
Windows Analysis Report
SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe

Overview

General Information

Sample name: SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe
Analysis ID: 1662504
MD5: 3880b71c954c43dda144487c14466883
SHA1: d9fd5be5f5f57ca06f59c802d3de8410aecb2615
SHA256: 3fe8b092c11e3ec298c7c6e23633f37fecd9ea24c308ff76bf36a6b48a44535e
Tags: AgentTesla, exe, user-SecuriteInfoCom

Detection

AgentTesla, DarkTortilla
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected DarkTortilla Crypter
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to log keystrokes (.Net Source)
Drops PE files to the user root directory
Hides that the sample has been downloaded from the Internet (zone.identifier)
Joe Sandbox ML detected suspicious sample
Tries to delay execution (extensive OutputDebugStringW loop)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops PE files to the user directory
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Direct Autorun Keys Modification
Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe (PID: 3780 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe" MD5: 3880B71C954C43DDA144487C14466883)
    • cmd.exe (PID: 4364 cmdline: "cmd" /c ping 127.0.0.1 -n 67 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Windows Update.exe" /t REG_SZ /d "C:\Users\user\Windows Update.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 3484 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • PING.EXE (PID: 7204 cmdline: ping 127.0.0.1 -n 67 MD5: B3624DD758CCECF93A1226CEF252CA12)
      • reg.exe (PID: 7948 cmdline: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Windows Update.exe" /t REG_SZ /d "C:\Users\user\Windows Update.exe" MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
    • cmd.exe (PID: 8004 cmdline: "cmd" /c ping 127.0.0.1 -n 74 > nul && copy "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe" "C:\Users\user\Windows Update.exe" && ping 127.0.0.1 -n 74 > nul && "C:\Users\user\Windows Update.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 8016 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • PING.EXE (PID: 8056 cmdline: ping 127.0.0.1 -n 74 MD5: B3624DD758CCECF93A1226CEF252CA12)
      • PING.EXE (PID: 2016 cmdline: ping 127.0.0.1 -n 74 MD5: B3624DD758CCECF93A1226CEF252CA12)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Name: DarkTortilla
Description: DarkTortilla is a complex and highly configurable .NET-based crypter that has possibly been active since at least August 2015. It typically delivers popular information stealers and remote access trojans (RATs) such as AgentTesla, AsyncRat, NanoCore, and RedLine. While it appears to primarily deliver commodity malware, Secureworks Counter Threat Unit (CTU) researchers identified DarkTortilla samples delivering targeted payloads such as Cobalt Strike and Metasploit. It can also deliver "addon packages" such as additional malicious payloads, benign decoy documents, and executables. It features robust anti-analysis and anti-tamper controls that can make detection, analysis, and eradication challenging. From January 2021 through May 2022, an average of 93 unique DarkTortilla samples per week were uploaded to the VirusTotal analysis service. Code similarities suggest possible links between DarkTortilla and other malware: a crypter operated by the RATs Crew threat group, which was active between 2008 and 2012, and the Gameloader malware that emerged in 2021.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.darktortilla
{
  "Exfil Mode": "SMTP",
  "Port": "587",
  "Host": "smtp.gmail.com",
  "Username": "mj08083399@gmail.com",
  "Password": "bizr usjt guapiims"
}
Source | Rule | Description | Author
00000000.00000002.1837876598.0000000004527000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DarkTortilla | Yara detected DarkTortilla Crypter | Joe Security
00000000.00000002.1839718909.0000000006A50000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_DarkTortilla | Yara detected DarkTortilla Crypter | Joe Security
00000000.00000002.1834077322.00000000033AF000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DarkTortilla | Yara detected DarkTortilla Crypter | Joe Security
00000000.00000002.1837876598.0000000004499000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DarkTortilla | Yara detected DarkTortilla Crypter | Joe Security
00000000.00000002.1837876598.0000000004499000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
Source | Rule | Description | Author
0.2.SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe.6a50000.6.unpack | JoeSecurity_DarkTortilla | Yara detected DarkTortilla Crypter | Joe Security
0.2.SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe.4527a00.0.unpack | JoeSecurity_DarkTortilla | Yara detected DarkTortilla Crypter | Joe Security
0.2.SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe.6a50000.6.raw.unpack | JoeSecurity_DarkTortilla | Yara detected DarkTortilla Crypter | Joe Security
0.2.SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe.4527a00.0.raw.unpack | JoeSecurity_DarkTortilla | Yara detected DarkTortilla Crypter | Joe Security
0.2.SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe.44d6548.3.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security

                      System Summary

Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\user\Windows Update.exe, EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\reg.exe, ProcessId: 7948, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update.exe
Source: Process started | Author: Victor Sergeev, Daniil Yugoslavskiy, oscd.community | Data: Command: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Windows Update.exe" /t REG_SZ /d "C:\Users\user\Windows Update.exe", CommandLine: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Windows Update.exe" /t REG_SZ /d "C:\Users\user\Windows Update.exe", CommandLine|base64offset|contains: DA, Image: C:\Windows\SysWOW64\reg.exe, NewProcessName: C:\Windows\SysWOW64\reg.exe, OriginalFileName: C:\Windows\SysWOW64\reg.exe, ParentCommandLine: "cmd" /c ping 127.0.0.1 -n 67 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Windows Update.exe" /t REG_SZ /d "C:\Users\user\Windows Update.exe", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 4364, ParentProcessName: cmd.exe, ProcessCommandLine: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Windows Update.exe" /t REG_SZ /d "C:\Users\user\Windows Update.exe", ProcessId: 7948, ProcessName: reg.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "cmd" /c ping 127.0.0.1 -n 67 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Windows Update.exe" /t REG_SZ /d "C:\Users\user\Windows Update.exe", CommandLine: "cmd" /c ping 127.0.0.1 -n 67 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Windows Update.exe" /t REG_SZ /d "C:\Users\user\Windows Update.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe, ParentProcessId: 3780, ParentProcessName: SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe, ProcessCommandLine: "cmd" /c ping 127.0.0.1 -n 67 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Windows Update.exe" /t REG_SZ /d "C:\Users\user\Windows Update.exe", ProcessId: 4364, ProcessName: cmd.exe
                      No Suricata rule has matched

                      AV Detection

Source: 0.2.SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe.44d6548.3.raw.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "smtp.gmail.com", "Username": "mj08083399@gmail.com", "Password": "bizr usjt guapiims"}
Source: C:\Users\user\Windows Update.exe | ReversingLabs: Detection: 52%
Source: C:\Users\user\Windows Update.exe | Virustotal: Detection: 51%
Source: SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe | Virustotal: Detection: 51%
Source: SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe | ReversingLabs: Detection: 52%
Source: Submitted Sample | Neural Call Log Analysis: 98.9%
Source: SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h | 0_2_08560A78
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h | 0_2_08560A69

