.LIBCMT ref: 0043941A
                                  • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401AD8,?), ref: 0043945D
                                  • GetLastError.KERNEL32(?,?,?,?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00439467
                                  • __dosmaperr.LIBCMT ref: 0043946E
                                  • _free.LIBCMT ref: 0043947A
                                  • _free.LIBCMT ref: 00439481
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
                                  • String ID:
                                  • API String ID: 2441525078-0
                                  • Opcode ID: af2e038675629699a3bdf98db1be6e4acccc81897dfbfa3a6a3584a15f099ab5
                                  • Instruction ID: 6a201652548b5938c51769f65cd316b483991bd1e06270b2389e89ad89b884a4
                                  • Opcode Fuzzy Hash: af2e038675629699a3bdf98db1be6e4acccc81897dfbfa3a6a3584a15f099ab5
                                  • Instruction Fuzzy Hash: AA31007280860ABFDF11AFA5DC45CAF3B78EF09364F10416AF81096291DB79CC11DBA9
                                  APIs
                                  • SetEvent.KERNEL32(?), ref: 00404E71
                                  • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00404F21
                                  • TranslateMessage.USER32(?), ref: 00404F30
                                  • DispatchMessageA.USER32(?), ref: 00404F3B
                                  • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074), ref: 00404FF3
                                  • HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 0040502B
                                    • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
                                  • String ID: CloseChat$DisplayMessage$GetMessage
                                  • API String ID: 2956720200-749203953
                                  • Opcode ID: c339364a56400ba016452a84765f809abf44a3768ad92d8ade49ba5fdcbecace
                                  • Instruction ID: 321c3fbec734f1f8b9fff4e8d6f05c27936dabaea61c0bf38d797d3438e015d2
                                  • Opcode Fuzzy Hash: c339364a56400ba016452a84765f809abf44a3768ad92d8ade49ba5fdcbecace
                                  • Instruction Fuzzy Hash: F641BEB16043016BC614FB75D85A8AE77A8ABC1714F00093EF906A31E6EF38DA04C79A
                                  APIs
                                  • WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,00465554), ref: 00416F24
                                  • CloseHandle.KERNEL32(00000000), ref: 00416F2D
                                  • DeleteFileA.KERNEL32(00000000), ref: 00416F3C
                                  • ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 00416EF0
                                    • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CloseDeleteExecuteFileHandleObjectShellSingleWaitsend
                                  • String ID: <$@$@FG$@FG$Temp
                                  • API String ID: 1107811701-2245803885
                                  • Opcode ID: ab5b89d772336d76391af79b4d69c50c7b3bae16eba3a9f653188f72880e18b6
                                  • Instruction ID: 31b483d39f6b5d6935d3c54cd29663daa4ef68f058b88688fc76c4b473729b01
                                  • Opcode Fuzzy Hash: ab5b89d772336d76391af79b4d69c50c7b3bae16eba3a9f653188f72880e18b6
                                  • Instruction Fuzzy Hash: 3C318B319002099BCB04FBA1DC56AFE7775AF50308F00417EF906760E2EF785A8ACB99
                                  APIs
                                  • GetCurrentProcess.KERNEL32(00474A48,00000000,BG3i@,00003000,00000004,00000000,00000001), ref: 00406647
                                  • GetCurrentProcess.KERNEL32(00474A48,00000000,00008000,?,00000000,00000001,00000000,004068BB,C:\Users\user\Desktop\preliminary drawing.pif.exe), ref: 00406705
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CurrentProcess
                                  • String ID: PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\explorer.exe$explorer.exe$windir$BG3i@
                                  • API String ID: 2050909247-4145329354
                                  • Opcode ID: df9848ee821d52fd5067d4fed09af5d5a7b0c3927120527d7347017cd794abcf
                                  • Instruction ID: 85e9bb49d37c82d50cc0a876bfe2e9cbcca00efa80d213bdcfc81b1d75d5651e
                                  • Opcode Fuzzy Hash: df9848ee821d52fd5067d4fed09af5d5a7b0c3927120527d7347017cd794abcf
                                  • Instruction Fuzzy Hash: FF31CA75240300AFC310AB6DEC49F6A7768EB44705F11443EF50AA76E1EB7998508B6D
                                  APIs
                                  • OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,?,?,?,?,?,?,00419608,00000000,00000000), ref: 00419CA4
                                  • OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,00419608,00000000,00000000), ref: 00419CBB
                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419608,00000000,00000000), ref: 00419CC8
                                  • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,00419608,00000000,00000000), ref: 00419CD7
                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419608,00000000,00000000), ref: 00419CE8
                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419608,00000000,00000000), ref: 00419CEB
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Service$CloseHandle$Open$ControlManager
                                  • String ID:
                                  • API String ID: 221034970-0
                                  • Opcode ID: 8e03560cb0675c648ac56349715ca1a1b796bf89e929aa235aab360fad5c5935
                                  • Instruction ID: 64b7f8b9d702139b787b45b2ac21df1fde646642379ff803e7b0347eb9faadae
                                  • Opcode Fuzzy Hash: 8e03560cb0675c648ac56349715ca1a1b796bf89e929aa235aab360fad5c5935
                                  • Instruction Fuzzy Hash: 8711C631901218AFD7116B64EC85DFF3BECDB46BA1B000036F942921D1DB64CD46AAF5
                                  APIs
                                  • _free.LIBCMT ref: 00446DEF
                                    • Part of subcall function 00446AD5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FA60,?,00000000,?,00000000,?,0044FD04,?,00000007,?,?,00450215,?), ref: 00446AEB
                                    • Part of subcall function 00446AD5: GetLastError.KERNEL32(?,?,0044FA60,?,00000000,?,00000000,?,0044FD04,?,00000007,?,?,00450215,?,?), ref: 00446AFD
                                  • _free.LIBCMT ref: 00446DFB
                                  • _free.LIBCMT ref: 00446E06
                                  • _free.LIBCMT ref: 00446E11
                                  • _free.LIBCMT ref: 00446E1C
                                  • _free.LIBCMT ref: 00446E27
                                  • _free.LIBCMT ref: 00446E32
                                  • _free.LIBCMT ref: 00446E3D
                                  • _free.LIBCMT ref: 00446E48
                                  • _free.LIBCMT ref: 00446E56
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: _free$ErrorFreeHeapLast
                                  • String ID:
                                  • API String ID: 776569668-0
                                  • Opcode ID: 97a3f4e44069bc11c8e401312368c96959fa26c4fc1008248271593ee2688753
                                  • Instruction ID: 4059f081e6094245f9dcb18e84e070fbb06f55adf0c09f86c969ccb3ae0415ae
                                  • Opcode Fuzzy Hash: 97a3f4e44069bc11c8e401312368c96959fa26c4fc1008248271593ee2688753
                                  • Instruction Fuzzy Hash: 0E11CB7550051CBFDB05EF55C842CDD3B76EF06364B42C0AAF9086F222DA75DE509B85
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Eventinet_ntoa
                                  • String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse$>G
                                  • API String ID: 3578746661-4192532303
                                  • Opcode ID: e0f9160805710664edf0e27341cbdbe8e84ca529ebbd30c6c3d8b307befaccec
                                  • Instruction ID: 5385bfc655a789aeb426c9546597e5e9554731b695d1c34d5ebe0a8eef4996cc
                                  • Opcode Fuzzy Hash: e0f9160805710664edf0e27341cbdbe8e84ca529ebbd30c6c3d8b307befaccec
                                  • Instruction Fuzzy Hash: AA517371A042009BC714F779D85AAAE36A59B80318F40453FF849972E2DF7CADC5CB9E
                                  APIs
                                  • DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,00455DBF), ref: 0045516C
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: DecodePointer
                                  • String ID: acos$asin$exp$log$log10$pow$sqrt
                                  • API String ID: 3527080286-3064271455
                                  • Opcode ID: efaf98d5bece97301cb0be0d87691fc7541a968c6dbfa9ece40fee8aaf611780
                                  • Instruction ID: dc575b74d0f085a316b11c585a5ec2812edae3f3668b4c4373b6e849a421fba0
                                  • Opcode Fuzzy Hash: efaf98d5bece97301cb0be0d87691fc7541a968c6dbfa9ece40fee8aaf611780
                                  • Instruction Fuzzy Hash: F7517D70900A09CBCF149FA9E9581BDBBB0FB09342F244197EC45A7366DB7D8A188B1D
                                  APIs
                                  • ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 0041665C
                                    • Part of subcall function 0041B62A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B643
                                  • Sleep.KERNEL32(00000064), ref: 00416688
                                  • DeleteFileW.KERNEL32(00000000), ref: 004166BC
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: File$CreateDeleteExecuteShellSleep
                                  • String ID: /t $\sysinfo.txt$dxdiag$open$temp
                                  • API String ID: 1462127192-2001430897
                                  • Opcode ID: c8587a14bbe35693a2e3bc70c86dcb8d84d87b988e69820d29fa998b80063bb1
                                  • Instruction ID: c19d1c6df4eaf99de932d1d3e2b79d277c3c3ae54bcdefde962c91a872100eda
                                  • Opcode Fuzzy Hash: c8587a14bbe35693a2e3bc70c86dcb8d84d87b988e69820d29fa998b80063bb1
                                  • Instruction Fuzzy Hash: 5B313E719001085ADB14FBA1DC96EEE7764AF50708F00017FF906730E2EF786A8ACA9D
                                  APIs
                                  • _strftime.LIBCMT ref: 00401AD3
                                    • Part of subcall function 00401BE8: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401C54
                                  • waveInUnprepareHeader.WINMM(00471AC0,00000020,00000000,?), ref: 00401B85
                                  • waveInPrepareHeader.WINMM(00471AC0,00000020), ref: 00401BC3
                                  • waveInAddBuffer.WINMM(00471AC0,00000020), ref: 00401BD2
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
                                  • String ID: %Y-%m-%d %H.%M$.wav$`=G$x=G
                                  • API String ID: 3809562944-3643129801
                                  • Opcode ID: c841204475c7ae46a74b483a1aba92a1dcf7bdd331d866315fd8e516c17a7bbf
                                  • Instruction ID: 71dc54c49c3278552d12686eedaa48b86947864de512bb92fe626abde6f710f1
                                  • Opcode Fuzzy Hash: c841204475c7ae46a74b483a1aba92a1dcf7bdd331d866315fd8e516c17a7bbf
                                  • Instruction Fuzzy Hash: 98317E315053009BC314EF25DC56A9E77E8BB94314F40883EF559A21F1EF78AA49CB9A
                                  APIs
                                  • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0040197B
                                  • waveInOpen.WINMM(00471AF8,000000FF,00471B00,Function_00001A8E,00000000,00000000,00000024), ref: 00401A11
                                  • waveInPrepareHeader.WINMM(00471AC0,00000020,00000000), ref: 00401A66
                                  • waveInAddBuffer.WINMM(00471AC0,00000020), ref: 00401A75
                                  • waveInStart.WINMM ref: 00401A81
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
                                  • String ID: XCG$`=G$x=G
                                  • API String ID: 1356121797-903574159
                                  • Opcode ID: 8206edf6e37a5adcca5346354a1971bb532ceb570a07efb292636a8a68d9c199
                                  • Instruction ID: eaefd7a1fab34284b98bc4f49641b1dd71ce781583fbb4b877c049bb372049a4
                                  • Opcode Fuzzy Hash: 8206edf6e37a5adcca5346354a1971bb532ceb570a07efb292636a8a68d9c199
                                  • Instruction Fuzzy Hash: 1A215C316012409BC704DF7EFD1696A7BA9FB85742B00843AF50DE76B0EBB89880CB4C
                                  APIs
                                  • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041C998
                                    • Part of subcall function 0041CA2F: RegisterClassExA.USER32(00000030), ref: 0041CA7C
                                    • Part of subcall function 0041CA2F: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041CA97
                                    • Part of subcall function 0041CA2F: GetLastError.KERNEL32 ref: 0041CAA1
                                  • ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041C9CF
                                  • lstrcpynA.KERNEL32(00473B68,Remcos,00000080), ref: 0041C9E9
                                  • Shell_NotifyIconA.SHELL32(00000000,00473B50), ref: 0041C9FF
                                  • TranslateMessage.USER32(?), ref: 0041CA0B
                                  • DispatchMessageA.USER32(?), ref: 0041CA15
                                  • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0041CA22
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
                                  • String ID: Remcos
                                  • API String ID: 1970332568-165870891
                                  • Opcode ID: 3916a83a2764b610bd39468394578f6b6e569060e520b3e5816c6a16bad35c1f
                                  • Instruction ID: a3c1d7bf95fc3ae1ab8e5dc1b7104b29b221ef3087a45b83961503d05de66f2d
                                  • Opcode Fuzzy Hash: 3916a83a2764b610bd39468394578f6b6e569060e520b3e5816c6a16bad35c1f
                                  • Instruction Fuzzy Hash: 620121B1944348ABD7109FA5FC4CEDA7BBCAB45B16F004035F605E2162D7B8A285DB2D
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: fcc2c2816786db3331fe4fa4cc48332b155136c474820dd8e562c8cdfa0ddddc
                                  • Instruction ID: eb32e44420a9d0dd2d5c4453ebfd120c933f738a1b2f21936dd04ad6d98d905f
                                  • Opcode Fuzzy Hash: fcc2c2816786db3331fe4fa4cc48332b155136c474820dd8e562c8cdfa0ddddc
                                  • Instruction Fuzzy Hash: 6FC1E670D042499FEF11DFADD8417AEBBB4EF4A304F08405AE814A7392C778D941CBA9
                                  APIs
                                  • GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,00452E13,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 00452BE6
                                  • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,00452E13,00000000,00000000,?,00000001,?,?,?,?), ref: 00452C69
                                  • __alloca_probe_16.LIBCMT ref: 00452CA1
                                  • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000001,00000000,00452E13,?,00452E13,00000000,00000000,?,00000001,?,?,?,?), ref: 00452CFC
                                  • __alloca_probe_16.LIBCMT ref: 00452D4B
                                  • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00452E13,00000000,00000000,?,00000001,?,?,?,?), ref: 00452D13
                                    • Part of subcall function 00446B0F: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00433637,?,?,00402BE9,?,00402629,00000000,?,00402578,?,?), ref: 00446B41
                                  • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,00452E13,00000000,00000000,?,00000001,?,?,?,?), ref: 00452D8F
                                  • __freea.LIBCMT ref: 00452DBA
                                  • __freea.LIBCMT ref: 00452DC6
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
                                  • String ID:
                                  • API String ID: 201697637-0
                                  • Opcode ID: b1c83994ecbe3f941fd24685bb9664c395dd4006a3bd2ce5fbc620e0f8a5dfb4
                                  • Instruction ID: 924e7ddfc51c8ace49a4e982202af340d06b3b5a9b96f94d8290dca04e209d32
                                  • Opcode Fuzzy Hash: b1c83994ecbe3f941fd24685bb9664c395dd4006a3bd2ce5fbc620e0f8a5dfb4
                                  • Instruction Fuzzy Hash: E691C572E002169BDF218E64CA41AEF7BB5AF0A311F14456BEC01E7243D7ADDC49C7A8
                                  APIs
                                    • Part of subcall function 00446ECF: GetLastError.KERNEL32(?,?,0043932C,?,?,?,0043E4DD,?,?,?,?,00000000,?,?,0042CE63,0000003B), ref: 00446ED3
                                    • Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F06
                                    • Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,0043E4DD,?,?,?,?,00000000,?,?,0042CE63,0000003B,?,00000041,00000000,00000000), ref: 00446F47
                                    • Part of subcall function 00446ECF: _abort.LIBCMT ref: 00446F4D
                                  • _memcmp.LIBVCRUNTIME ref: 004446B3
                                  • _free.LIBCMT ref: 00444724
                                  • _free.LIBCMT ref: 0044473D
                                  • _free.LIBCMT ref: 0044476F
                                  • _free.LIBCMT ref: 00444778
                                  • _free.LIBCMT ref: 00444784
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: _free$ErrorLast$_abort_memcmp
                                  • String ID: C
                                  • API String ID: 1679612858-1037565863
                                  • Opcode ID: c80eba29621552cc0015daa61550ea74c149dc0acfa072f5cc390db0d0044802
                                  • Instruction ID: 096df170494440478aae843429242aea5750b14c08813bebb9acd843c79e49b1
                                  • Opcode Fuzzy Hash: c80eba29621552cc0015daa61550ea74c149dc0acfa072f5cc390db0d0044802
                                  • Instruction Fuzzy Hash: E8B14A75A012199FEB24DF18C884BAEB7B4FF49314F1085AEE909A7351D739AE90CF44
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: tcp$udp
                                  • API String ID: 0-3725065008
                                  • Opcode ID: 3317bb7e427a09276a98136aacea04ff7717d48f4dd4b8ff28f9b5a2aba46388
                                  • Instruction ID: e5bb8fef491b59a621f975c33c92e719a9e773eef76f1c958f584ffae729cd60
                                  • Opcode Fuzzy Hash: 3317bb7e427a09276a98136aacea04ff7717d48f4dd4b8ff28f9b5a2aba46388
                                  • Instruction Fuzzy Hash: 9171AB716083028FDB24CE5584847ABB6E4AF84746F10043FF885A7352E778DE85CB9A
                                  APIs
                                  • CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00465454,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C38
                                  • WriteFile.KERNEL32(00000000,?,00000000,?,00000000,?,000186A0,?,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C80
                                    • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                  • CloseHandle.KERNEL32(00000000,?,?,00000000,00407273,00000000,?,0000000A,00000000,00000000), ref: 00406CC0
                                  • MoveFileW.KERNEL32(00000000,00000000), ref: 00406CDD
                                  • CloseHandle.KERNEL32(00000000,00000057,?,00000008,?,?,?,?,?,?,0000000A,00000000,00000000), ref: 00406D08
                                  • DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,0000000A,00000000,00000000), ref: 00406D18
                                    • Part of subcall function 0040455B: WaitForSingleObject.KERNEL32(?,000000FF,?,?,0040460E,00000000,?,?), ref: 0040456A
                                    • Part of subcall function 0040455B: SetEvent.KERNEL32(?,?,?,0040460E,00000000,?,?), ref: 00404588
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
                                  • String ID: .part
                                  • API String ID: 1303771098-3499674018
                                  • Opcode ID: cf57b88e8736247bab96c122cc0a48a1b12f1b6bcdae9bb4a006722ccb69ac59
                                  • Instruction ID: 92ff4720e6a7c249f3c3ae71a82c25b1888123647972eaae8327678ea1ca1cb3
                                  • Opcode Fuzzy Hash: cf57b88e8736247bab96c122cc0a48a1b12f1b6bcdae9bb4a006722ccb69ac59
                                  • Instruction Fuzzy Hash: 2131C4715083009FD210EF21DD459AFB7A8FB84315F40093FF9C6A21A1DB38AA48CB9A
                                  APIs
                                    • Part of subcall function 00412584: RegOpenKeyExW.ADVAPI32(80000001,00000400,00000000,00020019,?), ref: 004125A6
                                    • Part of subcall function 00412584: RegQueryValueExW.ADVAPI32(?,0040E0BA,00000000,00000000,?,00000400), ref: 004125C5
                                    • Part of subcall function 00412584: RegCloseKey.ADVAPI32(?), ref: 004125CE
                                    • Part of subcall function 0041B16B: GetCurrentProcess.KERNEL32(?,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B17C
                                  • _wcslen.LIBCMT ref: 0041A906
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CloseCurrentOpenProcessQueryValue_wcslen
                                  • String ID: .exe$:@$XCG$http\shell\open\command$program files (x86)\$program files\
                                  • API String ID: 37874593-703403762
                                  • Opcode ID: d1b129823d2eb871984bf039fa82585e8236e7331ec38122e0fed58a21493060
                                  • Instruction ID: 668df6a2f2e8443cbe55da1b88d556a36153785c12b7582e9a7b6ce06fc50c8b
                                  • Opcode Fuzzy Hash: d1b129823d2eb871984bf039fa82585e8236e7331ec38122e0fed58a21493060
                                  • Instruction Fuzzy Hash: 4C217472B001046BDB04BAB58C96DEE366D9B85358F14093FF412B72D3EE3C9D9942A9
                                  APIs
                                  • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,?,0042CE63,?,?,?,00449BB1,00000001,00000001,?), ref: 004499BA
                                  • __alloca_probe_16.LIBCMT ref: 004499F2
                                  • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,0042CE63,?,?,?,00449BB1,00000001,00000001,?), ref: 00449A40
                                  • __alloca_probe_16.LIBCMT ref: 00449AD7
                                  • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00449B3A
                                  • __freea.LIBCMT ref: 00449B47
                                    • Part of subcall function 00446B0F: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00433637,?,?,00402BE9,?,00402629,00000000,?,00402578,?,?), ref: 00446B41
                                  • __freea.LIBCMT ref: 00449B50
                                  • __freea.LIBCMT ref: 00449B75
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
                                  • String ID:
                                  • API String ID: 3864826663-0
                                  • Opcode ID: 81d70c20703e66394a8e6e24da3589bfc2c015b76e7b2aedf7d205086cdaf592
                                  • Instruction ID: 2fc013a73a1c4821613f4f7d6933c77eebbc764427e3f4eacb424f728eff0283
                                  • Opcode Fuzzy Hash: 81d70c20703e66394a8e6e24da3589bfc2c015b76e7b2aedf7d205086cdaf592
                                  • Instruction Fuzzy Hash: 0951F772610256AFFB259F61DC42EBBB7A9EB44714F14462EFD04D7240EB38EC40E668
                                  APIs
                                  • SendInput.USER32 ref: 00418B18
                                  • SendInput.USER32(00000001,?,0000001C), ref: 00418B40
                                  • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418B67
                                  • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418B85
                                  • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418BA5
                                  • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418BCA
                                  • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418BEC
                                  • SendInput.USER32(00000001,?,0000001C), ref: 00418C0F
                                    • Part of subcall function 00418AC1: MapVirtualKeyA.USER32(00000000,00000000), ref: 00418AC7
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: InputSend$Virtual
                                  • String ID:
                                  • API String ID: 1167301434-0
                                  • Opcode ID: 88f93acc81d4616b4190e12117d1b14dafb1e9928c91053c24dee7c09840eeb6
                                  • Instruction ID: 9e9d03405de643faf883966fb0167173931b0bf8c68e8067c58721a0feba7ae1
                                  • Opcode Fuzzy Hash: 88f93acc81d4616b4190e12117d1b14dafb1e9928c91053c24dee7c09840eeb6
                                  • Instruction Fuzzy Hash: 10318071248349AAE210DF65D841FDBFBECAFD9B44F04080FB98457191DBA4998C876B
                                  APIs
                                  • OpenClipboard.USER32 ref: 00415A46
                                  • EmptyClipboard.USER32 ref: 00415A54
                                  • CloseClipboard.USER32 ref: 00415A5A
                                  • OpenClipboard.USER32 ref: 00415A61
                                  • GetClipboardData.USER32(0000000D), ref: 00415A71
                                  • GlobalLock.KERNEL32(00000000), ref: 00415A7A
                                  • GlobalUnlock.KERNEL32(00000000), ref: 00415A83
                                  • CloseClipboard.USER32 ref: 00415A89
                                    • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
                                  • String ID:
                                  • API String ID: 2172192267-0
                                  • Opcode ID: 2d3b56b95838ce08d86a2e4d06a8e3cc238982747feb028c64ae05ca54457186
                                  • Instruction ID: 21d753e14671b68e74bb0dc0c2a05280281c3050cfaacb3e005a94eaf945824a
                                  • Opcode Fuzzy Hash: 2d3b56b95838ce08d86a2e4d06a8e3cc238982747feb028c64ae05ca54457186
                                  • Instruction Fuzzy Hash: 1D0152312083009FC314BB75EC5AAEE77A5AFC0752F41457EFD06861A2DF38C845D65A
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: __freea$__alloca_probe_16
                                  • String ID: a/p$am/pm$fD
                                  • API String ID: 3509577899-1143445303
                                  • Opcode ID: e0c58fd508ac7f9020f233231798530ee610dc717e528da9a7e0b991552c4189
                                  • Instruction ID: b3ac1812908cceb8a5e393dcdb4c984f4f77018dd86d4d200126c6f407000a93
                                  • Opcode Fuzzy Hash: e0c58fd508ac7f9020f233231798530ee610dc717e528da9a7e0b991552c4189
                                  • Instruction Fuzzy Hash: 45D10171900205EAFB289F68D9456BBB7B0FF06700F26415BE9019B349D37D9D81CB6B
                                  APIs
                                  • _free.LIBCMT ref: 00447ECC
                                  • _free.LIBCMT ref: 00447EF0
                                  • _free.LIBCMT ref: 00448077
                                  • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045D478), ref: 00448089
                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,0047179C,000000FF,00000000,0000003F,00000000,?,?), ref: 00448101
                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,004717F0,000000FF,?,0000003F,00000000,?), ref: 0044812E
                                  • _free.LIBCMT ref: 00448243
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: _free$ByteCharMultiWide$InformationTimeZone
                                  • String ID:
                                  • API String ID: 314583886-0
                                  • Opcode ID: 83ba8f2d62c5e3ad5148b86fb09d723ebab1b028d42839a605bfd88c95d0b2fc
                                  • Instruction ID: 19e3b7565c7c288d74bc5d2e619305edf95ef22548e2b541e8d8082bcdfeb5ac
                                  • Opcode Fuzzy Hash: 83ba8f2d62c5e3ad5148b86fb09d723ebab1b028d42839a605bfd88c95d0b2fc
                                  • Instruction Fuzzy Hash: 27C10671904205ABFB24DF698C41AAE7BB9EF45314F2441AFE484A7251EB388E47C758
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: _free
                                  • String ID:
                                  • API String ID: 269201875-0
                                  • Opcode ID: 5969c94153c7b7bc47658fb7421fb2dc5c6178a12c9a66a46f54a64434edbe96
                                  • Instruction ID: 4bbe003d1bf73c874d2a573eb0f11032bb863b1283a960f175a06077317d427c
                                  • Opcode Fuzzy Hash: 5969c94153c7b7bc47658fb7421fb2dc5c6178a12c9a66a46f54a64434edbe96
                                  • Instruction Fuzzy Hash: 9D61CE71D00205AFEB20DF69C842BAABBF5EB45320F14407BE844EB281E7759D45CB59
                                  APIs
                                    • Part of subcall function 00446B0F: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00433637,?,?,00402BE9,?,00402629,00000000,?,00402578,?,?), ref: 00446B41
                                  • _free.LIBCMT ref: 00444096
                                  • _free.LIBCMT ref: 004440AD
                                  • _free.LIBCMT ref: 004440CC
                                  • _free.LIBCMT ref: 004440E7
                                  • _free.LIBCMT ref: 004440FE
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: _free$AllocateHeap
                                  • String ID: Z7D
                                  • API String ID: 3033488037-2145146825
                                  • Opcode ID: e789079c2bca6bbabae9b3291a6a7c0d52dcd5a72fb4a21e852c8be1410d12d6
                                  • Instruction ID: 35b293ba1399b13e66314f32d3a1361244e269274da5e60bce22b88c1773d583
                                  • Opcode Fuzzy Hash: e789079c2bca6bbabae9b3291a6a7c0d52dcd5a72fb4a21e852c8be1410d12d6
                                  • Instruction Fuzzy Hash: 1451D131A00604AFEB20DF66C841B6A77F4EF99724B14456EE909D7251E739EE118B88
                                  APIs
                                  • GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,0044A848,?,00000000,00000000,00000000,00000000,0000000C), ref: 0044A115
                                  • __fassign.LIBCMT ref: 0044A190
                                  • __fassign.LIBCMT ref: 0044A1AB
                                  • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 0044A1D1
                                  • WriteFile.KERNEL32(?,00000000,00000000,0044A848,00000000,?,?,?,?,?,?,?,?,?,0044A848,?), ref: 0044A1F0
                                  • WriteFile.KERNEL32(?,?,00000001,0044A848,00000000,?,?,?,?,?,?,?,?,?,0044A848,?), ref: 0044A229
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                  • String ID:
                                  • API String ID: 1324828854-0
                                  • Opcode ID: c2a57007ecaabeafdb2dea6b541a07f99f491d21749d301156e70ae2fc22959b
                                  • Instruction ID: e447b7b613fb78ded26f6ec2e5332222395caf0b7731ddcd5a4cfd0c244b89ef
                                  • Opcode Fuzzy Hash: c2a57007ecaabeafdb2dea6b541a07f99f491d21749d301156e70ae2fc22959b
                                  • Instruction Fuzzy Hash: FB51C270E002499FEB10CFA8D881AEEBBF8FF09310F14416BE955E7351D6749A51CB6A
                                  APIs
                                  • ExitThread.KERNEL32 ref: 004017F4
                                    • Part of subcall function 00433529: EnterCriticalSection.KERNEL32(00470D18,?,00475D4C,?,0040AE8B,00475D4C,?,00000000,00000000), ref: 00433534
                                    • Part of subcall function 00433529: LeaveCriticalSection.KERNEL32(00470D18,?,0040AE8B,00475D4C,?,00000000,00000000), ref: 00433571
                                  • waveInUnprepareHeader.WINMM(?,00000020,00000000,?,00000020,00473EE8,00000000), ref: 00401902
                                    • Part of subcall function 004338B5: __onexit.LIBCMT ref: 004338BB
                                  • __Init_thread_footer.LIBCMT ref: 004017BC
                                    • Part of subcall function 004334DF: EnterCriticalSection.KERNEL32(00470D18,00475D4C,?,0040AEAC,00475D4C,00456DA7,?,00000000,00000000), ref: 004334E9
                                    • Part of subcall function 004334DF: LeaveCriticalSection.KERNEL32(00470D18,?,0040AEAC,00475D4C,00456DA7,?,00000000,00000000), ref: 0043351C
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CriticalSection$EnterLeave$ExitHeaderInit_thread_footerThreadUnprepare__onexitwave
                                  • String ID: T=G$>G$>G
                                  • API String ID: 1596592924-1617985637
                                  • Opcode ID: d1365f7f77802962f7994e5e9ee858f7cc26909dfe0d37eba0dff20f3b17b4ae
                                  • Instruction ID: 0943ace0b6a80c7a2dd7ea0048a529cdefdd5a29547fab9333b46e46416e0a54
                                  • Opcode Fuzzy Hash: d1365f7f77802962f7994e5e9ee858f7cc26909dfe0d37eba0dff20f3b17b4ae
                                  • Instruction Fuzzy Hash: D941F0716042008BC325FB75DDA6AAE73A4EB90318F00453FF50AAB1F2DF789985C65E
                                  APIs
                                  • RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00020019,?), ref: 00412CC1
                                    • Part of subcall function 004129AA: RegQueryInfoKeyW.ADVAPI32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00412A1D
                                    • Part of subcall function 004129AA: RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?,?,00000000,?,?,?,?), ref: 00412A4C
                                    • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                  • RegCloseKey.ADVAPI32(TUFTUF,00465554,00465554,00465900,00465900,00000071), ref: 00412E31
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CloseEnumInfoOpenQuerysend
                                  • String ID: TUFTUF$>G$DG$DG
                                  • API String ID: 3114080316-344394840
                                  • Opcode ID: ab94d16146313dcf7be53f87edfe1d32ca0c410ab586fef58f6e17ab1ea5acb0
                                  • Instruction ID: 977689a643a5ec5a4c60f988ad8168500f8ba0dfdc14b2429fd77a11b5167535
                                  • Opcode Fuzzy Hash: ab94d16146313dcf7be53f87edfe1d32ca0c410ab586fef58f6e17ab1ea5acb0
                                  • Instruction Fuzzy Hash: 9041A2316042009BC224F635D8A2AEF7394AFD0708F50843FF94A671E2EF7C5D4986AE
                                  APIs
                                  • _ValidateLocalCookies.LIBCMT ref: 00437ABB
                                  • ___except_validate_context_record.LIBVCRUNTIME ref: 00437AC3
                                  • _ValidateLocalCookies.LIBCMT ref: 00437B51
                                  • __IsNonwritableInCurrentImage.LIBCMT ref: 00437B7C
                                  • _ValidateLocalCookies.LIBCMT ref: 00437BD1
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                  • String ID: csm
                                  • API String ID: 1170836740-1018135373
                                  • Opcode ID: a717e1e029c36c18052b78818950a58a3847fd0af0d72a643a188b4f53f37093
                                  • Instruction ID: 71a827b8039fc8fef17eb0172cb9efd804432aff4b2936af944e1c8a38ed202f
                                  • Opcode Fuzzy Hash: a717e1e029c36c18052b78818950a58a3847fd0af0d72a643a188b4f53f37093
                                  • Instruction Fuzzy Hash: 07410870A04209DBCF20EF29C884A9FBBB4AF08328F149156E8556B352D739EE01CF95
                                  APIs
                                    • Part of subcall function 00412513: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00412537
                                    • Part of subcall function 00412513: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00412554
                                    • Part of subcall function 00412513: RegCloseKey.KERNEL32(?), ref: 0041255F
                                  • ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040B76C
                                  • PathFileExistsA.SHLWAPI(?), ref: 0040B779
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
                                  • String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
                                  • API String ID: 1133728706-4073444585
                                  • Opcode ID: a94ab199ae6375f73d8e7764e9a9313e8b6e47f7884371dc3135ef485941189b
                                  • Instruction ID: c183ecd3189b8021203cc80da109e2de7a31ac9d6a13988019f9cddb43f3bc3e
                                  • Opcode Fuzzy Hash: a94ab199ae6375f73d8e7764e9a9313e8b6e47f7884371dc3135ef485941189b
                                  • Instruction Fuzzy Hash: 84216D71900219A6CB04F7B2DCA69EE7764AE95318F40013FA902771D2EB7C9A49C6DE
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: dfab428511212000b980b964f0fa0b3b0c66161db3c5fab27109bb8a214377e5
                                  • Instruction ID: c456bd3af877b6cafd4b53f13a87e342c7fa5de46f767ee01c057a6e18c8cad8
                                  • Opcode Fuzzy Hash: dfab428511212000b980b964f0fa0b3b0c66161db3c5fab27109bb8a214377e5
                                  • Instruction Fuzzy Hash: 401102B1508615FBDB206F729C4593B7BACEF82772B20016FFC05C6242DA3CC801D669
                                  APIs
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 0040FBFC
                                  • int.LIBCPMT ref: 0040FC0F
                                    • Part of subcall function 0040CEE0: std::_Lockit::_Lockit.LIBCPMT ref: 0040CEF1
                                    • Part of subcall function 0040CEE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0040CF0B
                                  • std::_Facet_Register.LIBCPMT ref: 0040FC4B
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 0040FC71
                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 0040FC8D
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                  • String ID: p[G
                                  • API String ID: 2536120697-440918510
                                  • Opcode ID: 21b0a4efc7602d160aff57bcb0434e0537ff44c0ab5ab895835da1e08b7de2e9
                                  • Instruction ID: 57388c14a05e53b5f50c1e79e3c37d993a50775a9f2b0ccff9e8b1bf96635e0f
                                  • Opcode Fuzzy Hash: 21b0a4efc7602d160aff57bcb0434e0537ff44c0ab5ab895835da1e08b7de2e9
                                  • Instruction Fuzzy Hash: BD110232904519A7CB10FBA5D8469EEB7289E84358F20007BF805B72C1EB7CAF45C78D
                                  APIs
                                    • Part of subcall function 0044FA32: _free.LIBCMT ref: 0044FA5B
                                  • _free.LIBCMT ref: 0044FD39
                                    • Part of subcall function 00446AD5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FA60,?,00000000,?,00000000,?,0044FD04,?,00000007,?,?,00450215,?), ref: 00446AEB
                                    • Part of subcall function 00446AD5: GetLastError.KERNEL32(?,?,0044FA60,?,00000000,?,00000000,?,0044FD04,?,00000007,?,?,00450215,?,?), ref: 00446AFD
                                  • _free.LIBCMT ref: 0044FD44
                                  • _free.LIBCMT ref: 0044FD4F
                                  • _free.LIBCMT ref: 0044FDA3
                                  • _free.LIBCMT ref: 0044FDAE
                                  • _free.LIBCMT ref: 0044FDB9
                                  • _free.LIBCMT ref: 0044FDC4
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: _free$ErrorFreeHeapLast
                                  • String ID:
                                  • API String ID: 776569668-0
                                  • Opcode ID: 7c29d87e7d6a666a6374703866dd42c53a280d6db8acc668fe4e1522d65ba280
                                  • Instruction ID: b610107d28af63220697d29f7fc6270dd0ec529a0d2d9973413717ad3690abbb
                                  • Opcode Fuzzy Hash: 7c29d87e7d6a666a6374703866dd42c53a280d6db8acc668fe4e1522d65ba280
                                  • Instruction Fuzzy Hash: B5116071581B44ABE520F7B2CC07FCB77DDDF02708F404C2EB29E76052EA68B90A4655
                                  APIs
                                  • CoInitializeEx.OLE32(00000000,00000002,00000000,C:\Users\user\Desktop\preliminary drawing.pif.exe), ref: 00406835
                                    • Part of subcall function 00406764: _wcslen.LIBCMT ref: 00406788
                                    • Part of subcall function 00406764: CoGetObject.OLE32(?,00000024,004659B0,00000000), ref: 004067E9
                                  • CoUninitialize.OLE32 ref: 0040688E
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: InitializeObjectUninitialize_wcslen
                                  • String ID: C:\Users\user\Desktop\preliminary drawing.pif.exe$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
                                  • API String ID: 3851391207-2741792862
                                  • Opcode ID: 37e49e74ace5e8c7de8c35aba96b6244217e4573d21f95b04fe8e6107b657e82
                                  • Instruction ID: 622c6236034ee416db36617ed9a374104512909f75adacabffe0517dc70a223e
                                  • Opcode Fuzzy Hash: 37e49e74ace5e8c7de8c35aba96b6244217e4573d21f95b04fe8e6107b657e82
                                  • Instruction Fuzzy Hash: A501C0722013106FE2287B11DC0EF3B2658DB4176AF22413FF946A71C1EAA9AC104669
                                  APIs
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 0040FEDF
                                  • int.LIBCPMT ref: 0040FEF2
                                    • Part of subcall function 0040CEE0: std::_Lockit::_Lockit.LIBCPMT ref: 0040CEF1
                                    • Part of subcall function 0040CEE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0040CF0B
                                  • std::_Facet_Register.LIBCPMT ref: 0040FF2E
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 0040FF54
                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 0040FF70
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                  • String ID: h]G
                                  • API String ID: 2536120697-1579725984
                                  • Opcode ID: 8c8f0d1d08d765d4a28e06ad20e8fb44e6fb0a24af2cea39948b13a93e2f9581
                                  • Instruction ID: faa6495482ffb760010bfa20be6f485864068761b5f97391b19e5f0bde606c56
                                  • Opcode Fuzzy Hash: 8c8f0d1d08d765d4a28e06ad20e8fb44e6fb0a24af2cea39948b13a93e2f9581
                                  • Instruction Fuzzy Hash: 10119D3190041AABCB24FBA5C8468DDB7699E85718B20057FF505B72C1EB78AE09C789
                                  APIs
                                  • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040B2E4
                                  • GetLastError.KERNEL32 ref: 0040B2EE
                                  Strings
                                  • UserProfile, xrefs: 0040B2B4
                                  • [Chrome Cookies found, cleared!], xrefs: 0040B314
                                  • \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040B2AF
                                  • [Chrome Cookies not found], xrefs: 0040B308
                                  Similarity
                                  • API ID: DeleteErrorFileLast
                                  • String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
                                  • API String ID: 2018770650-304995407
                                  APIs
                                  • AllocConsole.KERNEL32(00474358), ref: 0041BEC9
                                  • ShowWindow.USER32(00000000,00000000), ref: 0041BEE2
                                  • SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041BF07
                                  Similarity
                                  • API ID: Console$AllocOutputShowWindow
                                  • String ID: Remcos v$5.3.0 Pro$CONOUT$
                                  • API String ID: 2425139147-2527699604
                                  Similarity
                                  • API ID:
                                  • String ID: (CG$C:\Users\user\Desktop\preliminary drawing.pif.exe$BG
                                  • API String ID: 0-1756670384
                                  APIs
                                    • Part of subcall function 0041A696: GetLocalTime.KERNEL32(00000000), ref: 0041A6B0
                                  • GetModuleHandleA.KERNEL32(00000000,00020009), ref: 00419F74
                                  • PlaySoundW.WINMM(00000000,00000000), ref: 00419F82
                                  • Sleep.KERNEL32(00002710), ref: 00419F89
                                  • PlaySoundW.WINMM(00000000,00000000,00000000), ref: 00419F92
                                  Similarity
                                  • API ID: PlaySound$HandleLocalModuleSleepTime
                                  • String ID: Alarm triggered$`Wu
                                  • API String ID: 614609389-1738255680
                                  APIs
                                  • __allrem.LIBCMT ref: 00439799
                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004397B5
                                  • __allrem.LIBCMT ref: 004397CC
                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004397EA
                                  • __allrem.LIBCMT ref: 00439801
                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043981F
                                  Similarity
                                  • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                  • String ID:
                                  • API String ID: 1992179935-0
                                  Similarity
                                  • API ID: __cftoe
                                  • String ID:
                                  • API String ID: 4189289331-0
                                  APIs
                                  • OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,?,00000000,?,?,00419517,00000000,00000000), ref: 00419E0C
                                  • OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,00000000,?,?,00419517,00000000,00000000), ref: 00419E20
                                  • CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,00419517,00000000,00000000), ref: 00419E2D
                                  • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,00419517), ref: 00419E62
                                  • CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,00419517,00000000,00000000), ref: 00419E74
                                  • CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,00419517,00000000,00000000), ref: 00419E77
                                  Similarity
                                  • API ID: Service$CloseHandle$Open$ChangeConfigManager
                                  • String ID:
                                  • API String ID: 493672254-0
                                  APIs
                                  • GetLastError.KERNEL32(?,?,00437E0D,004377C1), ref: 00437E24
                                  • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00437E32
                                  • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00437E4B
                                  • SetLastError.KERNEL32(00000000,?,00437E0D,004377C1), ref: 00437E9D
                                  Similarity
                                  • API ID: ErrorLastValue___vcrt_
                                  • String ID:
                                  • API String ID: 3852720340-0
                                  APIs
                                  • GetLastError.KERNEL32(?,?,0043932C,?,?,?,0043E4DD,?,?,?,?,00000000,?,?,0042CE63,0000003B), ref: 00446ED3
                                  • _free.LIBCMT ref: 00446F06
                                  • _free.LIBCMT ref: 00446F2E
                                  • SetLastError.KERNEL32(00000000,0043E4DD,?,?,?,?,00000000,?,?,0042CE63,0000003B,?,00000041,00000000,00000000), ref: 00446F3B
                                  • SetLastError.KERNEL32(00000000,0043E4DD,?,?,?,?,00000000,?,?,0042CE63,0000003B,?,00000041,00000000,00000000), ref: 00446F47
                                  • _abort.LIBCMT ref: 00446F4D
                                  Similarity
                                  • API ID: ErrorLast$_free$_abort
                                  • String ID:
                                  • API String ID: 3160817290-0
                                  APIs
                                  • OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,?,?,?,?,?,?,004197AB,00000000,00000000), ref: 00419C3F
                                  • OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,004197AB,00000000,00000000), ref: 00419C53
                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004197AB,00000000,00000000), ref: 00419C60
                                  • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,004197AB,00000000,00000000), ref: 00419C6F
                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004197AB,00000000,00000000), ref: 00419C81
                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004197AB,00000000,00000000), ref: 00419C84
                                  Similarity
                                  • API ID: Service$CloseHandle$Open$ControlManager
                                  • String ID:
                                  • API String ID: 221034970-0
                                  APIs
                                  • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,?,?,?,?,?,?,00419729,00000000,00000000), ref: 00419D41
                                  • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,00419729,00000000,00000000), ref: 00419D55
                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419729,00000000,00000000), ref: 00419D62
                                  • ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,00419729,00000000,00000000), ref: 00419D71
                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419729,00000000,00000000), ref: 00419D83
                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419729,00000000,00000000), ref: 00419D86
                                  Similarity
                                  • API ID: Service$CloseHandle$Open$ControlManager
                                  • String ID:
                                  • API String ID: 221034970-0
                                  APIs
                                  • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,?,?,?,?,?,?,004196A7,00000000,00000000), ref: 00419DA6
                                  • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,004196A7,00000000,00000000), ref: 00419DBA
                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004196A7,00000000,00000000), ref: 00419DC7
                                  • ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,004196A7,00000000,00000000), ref: 00419DD6
                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004196A7,00000000,00000000), ref: 00419DE8
                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004196A7,00000000,00000000), ref: 00419DEB
                                  Similarity
                                  • API ID: Service$CloseHandle$Open$ControlManager
                                  • String ID:
                                  • API String ID: 221034970-0
                                  APIs
                                  • RegQueryInfoKeyW.ADVAPI32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00412A1D
                                  • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?,?,00000000,?,?,?,?), ref: 00412A4C
                                  • RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,?,?,00002710,?,?,?,00000000,?,?,?,?), ref: 00412AED
                                  Similarity
                                  • API ID: Enum$InfoQueryValue
                                  • String ID: [regsplt]$DG
                                  • API String ID: 3554306468-1089238109
                                  APIs
                                    • Part of subcall function 00433529: EnterCriticalSection.KERNEL32(00470D18,?,00475D4C,?,0040AE8B,00475D4C,?,00000000,00000000), ref: 00433534
                                    • Part of subcall function 00433529: LeaveCriticalSection.KERNEL32(00470D18,?,0040AE8B,00475D4C,?,00000000,00000000), ref: 00433571
                                    • Part of subcall function 004338B5: __onexit.LIBCMT ref: 004338BB
                                  • __Init_thread_footer.LIBCMT ref: 0040AEA7
                                    • Part of subcall function 004334DF: EnterCriticalSection.KERNEL32(00470D18,00475D4C,?,0040AEAC,00475D4C,00456DA7,?,00000000,00000000), ref: 004334E9
                                    • Part of subcall function 004334DF: LeaveCriticalSection.KERNEL32(00470D18,?,0040AEAC,00475D4C,00456DA7,?,00000000,00000000), ref: 0043351C
                                  Similarity
                                  • API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit
                                  • String ID: [End of clipboard]$[Text copied to clipboard]$L]G$P]G
                                  • API String ID: 2974294136-4018440003
                                  APIs
                                  • GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040A884
                                  • wsprintfW.USER32 ref: 0040A905
                                    • Part of subcall function 00409D58: SetEvent.KERNEL32(?,?,00000000,0040A91C,00000000), ref: 00409D84
                                  Similarity
                                  • API ID: EventLocalTimewsprintf
                                  • String ID: [%04i/%02i/%02i %02i:%02i:%02i $Offline Keylogger Started$]
                                  • API String ID: 1497725170-248792730
                                  APIs
                                  • CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00409E6F), ref: 00409DCD
                                  • GetFileSize.KERNEL32(00000000,00000000,?,?,?,00409E6F), ref: 00409DDC
                                  • Sleep.KERNEL32(00002710,?,?,?,00409E6F), ref: 00409E09
                                  • CloseHandle.KERNEL32(00000000,?,?,?,00409E6F), ref: 00409E10
                                  Similarity
                                  • API ID: File$CloseCreateHandleSizeSleep
                                  • String ID: `AG
                                  • API String ID: 1958988193-3058481221
                                  APIs
                                  • RegisterClassExA.USER32(00000030), ref: 0041CA7C
                                  • CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041CA97
                                  • GetLastError.KERNEL32 ref: 0041CAA1
                                  Similarity
                                  • API ID: ClassCreateErrorLastRegisterWindow
                                  • String ID: 0$MsgWindowClass
                                  • API String ID: 2877667751-2410386613
                                  APIs
                                  • CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 00406A00
                                  • CloseHandle.KERNEL32(?), ref: 00406A0F
                                  • CloseHandle.KERNEL32(?), ref: 00406A14
                                  Strings
                                  • C:\Windows\System32\cmd.exe, xrefs: 004069FB
                                  • /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 004069F6
                                  Similarity
                                  • API ID: CloseHandle$CreateProcess
                                  • String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
                                  • API String ID: 2922976086-4183131282
                                  APIs
                                  • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,0044259A,?,?,0044253A,?), ref: 00442609
                                  • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0044261C
                                  • FreeLibrary.KERNEL32(00000000,?,?,?,0044259A,?,?,0044253A,?), ref: 0044263F
                                  Similarity
                                  • API ID: AddressFreeHandleLibraryModuleProc
                                  • String ID: CorExitProcess$mscoree.dll
                                  • API String ID: 4061214504-1276376045
                                  APIs
                                  • RegCreateKeyW.ADVAPI32(80000001,00000000,BG), ref: 0041277F
                                  • RegSetValueExW.ADVAPI32(BG,?,00000000,00000001,00000000,00000000,004742F8,?,0040E5CB,pth_unenc,004742E0), ref: 004127AD
                                  • RegCloseKey.ADVAPI32(?,?,0040E5CB,pth_unenc,004742E0), ref: 004127B8
                                  • API ID: CloseCreateValue
                                  • String ID: pth_unenc$BG
                                  • API String ID: 1818849710-2233081382
                                  APIs
                                  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,004745A8,00414DB5,00000000,00000000,00000001), ref: 00404AED
                                  • SetEvent.KERNEL32(?), ref: 00404AF9
                                  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00404B04
                                  • CloseHandle.KERNEL32(?), ref: 00404B0D
                                    • Part of subcall function 0041A696: GetLocalTime.KERNEL32(00000000), ref: 0041A6B0
                                  • API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
                                  • String ID: KeepAlive | Disabled
                                  • API String ID: 2993684571-305739064
                                  APIs
                                  • GetStdHandle.KERNEL32(000000F5,00000000,?,?,?,?,?,?,0041BF12), ref: 0041BE89
                                  • GetConsoleScreenBufferInfo.KERNEL32(00000000,?,?,?,?,?,?,?,0041BF12), ref: 0041BE96
                                  • SetConsoleTextAttribute.KERNEL32(00000000,0000000C,?,?,?,?,?,?,0041BF12), ref: 0041BEA3
                                  • SetConsoleTextAttribute.KERNEL32(00000000,?,?,?,?,?,?,?,0041BF12), ref: 0041BEB6
                                  Strings
                                  • ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/ , xrefs: 0041BEA9
                                  • API ID: Console$AttributeText$BufferHandleInfoScreen
                                  • String ID: ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/
                                  • API String ID: 3024135584-2418719853
                                  APIs
                                  • GetModuleHandleA.KERNEL32(User32.dll,GetCursorInfo), ref: 0040143A
                                  • GetProcAddress.KERNEL32(00000000), ref: 00401441
                                  • API ID: AddressHandleModuleProc
                                  • String ID: GetCursorInfo$User32.dll$`Wu
                                  • API String ID: 1646373207-4024354691
                                  APIs
                                    • Part of subcall function 004105B9: SetLastError.KERNEL32(0000000D,00410B38,?,00000000), ref: 004105BF
                                  • GetNativeSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00410B15), ref: 00410BC4
                                  • GetProcessHeap.KERNEL32(00000008,00000040,?,?,00000000), ref: 00410C2A
                                  • HeapAlloc.KERNEL32(00000000,?,?,00000000), ref: 00410C31
                                  • SetLastError.KERNEL32(0000045A,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00410D3F
                                  • SetLastError.KERNEL32(000000C1,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00410B15), ref: 00410D69
                                  • API ID: ErrorLast$Heap$AllocInfoNativeProcessSystem
                                  • String ID:
                                  • API String ID: 3525466593-0
                                  APIs
                                  • Sleep.KERNEL32(00000000), ref: 00403E8A
                                    • Part of subcall function 00403FCD: __EH_prolog.LIBCMT ref: 00403FD2
                                  • API ID: H_prologSleep
                                  • String ID: CloseCamera$FreeFrame$GetFrame$OpenCamera
                                  • API String ID: 3469354165-3547787478
                                  APIs
                                    • Part of subcall function 0041B16B: GetCurrentProcess.KERNEL32(?,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B17C
                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040E6C1
                                  • Process32FirstW.KERNEL32(00000000,?), ref: 0040E6E5
                                  • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E6F4
                                  • CloseHandle.KERNEL32(00000000), ref: 0040E8AB
                                    • Part of subcall function 0041B197: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040E4D0,00000000,?,?,00474358), ref: 0041B1AC
                                    • Part of subcall function 0041B38D: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041B3A5
                                    • Part of subcall function 0041B38D: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041B3B8
                                  • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E89C
                                  • API ID: Process$OpenProcess32$Next$CloseCreateCurrentFirstHandleSnapshotToolhelp32
                                  • String ID:
                                  • API String ID: 4269425633-0
                                  • API ID: _free
                                  • String ID:
                                  • API String ID: 269201875-0
                                  APIs
                                  • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,0042CE63,?,?,?,00000001,?,?,00000001,0042CE63,0042CE63), ref: 0044FF30
                                  • __alloca_probe_16.LIBCMT ref: 0044FF68
                                  • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,0042CE63,?,?,?,00000001,?,?,00000001,0042CE63,0042CE63,?), ref: 0044FFB9
                                  • GetStringTypeW.KERNEL32(00000001,00000000,00000000,00000001,?,?,?,00000001,?,?,00000001,0042CE63,0042CE63,?,00000002,?), ref: 0044FFCB
                                  • __freea.LIBCMT ref: 0044FFD4
                                    • Part of subcall function 00446B0F: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00433637,?,?,00402BE9,?,00402629,00000000,?,00402578,?,?), ref: 00446B41
                                  • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
                                  • String ID:
                                  • API String ID: 313313983-0
                                  APIs
                                  • GetEnvironmentStringsW.KERNEL32 ref: 0044E154
                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044E177
                                    • Part of subcall function 00446B0F: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00433637,?,?,00402BE9,?,00402629,00000000,?,00402578,?,?), ref: 00446B41
                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044E19D
                                  • _free.LIBCMT ref: 0044E1B0
                                  • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044E1BF
                                  • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                  • String ID:
                                  • API String ID: 336800556-0
                                  APIs
                                  • _free.LIBCMT ref: 0044F7C5
                                    • Part of subcall function 00446AD5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FA60,?,00000000,?,00000000,?,0044FD04,?,00000007,?,?,00450215,?), ref: 00446AEB
                                    • Part of subcall function 00446AD5: GetLastError.KERNEL32(?,?,0044FA60,?,00000000,?,00000000,?,0044FD04,?,00000007,?,?,00450215,?,?), ref: 00446AFD
                                  • _free.LIBCMT ref: 0044F7D7
                                  • _free.LIBCMT ref: 0044F7E9
                                  • _free.LIBCMT ref: 0044F7FB
                                  • _free.LIBCMT ref: 0044F80D
                                  • API ID: _free$ErrorFreeHeapLast
                                  • String ID:
                                  • API String ID: 776569668-0
                                  APIs
                                  • _free.LIBCMT ref: 00443315
                                    • Part of subcall function 00446AD5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FA60,?,00000000,?,00000000,?,0044FD04,?,00000007,?,?,00450215,?), ref: 00446AEB
                                    • Part of subcall function 00446AD5: GetLastError.KERNEL32(?,?,0044FA60,?,00000000,?,00000000,?,0044FD04,?,00000007,?,?,00450215,?,?), ref: 00446AFD
                                  • _free.LIBCMT ref: 00443327
                                  • _free.LIBCMT ref: 0044333A
                                  • _free.LIBCMT ref: 0044334B
                                  • _free.LIBCMT ref: 0044335C
                                  • API ID: _free$ErrorFreeHeapLast
                                  • String ID:
                                  • API String ID: 776569668-0
                                  APIs
                                  • GetWindowThreadProcessId.USER32(?,?), ref: 00416768
                                  • GetWindowTextW.USER32(?,?,0000012C), ref: 0041679A
                                  • IsWindowVisible.USER32(?), ref: 004167A1
                                    • Part of subcall function 0041B38D: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041B3A5
                                    • Part of subcall function 0041B38D: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041B3B8
                                  • API ID: ProcessWindow$Open$TextThreadVisible
                                  • String ID: (FG
                                  • API String ID: 3142014140-2273637114
                                  APIs
                                  • _strpbrk.LIBCMT ref: 0044D4B8
                                  • _free.LIBCMT ref: 0044D5D5
                                    • Part of subcall function 0043A864: IsProcessorFeaturePresent.KERNEL32(00000017,0043A836,?,?,?,00414BBD,?,00000000,00000000,?,0043A856,00000000,00000000,00000000,00000000,00000000), ref: 0043A866
                                    • Part of subcall function 0043A864: GetCurrentProcess.KERNEL32(C0000417), ref: 0043A888
                                    • Part of subcall function 0043A864: TerminateProcess.KERNEL32(00000000), ref: 0043A88F
                                  • API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
                                  • String ID: *?$.
                                  • API String ID: 2812119850-3972193922
                                  APIs
                                  • GetKeyboardLayoutNameA.USER32(?), ref: 00409601
                                    • Part of subcall function 004041F1: socket.WS2_32(?,00000001,00000006), ref: 00404212
                                    • Part of subcall function 0040428C: connect.WS2_32(?,?,?), ref: 004042A5
                                    • Part of subcall function 0041B6BA: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,00409689,00473EE8,?,00473EE8,00000000,00473EE8,00000000), ref: 0041B6CF
                                    • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                  • API ID: CreateFileKeyboardLayoutNameconnectsendsocket
                                  • String ID: XCG$`AG$>G
                                  • API String ID: 2334542088-2372832151
                                  APIs
                                  • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\preliminary drawing.pif.exe,00000104), ref: 00442724
                                  • _free.LIBCMT ref: 004427EF
                                  • _free.LIBCMT ref: 004427F9
                                  • API ID: _free$FileModuleName
                                  • String ID: C:\Users\user\Desktop\preliminary drawing.pif.exe
                                  • API String ID: 2506810119-4192985679
                                  APIs
                                  • send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                  • WaitForSingleObject.KERNEL32(?,00000000,LAL,?,?,00000004,?,?,00000004,00473EE8,004745A8,00000000), ref: 0040450E
                                  • SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00473EE8,004745A8,00000000,?,?,?,?,?,00414CE9), ref: 0040453C
                                  • API ID: EventObjectSingleWaitsend
                                  • String ID: LAL
                                  • API String ID: 3963590051-3302426157
                                  APIs
                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00403A2A
                                    • Part of subcall function 0041AB48: GetCurrentProcessId.KERNEL32(00000000,75573530,00000000,?,?,?,?,00465900,0040C07B,.vbs,?,?,?,?,?,004742F8), ref: 0041AB6F
                                    • Part of subcall function 004176B6: CloseHandle.KERNEL32(00403AB9,?,?,00403AB9,00465324), ref: 004176CC
                                    • Part of subcall function 004176B6: CloseHandle.KERNEL32($SF,?,?,00403AB9,00465324), ref: 004176D5
                                    • Part of subcall function 0041B62A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B643
                                  • Sleep.KERNEL32(000000FA,00465324), ref: 00403AFC
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
                                  • String ID: /sort "Visit Time" /stext "$8>G
                                  • API String ID: 368326130-2663660666
                                  • Opcode ID: bb7906b63535f5b0bb0dc5ebb8b1e58d3af4c47a1bfc61be0735b752c80df92a
                                  • Instruction ID: 14a2de6876ab63adfaf4c6869ac5cc0218acab93288f76d9a5f97452818968e4
                                  • Opcode Fuzzy Hash: bb7906b63535f5b0bb0dc5ebb8b1e58d3af4c47a1bfc61be0735b752c80df92a
                                  • Instruction Fuzzy Hash: 36317331A0021556CB14FBB6DC969EE7775AF90318F40007FF906B71D2EF385A8ACA99
                                  APIs
                                  • CreateThread.KERNEL32(00000000,00000000,004099A9,?,00000000,00000000), ref: 0040992A
                                  • CreateThread.KERNEL32(00000000,00000000,Function_00009993,?,00000000,00000000), ref: 0040993A
                                  • CreateThread.KERNEL32(00000000,00000000,004099B5,?,00000000,00000000), ref: 00409946
                                    • Part of subcall function 0040A876: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040A884
                                    • Part of subcall function 0040A876: wsprintfW.USER32 ref: 0040A905
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CreateThread$LocalTimewsprintf
                                  • String ID: Offline Keylogger Started
                                  • API String ID: 465354869-4114347211
                                  • Opcode ID: 05877a722daf468141bef583add307defc7e71697eaf2c1a9a3a0591a9a20a7d
                                  • Instruction ID: 39d66220788a70d2f795ee3c864da876fba87127a7a6d83764b6ce8c19119ba3
                                  • Opcode Fuzzy Hash: 05877a722daf468141bef583add307defc7e71697eaf2c1a9a3a0591a9a20a7d
                                  • Instruction Fuzzy Hash: 8011A7B25003097ED220BA36DC87CBF765CDA813A8B40053EF845222D3EA785E54C6FB
                                  APIs
                                    • Part of subcall function 0040A876: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040A884
                                    • Part of subcall function 0040A876: wsprintfW.USER32 ref: 0040A905
                                    • Part of subcall function 0041A696: GetLocalTime.KERNEL32(00000000), ref: 0041A6B0
                                  • CreateThread.KERNEL32(00000000,00000000,Function_00009993,?,00000000,00000000), ref: 0040A691
                                  • CreateThread.KERNEL32(00000000,00000000,Function_000099B5,?,00000000,00000000), ref: 0040A69D
                                  • CreateThread.KERNEL32(00000000,00000000,004099C1,?,00000000,00000000), ref: 0040A6A9
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CreateThread$LocalTime$wsprintf
                                  • String ID: Online Keylogger Started
                                  • API String ID: 112202259-1258561607
                                  • Opcode ID: 8b934532d5ad90f3292272dc0992c10352544020ee2e11b7fc8575cf1005411d
                                  • Instruction ID: 11da804b7f4806bc819379157d14523832a74cbdaa40f75774c11a3885c9476d
                                  • Opcode Fuzzy Hash: 8b934532d5ad90f3292272dc0992c10352544020ee2e11b7fc8575cf1005411d
                                  • Instruction Fuzzy Hash: 8A01C4916003093AE62076368C8BDBF3A6DCA813A8F40043EF541362C3E97D5D5582FB
                                  APIs
                                  • CloseHandle.KERNEL32(00000000,00000000,`@,?,0044A9A1,`@,0046DD28,0000000C), ref: 0044AAD9
                                  • GetLastError.KERNEL32(?,0044A9A1,`@,0046DD28,0000000C), ref: 0044AAE3
                                  • __dosmaperr.LIBCMT ref: 0044AB0E
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CloseErrorHandleLast__dosmaperr
                                  • String ID: `@
                                  • API String ID: 2583163307-951712118
                                  • Opcode ID: e5cf9cf0863519c22c59f520a66439faf8bffb0939932f5db486048d3d382d3d
                                  • Instruction ID: 27d3a2ced18f85a81fd98b99658ced531467de2cab5132fdd739c317d4e1371d
                                  • Opcode Fuzzy Hash: e5cf9cf0863519c22c59f520a66439faf8bffb0939932f5db486048d3d382d3d
                                  • Instruction Fuzzy Hash: 56016F3664452016F7215274694977F774D8B42738F25036FF904972D2DD6D8CC5C19F
                                  APIs
                                  • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00404B26), ref: 00404B40
                                  • CloseHandle.KERNEL32(?,?,?,?,00404B26), ref: 00404B98
                                  • SetEvent.KERNEL32(?,?,?,?,00404B26), ref: 00404BA7
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CloseEventHandleObjectSingleWait
                                  • String ID: Connection Timeout
                                  • API String ID: 2055531096-499159329
                                  • Opcode ID: 96a4edac1a058f04c3ad407f14895f77ac6fb9ff937b43e6201c32ffecfaeaf2
                                  • Instruction ID: 87453c7fdf87cbb5f51522b6001dca4eac29197b42c1cd59420238f874304a49
                                  • Opcode Fuzzy Hash: 96a4edac1a058f04c3ad407f14895f77ac6fb9ff937b43e6201c32ffecfaeaf2
                                  • Instruction Fuzzy Hash: 5F01F5B1900B41AFD325BB3A9C4655ABBE0AB45315700053FF6D396BB1DA38E840CB5A
                                  APIs
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 0040CDC9
                                  • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040CE08
                                    • Part of subcall function 004347CD: _Yarn.LIBCPMT ref: 004347EC
                                    • Part of subcall function 004347CD: _Yarn.LIBCPMT ref: 00434810
                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 0040CE2C
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
                                  • String ID: bad locale name
                                  • API String ID: 3628047217-1405518554
                                  • Opcode ID: d75f37e1b89ee78a4a0f808b0b17b1e5c3b7b9634f49529d216c4b18a17b3ee6
                                  • Instruction ID: 10a02b8eb17e148bebaf39200f5874f6183f8458c9cdff10c330f193d408b506
                                  • Opcode Fuzzy Hash: d75f37e1b89ee78a4a0f808b0b17b1e5c3b7b9634f49529d216c4b18a17b3ee6
                                  • Instruction Fuzzy Hash: 3FF0A471400204EAC324FB23D853ACA73649F54748F90497FB446214D2FF3CB618CA8C
                                  APIs
                                  • ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 004151F4
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ExecuteShell
                                  • String ID: /C $cmd.exe$open
                                  • API String ID: 587946157-3896048727
                                  • Opcode ID: 48c4e9bf8b9074f27646adf5b30bc281ede9c2cdd6c59f38ee373b2102eacdae
                                  • Instruction ID: 3ae8c2b06d9b1922b9065f49b1512f2a4b1b87a12dccb2265ed1bd098505db2c
                                  • Opcode Fuzzy Hash: 48c4e9bf8b9074f27646adf5b30bc281ede9c2cdd6c59f38ee373b2102eacdae
                                  • Instruction Fuzzy Hash: D8E030701043006AC708FB61DC95C7F77AC9A80708F10083EB542A21E2EF3CA949C65E
                                  APIs
                                  • TerminateThread.KERNEL32(004099A9,00000000,004742F8,pth_unenc,0040BF26,004742E0,004742F8,?,pth_unenc), ref: 0040AFC9
                                  • UnhookWindowsHookEx.USER32(004740F8), ref: 0040AFD5
                                  • TerminateThread.KERNEL32(00409993,00000000,?,pth_unenc), ref: 0040AFE3
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: TerminateThread$HookUnhookWindows
                                  • String ID: pth_unenc
                                  • API String ID: 3123878439-4028850238
                                  • Opcode ID: 46dff24612c1799e978f47a7720dcdfa0824c6f48cf00f8dbc5bb460590095c7
                                  • Instruction ID: c35477c7b81069fed5c639b3d306817a7c517f63bcb5e1090982200d4e51bed9
                                  • Opcode Fuzzy Hash: 46dff24612c1799e978f47a7720dcdfa0824c6f48cf00f8dbc5bb460590095c7
                                  • Instruction Fuzzy Hash: 32E01DB1209317DFD3101F546C84825B799EB44356324047FF6C155252C5798C54C759
                                  APIs
                                  • LoadLibraryA.KERNEL32(User32.dll,GetLastInputInfo), ref: 004014DF
                                  • GetProcAddress.KERNEL32(00000000), ref: 004014E6
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AddressLibraryLoadProc
                                  • String ID: GetLastInputInfo$User32.dll
                                  • API String ID: 2574300362-1519888992
                                  • Opcode ID: ef27dd233418dd298473fac05053b6d64ebabf300391abad082175f6434fde43
                                  • Instruction ID: d4d82ae3f827bcfb7cdfeca7c6c066ea5703a418acbc3ecfb38afa42acb71bdc
                                  • Opcode Fuzzy Hash: ef27dd233418dd298473fac05053b6d64ebabf300391abad082175f6434fde43
                                  • Instruction Fuzzy Hash: 6CB092B85843449BC7212BF1BC0DA293AA8FA48B43720447AF406C21A1EB7881809F6F
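The function blocks above all follow one fixed layout: an `APIs` list of `Name.MODULE(args), ref: ADDR` lines (sub-calls prefixed with `Part of subcall function ADDR:`), a `String ID` field whose items are joined with `$`, and an `Instruction Fuzzy Hash` line that closes the block. Reading dozens of these by eye is slow, so here is an added example, not part of the Joe Sandbox report, that parses that layout and tags each block with the behaviour its calls imply (dynamic API resolution via LoadLibraryA+GetProcAddress, the GetLastInputInfo idle check, the keylogger thread start-up, cmd.exe via ShellExecuteW, and the four SM_*VIRTUALSCREEN metrics 0x4C..0x4F that precede a screen capture). The sample input is an excerpt of blocks copied from this page; the rule names and the dataclasses are my own.

```python
"""Added example, not part of the Joe Sandbox report: a parser for the
per-function blocks on this page ('APIs' call lines, 'String ID' lists,
one block ending at each 'Instruction Fuzzy Hash' line) and triage rules
that tag a block by what its calls and strings imply. Rule names are mine."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

# "• send.WS2_32(?,00000000), ref: 004044FD"
# "• Part of subcall function 0041AB48: GetCurrentProcessId.KERNEL32(...), ref: 0041AB6F"
# "• __dosmaperr.LIBCMT ref: 0044AB0E"          (no argument list)
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<name>[\w@:]+?)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?(?:,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8}))?$")
STRING_ID_RE = re.compile(r"^•\s*String ID:\s*(?P<s>.*)$")   # items joined by '$'
XREF_RE = re.compile(r"^•\s*(?P<s>.+?), xrefs: [0-9A-Fa-f]{8}$")

@dataclass
class ApiCall:
    name: str
    module: str
    args: list[str]
    ref: str
    subcall_of: str | None = None   # callee address when listed as a sub-call

@dataclass
class FunctionBlock:
    apis: list[ApiCall] = field(default_factory=list)
    strings: list[str] = field(default_factory=list)
    opcode_id: str = ""

    def names(self) -> set[str]:
        return {a.name for a in self.apis}

    def has_string(self, needle: str) -> bool:
        # Strings appear both under 'String ID' and inline as call arguments.
        return any(needle in s for s in self.strings) or \
               any(needle in a for c in self.apis for a in c.args)

def parse_blocks(text: str) -> list[FunctionBlock]:
    blocks, cur = [], FunctionBlock()
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("• Opcode ID:"):
            cur.opcode_id = line.split(":", 1)[1].strip()
        elif line.startswith("• Instruction Fuzzy Hash:"):   # last line of a block
            blocks.append(cur)
            cur = FunctionBlock()
        elif (m := STRING_ID_RE.match(line)):
            cur.strings += [s for s in m["s"].split("$") if s]
        elif (m := XREF_RE.match(line)):
            cur.strings.append(m["s"])
        elif (m := API_RE.match(line)):
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            cur.apis.append(ApiCall(m["name"], m["module"], args, m["ref"] or "", m["sub"]))
    if cur.apis or cur.strings or cur.opcode_id:   # block cut off before its hash line
        blocks.append(cur)
    return blocks

SM_VIRTUALSCREEN = {"0000004C", "0000004D", "0000004E", "0000004F"}  # SM_X/Y/CX/CYVIRTUALSCREEN

def tag_function(f: FunctionBlock) -> list[str]:
    """Behaviour tags derived only from one block's calls and strings."""
    n, tags = f.names(), []
    if n & {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExW"} and "GetProcAddress" in n:
        tags.append("dynamic-api-resolution")
    if f.has_string("GetLastInputInfo"):          # time since last user input
        tags.append("user-idle-check")
    if "CreateThread" in n and f.has_string("Keylogger Started"):
        tags.append("keylogger-start")
    if {"TerminateThread", "UnhookWindowsHookEx"} <= n:
        tags.append("keylogger-stop")
    if n & {"ShellExecuteW", "ShellExecuteA"} and f.has_string("cmd.exe"):
        tags.append("shell-command-exec")
    if SM_VIRTUALSCREEN <= {a.args[0] for a in f.apis if a.name == "GetSystemMetrics" and a.args}:
        tags.append("virtual-screen-geometry")    # screen-capture set-up
    if {"CreateFileW", "WriteFile"} <= n and f.has_string("Wscript.ScriptFullName"):
        tags.append("self-delete-script")
    if {"RegOpenKeyExA", "RegQueryValueExA"} <= n and f.has_string("exepath"):
        tags.append("registry-config-read")
    if f.has_string("Cleared browsers logins"):
        tags.append("browser-credential-wipe")
    return tags

def triage(text: str) -> list[tuple[str, list[str]]]:
    """(opcode id prefix, tags) for every block that received at least one tag."""
    return [(b.opcode_id[:8], t) for b in parse_blocks(text) if (t := tag_function(b))]

# Constructed input: an excerpt of four function blocks copied from this page.
REPORT_EXCERPT = """\
APIs
• LoadLibraryA.KERNEL32(User32.dll,GetLastInputInfo), ref: 004014DF
• GetProcAddress.KERNEL32(00000000), ref: 004014E6
• String ID: GetLastInputInfo$User32.dll
• Opcode ID: ef27dd233418dd298473fac05053b6d64ebabf300391abad082175f6434fde43
• Instruction Fuzzy Hash: 6CB092B85843449BC7212BF1BC0DA293AA8FA48B43720447AF406C21A1EB7881809F6F
APIs
• ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 004151F4
• String ID: /C $cmd.exe$open
• Opcode ID: 48c4e9bf8b9074f27646adf5b30bc281ede9c2cdd6c59f38ee373b2102eacdae
• Instruction Fuzzy Hash: D8E030701043006AC708FB61DC95C7F77AC9A80708F10083EB542A21E2EF3CA949C65E
APIs
• CreateThread.KERNEL32(00000000,00000000,004099A9,?,00000000,00000000), ref: 0040992A
  • Part of subcall function 0040A876: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040A884
• String ID: Offline Keylogger Started
• Opcode ID: 05877a722daf468141bef583add307defc7e71697eaf2c1a9a3a0591a9a20a7d
• Instruction Fuzzy Hash: 8011A7B25003097ED220BA36DC87CBF765CDA813A8B40053EF845222D3EA785E54C6FB
APIs
• GetSystemMetrics.USER32(0000004C), ref: 00418529
• GetSystemMetrics.USER32(0000004D), ref: 0041852F
• GetSystemMetrics.USER32(0000004E), ref: 00418535
• GetSystemMetrics.USER32(0000004F), ref: 0041853B
• String ID:
• Opcode ID: a3bedc3d93ee6e0b45313aeec5082688588fe46082e633aeec829f05b9632c7f
"""

if __name__ == "__main__":
    for opcode, tags in triage(REPORT_EXCERPT):
        print(opcode, ", ".join(tags))
```

Paste the whole "Execution Graph" section of a report into `triage()` to get one line per function worth opening in the disassembler; blocks that only wrap CRT internals (the `_Lockit`, `__dosmaperr`, `LoadLibraryExW` retry blocks above) receive no tag and drop out. The last block in the excerpt has no hash line, mirroring the page, which is cut off in the same way, so the parser flushes an unterminated block at end of input.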
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: __alldvrm$_strrchr
                                  • String ID:
                                  • API String ID: 1036877536-0
                                  • Opcode ID: 04a0325834f843994ade633b459a1d3cb356a39676a395bc181b674f0ba6452b
                                  • Instruction ID: 44e25d054e292963cfc005d68317528f4d38ac36d82b99eb29904231438c363e
                                  • Opcode Fuzzy Hash: 04a0325834f843994ade633b459a1d3cb356a39676a395bc181b674f0ba6452b
                                  • Instruction Fuzzy Hash: C5A14671A042469FFB218F58C8817AFBBA1EF25354F28416FE5859B382CA3C8D45C759
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: _free
                                  • String ID:
                                  • API String ID: 269201875-0
                                  • Opcode ID: 65ff1149e5400faf749e77ee0a373f8307c7a4f77e118ae33a4d82d27c9b20c0
                                  • Instruction ID: 20fe87377ae66d6b83c96c89e5a9e0461ad99f2e5d6db859ec29947640f8945c
                                  • Opcode Fuzzy Hash: 65ff1149e5400faf749e77ee0a373f8307c7a4f77e118ae33a4d82d27c9b20c0
                                  • Instruction Fuzzy Hash: CB412D31A00E005BEF24AAB94CD567F37A4EF05775F18031FFC1496293D67C8C05869A
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: d8b583558f75d554b20f0fedcbaebc1f151a0833ef22d7844c2f17114d5a19f4
                                  • Instruction ID: 06af4f468b8ce8c690b0d071e5f1d97fd8a921e774867ed9179d92c0916ed768
                                  • Opcode Fuzzy Hash: d8b583558f75d554b20f0fedcbaebc1f151a0833ef22d7844c2f17114d5a19f4
                                  • Instruction Fuzzy Hash: 3A412971A00744AFE724AF79CC41BAABBE8EB88714F10452FF511DB291E779A9818784
                                  APIs
                                  Strings
                                  • [Cleared browsers logins and cookies.], xrefs: 0040B8DE
                                  • Cleared browsers logins and cookies., xrefs: 0040B8EF
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Sleep
                                  • String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
                                  • API String ID: 3472027048-1236744412
                                  • Opcode ID: c560560ec7d4d1dc68260b17dc6ebfb42e9a5e0b1871810b26060d25c010d2d5
                                  • Instruction ID: 79c0b3a62e4074401f8092341c6d65849921352ddae30cadc40705057ad9e0e2
                                  • Opcode Fuzzy Hash: c560560ec7d4d1dc68260b17dc6ebfb42e9a5e0b1871810b26060d25c010d2d5
                                  • Instruction Fuzzy Hash: FC31891564C3816ACA11777514167EB6F958A93754F0884BFF8C42B3E3DB7A480893EF
                                  APIs
                                    • Part of subcall function 0041265D: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,004742F8), ref: 00412679
                                    • Part of subcall function 0041265D: RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 00412692
                                    • Part of subcall function 0041265D: RegCloseKey.KERNEL32(00000000), ref: 0041269D
                                  • Sleep.KERNEL32(00000BB8), ref: 004115C3
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CloseOpenQuerySleepValue
                                  • String ID: @CG$exepath$BG
                                  • API String ID: 4119054056-3221201242
                                  • Opcode ID: da9c82b859fadff46026edc260230fa4890c9be1e72736e6911473bc79de2098
                                  • Instruction ID: 3bb97b322c4281cea59bb4e220ac43bd532ded5f68553a77fc2ada00b9ce30da
                                  • Opcode Fuzzy Hash: da9c82b859fadff46026edc260230fa4890c9be1e72736e6911473bc79de2098
                                  • Instruction Fuzzy Hash: EC21F4A0B002042BD614B77A6C06ABF724E8BD1308F00457FBD4AA72D3DF7D9D4581AD
                                  APIs
                                    • Part of subcall function 0041B6F6: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041B706
                                    • Part of subcall function 0041B6F6: GetWindowTextLengthW.USER32(00000000), ref: 0041B70F
                                    • Part of subcall function 0041B6F6: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0041B739
                                  • Sleep.KERNEL32(000001F4), ref: 00409C95
                                  • Sleep.KERNEL32(00000064), ref: 00409D1F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Window$SleepText$ForegroundLength
                                  • String ID: [ $ ]
                                  • API String ID: 3309952895-93608704
                                  • Opcode ID: 94898d049807b5b7b9a9a00ee9d94e571809afb3060b307ff591eca3c25171bd
                                  • Instruction ID: 884b77faaa60fb736012887943be30d2742787962025037229812ea18f618e82
                                  • Opcode Fuzzy Hash: 94898d049807b5b7b9a9a00ee9d94e571809afb3060b307ff591eca3c25171bd
                                  • Instruction Fuzzy Hash: 2E119F325042005BD218BB26DD17AAEB7A8AF50708F40047FF542221D3EF39AE1986DF
                                  APIs
                                  • CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00465900,00000000,00000000,0040C267,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041B5DE
                                  • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0041B5FB
                                  • WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0041B60F
                                  • CloseHandle.KERNEL32(00000000), ref: 0041B61C
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: File$CloseCreateHandlePointerWrite
                                  • String ID:
                                  • API String ID: 3604237281-0
                                  • Opcode ID: cba3a97e1e2bda49592f8a8e1d6d35a5d6160c6c563f13c2ae5fe5c742252b28
                                  • Instruction ID: 3b94612a358327762e597db0d4245ee78264fa841ead315e3e24d1cb8b3ec7b7
                                  • Opcode Fuzzy Hash: cba3a97e1e2bda49592f8a8e1d6d35a5d6160c6c563f13c2ae5fe5c742252b28
                                  • Instruction Fuzzy Hash: 3F01F5712082147FE6104F28AC89EBB739DEB96379F14063AF952C22C0D765CC8596BE
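The `String ID` fields and call arguments in the blocks above give a compact set of Remcos indicators: the keylogger banners, the browser-wipe message, `Connection Timeout`, the `exepath` and `pth_unenc` configuration names, the NirSoft-style `/sort "Visit Time" /stext` argument, and the `fso.DeleteFile(Wscript.ScriptFullName)` line written into the self-deleting VBS. The following added example, not part of the report, turns them into a memory-dump scan in the style of a YARA `ascii wide` rule. It checks both ASCII and UTF-16LE because this binary mixes narrow and wide APIs (RegOpenKeyExA next to wsprintfW and GetModuleFileNameW), so a string may be stored either way. The dump it scans is constructed inline with the indicators placed at known offsets; the 0x400000 base matches the `Offset: 00400000` of the memory dump source listed above. The indicator names and the hit threshold are my own choices.

```python
"""Added example, not from the Joe Sandbox report: a YARA-style 'ascii wide'
scan for the Remcos indicator strings shown in this page's String ID fields
and call arguments, run over an in-memory dump with a known load base."""
import re

# Indicator strings taken from the function blocks on this page.
INDICATORS = {
    "keylog_offline": "Offline Keylogger Started",
    "keylog_online":  "Online Keylogger Started",
    "browser_wipe":   "Cleared browsers logins and cookies.",
    "conn_timeout":   "Connection Timeout",
    "cfg_exepath":    "exepath",
    "cfg_pth_unenc":  "pth_unenc",
    "self_delete":    "fso.DeleteFile(Wscript.ScriptFullName)",
    "nirsoft_args":   '/sort "Visit Time" /stext',
}
MIN_HITS = 3   # my threshold: distinct indicators needed before the rule fires

def build_patterns(indicators=INDICATORS):
    """One compiled byte pattern per (indicator, encoding), like YARA 'ascii wide'."""
    pats = {}
    for name, s in indicators.items():
        pats[(name, "ascii")] = re.compile(re.escape(s.encode("ascii")))
        pats[(name, "wide")] = re.compile(re.escape(s.encode("utf-16-le")))
    return pats

def scan(buf: bytes, base: int = 0, indicators=INDICATORS) -> dict:
    """Return {indicator: [(virtual_address, encoding), ...]} for every hit."""
    hits = {}
    for (name, enc), pat in build_patterns(indicators).items():
        for m in pat.finditer(buf):
            hits.setdefault(name, []).append((base + m.start(), enc))
    return hits

def verdict(hits: dict, min_hits: int = MIN_HITS):
    """Rule name when enough distinct indicators were seen, else None."""
    return "remcos_strings" if len(hits) >= min_hits else None

def constructed_dump() -> bytes:
    """Constructed sample, not a real dump: three indicators at fixed offsets,
    one of them stored as UTF-16LE, the rest zero-filled."""
    buf = bytearray(0x100)
    a = b"Offline Keylogger Started"
    buf[0x10:0x10 + len(a)] = a
    w = "Connection Timeout".encode("utf-16-le")
    buf[0x60:0x60 + len(w)] = w
    s = b"fso.DeleteFile(Wscript.ScriptFullName)"
    buf[0xC0:0xC0 + len(s)] = s
    return bytes(buf)

if __name__ == "__main__":
    found = scan(constructed_dump(), base=0x400000)
    for name, where in sorted(found.items()):
        for addr, enc in where:
            print(f"{name:16s} {enc:5s} at 0x{addr:08X}")
    print("verdict:", verdict(found))
```

On a real run, feed the `.sdmp` region from the report (or a process dump taken with your own tooling) into `scan()` with the region's base; the returned addresses are what you would then look up in the disassembly to confirm which function references each string. Raising `MIN_HITS` reduces false positives from a single coincidental `exepath` match in unrelated software.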
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 18f7b12d8fbd203e6fe2bd4c4423912ade4cd6e2ab417617722edd39325a2eb9
                                  • Instruction ID: dab0b0a7df633c5b48e856b81aae527c8b914588f9bdc990e5f583acd93a84b2
                                  • Opcode Fuzzy Hash: 18f7b12d8fbd203e6fe2bd4c4423912ade4cd6e2ab417617722edd39325a2eb9
                                  • Instruction Fuzzy Hash: 5701F2F2A097163EF62116792CC0F6B670DDF413B9B31073BB921622E1EAE8CC42506C
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 8aedf970bdaeb9d9c72bc659829c2e19759f544123fe9e87a80c2ba2346fca48
                                  • Instruction ID: 297bbf4b6e7cb62aad9c1df2c980cfc74e2a715ef03096c7e716b38b90e38ed5
                                  • Opcode Fuzzy Hash: 8aedf970bdaeb9d9c72bc659829c2e19759f544123fe9e87a80c2ba2346fca48
                                  • Instruction Fuzzy Hash: 5401D1F2A096167EB7201A7A7DC0D67624EDF823B9371033BF421612D5EAA88C408179
                                  APIs
                                  • ___BuildCatchObject.LIBVCRUNTIME ref: 0043811F
                                    • Part of subcall function 0043806C: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 0043809B
                                    • Part of subcall function 0043806C: ___AdjustPointer.LIBCMT ref: 004380B6
                                  • _UnwindNestedFrames.LIBCMT ref: 00438134
                                  • __FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00438145
                                  • CallCatchBlock.LIBVCRUNTIME ref: 0043816D
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
                                  • String ID:
                                  • API String ID: 737400349-0
                                  • Opcode ID: c8370f5f766c88f9b882548d03e746073a9763e8d7037f7b78bb80a5d64990c6
                                  • Instruction ID: b756294ed3ea81ca49fa364012696409ae819ba0eb544c37e892c8a1feda9a6f
                                  • Opcode Fuzzy Hash: c8370f5f766c88f9b882548d03e746073a9763e8d7037f7b78bb80a5d64990c6
                                  • Instruction Fuzzy Hash: D7012D72100208BBDF126E96CC45DEB7B69EF4C758F04501DFE4866121C73AE862DBA4
                                  APIs
                                  • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00414BBD,00000000,00000000,?,004471C7,00414BBD,00000000,00000000,00000000,?,004474F3,00000006,FlsSetValue), ref: 00447252
                                  • GetLastError.KERNEL32(?,004471C7,00414BBD,00000000,00000000,00000000,?,004474F3,00000006,FlsSetValue,0045D328,FlsSetValue,00000000,00000364,?,00446FA1), ref: 0044725E
                                  • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,004471C7,00414BBD,00000000,00000000,00000000,?,004474F3,00000006,FlsSetValue,0045D328,FlsSetValue,00000000), ref: 0044726C
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: LibraryLoad$ErrorLast
                                  • String ID:
                                  • API String ID: 3177248105-0
                                  • Opcode ID: ae052748fea16bfd64aed14cfe47709c8c773e0353203442da9e9610ebb1fa47
                                  • Instruction ID: b3fe555fe56df17639c4036f58dc3a809bdc468a9df6621700516029eed46faf
                                  • Opcode Fuzzy Hash: ae052748fea16bfd64aed14cfe47709c8c773e0353203442da9e9610ebb1fa47
                                  • Instruction Fuzzy Hash: 0D01D432649323ABD7214B79BC44A5737D8BB05BA2B2506B1F906E3241D768D802CAE8
                                  APIs
                                  • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B643
                                  • GetFileSize.KERNEL32(00000000,00000000), ref: 0041B657
                                  • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0041B67C
                                  • CloseHandle.KERNEL32(00000000), ref: 0041B68A
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: File$CloseCreateHandleReadSize
                                  • String ID:
                                  • API String ID: 3919263394-0
                                  • Opcode ID: e3fa97375f397a9adf851a325cc2d4fe92c4ff8b8f1d8781d8034c29ac5bd751
                                  • Instruction ID: 3f34627ebf18732c46889562bde790f52735f321db32931f0b6625c87776b378
                                  • Opcode Fuzzy Hash: e3fa97375f397a9adf851a325cc2d4fe92c4ff8b8f1d8781d8034c29ac5bd751
                                  • Instruction Fuzzy Hash: 81F0F6B12053047FE6101B21BC85FBF375CDB967A5F00027EFC01A22D1DA658C4591BA
                                  APIs
                                  • GetSystemMetrics.USER32(0000004C), ref: 00418529
                                  • GetSystemMetrics.USER32(0000004D), ref: 0041852F
                                  • GetSystemMetrics.USER32(0000004E), ref: 00418535
                                  • GetSystemMetrics.USER32(0000004F), ref: 0041853B
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: MetricsSystem
                                  • String ID:
                                  • API String ID: 4116985748-0
                                  • Opcode ID: a3bedc3d93ee6e0b45313aeec5082688588fe46082e633aeec829f05b9632c7f
                                  • Instruction ID: f480d68fafb364c29fc67a5f666d93eee18e0abee54110dfc95006384cbaadd6
                                  • Opcode Fuzzy Hash: a3bedc3d93ee6e0b45313aeec5082688588fe46082e633aeec829f05b9632c7f
                                  • Instruction Fuzzy Hash: 72F0D672B043256BCA00EA7A4C4156FAB97DFC46A4F25083FE6059B341DE78EC4647D9
                                  APIs
                                  • OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041B3A5
                                  • OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041B3B8
                                  • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041B3E3
                                  • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041B3EB
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CloseHandleOpenProcess
                                  • String ID:
                                  • API String ID: 39102293-0
                                  • Opcode ID: ce5486b1f796499b88157f01d5bcfd41214e425df4fcbc0a0cf489e7c63b94f0
                                  • Instruction ID: d8943217945b3e3bc9c1dbf33fc4ac7f726da2cd485b5cd5dbfa96192dfeb6c9
                                  • Opcode Fuzzy Hash: ce5486b1f796499b88157f01d5bcfd41214e425df4fcbc0a0cf489e7c63b94f0
                                  • Instruction Fuzzy Hash: 67F04971204209ABD3026794AC4AFEBB26CDF44B96F000037FA11D22A2FF74CCC146A9
                                  APIs
                                  • __startOneArgErrorHandling.LIBCMT ref: 00441F7D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ErrorHandling__start
                                  • String ID: pow
                                  • API String ID: 3213639722-2276729525
                                  • Opcode ID: c11d7b0c0eb8e10153fe90c38a808d625a788e1790705f3c08302100bb714254
                                  • Instruction ID: b0758be5652a64c1ac5d647a76b92dde9bac1040a8da8be5e5c84d6172790ea5
                                  • Opcode Fuzzy Hash: c11d7b0c0eb8e10153fe90c38a808d625a788e1790705f3c08302100bb714254
                                  • Instruction Fuzzy Hash: E6515A61A0A20296F7117B14C98136F6B949B50741F288D6BF085823F9EF3DCCDB9A4E
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: _memcmp
                                  • String ID: 4[G$4[G
                                  • API String ID: 2931989736-4028565467
                                  • Opcode ID: 499d9a999da2a443c979618ec85ef4d06b5b2aab7498d5870cc08a11d2f7c627
                                  • Instruction ID: 33b36a833443cc607bae0a2c4f054eab59dd7b99d1d8389eb50a0704093c1055
                                  • Opcode Fuzzy Hash: 499d9a999da2a443c979618ec85ef4d06b5b2aab7498d5870cc08a11d2f7c627
                                  • Instruction Fuzzy Hash: E56110716047069AC714DF28D8406B3B7A8FF98304F44063EEC5D8F656E778AA25CBAD
                                  APIs
                                  • GetCPInfo.KERNEL32(?,?,00000005,?,00000000), ref: 0044DB69
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Info
                                  • String ID: $vD
                                  • API String ID: 1807457897-3636070802
                                  • Opcode ID: 5a1be195421d57dadb90a7404d285975d7b8ac1b4122976fa75ce4288470c48d
                                  • Instruction ID: 639e137743dbd1cdb094e6b6e994140176401b7572b89e22c1ac552797110b95
                                  • Opcode Fuzzy Hash: 5a1be195421d57dadb90a7404d285975d7b8ac1b4122976fa75ce4288470c48d
                                  • Instruction Fuzzy Hash: 6A411C709043889AEF218F24CCC4AF6BBF9DF45308F1404EEE58A87242D279AA45DF65
                                  APIs
                                  • GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,00450B49,?,00000050,?,?,?,?,?), ref: 004509C9
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: ACP$OCP
                                  • API String ID: 0-711371036
                                  • Opcode ID: c357b999de04d1742fe2857fcf8a245ff63c46433d95171d83c673f3fe2cd13c
                                  • Instruction ID: 0ee4350655218b6c75cd3052c0190142cf4d5733969cac988e1a0851f3347a37
                                  • Opcode Fuzzy Hash: c357b999de04d1742fe2857fcf8a245ff63c46433d95171d83c673f3fe2cd13c
                                  • Instruction Fuzzy Hash: 832148EBA00100A6F7308F55C801B9773AAAB90B23F564426EC49D730BF73ADE08C358
                                  APIs
                                  • GetLocalTime.KERNEL32(?,00473EE8,004745A8,?,?,?,?,?,?,?,00414D7D,?,00000001,0000004C,00000000), ref: 004049F1
                                    • Part of subcall function 0041A696: GetLocalTime.KERNEL32(00000000), ref: 0041A6B0
                                  • GetLocalTime.KERNEL32(?,00473EE8,004745A8,?,?,?,?,?,?,?,00414D7D,?,00000001,0000004C,00000000), ref: 00404A4E
                                  Strings
                                  • KeepAlive | Enabled | Timeout: , xrefs: 004049E5
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: LocalTime
                                  • String ID: KeepAlive | Enabled | Timeout:
                                  • API String ID: 481472006-1507639952
                                  • Opcode ID: 4f6b1efb12a248594bccd04848032ccab0071e62ae302411cc77295897f1e6c7
                                  • Instruction ID: 8fc2066b5dd234cef981570443e677007340a491061b3c72667858eadfbc0999
                                  • Opcode Fuzzy Hash: 4f6b1efb12a248594bccd04848032ccab0071e62ae302411cc77295897f1e6c7
                                  • Instruction Fuzzy Hash: EF2129A1A042806BC310FB6A980676B7B9457D1315F48417EF948532E2EB3C5999CB9F
                                  APIs
                                  • GetLocalTime.KERNEL32(00000000), ref: 0041A6B0
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: LocalTime
                                  • String ID: | $%02i:%02i:%02i:%03i
                                  • API String ID: 481472006-2430845779
                                  • Opcode ID: 1a1c1d99914311ed49dc3e5caaf331b21a8f994fd2e0132385b0d15101f6b3b4
                                  • Instruction ID: f196d4ed1927782274832919bda13c77b2b6189c6c06a517aeeeb96a95a688aa
                                  • Opcode Fuzzy Hash: 1a1c1d99914311ed49dc3e5caaf331b21a8f994fd2e0132385b0d15101f6b3b4
                                  • Instruction Fuzzy Hash: 81114C725082045AC704EBA5D8568AF73E8EB94708F10053FFC85931E1EF38DA84C69E
                                  APIs
                                    • Part of subcall function 0040A876: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040A884
                                    • Part of subcall function 0040A876: wsprintfW.USER32 ref: 0040A905
                                    • Part of subcall function 0041A696: GetLocalTime.KERNEL32(00000000), ref: 0041A6B0
                                  • CloseHandle.KERNEL32(?), ref: 0040A7CA
                                  • UnhookWindowsHookEx.USER32 ref: 0040A7DD
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
                                  • String ID: Online Keylogger Stopped
                                  • API String ID: 1623830855-1496645233
                                  • Opcode ID: 210eaf94d2c8d867fdf64f7f37305f3cc6df1b38461a5d576770527f398436e8
                                  • Instruction ID: 9ca866747e1af720c58b6b078daeda0145c7b5fd7bd766bf2ea1503866da158c
                                  • Opcode Fuzzy Hash: 210eaf94d2c8d867fdf64f7f37305f3cc6df1b38461a5d576770527f398436e8
                                  • Instruction Fuzzy Hash: 8101D431A043019BDB25BB35C80B7AEBBB19B45315F40407FE481275D2EB7999A6C3DB
                                  APIs
                                  • waveInPrepareHeader.WINMM(?,00000020,?,?,00000000,00475B90,00473EE8,?,00000000,00401913), ref: 00401747
                                  • waveInAddBuffer.WINMM(?,00000020,?,00000000,00401913), ref: 0040175D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: wave$BufferHeaderPrepare
                                  • String ID: T=G
                                  • API String ID: 2315374483-379896819
                                  • Opcode ID: b5a1dd24f47cf6807038c428b2f4b185eaaf619d090bdcfa74a6be548d705e4e
                                  • Instruction ID: f8644d152c35c587af506687758c025c54344a6e575747702fe1289d7b8da532
                                  • Opcode Fuzzy Hash: b5a1dd24f47cf6807038c428b2f4b185eaaf619d090bdcfa74a6be548d705e4e
                                  • Instruction Fuzzy Hash: 65018B71301300AFD7209F39EC45A69BBA9EB4931AF01413EB808D32B1EB34A8509B98
                                  APIs
                                  • IsValidLocale.KERNEL32(00000000,z=D,00000000,00000001,?,?,00443D7A,?,?,?,?,00000004), ref: 004477EC
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: LocaleValid
                                  • String ID: IsValidLocaleName$z=D
                                  • API String ID: 1901932003-2791046955
                                  • Opcode ID: 34048a5779238571e042b1bd9c847fb843bb8be3ea41a6d98ed8d0d1ded4c140
                                  • Instruction ID: b87742f2873dd73c0a7d5aade023b210d3410e3306d67f57874115e62e910f2b
                                  • Opcode Fuzzy Hash: 34048a5779238571e042b1bd9c847fb843bb8be3ea41a6d98ed8d0d1ded4c140
                                  • Instruction Fuzzy Hash: 72F0E930A45318F7DA106B659C06F5E7B54CF05711F50807BFD046A283CE796D0285DC
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: H_prolog
                                  • String ID: T=G$T=G
                                  • API String ID: 3519838083-3732185208
                                  • Opcode ID: 982f7bd813af9d9c889e4a2d4ec4ec1ff60f17d6450c8448ea392ea3d49e0b1a
                                  • Instruction ID: f0e76400c825ed045590d0aed9209fb7c3a86c2d0af9b05bbbbea7315d156e8c
                                  • Opcode Fuzzy Hash: 982f7bd813af9d9c889e4a2d4ec4ec1ff60f17d6450c8448ea392ea3d49e0b1a
                                  • Instruction Fuzzy Hash: 77F0E971A00221ABC714BB65C80569EB774EF4136DF10827FB416B72E1CBBD5D04D65D
                                  APIs
                                  • GetKeyState.USER32(00000011), ref: 0040AD5B
                                    • Part of subcall function 00409B10: GetForegroundWindow.USER32 ref: 00409B3F
                                    • Part of subcall function 00409B10: GetWindowThreadProcessId.USER32(00000000,?), ref: 00409B4B
                                    • Part of subcall function 00409B10: GetKeyboardLayout.USER32(00000000), ref: 00409B52
                                    • Part of subcall function 00409B10: GetKeyState.USER32(00000010), ref: 00409B5C
                                    • Part of subcall function 00409B10: GetKeyboardState.USER32(?), ref: 00409B67
                                    • Part of subcall function 00409B10: ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 00409B8A
                                    • Part of subcall function 00409B10: ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 00409BE3
                                    • Part of subcall function 00409D58: SetEvent.KERNEL32(?,?,00000000,0040A91C,00000000), ref: 00409D84
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: State$KeyboardUnicodeWindow$EventForegroundLayoutProcessThread
                                  • String ID: [AltL]$[AltR]
                                  • API String ID: 2738857842-2658077756
                                  • Opcode ID: 4e5e1223f7f845a1eab5c2f051b9cc675264121dd46054d4836379e51054800e
                                  • Instruction ID: d2c0c429c9fe13b3c6c970781ecfc4970ab7400740a1dec538c1fc9fef0a0b20
                                  • Opcode Fuzzy Hash: 4e5e1223f7f845a1eab5c2f051b9cc675264121dd46054d4836379e51054800e
                                  • Instruction Fuzzy Hash: 47E0652134072117C898323EA91E6EE3A228F82B65B80416FF8866BAD6DD6D4D5053CB
                                  APIs
                                  • _free.LIBCMT ref: 00448835
                                    • Part of subcall function 00446AD5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FA60,?,00000000,?,00000000,?,0044FD04,?,00000007,?,?,00450215,?), ref: 00446AEB
                                    • Part of subcall function 00446AD5: GetLastError.KERNEL32(?,?,0044FA60,?,00000000,?,00000000,?,0044FD04,?,00000007,?,?,00450215,?,?), ref: 00446AFD
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ErrorFreeHeapLast_free
                                  • String ID: `@$`@
                                  • API String ID: 1353095263-20545824
                                  • Opcode ID: 9a963da6b0d453c70d37714207bd95daf40472698ea915a46c6a843fe12f4396
                                  • Instruction ID: fd413ccac38a9f67c3de8d393d9e933a11814297f80871467d1a397382efd299
                                  • Opcode Fuzzy Hash: 9a963da6b0d453c70d37714207bd95daf40472698ea915a46c6a843fe12f4396
                                  • Instruction Fuzzy Hash: 4DE06D371006059F8720DE6DD400A86B7E5EF95720720852AE89DE3710D731E812CB40
                                  APIs
                                  • GetKeyState.USER32(00000012), ref: 0040ADB5
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: State
                                  • String ID: [CtrlL]$[CtrlR]
                                  • API String ID: 1649606143-2446555240
                                  • Opcode ID: 8b954ca590bdb4d290c694a5b82ac8cddf9bd556695a62cd8e1f2d6ba09f11ff
                                  • Instruction ID: 615b7dbe40c0b8188db9493e0f2b19f017fb36a74fa458c508a435569d7d4a1e
                                  • Opcode Fuzzy Hash: 8b954ca590bdb4d290c694a5b82ac8cddf9bd556695a62cd8e1f2d6ba09f11ff
                                  • Instruction Fuzzy Hash: 71E0862170071117C514353DD61A67F39228F41776F80013FF882ABAC6E96D8D6023CB
                                  APIs
                                  • RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,?,80000002,80000002,0040BFB2,00000000,004742E0,004742F8,?,pth_unenc), ref: 00412988
                                  • RegDeleteValueW.ADVAPI32(?,?,?,pth_unenc), ref: 00412998
                                  Strings
                                  • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00412986
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: DeleteOpenValue
                                  • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                                  • API String ID: 2654517830-1051519024
                                  • Opcode ID: 37dabd9028f0cede140cc98497e4e15f557d68d096268be44a89a64eb946223e
                                  • Instruction ID: 4813e9247c8a4fa7715124fbb4df20ddc3d96ddce1d5e270e7c0f337b45b5704
                                  • Opcode Fuzzy Hash: 37dabd9028f0cede140cc98497e4e15f557d68d096268be44a89a64eb946223e
                                  • Instruction Fuzzy Hash: 0AE01270310304BFEF104F61ED06FDB37ACBB80B89F004165F505E5191E2B5DD54A658
                                  APIs
                                  • DeleteFileW.KERNEL32(00000000,?,pth_unenc), ref: 0040AF84
                                  • RemoveDirectoryW.KERNEL32(00000000,?,pth_unenc), ref: 0040AFAF
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: DeleteDirectoryFileRemove
                                  • String ID: pth_unenc
                                  • API String ID: 3325800564-4028850238
                                  • Opcode ID: 61d114f186a888d4709b2c681f6d3031ab31f41b35aa7972edbcea0596dbeef1
                                  • Instruction ID: b68931c7331ddc333ece9e06749e281aefc344294653c9eba2f2de372e339d66
                                  • Opcode Fuzzy Hash: 61d114f186a888d4709b2c681f6d3031ab31f41b35aa7972edbcea0596dbeef1
                                  • Instruction Fuzzy Hash: FEE046715112108BC610AB31EC44AEBB398AB05316F00487FF8D3A36A1DE38A988CA98
                                  APIs
                                  • TerminateProcess.KERNEL32(00000000,pth_unenc,0040E670), ref: 004116A9
                                  • WaitForSingleObject.KERNEL32(000000FF), ref: 004116BC
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ObjectProcessSingleTerminateWait
                                  • String ID: pth_unenc
                                  • API String ID: 1872346434-4028850238
                                  • Opcode ID: 0bcc8583bbfeaf574487765c88b71504591df5916e82e2463f0204abfb9b1fb3
                                  • Instruction ID: 4302d9c34f7b4dbdac7fc8682473a51625df35810590c52ad239c14707b44b4b
                                  • Opcode Fuzzy Hash: 0bcc8583bbfeaf574487765c88b71504591df5916e82e2463f0204abfb9b1fb3
                                  • Instruction Fuzzy Hash: C1D0C938559211AFD7614B68BC08B453B6AA745222F108277F828413F1C72598A4AE1C
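The function entries above expose the sample's keylogger log markers ([AltL]/[AltR], [CtrlL]/[CtrlR], "Online Keylogger Stopped", "Offline Keylogger Started", the "%02i:%02i:%02i:%03i" timestamp written from GetLocalTime), the "KeepAlive | Enabled | Timeout: " log line, and the uninstall path that opens HKEY_LOCAL_MACHINE (0x80000002) \Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run with KEY_SET_VALUE (0x2) before calling RegDeleteValueW, then deletes its own file and directory and terminates the host process ("pth_unenc"). Those strings are what an analyst looks for in a dump of the injected process. The script below is an added example, not part of the Joe Sandbox report or the sample: it extracts ASCII and UTF-16LE string runs from a memory image, matches them against the indicators listed in these entries, and reports which capability groups are present with the byte offset of each hit. The dump bytes in SAMPLE_DUMP are constructed here so the script runs offline; the category names are the author's own grouping.

```python
"""Memory-dump triage for the Remcos indicators listed in this report.

Added example, not code from the Joe Sandbox report or from the sample
it analyses. The indicator strings are the String IDs shown in the
surrounding function entries; the dump bytes in SAMPLE_DUMP are
constructed here so the script runs offline.
"""
import re

KEYLOGGER_MARKERS = (
    "[AltL]", "[AltR]", "[CtrlL]", "[CtrlR]",
    "Online Keylogger Stopped",
    "Offline Keylogger Started",
    "%02i:%02i:%02i:%03i",            # per-keystroke timestamp format
)
C2_MARKERS = ("KeepAlive | Enabled | Timeout: ",)
PERSISTENCE_MARKERS = (
    # policy Run key the uninstall routine opens with KEY_SET_VALUE (0x2)
    "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\",
)
UNINSTALL_MARKERS = ("pth_unenc",)

# Category names are this example's own grouping, not Joe Sandbox labels.
INDICATORS = {
    "keylogger": KEYLOGGER_MARKERS,
    "c2_keepalive": C2_MARKERS,
    "persistence": PERSISTENCE_MARKERS,
    "uninstall": UNINSTALL_MARKERS,
}

ASCII_RUN = re.compile(rb"[\x20-\x7e]{6,}")
WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")


def extract_strings(data):
    """Yield (offset, encoding, text) for printable ASCII and UTF-16LE runs."""
    for m in ASCII_RUN.finditer(data):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in WIDE_RUN.finditer(data):
        yield m.start(), "utf-16le", m.group().decode("utf-16le")


def scan_dump(data):
    """Return hits as (offset, encoding, category, indicator), lowest offset first.

    Offsets point at the indicator itself, not at the start of the string run.
    """
    width = {"ascii": 1, "utf-16le": 2}
    hits = []
    for run_off, enc, text in extract_strings(data):
        for category, markers in INDICATORS.items():
            for marker in markers:
                idx = text.find(marker)
                if idx != -1:
                    hits.append((run_off + idx * width[enc], enc, category, marker))
    return sorted(hits)


def triage(data):
    """Summarise which capability groups are present in the dump."""
    hits = scan_dump(data)
    present = {category for _, _, category, _ in hits}
    return {
        "keylogger": "keylogger" in present,
        "c2_keepalive": "c2_keepalive" in present,
        "persistence": "persistence" in present,
        "uninstall": "uninstall" in present,
        "hits": hits,
    }


def wide(s):
    """Encode a string the way the sample's W-suffixed APIs store it."""
    return s.encode("utf-16le") + b"\x00\x00"


# Constructed stand-in for a process dump: a real dump is mostly code and
# data, so only a few bytes of padding separate the strings here.
SAMPLE_DUMP = (
    b"\x00" * 16
    + wide("[CtrlL]")
    + b"\x90" * 8
    + wide("Online Keylogger Stopped")
    + b"pth_unenc\x00\x00"
    + wide("Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\")
    + b"\xcc" * 8
)

if __name__ == "__main__":
    result = triage(SAMPLE_DUMP)
    for off, enc, category, marker in result["hits"]:
        print(f"0x{off:06x} {enc:8s} {category:12s} {marker!r}")
    print({k: v for k, v in result.items() if k != "hits"})
```

Run it against a real dump with `triage(open(path, "rb").read())`. The two regexes are deliberately narrow (printable ASCII only, minimum six characters) so that the UTF-16LE pass does not fire on code bytes; a hit at an offset can then be cross-referenced with the xrefs listed in the entries above to confirm which routine uses the string.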
                                  APIs
                                  • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401AD8), ref: 0043FB04
                                  • GetLastError.KERNEL32 ref: 0043FB12
                                  • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0043FB6D
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3829958030.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_preliminary drawing.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ByteCharMultiWide$ErrorLast
                                  • String ID:
                                  • API String ID: 1717984340-0
                                  • Opcode ID: 641cf42bdd343eb89e62379c4a250951f72419ef29a502270e4b2a68cd87e0bf
                                  • Instruction ID: 94dc36b571f96c0084dd62d2177e44ea0606df48237064e9d41db09688609199
                                  • Opcode Fuzzy Hash: 641cf42bdd343eb89e62379c4a250951f72419ef29a502270e4b2a68cd87e0bf
                                  • Instruction Fuzzy Hash: 66413870E00206AFCF219F64C854A6BF7A9EF09320F1451BBF8585B2A1E738AC09C759