
Windows Analysis Report
018292540-LetterReguranPPI-20230814215304.PDF.exe

Overview

General Information

Sample name: 018292540-LetterReguranPPI-20230814215304.PDF.exe
Analysis ID: 1560895
MD5: 667060459d876845db2677ddc3d58488
SHA1: 800f741383f4f4027d70a5942fe4b263b592eed5
SHA256: 3e080ccb41529931481861828df6a2ca32b039ed0217adcecb832547d8da0566
Tags: exe, FakePDF, geoGRC, user-NDA0E

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Double Extension File Execution
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected Remcos RAT
.NET source code contains potential unpacker
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Uses an obfuscated file name to hide its real file extension (double extension)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains functionality to read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file name is different from the original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Extracted malware configuration:
{"Host:Port:Password": ["oyo.work.gd:3142:1"], "Assigned name": "Host", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "ios", "Hide file": "Disable", "Mutex": "jkm-I9KENP", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Enable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "vlc", "Keylog folder": "pdf", "Keylog file max size": "100"}
Source: 00000003.00000002.4563518017.000000000117A000.00000004.00000020.00020000.00000000.sdmp | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
Source: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
Source: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Rule: Windows_Trojan_Remcos_b296e965 | Description: unknown | Author: unknown
  • 0x691e0:$a1: Remcos restarted by watchdog!
  • 0x69738:$a3: %02i:%02i:%02i:%03i
  • 0x69abd:$a4: * Remcos v
Source: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Rule: REMCOS_RAT_variants | Description: unknown | Author: unknown
  • 0x641e4:$str_a1: C:\Windows\System32\cmd.exe
  • 0x64160:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x64160:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x63610:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x63e48:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x6320c:$str_b2: Executing file:
  • 0x64328:$str_b3: GetDirectListeningPort
  • 0x63c08:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x63e30:$str_b7: \update.vbs
  • 0x63234:$str_b9: Downloaded file:
  • 0x63220:$str_b10: Downloading file:
  • 0x632c4:$str_b12: Failed to upload file:
  • 0x642f0:$str_b13: StartForward
  • 0x64310:$str_b14: StopForward
  • 0x63dd8:$str_b15: fso.DeleteFile "
  • 0x63d6c:$str_b16: On Error Resume Next
  • 0x63e08:$str_b17: fso.DeleteFolder "
  • 0x632b4:$str_b18: Uploaded file:
  • 0x63274:$str_b19: Unable to delete:
  • 0x63da0:$str_b20: while fso.FileExists("
  • 0x63749:$str_c0: [Firefox StoredLogins not found]
Source: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer | Description: detects Windows executables potentially bypassing UAC using eventvwr.exe | Author: ditekSHen
  • 0x63100:$s1: \Classes\mscfile\shell\open\command
  • 0x63160:$s1: \Classes\mscfile\shell\open\command
  • 0x63148:$s2: eventvwr.exe
Source: 0.2.018292540-LetterReguranPPI-20230814215304.PDF.exe.4cd7ae0.1.unpack | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
Source: 0.2.018292540-LetterReguranPPI-20230814215304.PDF.exe.4cd7ae0.1.unpack | Rule: Windows_Trojan_Remcos_b296e965 | Description: unknown | Author: unknown
  • 0x661e0:$a1: Remcos restarted by watchdog!
  • 0x66738:$a3: %02i:%02i:%02i:%03i
  • 0x66abd:$a4: * Remcos v
Source: 0.2.018292540-LetterReguranPPI-20230814215304.PDF.exe.4cd7ae0.1.unpack | Rule: REMCOS_RAT_variants | Description: unknown | Author: unknown
  • 0x611e4:$str_a1: C:\Windows\System32\cmd.exe
  • 0x61160:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x61160:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x60610:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x60e48:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x6020c:$str_b2: Executing file:
  • 0x61328:$str_b3: GetDirectListeningPort
  • 0x60c08:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x60e30:$str_b7: \update.vbs
  • 0x60234:$str_b9: Downloaded file:
  • 0x60220:$str_b10: Downloading file:
  • 0x602c4:$str_b12: Failed to upload file:
  • 0x612f0:$str_b13: StartForward
  • 0x61310:$str_b14: StopForward
  • 0x60dd8:$str_b15: fso.DeleteFile "
  • 0x60d6c:$str_b16: On Error Resume Next
  • 0x60e08:$str_b17: fso.DeleteFolder "
  • 0x602b4:$str_b18: Uploaded file:
  • 0x60274:$str_b19: Unable to delete:
  • 0x60da0:$str_b20: while fso.FileExists("
  • 0x60749:$str_c0: [Firefox StoredLogins not found]
Source: 0.2.018292540-LetterReguranPPI-20230814215304.PDF.exe.4cd7ae0.1.unpack | Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer | Description: detects Windows executables potentially bypassing UAC using eventvwr.exe | Author: ditekSHen
  • 0x60100:$s1: \Classes\mscfile\shell\open\command
  • 0x60160:$s1: \Classes\mscfile\shell\open\command
  • 0x60148:$s2: eventvwr.exe
Source: 3.2.018292540-LetterReguranPPI-20230814215304.PDF.exe.400000.0.unpack | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems) | Data: Command: "C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe", CommandLine: "C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe", CommandLine|base64offset|contains: , Image: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe, NewProcessName: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe, OriginalFileName: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe", ProcessId: 1224, ProcessName: 018292540-LetterReguranPPI-20230814215304.PDF.exe

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-22T14:17:12.355656+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49707 | 154.216.20.185 | 3142 | TCP
2024-11-22T14:17:15.161615+0100 | 2803304 | 3 | Unknown Traffic | 192.168.2.5 | 49709 | 178.237.33.50 | 80 | TCP