                      Networking

Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 67
Source: SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe, 00000000.00000002.1834077322.0000000003381000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe, 00000000.00000002.1837876598.0000000004499000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe, 00000000.00000002.1837876598.0000000004381000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://account.dyn.com/

                      Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe.44d6548.3.raw.unpack, SKTzxzsJw.cs | .Net Code: JhD
Source: 0.2.SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe.43a6052.1.raw.unpack, SKTzxzsJw.cs | .Net Code: JhD
Source: 0.2.SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe.4499782.4.raw.unpack, SKTzxzsJw.cs | .Net Code: JhD
Source: 0.2.SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe.441fc02.2.raw.unpack, SKTzxzsJw.cs | .Net Code: JhD

                      System Summary

Source: 0.2.SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe.44d6548.3.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe.441fc02.2.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe.43a6052.1.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe.441fc02.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe.44d6548.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe.4499782.4.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe.43e2e32.5.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe.43e2e32.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe.4499782.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe.43a6052.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: Process Memory Space: SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe PID: 3780, type: MEMORYSTR | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe | Code function: 0_2_019B4D60
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe | Code function: 0_2_019B5298
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe | Code function: 0_2_019B7280
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe | Code function: 0_2_019B2EE0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe | Code function: 0_2_019B7273
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe | Code function: 0_2_06A00040
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe | Code function: 0_2_06A05780
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe | Code function: 0_2_06A01228
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe | Code function: 0_2_06A07D70
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe | Code function: 0_2_06A05771
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe | Code function: 0_2_06A07D60
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe | Code function: 0_2_08563300
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe | Code function: 0_2_08564BE8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe | Code function: 0_2_08565B70
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe | Code function: 0_2_08564BD9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe | Code function: 0_2_08562411
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe | Code function: 0_2_08562420
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe | Code function: 0_2_08F45E08
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe | Code function: 0_2_08F45DF8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe | Code function: 0_2_08F45DB8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe | Code function: 0_2_08F580F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe | Code function: 0_2_08F56198
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe | Code function: 0_2_08F51A08
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe | Code function: 0_2_08F57BD8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe | Code function: 0_2_08F5AE30
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe | Code function: 0_2_08F580DF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe | Code function: 0_2_08F5A880
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe | Code function: 0_2_08F5A870
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe | Code function: 0_2_08F501C8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe | Code function: 0_2_08F56188
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe | Code function: 0_2_08F5AE20
Source: SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe, 00000000.00000002.1839718909.0000000006A50000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameFalimotin.dll4 vs SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe
Source: SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe, 00000000.00000002.1832794561.000000000157E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe
Source: SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe, 00000000.00000002.1837876598.0000000004499000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamef070a246-31f8-4fc0-9cb1-fb27e4e93520.exe4 vs SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe
Source: SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe, 00000000.00000000.1213459202.0000000000FF2000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameori.exe@ vs SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe
Source: SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe, 00000000.00000002.1837876598.0000000004527000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameFalimotin.dll4 vs SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe
Source: SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe, 00000000.00000002.1837876598.0000000004381000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamef070a246-31f8-4fc0-9cb1-fb27e4e93520.exe4 vs SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe
Source: SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe | Binary or memory string: OriginalFilenameori.exe@ vs SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Windows Update.exe" /t REG_SZ /d "C:\Users\user\Windows Update.exe"
Source: 0.2.SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe.44d6548.3.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe.441fc02.2.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe.43a6052.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe.441fc02.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe.44d6548.3.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe.4499782.4.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe.43e2e32.5.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe.43e2e32.5.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe.4499782.4.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe.43a6052.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: Process Memory Space: SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe PID: 3780, type: MEMORYSTR | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe, Rc3e1AZo.cs | Cryptographic APIs: 'CreateDecryptor'
Source: SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe, An1r8R2.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe, m6N9Bjc4.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe.44d6548.3.raw.unpack, 4JJG6X.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe.44d6548.3.raw.unpack, 4JJG6X.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe.44d6548.3.raw.unpack, 8C78isHTVco.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe.44d6548.3.raw.unpack, 8C78isHTVco.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe.44d6548.3.raw.unpack, 8C78isHTVco.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe.44d6548.3.raw.unpack, 8C78isHTVco.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@15/6@0/1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe.log
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\MyAppMutex
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3484:120:WilError_03
Source: SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe | Virustotal: Detection: 51%
Source: SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe | ReversingLabs: Detection: 52%
Source: SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe | String found in binary or memory: C:\StockTracker)Tracker initialized.;Stock symbol cannot be empty./Added stock symbol: {0}AStock symbol already exists: {0}3Removed stock symbol: {0}7Stock symbol not found: {0}=Added price {0} for symbol {1}CCleared price data for symbol {0}
Source: unknown | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /c ping 127.0.0.1 -n 67 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Windows Update.exe" /t REG_SZ /d "C:\Users\user\Windows Update.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 67
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Windows Update.exe" /t REG_SZ /d "C:\Users\user\Windows Update.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /c ping 127.0.0.1 -n 74 > nul && copy "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe" "C:\Users\user\Windows Update.exe" && ping 127.0.0.1 -n 74 > nul && "C:\Users\user\Windows Update.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 74
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 74
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /c ping 127.0.0.1 -n 67 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Windows Update.exe" /t REG_SZ /d "C:\Users\user\Windows Update.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /c ping 127.0.0.1 -n 74 > nul && copy "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe" "C:\Users\user\Windows Update.exe" && ping 127.0.0.1 -n 74 > nul && "C:\Users\user\Windows Update.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 67
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Windows Update.exe" /t REG_SZ /d "C:\Users\user\Windows Update.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 74
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 74
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exeSection loaded: mscoree.dllJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exeSection loaded: apphelp.dllJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exeSection loaded: version.dllJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exeSection loaded: iphlpapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exeSection loaded: dnsapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exeSection loaded: dhcpcsvc6.dllJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exeSection loaded: dhcpcsvc.dllJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exeSection loaded: winnsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exeSection loaded: rasapi32.dllJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exeSection loaded: rasman.dllJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exeSection loaded: rtutils.dllJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exeSection loaded: mswsock.dllJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exeSection loaded: winhttp.dllJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exeSection loaded: rasadhlp.dllJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exeSection loaded: fwpuclnt.dllJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exeSection loaded: gpapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exeSection loaded: dwrite.dllJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exeSection loaded: windowscodecs.dllJump to behavior
                      Source: C:\Windows\SysWOW64\PING.EXESection loaded: iphlpapi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\PING.EXESection loaded: winnsi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\PING.EXESection loaded: mswsock.dllJump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exeSection loaded: ntmarta.dllJump to behavior
                      Source: C:\Windows\SysWOW64\PING.EXESection loaded: iphlpapi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\PING.EXESection loaded: winnsi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\PING.EXESection loaded: mswsock.dllJump to behavior
                      Source: C:\Windows\SysWOW64\PING.EXESection loaded: iphlpapi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\PING.EXESection loaded: winnsi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\PING.EXESection loaded: mswsock.dllJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                      Source: SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                      Data Obfuscation

                      Source: Yara match | File source: 0.2.SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe.6a50000.6.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe.4527a00.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe.6a50000.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe.4527a00.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe.441fc02.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe.43a6052.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe.441fc02.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe.4499782.4.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe.43e2e32.5.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe.43e2e32.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe.4499782.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe.43a6052.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000000.00000002.1837876598.0000000004527000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.1839718909.0000000006A50000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.1834077322.00000000033AF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.1837876598.0000000004499000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.1834077322.0000000003496000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.1837876598.0000000004381000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe PID: 3780, type: MEMORYSTR
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe | Code function: 0_2_08F42430 pushad ; retf 0_2_08F425D1
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe | Code function: 0_2_08F42E23 push eax; iretd 0_2_08F42E29
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe | Code function: 0_2_08F540D0 push es; ret 0_2_08F540E0
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe | Code function: 0_2_08F5B198 pushfd ; iretd 0_2_08F5B199
                      Source: SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe | Static PE information: section name: .text entropy: 6.831509495444582
                      Source: SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe, Kw7q5Z1A.cs | High entropy of concatenated method names: 'Xk06LmKo', 'o0H7WtXj', 'Sk9p3RLe', 'p3D6AqNn', 'a5D8WzBc', 'No08PwAb', 'Yb06Emj1', 'k7P4Bwr0', 'Tp89JbBz', 'p1W5JsNi'
                      Source: SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe, b6BSd.cs | High entropy of concatenated method names: 'Tc95GsFy', 'c1MDe24G', 'Mr46SsYi', 'z7Z8RnYo', 'm0P1Tjx2', 'b4K1AfYs', 'i7K0Cqz9', 'r0M8Cnd6', 'Xa81TzMf', 'Ls28YtJj'
                      Source: SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe, Rc3e1AZo.cs | High entropy of concatenated method names: 'y5Q7', 'Dispose', 'y3C2', 'MoveNext', 'c1Q2', 'GetEnumerator', 'k7FK', 'GetEnumerator', 'a4GE', 'Reset'
                      Source: SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe, An1r8R2.cs | High entropy of concatenated method names: 'a2F7NtL', 'c3Y6NqL', 'Be90Gyj', 'a6CKr23', 'Lx07Swg', 'Xt85Hia', 'j6SFf5t', 'Yw6o3RZ', 'Nz72Qxe', 'y4ACb6k'
                      Source: SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe, m6N9Bjc4.cs | High entropy of concatenated method names: 'n3LMa1t', 'Px0s2RF', 'f7T4EwH', 'Dy86Nje', 'p1P2TeF', 'Ez34QrJ', 'Ka89Rex', 'n5Y0Szx', 'p5L2Efc', 'f3Q9MzP'
                      Source: SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe, w2YM.cs | High entropy of concatenated method names: 'e4QX', 'k5C6', 'w6NQ', 'Kr6y', 'Df3i', 'Yr20', 'a4ZA', 'Ai7j', 'Cg73', 'e9R2'
                      Source: SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe, a0A8.cs | High entropy of concatenated method names: 'c0SD', 'Ck05', 'Wr4o', 'Ta1p', 'Ct19', 'Pk9y', 'Zi5o', 'q6P1', 'w1LZ', 'z1JY'
                      Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\Windows Update.exe
                      Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\Windows Update.exe

                      Boot Survival

                      Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\Windows Update.exe
                      Source: C:\Windows\SysWOW64\reg.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Windows Update.exe
                      Source: C:\Windows\SysWOW64\reg.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Windows Update.exe

                      Hooking and other Techniques for Hiding and Protection

                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe | File opened: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe\:Zone.Identifier read attributes | delete
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe | Process information set: NOOPENFILEERRORBOX (63 identical entries in the report)