AV Detection

Source: oyo.work.gd | Avira URL Cloud: Label: malware
Source: 00000003.00000002.4563518017.000000000117A000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: Remcos {"Host:Port:Password": ["oyo.work.gd:3142:1"], "Assigned name": "Host", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "ios", "Hide file": "Disable", "Mutex": "jkm-I9KENP", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Enable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "vlc", "Keylog folder": "pdf", "Keylog file max size": "100"}
Source: 018292540-LetterReguranPPI-20230814215304.PDF.exe | ReversingLabs: Detection: 60%
Source: Yara match | File source: 0.2.018292540-LetterReguranPPI-20230814215304.PDF.exe.4cd7ae0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.018292540-LetterReguranPPI-20230814215304.PDF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.018292540-LetterReguranPPI-20230814215304.PDF.exe.429e908.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.018292540-LetterReguranPPI-20230814215304.PDF.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.018292540-LetterReguranPPI-20230814215304.PDF.exe.4cd7ae0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.018292540-LetterReguranPPI-20230814215304.PDF.exe.429e908.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.4563518017.000000000117A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2121163899.0000000004CD7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2121163899.00000000041D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 018292540-LetterReguranPPI-20230814215304.PDF.exe PID: 1224, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 018292540-LetterReguranPPI-20230814215304.PDF.exe PID: 6380, type: MEMORYSTR
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: 018292540-LetterReguranPPI-20230814215304.PDF.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe | Code function: 3_2_004315EC CryptAcquireContextA,CryptGenRandom,CryptReleaseContext
Source: 018292540-LetterReguranPPI-20230814215304.PDF.exe, 00000000.00000002.2121163899.0000000004CD7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: -----BEGIN PUBLIC KEY-----memstr_84dc048d-d
Source: 018292540-LetterReguranPPI-20230814215304.PDF.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 018292540-LetterReguranPPI-20230814215304.PDF.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: zjeK.pdb | source: 018292540-LetterReguranPPI-20230814215304.PDF.exe
Source: Binary string: zjeK.pdbSHA256y | source: 018292540-LetterReguranPPI-20230814215304.PDF.exe
Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe | Code function: 3_2_0041A01B FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose
Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe | Code function: 3_2_0040B28E FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe | Code function: 3_2_0040838E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe | Code function: 3_2_004087A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe | Code function: 3_2_00407848 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe | Code function: 3_2_004068CD FindFirstFileW,FindNextFileW
Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe | Code function: 3_2_0044BA59 FindFirstFileExA
Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe | Code function: 3_2_0040AA71 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe | Code function: 3_2_00417AAB FindFirstFileW,FindNextFileW,FindNextFileW
Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe | Code function: 3_2_0040AC78 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose
Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe | Code function: 3_2_00406D28 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW

Networking

Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:49707 -> 154.216.20.185:3142
Source: Malware configuration extractor | URLs: oyo.work.gd
Source: global traffic | TCP traffic: 192.168.2.5:49707 -> 154.216.20.185:3142
Source: global traffic | HTTP traffic detected: GET /json.gp HTTP/1.1 (Host: geoplugin.net, Cache-Control: no-cache)
Source: Joe Sandbox View | IP Address: 178.237.33.50
Source: Network traffic | Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.5:49709 -> 178.237.33.50:80
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (reported 4 times)
Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe | Code function: 3_2_0041936B InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle
Source: global traffic | HTTP traffic detected: GET /json.gp HTTP/1.1 (Host: geoplugin.net, Cache-Control: no-cache)
Source: global traffic | DNS traffic detected: DNS query: oyo.work.gd
Source: global traffic | DNS traffic detected: DNS query: geoplugin.net
Source: 018292540-LetterReguranPPI-20230814215304.PDF.exe, 00000003.00000002.4563518017.000000000117A000.00000004.00000020.00020000.00000000.sdmp, 018292540-LetterReguranPPI-20230814215304.PDF.exe, 00000003.00000002.4563667041.00000000011C3000.00000004.00000020.00020000.00000000.sdmp, 018292540-LetterReguranPPI-20230814215304.PDF.exe, 00000003.00000002.4563667041.00000000011B6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp
Source: 018292540-LetterReguranPPI-20230814215304.PDF.exe, 00000000.00000002.2121163899.0000000004CD7000.00000004.00000800.00020000.00000000.sdmp, 018292540-LetterReguranPPI-20230814215304.PDF.exe, 00000000.00000002.2121163899.00000000041D9000.00000004.00000800.00020000.00000000.sdmp, 018292540-LetterReguranPPI-20230814215304.PDF.exe, 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp/C
Source: 018292540-LetterReguranPPI-20230814215304.PDF.exe, 00000003.00000002.4563667041.00000000011B6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpl

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe | Code function: 3_2_00409340 SetWindowsHookExA 0000000D,0040932C,00000000
Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe | Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe
Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe | Code function: 3_2_0040A65A OpenClipboard,GetClipboardData,CloseClipboard
Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe | Code function: 3_2_00414EC1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard
Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe | Code function: 3_2_0040A65A OpenClipboard,GetClipboardData,CloseClipboard
Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe | Code function: 3_2_00409468 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx

E-Banking Fraud

Source: Yara match | File source: 0.2.018292540-LetterReguranPPI-20230814215304.PDF.exe.4cd7ae0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.018292540-LetterReguranPPI-20230814215304.PDF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.018292540-LetterReguranPPI-20230814215304.PDF.exe.429e908.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.018292540-LetterReguranPPI-20230814215304.PDF.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.018292540-LetterReguranPPI-20230814215304.PDF.exe.4cd7ae0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.018292540-LetterReguranPPI-20230814215304.PDF.exe.429e908.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.4563518017.000000000117A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2121163899.0000000004CD7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2121163899.00000000041D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 018292540-LetterReguranPPI-20230814215304.PDF.exe PID: 1224, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 018292540-LetterReguranPPI-20230814215304.PDF.exe PID: 6380, type: MEMORYSTR

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe | Code function: 3_2_0041A76C SystemParametersInfoW