                      Malware Analysis System Evasion

                      Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe PID: 3780, type: MEMORYSTR
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe | Section loaded: OutputDebugStringW count: 224
                      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 67
                      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 74
                      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 74
                      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 67
                      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 74
                      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 74
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe | Memory allocated: 1970000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe | Memory allocated: 3380000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe | Memory allocated: 5380000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe | Window / User API: threadDelayed 7796
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe | Window / User API: threadDelayed 2052
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe TID: 7172 | Thread sleep time: -28592453314249787s >= -30000s
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe TID: 7172 | Thread sleep time: -60000s >= -30000s
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe TID: 7172 | Thread sleep time: -59890s >= -30000s
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe TID: 7172 | Thread sleep time: -59781s >= -30000s
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe TID: 7172 | Thread sleep time: -59672s >= -30000s
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe TID: 7172 | Thread sleep time: -59547s >= -30000s
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe TID: 7172 | Thread sleep time: -59437s >= -30000s
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe TID: 7172 | Thread sleep time: -59328s >= -30000s
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe TID: 7172 | Thread sleep time: -59219s >= -30000s
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe TID: 7172 | Thread sleep time: -59094s >= -30000s
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe TID: 7172 | Thread sleep time: -58984s >= -30000s
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe TID: 7172 | Thread sleep time: -58875s >= -30000s
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe TID: 7172 | Thread sleep time: -58765s >= -30000s
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe TID: 7172 | Thread sleep time: -58656s >= -30000s
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe TID: 7172 | Thread sleep time: -58547s >= -30000s
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe TID: 7172 | Thread sleep time: -58437s >= -30000s
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe TID: 7172 | Thread sleep time: -58328s >= -30000s
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe TID: 7172 | Thread sleep time: -58219s >= -30000s
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe TID: 7172 | Thread sleep time: -58109s >= -30000s
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe TID: 7172 | Thread sleep time: -58000s >= -30000s
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe TID: 7172 | Thread sleep time: -57890s >= -30000s
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe TID: 7172 | Thread sleep time: -57781s >= -30000s
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe TID: 7172 | Thread sleep time: -57672s >= -30000s
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe TID: 7172 | Thread sleep time: -57562s >= -30000s
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe TID: 7172 | Thread sleep time: -57453s >= -30000s
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe TID: 7172 | Thread sleep time: -57344s >= -30000s
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe TID: 7172 | Thread sleep time: -57234s >= -30000s
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe TID: 7172 | Thread sleep time: -57125s >= -30000s
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe TID: 7172 | Thread sleep time: -57015s >= -30000s
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe TID: 7172 | Thread sleep time: -56906s >= -30000s
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe TID: 7172 | Thread sleep time: -56797s >= -30000s
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe TID: 7172 | Thread sleep time: -56687s >= -30000s
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe TID: 7172 | Thread sleep time: -56578s >= -30000s
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe TID: 7172 | Thread sleep time: -56469s >= -30000s
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe TID: 7172 | Thread sleep time: -56359s >= -30000s
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe TID: 7172 | Thread sleep time: -56250s >= -30000s
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe TID: 7172 | Thread sleep time: -56140s >= -30000s
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe TID: 7172 | Thread sleep time: -56031s >= -30000s
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe TID: 7172 | Thread sleep time: -55922s >= -30000s
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe TID: 7172 | Thread sleep time: -55812s >= -30000s
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe TID: 7172 | Thread sleep time: -55703s >= -30000s
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe TID: 7172 | Thread sleep time: -55593s >= -30000s
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe TID: 7172 | Thread sleep time: -55484s >= -30000s
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe TID: 7172 | Thread sleep time: -55375s >= -30000s
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe TID: 7172 | Thread sleep time: -55265s >= -30000s
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe TID: 7172 | Thread sleep time: -55155s >= -30000s
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe TID: 7172 | Thread sleep time: -55045s >= -30000s
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe TID: 7172 | Thread sleep time: -54937s >= -30000s
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe TID: 7172 | Thread sleep time: -54828s >= -30000s
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe TID: 7172 | Thread sleep time: -54719s >= -30000s
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe TID: 7172 | Thread sleep time: -54609s >= -30000s
                      Source: C:\Windows\SysWOW64\PING.EXE TID: 7208Thread sleep count: 65 > 30Jump to behavior
                      Source: C:\Windows\SysWOW64\PING.EXE TID: 7208Thread sleep time: -65000s >= -30000sJump to behavior
                      Source: C:\Windows\SysWOW64\PING.EXE TID: 8060Thread sleep count: 73 > 30Jump to behavior
                      Source: C:\Windows\SysWOW64\PING.EXE TID: 8060Thread sleep time: -73000s >= -30000sJump to behavior
                      Source: C:\Windows\SysWOW64\PING.EXELast function: Thread delayed
                      Source: C:\Windows\SysWOW64\PING.EXELast function: Thread delayed
                      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                      Source: C:\Windows\SysWOW64\PING.EXELast function: Thread delayed
                      Source: C:\Windows\SysWOW64\PING.EXELast function: Thread delayed
                      Source: C:\Windows\SysWOW64\PING.EXELast function: Thread delayed
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exeThread delayed: delay time: 60000Jump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exeThread delayed: delay time: 59890Jump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exeThread delayed: delay time: 59781Jump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exeThread delayed: delay time: 59672Jump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exeThread delayed: delay time: 59547Jump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exeThread delayed: delay time: 59437Jump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exeThread delayed: delay time: 59328Jump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exeThread delayed: delay time: 59219Jump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exeThread delayed: delay time: 59094Jump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exeThread delayed: delay time: 58984Jump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exeThread delayed: delay time: 58875Jump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exeThread delayed: delay time: 58765Jump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exeThread delayed: delay time: 58656Jump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exeThread delayed: delay time: 58547Jump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exeThread delayed: delay time: 58437Jump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exeThread delayed: delay time: 58328Jump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exeThread delayed: delay time: 58219Jump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exeThread delayed: delay time: 58109Jump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exeThread delayed: delay time: 58000Jump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exeThread delayed: delay time: 57890Jump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exeThread delayed: delay time: 57781Jump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exeThread delayed: delay time: 57672Jump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exeThread delayed: delay time: 57562Jump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exeThread delayed: delay time: 57453Jump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exeThread delayed: delay time: 57344Jump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exeThread delayed: delay time: 57234Jump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exeThread delayed: delay time: 57125Jump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exeThread delayed: delay time: 57015Jump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exeThread delayed: delay time: 56906Jump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exeThread delayed: delay time: 56797Jump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exeThread delayed: delay time: 56687Jump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exeThread delayed: delay time: 56578Jump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exeThread delayed: delay time: 56469Jump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exeThread delayed: delay time: 56359Jump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exeThread delayed: delay time: 56250Jump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exeThread delayed: delay time: 56140Jump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exeThread delayed: delay time: 56031Jump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exeThread delayed: delay time: 55922Jump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exeThread delayed: delay time: 55812Jump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exeThread delayed: delay time: 55703Jump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exeThread delayed: delay time: 55593Jump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exeThread delayed: delay time: 55484Jump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exeThread delayed: delay time: 55375Jump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exeThread delayed: delay time: 55265Jump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exeThread delayed: delay time: 55155Jump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exeThread delayed: delay time: 55045Jump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exeThread delayed: delay time: 54937Jump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exeThread delayed: delay time: 54828Jump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exeThread delayed: delay time: 54719Jump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exeThread delayed: delay time: 54609Jump to behavior
                      Source: SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe, 00000000.00000002.1839718909.0000000006A50000.00000004.08000000.00040000.00000000.sdmp, SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe, 00000000.00000002.1837876598.0000000004527000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VBoxTray
                      Source: SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe, 00000000.00000002.1837876598.0000000004527000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: sandboxierpcssGSOFTWARE\VMware, Inc.\VMware VGAuth
                      Source: SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe, 00000000.00000002.1832794561.00000000015B2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlla
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exeProcess information queried: ProcessInformationJump to behavior

Anti Debugging

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe | Code function: 0_2_06A0510C CheckRemoteDebuggerPresent,0_2_06A0510C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe | Memory allocated: page read and write, page guard
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /c ping 127.0.0.1 -n 67 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Windows Update.exe" /t REG_SZ /d "C:\Users\user\Windows Update.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /c ping 127.0.0.1 -n 74 > nul && copy "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe" "C:\Users\user\Windows Update.exe" && ping 127.0.0.1 -n 74 > nul && "C:\Users\user\Windows Update.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 67
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Windows Update.exe" /t REG_SZ /d "C:\Users\user\Windows Update.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 74
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 74
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe | Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match | File source: 0.2.SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe.44d6548.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe.441fc02.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe.43a6052.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe.441fc02.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe.44d6548.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe.4499782.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe.43e2e32.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe.43e2e32.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe.4499782.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe.43a6052.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1837876598.0000000004499000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1837876598.0000000004381000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe PID: 3780, type: MEMORYSTR
Source: Yara match | File source: 0.2.SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe.44d6548.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe.441fc02.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe.43a6052.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe.441fc02.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe.44d6548.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe.4499782.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe.43e2e32.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe.43e2e32.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe.4499782.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe.43a6052.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1837876598.0000000004499000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1837876598.0000000004381000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe PID: 3780, type: MEMORYSTR

Remote Access Functionality

Source: Yara match | File source: 0.2.SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe.44d6548.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe.441fc02.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe.43a6052.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe.441fc02.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe.44d6548.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe.4499782.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe.43e2e32.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe.43e2e32.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe.4499782.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe.43a6052.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1837876598.0000000004499000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1837876598.0000000004381000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe PID: 3780, type: MEMORYSTR
MITRE ATT&CK Matrix (the number before a technique is the count of matching signatures from this analysis)

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Command and Scripting Interpreter | 1 Registry Run Keys / Startup Folder | 11 Process Injection | 111 Masquerading | 1 Input Capture | 211 Security Software Discovery | Remote Services | 1 Input Capture | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | 1 DLL Side-Loading | 1 Registry Run Keys / Startup Folder | 1 Modify Registry | LSASS Memory | 1 Process Discovery | Remote Desktop Protocol | 11 Archive Collected Data | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 1 Disable or Modify Tools | Security Account Manager | 141 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 141 Virtualization/Sandbox Evasion | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 11 Process Injection | LSA Secrets | 1 Remote System Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Deobfuscate/Decode Files or Information | Cached Domain Credentials | 1 System Network Configuration Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Hidden Files and Directories | DCSync | 12 System Information Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 3 Obfuscated Files or Information | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 Software Packing | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 1 DLL Side-Loading | Network Sniffing | Network Service Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
Legend:

• Process
• Signature
• Created File
• DNS/IP Info
• Is Dropped
• Is Windows Process
• Number of created Registry Values
• Number of created Files
• Visual Basic
• Delphi
• Java
• .Net C# or VB.NET
• C, C++ or other language
• Is malicious
• Internet

Behavior Graph ID: 1662504 | Sample: SecuriteInfo.com.Trojan.Rem... | Startdate: 10/04/2025 | Architecture: WINDOWS | Score: 100

Start
  Signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for dropped file; 6 other signatures
  SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe (started)
    Dropped: SecuriteInfo.com.T....23891.6776.exe.log, ASCII
    Signatures: Tries to delay execution (extensive OutputDebugStringW loop); Hides that the sample has been downloaded from the Internet (zone.identifier); Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
    cmd.exe (started)
      Signatures: Uses ping.exe to sleep; Drops PE files to the user root directory; Uses ping.exe to check the status of other devices and networks
      PING.EXE (started)
        DNS/IP: 127.0.0.1 unknown unknown
      conhost.exe (started)
      reg.exe (started)
    cmd.exe (started)
      Dropped: C:\Users\user\Windows Update.exe, PE32
      conhost.exe (started)
      PING.EXE (started)
      PING.EXE (started)

Source | Detection | Scanner | Label
SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe | 51% | Virustotal |
SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe | 53% | ReversingLabs | Win32.Trojan.Jalapeno
SAMPLE | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Users\user\Windows Update.exe | 53% | ReversingLabs | Win32.Trojan.Jalapeno
C:\Users\user\Windows Update.exe | 51% | Virustotal |
                      No Antivirus matches
                      No Antivirus matches
                      No Antivirus matches


                      No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
https://account.dyn.com/ | SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe, 00000000.00000002.1837876598.0000000004499000.00000004.00000800.00020000.00000000.sdmp; SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe, 00000000.00000002.1837876598.0000000004381000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe, 00000000.00000002.1834077322.0000000003381000.00000004.00000800.00020000.00000000.sdmp | false | | high