System Summary

Source: 0.2.018292540-LetterReguranPPI-20230814215304.PDF.exe.4cd7ae0.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
Source: 0.2.018292540-LetterReguranPPI-20230814215304.PDF.exe.4cd7ae0.1.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants | Author: unknown
Source: 0.2.018292540-LetterReguranPPI-20230814215304.PDF.exe.4cd7ae0.1.unpack, type: UNPACKEDPE | Matched rule: detects Windows executables potentially bypassing UAC using eventvwr.exe | Author: ditekSHen
Source: 3.2.018292540-LetterReguranPPI-20230814215304.PDF.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
Source: 3.2.018292540-LetterReguranPPI-20230814215304.PDF.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants | Author: unknown
Source: 3.2.018292540-LetterReguranPPI-20230814215304.PDF.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detects Windows executables potentially bypassing UAC using eventvwr.exe | Author: ditekSHen
Source: 0.2.018292540-LetterReguranPPI-20230814215304.PDF.exe.429e908.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
Source: 0.2.018292540-LetterReguranPPI-20230814215304.PDF.exe.429e908.2.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants | Author: unknown
Source: 0.2.018292540-LetterReguranPPI-20230814215304.PDF.exe.429e908.2.unpack, type: UNPACKEDPE | Matched rule: detects Windows executables potentially bypassing UAC using eventvwr.exe | Author: ditekSHen
Source: 3.2.018292540-LetterReguranPPI-20230814215304.PDF.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
Source: 3.2.018292540-LetterReguranPPI-20230814215304.PDF.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants | Author: unknown
Source: 3.2.018292540-LetterReguranPPI-20230814215304.PDF.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detects Windows executables potentially bypassing UAC using eventvwr.exe | Author: ditekSHen
Source: 0.2.018292540-LetterReguranPPI-20230814215304.PDF.exe.4cd7ae0.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
Source: 0.2.018292540-LetterReguranPPI-20230814215304.PDF.exe.4cd7ae0.1.raw.unpack, type: UNPACKEDPE | Matched rule: detects Windows executables potentially bypassing UAC using eventvwr.exe | Author: ditekSHen
Source: 0.2.018292540-LetterReguranPPI-20230814215304.PDF.exe.429e908.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
Source: 0.2.018292540-LetterReguranPPI-20230814215304.PDF.exe.429e908.2.raw.unpack, type: UNPACKEDPE | Matched rule: detects Windows executables potentially bypassing UAC using eventvwr.exe | Author: ditekSHen
Source: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
Source: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants | Author: unknown
Source: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: detects Windows executables potentially bypassing UAC using eventvwr.exe | Author: ditekSHen
Source: 00000000.00000002.2121163899.0000000004CD7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
Source: 00000000.00000002.2121163899.00000000041D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
Source: Process Memory Space: 018292540-LetterReguranPPI-20230814215304.PDF.exe PID: 1224, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
Source: Process Memory Space: 018292540-LetterReguranPPI-20230814215304.PDF.exe PID: 6380, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
Source: initial sample | Static PE information: Filename: 018292540-LetterReguranPPI-20230814215304.PDF.exe
Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe | Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe | Code function: 3_2_00414DB4 ExitWindowsEx,LoadLibraryA,GetProcAddress
Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe | Code function: 0_2_01604204
Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe | Code function: 0_2_01606F90
Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe | Code function: 0_2_0160DED4
Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe | Code function: 0_2_05CA83D0
Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe | Code function: 0_2_05CA97D8
Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe | Code function: 0_2_05CA7728
Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe | Code function: 0_2_05CA7F88
Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe | Code function: 0_2_05CA7F98
Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe | Code function: 0_2_05CA7B60
Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe | Code function: 3_2_00425152
Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe | Code function: 3_2_00435286
Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe | Code function: 3_2_004513D4
Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe | Code function: 3_2_0045050B
Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe | Code function: 3_2_00436510
Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe | Code function: 3_2_004316FB
Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe | Code function: 3_2_0043569E
Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe | Code function: 3_2_00443700
Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe | Code function: 3_2_004257FB
Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe | Code function: 3_2_004128E3
Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe | Code function: 3_2_00425964
Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe | Code function: 3_2_0041B917
Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe | Code function: 3_2_0043D9CC
Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe | Code function: 3_2_00435AD3
Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe | Code function: 3_2_00424BC3
Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe | Code function: 3_2_0043DBFB
Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe | Code function: 3_2_0044ABA9
Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe | Code function: 3_2_00433C0B
Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe | Code function: 3_2_00434D8A
Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe | Code function: 3_2_0043DE2A
Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe | Code function: 3_2_0041CEAF
Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe | Code function: 3_2_00435F08
Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe | Code function: String function: 00402073 appears 51 times
Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe | Code function: String function: 00432B90 appears 53 times
Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe | Code function: String function: 00432525 appears 41 times
Source: 018292540-LetterReguranPPI-20230814215304.PDF.exe, 00000000.00000002.2119999802.0000000003258000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameArthur.dll" vs 018292540-LetterReguranPPI-20230814215304.PDF.exe
Source: 018292540-LetterReguranPPI-20230814215304.PDF.exe, 00000000.00000002.2121163899.00000000041D9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs 018292540-LetterReguranPPI-20230814215304.PDF.exe
Source: 018292540-LetterReguranPPI-20230814215304.PDF.exe, 00000000.00000002.2124309926.0000000007740000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs 018292540-LetterReguranPPI-20230814215304.PDF.exe
Source: 018292540-LetterReguranPPI-20230814215304.PDF.exe, 00000000.00000002.2123778763.0000000005C80000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameArthur.dll" vs 018292540-LetterReguranPPI-20230814215304.PDF.exe
Source: 018292540-LetterReguranPPI-20230814215304.PDF.exe, 00000000.00000002.2119999802.00000000032D0000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameArthur.dll" vs 018292540-LetterReguranPPI-20230814215304.PDF.exe
Source: 018292540-LetterReguranPPI-20230814215304.PDF.exe | Binary or memory string: OriginalFilenamezjeK.exeJ vs 018292540-LetterReguranPPI-20230814215304.PDF.exe
Source: 018292540-LetterReguranPPI-20230814215304.PDF.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
          Source: 0.2.018292540-LetterReguranPPI-20230814215304.PDF.exe.4cd7ae0.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
          Source: 0.2.018292540-LetterReguranPPI-20230814215304.PDF.exe.4cd7ae0.1.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
          Source: 0.2.018292540-LetterReguranPPI-20230814215304.PDF.exe.4cd7ae0.1.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
          Source: 3.2.018292540-LetterReguranPPI-20230814215304.PDF.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
          Source: 3.2.018292540-LetterReguranPPI-20230814215304.PDF.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
          Source: 3.2.018292540-LetterReguranPPI-20230814215304.PDF.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
          Source: 0.2.018292540-LetterReguranPPI-20230814215304.PDF.exe.429e908.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
          Source: 0.2.018292540-LetterReguranPPI-20230814215304.PDF.exe.429e908.2.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
          Source: 0.2.018292540-LetterReguranPPI-20230814215304.PDF.exe.429e908.2.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
          Source: 3.2.018292540-LetterReguranPPI-20230814215304.PDF.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
          Source: 3.2.018292540-LetterReguranPPI-20230814215304.PDF.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
          Source: 3.2.018292540-LetterReguranPPI-20230814215304.PDF.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
          Source: 0.2.018292540-LetterReguranPPI-20230814215304.PDF.exe.4cd7ae0.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
          Source: 0.2.018292540-LetterReguranPPI-20230814215304.PDF.exe.4cd7ae0.1.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
          Source: 0.2.018292540-LetterReguranPPI-20230814215304.PDF.exe.429e908.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
          Source: 0.2.018292540-LetterReguranPPI-20230814215304.PDF.exe.429e908.2.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
          Source: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
          Source: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
          Source: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
          Source: 00000000.00000002.2121163899.0000000004CD7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
          Source: 00000000.00000002.2121163899.00000000041D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
          Source: Process Memory Space: 018292540-LetterReguranPPI-20230814215304.PDF.exe PID: 1224, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
          Source: Process Memory Space: 018292540-LetterReguranPPI-20230814215304.PDF.exe PID: 6380, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
          Source: 018292540-LetterReguranPPI-20230814215304.PDF.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: 0.2.018292540-LetterReguranPPI-20230814215304.PDF.exe.4358328.3.raw.unpack, woR9Eg0Q9801FPuSXk.csSecurity API names: _0020.SetAccessControl
          Source: 0.2.018292540-LetterReguranPPI-20230814215304.PDF.exe.4358328.3.raw.unpack, woR9Eg0Q9801FPuSXk.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
          Source: 0.2.018292540-LetterReguranPPI-20230814215304.PDF.exe.4358328.3.raw.unpack, woR9Eg0Q9801FPuSXk.csSecurity API names: _0020.AddAccessRule
          Source: 0.2.018292540-LetterReguranPPI-20230814215304.PDF.exe.7740000.5.raw.unpack, laiXiEOHsVj1lH9DPO.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
          Source: 0.2.018292540-LetterReguranPPI-20230814215304.PDF.exe.7740000.5.raw.unpack, laiXiEOHsVj1lH9DPO.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
          Source: 0.2.018292540-LetterReguranPPI-20230814215304.PDF.exe.7740000.5.raw.unpack, woR9Eg0Q9801FPuSXk.csSecurity API names: _0020.SetAccessControl
          Source: 0.2.018292540-LetterReguranPPI-20230814215304.PDF.exe.7740000.5.raw.unpack, woR9Eg0Q9801FPuSXk.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
          Source: 0.2.018292540-LetterReguranPPI-20230814215304.PDF.exe.7740000.5.raw.unpack, woR9Eg0Q9801FPuSXk.csSecurity API names: _0020.AddAccessRule
          Source: 0.2.018292540-LetterReguranPPI-20230814215304.PDF.exe.4358328.3.raw.unpack, laiXiEOHsVj1lH9DPO.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
          Source: 0.2.018292540-LetterReguranPPI-20230814215304.PDF.exe.4358328.3.raw.unpack, laiXiEOHsVj1lH9DPO.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
          Source: classification engineClassification label: mal100.rans.troj.spyw.evad.winEXE@3/3@4/2
          Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exeCode function: 3_2_00415C90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,3_2_00415C90
          Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exeCode function: 3_2_0040E2E7 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,Process32NextW,CloseHandle,3_2_0040E2E7
          Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exeCode function: 3_2_00419493 FindResourceA,LoadResource,LockResource,SizeofResource,3_2_00419493
          Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exeCode function: 3_2_00418A00 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,3_2_00418A00
          Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\018292540-LetterReguranPPI-20230814215304.PDF.exe.logJump to behavior
          Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exeMutant created: NULL
          Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exeMutant created: \Sessions\1\BaseNamedObjects\jkm-I9KENP
          Source: 018292540-LetterReguranPPI-20230814215304.PDF.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: 018292540-LetterReguranPPI-20230814215304.PDF.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
          Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
          Source: 018292540-LetterReguranPPI-20230814215304.PDF.exeReversingLabs: Detection: 60%
          Source: unknownProcess created: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe "C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe"
          Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exeProcess created: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe "C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe"
          Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exeProcess created: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe "C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe"Jump to behavior
          Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exeSection loaded: mscoree.dllJump to behavior
          Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exeSection loaded: apphelp.dllJump to behavior
          Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exeSection loaded: version.dllJump to behavior
          Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
          Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
          Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
          Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exeSection loaded: uxtheme.dllJump to behavior
          Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exeSection loaded: windows.storage.dllJump to behavior
          Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exeSection loaded: wldp.dllJump to behavior
          Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exeSection loaded: profapi.dllJump to behavior
          Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exeSection loaded: cryptsp.dllJump to behavior
          Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exeSection loaded: rsaenh.dllJump to behavior
          Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exeSection loaded: cryptbase.dllJump to behavior
          Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exeSection loaded: dwrite.dllJump to behavior
          Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exeSection loaded: textshaping.dllJump to behavior
          Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exeSection loaded: windowscodecs.dllJump to behavior
          Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exeSection loaded: amsi.dllJump to behavior
          Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exeSection loaded: userenv.dllJump to behavior
          Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exeSection loaded: msasn1.dllJump to behavior
          Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exeSection loaded: gpapi.dllJump to behavior
          Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exeSection loaded: winmm.dllJump to behavior
          Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exeSection loaded: urlmon.dllJump to behavior
          Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exeSection loaded: wininet.dllJump to behavior
          Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exeSection loaded: iertutil.dllJump to behavior
          Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exeSection loaded: srvcli.dllJump to behavior
          Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exeSection loaded: netutils.dllJump to behavior
          Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exeSection loaded: sspicli.dllJump to behavior
          Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exeSection loaded: mswsock.dllJump to behavior
          Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exeSection loaded: dnsapi.dllJump to behavior
          Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exeSection loaded: iphlpapi.dllJump to behavior
          Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exeSection loaded: rasadhlp.dllJump to behavior
          Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exeSection loaded: fwpuclnt.dllJump to behavior
          Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exeSection loaded: cryptsp.dllJump to behavior
          Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exeSection loaded: rsaenh.dllJump to behavior
          Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exeSection loaded: cryptbase.dllJump to behavior
          Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exeSection loaded: windows.storage.dllJump to behavior
          Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exeSection loaded: wldp.dllJump to behavior
          Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exeSection loaded: profapi.dllJump to behavior
          Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
          Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exeSection loaded: winhttp.dllJump to behavior
          Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exeSection loaded: winnsi.dllJump to behavior
          Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
          Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
          Source: 018292540-LetterReguranPPI-20230814215304.PDF.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: 018292540-LetterReguranPPI-20230814215304.PDF.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
          Source: 018292540-LetterReguranPPI-20230814215304.PDF.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: Binary string: zjeK.pdb source: 018292540-LetterReguranPPI-20230814215304.PDF.exe
          Source: Binary string: zjeK.pdbSHA256y source: 018292540-LetterReguranPPI-20230814215304.PDF.exe