IP | Domain | Country | Flag | ASN | ASN Name | Malicious
127.0.0.1 | | | | | |
                          Joe Sandbox version:42.0.0 Malachite
                          Analysis ID:1662504
                          Start date and time:2025-04-10 22:38:45 +02:00
                          Joe Sandbox product:CloudBasic
                          Overall analysis duration:0h 5m 54s
                          Hypervisor based Inspection enabled:false
                          Report type:full
                          Cookbook file name:default.jbs
                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                          Number of analysed new started processes analysed:18
                          Number of new started drivers analysed:0
                          Number of existing processes analysed:0
                          Number of existing drivers analysed:0
                          Number of injected processes analysed:0
                          Technologies:
                          • HCA enabled
                          • EGA enabled
                          • AMSI enabled
                          Analysis Mode:default
                          Analysis stop reason:Timeout
                          Sample name:SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe
                          Detection:MAL
                          Classification:mal100.troj.spyw.evad.winEXE@15/6@0/1
                          EGA Information:
                          • Successful, ratio: 100%
                          HCA Information:
                          • Successful, ratio: 98%
                          • Number of executed functions: 42
                          • Number of non-executed functions: 8
                          Cookbook Comments:
                          • Found application associated with file extension: .exe
                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                          • Excluded IPs from analysis (whitelisted): 23.44.203.82, 23.44.203.91, 23.44.203.84, 23.44.203.81, 23.44.203.79, 23.44.203.90, 23.44.203.86, 23.44.203.80, 23.44.203.78, 23.9.183.29, 20.109.210.53
                          • Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, e86303.dscx.akamaiedge.net, www.bing.com.edgekey.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, c.pki.goog, www-www.bing.com.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
                          • Not all processes were analyzed, report is missing behavior information
                          • Report size getting too big, too many NtOpenKeyEx calls found.
                          • Report size getting too big, too many NtQueryValueKey calls found.
                          • Report size getting too big, too many NtReadVirtualMemory calls found.
                          Time      Type             Description
                          16:39:42  API Interceptor  2000x Sleep call for process: SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe modified
                          16:40:14  API Interceptor  75x Sleep call for process: PING.EXE modified
                          22:40:39  Autostart        Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Windows Update.exe C:\Users\user\Windows Update.exe
                          22:40:48  Autostart        Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Windows Update.exe C:\Users\user\Windows Update.exe
                          Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):1415
                          Entropy (8bit):5.352427679901606
                          Encrypted:false
                          SSDEEP:24:ML9E4Ke84jE4Kx1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4KzeUE4KMRSE4j:MxHKevjHKx1qHiYHKh3oPtHo6hAHKzef
                          MD5:6DB90274BECD1E94BB38A7A667B3C365
                          SHA1:9246FCC976C5232C9FE304DD6AA5217AF0979ADB
                          SHA-256:9B8ADE5D49FDC2FC639962E721CF8AA0DD24B39DEFF51D653D226BEAC5AD46B2
                          SHA-512:3A9EDF861B7EE08131DEE85E2E4A083775DCB9877A8EB0E97543797149B24385A89F1CED7C1CBF2BDADA59A436D405531C3B54EF9A29DC025D6A6E17C53F4F10
                          Malicious:true
                          Reputation:low
                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
                          Process:C:\Windows\SysWOW64\cmd.exe
                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                          Category:dropped
                          Size (bytes):927232
                          Entropy (8bit):6.824787951089989
                          Encrypted:false
                          SSDEEP:12288:cW1nr+p2cPCXf/keoqQJndVBBlbKG+r/u/E0eM6nNe75:cWVDcqXfceoqQJkVa/6Xe75
                          MD5:3880B71C954C43DDA144487C14466883
                          SHA1:D9FD5BE5F5F57CA06F59C802D3DE8410AECB2615
                          SHA-256:3FE8B092C11E3EC298C7C6E23633F37FECD9EA24C308FF76BF36A6B48A44535E
                          SHA-512:7667B44462D3E9819489B44D5D80F8F0243531FBE7596E9ECAFA889430B744E604BD6A32100274345FCD9D30A357092F6FA9D65545D08CF5DCFA328752804EEE
                          Malicious:true
                          Antivirus:
                          • Antivirus: ReversingLabs, Detection: 53%
                          • Antivirus: Virustotal, Detection: 51%
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...b..,.........."...P.............n<... ...@....@.. ....................................`..................................<..S....@.......................`....................................................... ............... ..H............text...t.... ...................... ..`.rsrc........@....... ..............@..@.reloc.......`.......$..............@..B................P<......H........`..(.......).... ..@@..........................................................333333.?.......?333333.?................................................................ .,.......rn...Z.?.M.O3 ........................................a.e.i.o.u.....(*...*&..(+....*.s,........s-........s.........s/........s0........*Z........oC...........*&..(D....*j..{....(...+}.....{....+.*j..{....(...+}.....{....+.*j..{....(...+}.....{....+.*j..{....(...+}.....{....+.*...{......,.+....
                          Process:C:\Windows\SysWOW64\cmd.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:modified
                          Size (bytes):26
                          Entropy (8bit):3.95006375643621
                          Encrypted:false
                          SSDEEP:3:ggPYV:rPYV
                          MD5:187F488E27DB4AF347237FE461A079AD
                          SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                          SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                          SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                          Malicious:false
                          Preview:[ZoneTransfer]....ZoneId=0
                          Process:C:\Windows\SysWOW64\PING.EXE
                          File Type:ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):436
                          Entropy (8bit):4.6943362611589565
                          Encrypted:false
                          SSDEEP:6:PzLSLzMRfmWxHLThx2LThx2LThx2LThx2LThx2LThx2LThx2LThxO:PKMRJpTeTeTeTeTeTeTeTO
                          MD5:919D78A60120D84A4154FEACE8DF7930
                          SHA1:7F32A8B6EFC9AFB2C5645033FD3504B3375CE20C
                          SHA-256:1119F305ED40163DC23961207E5648E9A1A719C33360C0FE429330249B86E268
                          SHA-512:119651E753FD632EC2178AE6BEA7595BC00EB7F2F2C88B204E8239092425246974BF2D30694675260FE7A942CCC6D71C93A904A6275F13507E0A78C0587287AB
                          Malicious:false
                          Preview:..Pinging 127.0.0.1 with 32 bytes of data:..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..
                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                          Entropy (8bit):6.824787951089989
                          TrID:
                          • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                          • Win32 Executable (generic) a (10002005/4) 49.75%
                          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                          • Windows Screen Saver (13104/52) 0.07%
                          • Generic Win/DOS Executable (2004/3) 0.01%
                          File name:SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe
                          File size:927'232 bytes
                          MD5:3880b71c954c43dda144487c14466883
                          SHA1:d9fd5be5f5f57ca06f59c802d3de8410aecb2615
                          SHA256:3fe8b092c11e3ec298c7c6e23633f37fecd9ea24c308ff76bf36a6b48a44535e
                          SHA512:7667b44462d3e9819489b44d5d80f8f0243531fbe7596e9ecafa889430b744e604bd6a32100274345fcd9d30a357092f6fa9d65545d08cf5dcfa328752804eee
                          SSDEEP:12288:cW1nr+p2cPCXf/keoqQJndVBBlbKG+r/u/E0eM6nNe75:cWVDcqXfceoqQJkVa/6Xe75
                          TLSH:6615E08C63E48A44F9BF1AB98071558843B0F447DAA7E75C0FC0A5F62E72792DC097A7
                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...b..,.........."...P.............n<... ...@....@.. ....................................`................................
                          Icon Hash:90cececece8e8eb0
                          Entrypoint:0x4e3c6e
                          Entrypoint Section:.text
                          Digitally signed:false
                          Imagebase:0x400000
                          Subsystem:windows gui
                          Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                          DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                          Time Stamp:0x2C89BF62 [Sun Sep 5 10:28:50 1993 UTC]
                          TLS Callbacks:
                          CLR (.Net) Version:
                          OS Version Major:4
                          OS Version Minor:0
                          File Version Major:4
                          File Version Minor:0
                          Subsystem Version Major:4
                          Subsystem Version Minor:0
                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                          Instruction
                          jmp dword ptr [00402000h]
                          add byte ptr [eax], al
                          Name                                  Virtual Address  Virtual Size  Is in Section
                          IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                          IMAGE_DIRECTORY_ENTRY_IMPORT          0xe3c18          0x53          .text
                          IMAGE_DIRECTORY_ENTRY_RESOURCE        0xe4000          0x3d8         .rsrc
                          IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                          IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                          IMAGE_DIRECTORY_ENTRY_BASERELOC       0xe6000          0xc           .reloc
                          IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                          IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                          IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
                          IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
                          Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity      File Type  Entropy              Characteristics
                          .text   0x2000           0xe1c74       0xe1e00   a4c822624895523cb321f10cd14d9c0b  False     0.6804160037354732   data       6.831509495444582    IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                          .rsrc   0xe4000          0x3d8         0x400     ef0aba59de8dc3ffad2593044801eb60  False     0.4189453125         data       3.375612745135494    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                          .reloc  0xe6000          0xc           0x200     f8fcffde904fd9c8f639c7fe2ce0863b  False     0.044921875          data       0.10191042566270775  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                          Name        RVA      Size   Type  Language  Country  ZLIB Complexity
                          RT_VERSION  0xe4058  0x380  data                     0.44754464285714285
                          DLL          Import
                          mscoree.dll  _CorExeMain
                          Description:Data
                          Translation:0x0000 0x04b0
                          Comments:@JB?7B4GC5J;H==555F2I@
                          CompanyName:324J8GCBI?6CB@FA7G7;<
                          FileDescription:C=2:2CI7IB4D9GD
                          FileVersion:7.10.13.17
                          InternalName:ori.exe
                          LegalCopyright:Copyright 2010 324J8GCBI?6CB@FA7G7;<
                          OriginalFilename:ori.exe
                          ProductName:C=2:2CI7IB4D9GD
                          ProductVersion:7.10.13.17
                          Assembly Version:1.0.0.0


                          Timestamp                             Source Port  Dest Port  Source IP     Dest IP
                          Apr 10, 2025 22:40:22.871448040 CEST  53           65102      162.159.36.2  192.168.2.6
                          Target ID:0
                          Start time:16:39:40
                          Start date:10/04/2025
                          Path:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe"
                          Imagebase:0xf30000
                          File size:927'232 bytes
                          MD5 hash:3880B71C954C43DDA144487C14466883
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.1837876598.0000000004527000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.1839718909.0000000006A50000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.1834077322.00000000033AF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.1837876598.0000000004499000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1837876598.0000000004499000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1837876598.0000000004499000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.1834077322.0000000003496000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.1837876598.0000000004381000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1837876598.0000000004381000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1837876598.0000000004381000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          Reputation:low
                          Has exited:true