          Data Obfuscation

          Source: 0.2.018292540-LetterReguranPPI-20230814215304.PDF.exe.4358328.3.raw.unpack, woR9Eg0Q9801FPuSXk.cs .Net Code: mmHDAsF1FN System.Reflection.Assembly.Load(byte[])
          Source: 0.2.018292540-LetterReguranPPI-20230814215304.PDF.exe.7740000.5.raw.unpack, woR9Eg0Q9801FPuSXk.cs .Net Code: mmHDAsF1FN System.Reflection.Assembly.Load(byte[])
          Source: 018292540-LetterReguranPPI-20230814215304.PDF.exe Static PE information: 0xE0A2DAA6 [Sun Jun 5 00:19:50 2089 UTC]
          Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe Code function: 3_2_0041A8DA LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress
          Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe Code function: 0_2_0160B670 push 14418B05h; ret 0_2_0160B683
          Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe Code function: 0_2_05CA4D46 push eax; iretd 0_2_05CA4D47
          Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe Code function: 3_2_004000D8 push es; iretd 3_2_004000D9
          Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe Code function: 3_2_0040008C push es; iretd 3_2_0040008D
          Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe Code function: 3_2_004542E6 push ecx; ret 3_2_004542F9
          Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe Code function: 3_2_0045B4FD push esi; ret 3_2_0045B506
          Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe Code function: 3_2_00432BD6 push ecx; ret 3_2_00432BE9
          Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe Code function: 3_2_00454C08 push eax; ret 3_2_00454C26
          Source: 018292540-LetterReguranPPI-20230814215304.PDF.exe Static PE information: section name: .text entropy: 7.897730360364982
          Source: 0.2.018292540-LetterReguranPPI-20230814215304.PDF.exe.4358328.3.raw.unpack, J6XhibJTUUhBPsL2Qk.cs High entropy of concatenated method names: 'Dispose', 'y6mMmxrfE9', 'mfOYacr8GX', 'PHTl0wW2wP', 'tVmMxPlaRp', 'GjkMzYTmcK', 'ProcessDialogKey', 'NnLYKvlswZ', 'R25YMfO6kO', 'nsTYYClOVR'
          Source: 0.2.018292540-LetterReguranPPI-20230814215304.PDF.exe.4358328.3.raw.unpack, u9rupWGRkTwk6Pg0Cm.cs High entropy of concatenated method names: 'ToString', 'CuQqianULD', 'mj7qanqal7', 'KxRqUoQ0UT', 'DHgqh7kydG', 'lTWqs0vNjI', 'hW4qQ7wStv', 'd9CqTcGlBh', 'eW4q3GEdQk', 'GSHq1285Yu'
          Source: 0.2.018292540-LetterReguranPPI-20230814215304.PDF.exe.4358328.3.raw.unpack, ovwI08MMpqAVIskWkqn.cs High entropy of concatenated method names: 'k9llx9ZXto', 'OTElzyD2LL', 'Yrh9KdmY2W', 'UA29M2icys', 'hG99Yjxhk2', 'snu9tjguHf', 'pjv9DHrhJI', 'nBt98EvlBu', 'wxV95HCkop', 'vC69J1M8WH'
          Source: 0.2.018292540-LetterReguranPPI-20230814215304.PDF.exe.4358328.3.raw.unpack, tn4jqgnV06rsQAC7Qh.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'cK2YmuYMFS', 'zuFYx4SCmy', 'HshYz4qh9u', 'yG7tKdypsB', 'fXKtMPbqWr', 'OcTtYHa8jO', 'kyJtttgtAG', 'ouhdlecvv07mxas6nDb'
          Source: 0.2.018292540-LetterReguranPPI-20230814215304.PDF.exe.4358328.3.raw.unpack, zsiM0BzqSEy1HHtnfT.cs High entropy of concatenated method names: 'aDZljBMw2a', 'K05lO28Ogc', 'Aesld5LY3P', 'zTGlewRqoD', 'UQolaH3InX', 'Y3Dlhx7R7k', 'nn4lsyS2Xk', 'fuYlZxD6tj', 'pLNlH1tUTn', 'pY7lX0gS6V'
          Source: 0.2.018292540-LetterReguranPPI-20230814215304.PDF.exe.4358328.3.raw.unpack, iYDUj7MKnWs6Y7tEtwC.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'MjAliOmcCd', 'FkIlv5nEZT', 'ITplSLvrlg', 'Y5Sl2nD75O', 'WbclVQrOki', 'aV4lGedfc3', 'CFGlo5hJdw'
          Source: 0.2.018292540-LetterReguranPPI-20230814215304.PDF.exe.4358328.3.raw.unpack, AlOVR5x1Joa7HNnZFg.cs High entropy of concatenated method names: 'MtblnZSU2k', 'LOMlPBgEa3', 'UFqlbPkglk', 't3olptLhhZ', 'Qh9l4TyQoY', 'kNXl0Xxyxm', 'Next', 'Next', 'Next', 'NextBytes'
          Source: 0.2.018292540-LetterReguranPPI-20230814215304.PDF.exe.4358328.3.raw.unpack, uEiW19THKfn7dlQKbp.cs High entropy of concatenated method names: 'X51p5p82Rx', 'dGlpnnoS2c', 'tZ9pbBBNN7', 'JGfbx6COsC', 'Hydbz5Q1F8', 'QXMpKrX2Fd', 'CZEpMwWo7e', 'z6TpY5oPGv', 'FsXpt0OpdO', 'nxypDnj8q6'
          Source: 0.2.018292540-LetterReguranPPI-20230814215304.PDF.exe.4358328.3.raw.unpack, YEe08woVQ9CvmecFhO.cs High entropy of concatenated method names: 'zaIcrWPwsc', 'VIhcgOMnYL', 'ToString', 'qOZc5iLlYG', 'p5xcJkUGwU', 'fascnrTepw', 'wi5cPr8BSF', 'hficbC5F0e', 'hE3cpT36cZ', 'jVOc02E8Jf'
          Source: 0.2.018292540-LetterReguranPPI-20230814215304.PDF.exe.4358328.3.raw.unpack, VvlswZm225fO6kO7sT.cs High entropy of concatenated method names: 'zJN4efQ5a3', 'PrZ4aFbsnE', 'OCA4UpED4d', 'vaQ4hCvAq6', 'AoX4sJyrIu', 'oLQ4QS5n8J', 'DSH4Tnws8J', 'ncX43Uv391', 'nx341U0JjF', 'r5m46yYkDo'
          Source: 0.2.018292540-LetterReguranPPI-20230814215304.PDF.exe.4358328.3.raw.unpack, kEVatxDyaDBqZgvDgI.cs High entropy of concatenated method names: 'bsyMpaiXiE', 'xsVM0j1lH9', 'U39MrHFuxa', 'gMOMgs4e8b', 'JsgMu4HZfk', 'QbHMqBbdMx', 'op9UCEUu3J7XxhRsJO', 'hGfQASsf0FUEspHjcR', 'sj4MMw68BH', 'HKOMt7FYP5'
          Source: 0.2.018292540-LetterReguranPPI-20230814215304.PDF.exe.4358328.3.raw.unpack, JqLG3SLr0SPaLZfBMX.cs High entropy of concatenated method names: 'ORvcNb9b4y', 'kmhcxq4A0k', 'MPQIKyAmpW', 'Jy5IMQhREm', 'OrkciEr9Sw', 'ncJcvgeUc2', 'XbZcSi513T', 'SN1c2Hc2K6', 'nI8cVP11Fl', 'fG8cG5UfR6'
          Source: 0.2.018292540-LetterReguranPPI-20230814215304.PDF.exe.4358328.3.raw.unpack, ns1R1sMt6JslygQTXsm.cs High entropy of concatenated method names: 'eGm9x4PJRV', 'M1d9zDmoVN', 'TmgEKdrkV3', 'S0ZHF3I6PIXOcOWFBje', 'FX5mJ4IIoS3pSf2DBve', 'VLmTaNIvEkrsClirj1b', 'MuYJLII2FkmgrU5XQM7'
          Source: 0.2.018292540-LetterReguranPPI-20230814215304.PDF.exe.4358328.3.raw.unpack, re8bDwwvVbj40ssg4H.cs High entropy of concatenated method names: 'gWkPBL6NDe', 'ThOPkVmWO5', 'wtZnU0KUFq', 'F92nhIqGKe', 'zoknsy01HZ', 'PdVnQPkPJe', 'oa9nT2fZUe', 'CDYn3wH6lS', 'Ypmn1eXWKw', 'dF0n6S6BMd'
          Source: 0.2.018292540-LetterReguranPPI-20230814215304.PDF.exe.4358328.3.raw.unpack, laiXiEOHsVj1lH9DPO.cs High entropy of concatenated method names: 'zcBJ2mKEhB', 'U49JVpHsde', 'mYwJG0fdZN', 'NKtJoajKO8', 'o07JWRtgK1', 'bUBJL8x4bR', 'bwVJfGAl01', 'xxWJNR4G2R', 'XWOJm3e7Yx', 'MJvJxKajxK'
          Source: 0.2.018292540-LetterReguranPPI-20230814215304.PDF.exe.4358328.3.raw.unpack, GafaLWd39HFuxaJMOs.cs High entropy of concatenated method names: 'srqnCX5iM9', 'FQxnj3x1lZ', 'swYnOt6lvx', 'MVfndhnMlG', 'IdqnujW3Jb', 'th3nq83BTD', 'kV7ncp31Q5', 'FGSnInPdBX', 'G1Tn4CYkIc', 'mCDnlsRxjg'
          Source: 0.2.018292540-LetterReguranPPI-20230814215304.PDF.exe.4358328.3.raw.unpack, woR9Eg0Q9801FPuSXk.cs High entropy of concatenated method names: 'Vlxt8kRllL', 'AQHt5LSqNL', 'dEgtJXrc5a', 'nBItn5vMIo', 'UgOtP67fbp', 'Bn8tbWNZr3', 'kbGtpB0r5c', 'p9Vt0Gtu72', 'A2VtyuK58Z', 'fBTtrBEwRP'
          Source: 0.2.018292540-LetterReguranPPI-20230814215304.PDF.exe.4358328.3.raw.unpack, Y4N0Ma1gJ7wjXTYPAR.cs High entropy of concatenated method names: 'WDupH2LCdH', 'aOfpXQaiGQ', 'yJwpAYQ2Ob', 'ludpC61KMn', 'AIFpBqkIRf', 'B4DpjWNHkE', 'p6IpkCpJre', 'PH6pOrGrbJ', 'sebpdtnCxF', 'V3GpwIjbsf'
          Source: 0.2.018292540-LetterReguranPPI-20230814215304.PDF.exe.4358328.3.raw.unpack, SW0wbLfU8X6mxrfE99.cs High entropy of concatenated method names: 'mBK4ubqe0X', 'yb64cCctlV', 'Dnb44nA6a4', 'Car494O4Ri', 't7Y4FXQ3rf', 'feB4ZFmgAF', 'Dispose', 'ogGI5Q5Gom', 'rFtIJIqwWO', 'yl8InwYD23'
          Source: 0.2.018292540-LetterReguranPPI-20230814215304.PDF.exe.4358328.3.raw.unpack, deVP7oSkkpR8HfRC18.cs High entropy of concatenated method names: 'Efu7OLp4RI', 'bEU7dLqtaG', 'gir7ep8kFL', 'GMh7aBRi3J', 'fgq7hxqNdN', 'eUV7s8Dw0l', 'jbi7TUISRj', 'H3I7312XcU', 'fiP76VXlsw', 'Ap67ifH3X1'
          Source: 0.2.018292540-LetterReguranPPI-20230814215304.PDF.exe.4358328.3.raw.unpack, YLeJppMDbdQhk4vdwTI.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'PyhE4NarCT', 'lqoElGhlfI', 'TyVE95BHSD', 'R45EEVdRNI', 'Ly9EFKaABK', 'ujVERHYohV', 'mTfEZk8GSE'
          Source: 0.2.018292540-LetterReguranPPI-20230814215304.PDF.exe.4358328.3.raw.unpack, oYNaNTY63no1HPtwbj.cs High entropy of concatenated method names: 'oYFAPtC2p', 'flcCtr3WC', 'E8pjX5oAV', 'WPEkHOrNf', 'SZFdQOOLE', 'TpNwmwfaW', 'S7MwpEjirjTpU6YBYe', 't1YLomMDwO9hWuwq1A', 'FMwIOdn4P', 'xtTlC55Hi'