                          Target ID:2
                          Start time:16:39:42
                          Start date:10/04/2025
                          Path:C:\Windows\SysWOW64\cmd.exe
                          Wow64 process (32bit):true
                          Commandline:"cmd" /c ping 127.0.0.1 -n 67 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Windows Update.exe" /t REG_SZ /d "C:\Users\user\Windows Update.exe"
                          Imagebase:0x2a0000
                          File size:236'544 bytes
                          MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:3
                          Start time:16:39:42
                          Start date:10/04/2025
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff68dae0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:4
                          Start time:16:39:42
                          Start date:10/04/2025
                          Path:C:\Windows\SysWOW64\PING.EXE
                          Wow64 process (32bit):true
                          Commandline:ping 127.0.0.1 -n 67
                          Imagebase:0xe80000
                          File size:18'944 bytes
                          MD5 hash:B3624DD758CCECF93A1226CEF252CA12
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:11
                          Start time:16:40:35
                          Start date:10/04/2025
                          Path:C:\Windows\SysWOW64\reg.exe
                          Wow64 process (32bit):true
                          Commandline:REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Windows Update.exe" /t REG_SZ /d "C:\Users\user\Windows Update.exe"
                          Imagebase:0x4b0000
                          File size:59'392 bytes
                          MD5 hash:CDD462E86EC0F20DE2A1D781928B1B0C
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:12
                          Start time:16:40:42
                          Start date:10/04/2025
                          Path:C:\Windows\SysWOW64\cmd.exe
                          Wow64 process (32bit):true
                          Commandline:"cmd" /c ping 127.0.0.1 -n 74 > nul && copy "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Remcos.125.23891.6776.exe" "C:\Users\user\Windows Update.exe" && ping 127.0.0.1 -n 74 > nul && "C:\Users\user\Windows Update.exe"
                          Imagebase:0x2a0000
                          File size:236'544 bytes
                          MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:false

                          Target ID:13
                          Start time:16:40:42
                          Start date:10/04/2025
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff68dae0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:false

                          Target ID:14
                          Start time:16:40:42
                          Start date:10/04/2025
                          Path:C:\Windows\SysWOW64\PING.EXE
                          Wow64 process (32bit):true
                          Commandline:ping 127.0.0.1 -n 74
                          Imagebase:0xe80000
                          File size:18'944 bytes
                          MD5 hash:B3624DD758CCECF93A1226CEF252CA12
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:17
                          Start time:16:41:38
                          Start date:10/04/2025
                          Path:C:\Windows\SysWOW64\PING.EXE
                          Wow64 process (32bit):true
                          Commandline:ping 127.0.0.1 -n 74
                          Imagebase:0xe80000
                          File size:18'944 bytes
                          MD5 hash:B3624DD758CCECF93A1226CEF252CA12
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:false

                          Execution Graph

                          Execution Coverage

                          Dynamic/Packed Code Coverage

                          Signature Coverage

                          Execution Coverage:13.1%
                          Dynamic/Decrypted Code Coverage:100%
                          Signature Coverage:16.5%
                          Total number of Nodes:85
                          Total number of Limit Nodes:8

                          Executed Functions

                          Control-flow Graph

                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1833553941.00000000019B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019B0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_19b0000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID: d$tSp
                          • API String ID: 0-2751586273
                          • Opcode ID: be6629b8dbbe5099ebd62f312ee8d52c1143c0befd7cfe55ce138a42e484a046
                          • Instruction ID: 3ac2bae1c72617c63651991536b36a0dfb12394d53359495f4faf26258c1d11d
                          • Opcode Fuzzy Hash: be6629b8dbbe5099ebd62f312ee8d52c1143c0befd7cfe55ce138a42e484a046
                          • Instruction Fuzzy Hash: FE71D1B4E003099BDB04DFAAD9846EEBBF6FF89300F108029D819BB355DB385A458B55

                          Control-flow Graph (function at 6a0510c; rendered graph omitted)
                          APIs
                          • CheckRemoteDebuggerPresent.KERNEL32(?,00000000), ref: 06A05F07
                          Memory Dump Source
                          • Source File: 00000000.00000002.1839601799.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6a00000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: CheckDebuggerPresentRemote
                          • String ID:
                          • API String ID: 3662101638-0
                          • Opcode ID: 0c97ab1017115de91b8f118fa98b56b5eecfdc9d129d99be731e68cf9a9a7147
                          • Instruction ID: 75dbdb00a7e2c055eec956884f94283ec664b90082e9789d8e770b96dfa2935b
                          • Opcode Fuzzy Hash: 0c97ab1017115de91b8f118fa98b56b5eecfdc9d129d99be731e68cf9a9a7147
                          • Instruction Fuzzy Hash: B42127B1C002598FDB10DF9AD584BEEBBF4AF49310F14845AE455B7341D778A944CFA0

                          Control-flow Graph (function at 6a05e88; rendered graph omitted)
                          APIs
                          • CheckRemoteDebuggerPresent.KERNEL32(?,00000000), ref: 06A05F07
                          Memory Dump Source
                          • Source File: 00000000.00000002.1839601799.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6a00000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: CheckDebuggerPresentRemote
                          • String ID:
                          • API String ID: 3662101638-0
                          • Opcode ID: 236603a35450e1a5c18b966dd9ac1aac8b3005e27752e90869516402acc15fbf
                          • Instruction ID: 6907764c1e05a32a0e423da9b32501f8c6f64f94af8f9d32eb0e67952808c475
                          • Opcode Fuzzy Hash: 236603a35450e1a5c18b966dd9ac1aac8b3005e27752e90869516402acc15fbf
                          • Instruction Fuzzy Hash: 1F2125B2C002598FCB10DF9AD885BEEBBF4AF48310F24845AE455B3351D778AA44CF65

                          Control-flow Graph (function at 8f558a0; rendered graph omitted)
                          APIs
                          • DeleteFileW.KERNEL32(00000000), ref: 08F580A0
                          Memory Dump Source
                          • Source File: 00000000.00000002.1842325055.0000000008F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F50000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8f50000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: DeleteFile
                          • String ID:
                          • API String ID: 4033686569-0
                          • Opcode ID: 1c7b9d3e78a54c17ba63d4d59e3958711a0822e1fe35828d0f0d4462ad35e4d0
                          • Instruction ID: 7df92560ddb8f43fb864f820a54d57a8c446e8d2e06fc33e48b530e391d46b25
                          • Opcode Fuzzy Hash: 1c7b9d3e78a54c17ba63d4d59e3958711a0822e1fe35828d0f0d4462ad35e4d0
                          • Instruction Fuzzy Hash: C72147B2C1061A9BCB24CFAAC4447AEFBF4FB48310F14812AD918B7741D778A940CFA1