          Source: 0.2.018292540-LetterReguranPPI-20230814215304.PDF.exe.4358328.3.raw.unpack, wfk2bHeBbdMx8MW0IW.cs High entropy of concatenated method names: 'PLfb8o8jmS', 'h3ZbJpihG6', 'yVDbPyQLyQ', 'fPwbpUu9ik', 'bvsb0ohbDx', 'V96PWknOde', 'jAlPLldD2o', 'bt5Pf7cDX7', 'KrTPNxLrXi', 'GvZPm0rejA'
          Source: 0.2.018292540-LetterReguranPPI-20230814215304.PDF.exe.7740000.5.raw.unpack, J6XhibJTUUhBPsL2Qk.csHigh entropy of concatenated method names: 'Dispose', 'y6mMmxrfE9', 'mfOYacr8GX', 'PHTl0wW2wP', 'tVmMxPlaRp', 'GjkMzYTmcK', 'ProcessDialogKey', 'NnLYKvlswZ', 'R25YMfO6kO', 'nsTYYClOVR'
          Source: 0.2.018292540-LetterReguranPPI-20230814215304.PDF.exe.7740000.5.raw.unpack, u9rupWGRkTwk6Pg0Cm.csHigh entropy of concatenated method names: 'ToString', 'CuQqianULD', 'mj7qanqal7', 'KxRqUoQ0UT', 'DHgqh7kydG', 'lTWqs0vNjI', 'hW4qQ7wStv', 'd9CqTcGlBh', 'eW4q3GEdQk', 'GSHq1285Yu'
          Source: 0.2.018292540-LetterReguranPPI-20230814215304.PDF.exe.7740000.5.raw.unpack, ovwI08MMpqAVIskWkqn.csHigh entropy of concatenated method names: 'k9llx9ZXto', 'OTElzyD2LL', 'Yrh9KdmY2W', 'UA29M2icys', 'hG99Yjxhk2', 'snu9tjguHf', 'pjv9DHrhJI', 'nBt98EvlBu', 'wxV95HCkop', 'vC69J1M8WH'
          Source: 0.2.018292540-LetterReguranPPI-20230814215304.PDF.exe.7740000.5.raw.unpack, tn4jqgnV06rsQAC7Qh.csHigh entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'cK2YmuYMFS', 'zuFYx4SCmy', 'HshYz4qh9u', 'yG7tKdypsB', 'fXKtMPbqWr', 'OcTtYHa8jO', 'kyJtttgtAG', 'ouhdlecvv07mxas6nDb'
          Source: 0.2.018292540-LetterReguranPPI-20230814215304.PDF.exe.7740000.5.raw.unpack, zsiM0BzqSEy1HHtnfT.csHigh entropy of concatenated method names: 'aDZljBMw2a', 'K05lO28Ogc', 'Aesld5LY3P', 'zTGlewRqoD', 'UQolaH3InX', 'Y3Dlhx7R7k', 'nn4lsyS2Xk', 'fuYlZxD6tj', 'pLNlH1tUTn', 'pY7lX0gS6V'
          Source: 0.2.018292540-LetterReguranPPI-20230814215304.PDF.exe.7740000.5.raw.unpack, iYDUj7MKnWs6Y7tEtwC.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'MjAliOmcCd', 'FkIlv5nEZT', 'ITplSLvrlg', 'Y5Sl2nD75O', 'WbclVQrOki', 'aV4lGedfc3', 'CFGlo5hJdw'
          Source: 0.2.018292540-LetterReguranPPI-20230814215304.PDF.exe.7740000.5.raw.unpack, AlOVR5x1Joa7HNnZFg.csHigh entropy of concatenated method names: 'MtblnZSU2k', 'LOMlPBgEa3', 'UFqlbPkglk', 't3olptLhhZ', 'Qh9l4TyQoY', 'kNXl0Xxyxm', 'Next', 'Next', 'Next', 'NextBytes'
          Source: 0.2.018292540-LetterReguranPPI-20230814215304.PDF.exe.7740000.5.raw.unpack, uEiW19THKfn7dlQKbp.csHigh entropy of concatenated method names: 'X51p5p82Rx', 'dGlpnnoS2c', 'tZ9pbBBNN7', 'JGfbx6COsC', 'Hydbz5Q1F8', 'QXMpKrX2Fd', 'CZEpMwWo7e', 'z6TpY5oPGv', 'FsXpt0OpdO', 'nxypDnj8q6'
          Source: 0.2.018292540-LetterReguranPPI-20230814215304.PDF.exe.7740000.5.raw.unpack, YEe08woVQ9CvmecFhO.csHigh entropy of concatenated method names: 'zaIcrWPwsc', 'VIhcgOMnYL', 'ToString', 'qOZc5iLlYG', 'p5xcJkUGwU', 'fascnrTepw', 'wi5cPr8BSF', 'hficbC5F0e', 'hE3cpT36cZ', 'jVOc02E8Jf'
          Source: 0.2.018292540-LetterReguranPPI-20230814215304.PDF.exe.7740000.5.raw.unpack, VvlswZm225fO6kO7sT.csHigh entropy of concatenated method names: 'zJN4efQ5a3', 'PrZ4aFbsnE', 'OCA4UpED4d', 'vaQ4hCvAq6', 'AoX4sJyrIu', 'oLQ4QS5n8J', 'DSH4Tnws8J', 'ncX43Uv391', 'nx341U0JjF', 'r5m46yYkDo'
          Source: 0.2.018292540-LetterReguranPPI-20230814215304.PDF.exe.7740000.5.raw.unpack, kEVatxDyaDBqZgvDgI.csHigh entropy of concatenated method names: 'bsyMpaiXiE', 'xsVM0j1lH9', 'U39MrHFuxa', 'gMOMgs4e8b', 'JsgMu4HZfk', 'QbHMqBbdMx', 'op9UCEUu3J7XxhRsJO', 'hGfQASsf0FUEspHjcR', 'sj4MMw68BH', 'HKOMt7FYP5'
          Source: 0.2.018292540-LetterReguranPPI-20230814215304.PDF.exe.7740000.5.raw.unpack, JqLG3SLr0SPaLZfBMX.csHigh entropy of concatenated method names: 'ORvcNb9b4y', 'kmhcxq4A0k', 'MPQIKyAmpW', 'Jy5IMQhREm', 'OrkciEr9Sw', 'ncJcvgeUc2', 'XbZcSi513T', 'SN1c2Hc2K6', 'nI8cVP11Fl', 'fG8cG5UfR6'
          Source: 0.2.018292540-LetterReguranPPI-20230814215304.PDF.exe.7740000.5.raw.unpack, ns1R1sMt6JslygQTXsm.csHigh entropy of concatenated method names: 'eGm9x4PJRV', 'M1d9zDmoVN', 'TmgEKdrkV3', 'S0ZHF3I6PIXOcOWFBje', 'FX5mJ4IIoS3pSf2DBve', 'VLmTaNIvEkrsClirj1b', 'MuYJLII2FkmgrU5XQM7'