                          Control-flow Graph (function at 8f5802c; rendered graph omitted)
                          APIs
                          • DeleteFileW.KERNEL32(00000000), ref: 08F580A0
                          Memory Dump Source
                          • Source File: 00000000.00000002.1842325055.0000000008F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F50000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8f50000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: DeleteFile
                          • String ID:
                          • API String ID: 4033686569-0
                          • Opcode ID: 3b8d617d4d45a37679e9362d07e96dcd5c11626477b282a797fad833a1d34c88
                          • Instruction ID: 9a0d66420b0edf21c46a16e67bbc771cd4fadcc0c51e0589be0138023f294ade
                          • Opcode Fuzzy Hash: 3b8d617d4d45a37679e9362d07e96dcd5c11626477b282a797fad833a1d34c88
                          • Instruction Fuzzy Hash: 352147B2C0061A9BCB20CFAAC4456DEFBB4FB48310F14812AD918B3741D778A940CFA1

                          Control-flow Graph (function at 6a05124; rendered graph omitted)
                          APIs
                          • OutputDebugStringW.KERNELBASE(00000000), ref: 06A06488
                          Memory Dump Source
                          • Source File: 00000000.00000002.1839601799.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6a00000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: DebugOutputString
                          • String ID:
                          • API String ID: 1166629820-0
                          • Opcode ID: ef86b4090f831f815034efee007363beb964ddc676e0f31d63d36675fddc4de0
                          • Instruction ID: 4c47f6a94b8f51afcdf7b148973e15be5c38300fd42ac4f25affc9e6e4fb6ce2
                          • Opcode Fuzzy Hash: ef86b4090f831f815034efee007363beb964ddc676e0f31d63d36675fddc4de0
                          • Instruction Fuzzy Hash: 5C1142B1C0060AAFCB10DF9AD944A9EFBF4FB48314F10812AE818B7341C374A954CFA1

                          Control-flow Graph (function at 6a06411; rendered graph omitted)
                          APIs
                          • OutputDebugStringW.KERNELBASE(00000000), ref: 06A06488
                          Memory Dump Source
                          • Source File: 00000000.00000002.1839601799.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6a00000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: DebugOutputString
                          • String ID:
                          • API String ID: 1166629820-0

                          Control-flow Graph (basic blocks and edges; rendered graph omitted)
                          • 220: 19be8f8-19be938 -> 221, 222
                          • 221: 19be93a-19be93d -> 222
                          • 222: 19be940-19be96b (GetModuleHandleW) -> 223, 224
                          • 223: 19be96d-19be973 -> 224
                          • 224: 19be974-19be988
                          APIs
                          • GetModuleHandleW.KERNEL32(00000000), ref: 019BE95E
                          Memory Dump Source
                          • Source File: 00000000.00000002.1833553941.00000000019B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019B0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_19b0000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: HandleModule
                          • String ID:
                          • API String ID: 4139908857-0

                          Control-flow Graph (basic blocks and edges; rendered graph omitted)
                          • 231: 8565210-8565282 (PostMessageW) -> 232, 233
                          • 232: 8565284-856528a -> 233
                          • 233: 856528b-856529f
                          APIs
                          • PostMessageW.USER32(?,00000010,00000000,?), ref: 08565275
                          Memory Dump Source
                          • Source File: 00000000.00000002.1841568858.0000000008560000.00000040.00000800.00020000.00000000.sdmp, Offset: 08560000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8560000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: MessagePost
                          • String ID:
                          • API String ID: 410705778-0

                          Control-flow Graph (basic blocks and edges; rendered graph omitted)
                          • 226: 85637d4-8565282 (PostMessageW) -> 228, 229
                          • 228: 8565284-856528a -> 229
                          • 229: 856528b-856529f
                          APIs
                          • PostMessageW.USER32(?,00000010,00000000,?), ref: 08565275
                          Memory Dump Source
                          • Source File: 00000000.00000002.1841568858.0000000008560000.00000040.00000800.00020000.00000000.sdmp, Offset: 08560000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8560000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: MessagePost
                          • String ID:
                          • API String ID: 410705778-0

                          Control-flow Graph (basic blocks and edges; rendered graph omitted)
                          • 235: 6a064b4-6a064c0 -> 236, 237
                          • 236: 6a06472-6a06495 (OutputDebugStringW) -> 238, 239
                          • 237: 6a064c2-6a06544
                          • 238: 6a06497-6a0649d -> 239
                          • 239: 6a0649e-6a064b2
                          APIs
                          • OutputDebugStringW.KERNELBASE(00000000), ref: 06A06488
                          Memory Dump Source
                          • Source File: 00000000.00000002.1839601799.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6a00000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: DebugOutputString
                          • String ID:
                          • API String ID: 1166629820-0
                          Memory Dump Source
                          • Source File: 00000000.00000002.1833175770.00000000018ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 018ED000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_18ed000_SecuriteInfo.jbxd
                          Memory Dump Source
                          • Source File: 00000000.00000002.1833175770.00000000018ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 018ED000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_18ed000_SecuriteInfo.jbxd
                          Memory Dump Source
                          • Source File: 00000000.00000002.1833175770.00000000018ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 018ED000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_18ed000_SecuriteInfo.jbxd
                          Memory Dump Source
                          • Source File: 00000000.00000002.1833175770.00000000018ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 018ED000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_18ed000_SecuriteInfo.jbxd
                          Memory Dump Source
                          • Source File: 00000000.00000002.1833175770.00000000018ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 018ED000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_18ed000_SecuriteInfo.jbxd
                          Memory Dump Source
                          • Source File: 00000000.00000002.1833121773.00000000018DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 018DD000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_18dd000_SecuriteInfo.jbxd
                          Memory Dump Source
                          • Source File: 00000000.00000002.1833121773.00000000018DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 018DD000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_18dd000_SecuriteInfo.jbxd

                          Non-executed Functions

                          Memory Dump Source
                          • Source File: 00000000.00000002.1841568858.0000000008560000.00000040.00000800.00020000.00000000.sdmp, Offset: 08560000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8560000_SecuriteInfo.jbxd
                          Memory Dump Source
                          • Source File: 00000000.00000002.1842325055.0000000008F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F50000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8f50000_SecuriteInfo.jbxd
                          Memory Dump Source
                          • Source File: 00000000.00000002.1841568858.0000000008560000.00000040.00000800.00020000.00000000.sdmp, Offset: 08560000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8560000_SecuriteInfo.jbxd
                          Memory Dump Source
                          • Source File: 00000000.00000002.1842325055.0000000008F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F50000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8f50000_SecuriteInfo.jbxd
                          Memory Dump Source
                          • Source File: 00000000.00000002.1842325055.0000000008F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F50000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8f50000_SecuriteInfo.jbxd
                          Memory Dump Source
                          • Source File: 00000000.00000002.1833553941.00000000019B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019B0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_19b0000_SecuriteInfo.jbxd
                          Memory Dump Source
                          • Source File: 00000000.00000002.1841568858.0000000008560000.00000040.00000800.00020000.00000000.sdmp, Offset: 08560000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8560000_SecuriteInfo.jbxd
                          Memory Dump Source
                          • Source File: 00000000.00000002.1842325055.0000000008F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F50000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8f50000_SecuriteInfo.jbxd