          Source: 0.2.018292540-LetterReguranPPI-20230814215304.PDF.exe.7740000.5.raw.unpack, re8bDwwvVbj40ssg4H.csHigh entropy of concatenated method names: 'gWkPBL6NDe', 'ThOPkVmWO5', 'wtZnU0KUFq', 'F92nhIqGKe', 'zoknsy01HZ', 'PdVnQPkPJe', 'oa9nT2fZUe', 'CDYn3wH6lS', 'Ypmn1eXWKw', 'dF0n6S6BMd'
          Source: 0.2.018292540-LetterReguranPPI-20230814215304.PDF.exe.7740000.5.raw.unpack, laiXiEOHsVj1lH9DPO.csHigh entropy of concatenated method names: 'zcBJ2mKEhB', 'U49JVpHsde', 'mYwJG0fdZN', 'NKtJoajKO8', 'o07JWRtgK1', 'bUBJL8x4bR', 'bwVJfGAl01', 'xxWJNR4G2R', 'XWOJm3e7Yx', 'MJvJxKajxK'
          Source: 0.2.018292540-LetterReguranPPI-20230814215304.PDF.exe.7740000.5.raw.unpack, GafaLWd39HFuxaJMOs.csHigh entropy of concatenated method names: 'srqnCX5iM9', 'FQxnj3x1lZ', 'swYnOt6lvx', 'MVfndhnMlG', 'IdqnujW3Jb', 'th3nq83BTD', 'kV7ncp31Q5', 'FGSnInPdBX', 'G1Tn4CYkIc', 'mCDnlsRxjg'
          Source: 0.2.018292540-LetterReguranPPI-20230814215304.PDF.exe.7740000.5.raw.unpack, woR9Eg0Q9801FPuSXk.csHigh entropy of concatenated method names: 'Vlxt8kRllL', 'AQHt5LSqNL', 'dEgtJXrc5a', 'nBItn5vMIo', 'UgOtP67fbp', 'Bn8tbWNZr3', 'kbGtpB0r5c', 'p9Vt0Gtu72', 'A2VtyuK58Z', 'fBTtrBEwRP'
          Source: 0.2.018292540-LetterReguranPPI-20230814215304.PDF.exe.7740000.5.raw.unpack, Y4N0Ma1gJ7wjXTYPAR.csHigh entropy of concatenated method names: 'WDupH2LCdH', 'aOfpXQaiGQ', 'yJwpAYQ2Ob', 'ludpC61KMn', 'AIFpBqkIRf', 'B4DpjWNHkE', 'p6IpkCpJre', 'PH6pOrGrbJ', 'sebpdtnCxF', 'V3GpwIjbsf'
          Source: 0.2.018292540-LetterReguranPPI-20230814215304.PDF.exe.7740000.5.raw.unpack, SW0wbLfU8X6mxrfE99.csHigh entropy of concatenated method names: 'mBK4ubqe0X', 'yb64cCctlV', 'Dnb44nA6a4', 'Car494O4Ri', 't7Y4FXQ3rf', 'feB4ZFmgAF', 'Dispose', 'ogGI5Q5Gom', 'rFtIJIqwWO', 'yl8InwYD23'
          Source: 0.2.018292540-LetterReguranPPI-20230814215304.PDF.exe.7740000.5.raw.unpack, deVP7oSkkpR8HfRC18.csHigh entropy of concatenated method names: 'Efu7OLp4RI', 'bEU7dLqtaG', 'gir7ep8kFL', 'GMh7aBRi3J', 'fgq7hxqNdN', 'eUV7s8Dw0l', 'jbi7TUISRj', 'H3I7312XcU', 'fiP76VXlsw', 'Ap67ifH3X1'
          Source: 0.2.018292540-LetterReguranPPI-20230814215304.PDF.exe.7740000.5.raw.unpack, YLeJppMDbdQhk4vdwTI.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'PyhE4NarCT', 'lqoElGhlfI', 'TyVE95BHSD', 'R45EEVdRNI', 'Ly9EFKaABK', 'ujVERHYohV', 'mTfEZk8GSE'
          Source: 0.2.018292540-LetterReguranPPI-20230814215304.PDF.exe.7740000.5.raw.unpack, oYNaNTY63no1HPtwbj.csHigh entropy of concatenated method names: 'oYFAPtC2p', 'flcCtr3WC', 'E8pjX5oAV', 'WPEkHOrNf', 'SZFdQOOLE', 'TpNwmwfaW', 'S7MwpEjirjTpU6YBYe', 't1YLomMDwO9hWuwq1A', 'FMwIOdn4P', 'xtTlC55Hi'
          Source: 0.2.018292540-LetterReguranPPI-20230814215304.PDF.exe.7740000.5.raw.unpack, wfk2bHeBbdMx8MW0IW.csHigh entropy of concatenated method names: 'PLfb8o8jmS', 'h3ZbJpihG6', 'yVDbPyQLyQ', 'fPwbpUu9ik', 'bvsb0ohbDx', 'V96PWknOde', 'jAlPLldD2o', 'bt5Pf7cDX7', 'KrTPNxLrXi', 'GvZPm0rejA'
          Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exeCode function: 3_2_004063C6 ShellExecuteW,URLDownloadToFileW,3_2_004063C6
          Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exeCode function: 3_2_00418A00 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,3_2_00418A00

          Hooking and other Techniques for Hiding and Protection

          Source: Possible double extension: pdf.exe Static PE information: 018292540-LetterReguranPPI-20230814215304.PDF.exe
          Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe Code function: 3_2_0041A8DA LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,3_2_0041A8DA
          Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          Source: Yara match File source: Process Memory Space: 018292540-LetterReguranPPI-20230814215304.PDF.exe PID: 1224, type: MEMORYSTR
          Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe Code function: 3_2_0040E18D Sleep,ExitProcess,3_2_0040E18D
          Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe Memory allocated: 1600000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe Memory allocated: 31D0000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe Memory allocated: 3020000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe Memory allocated: 9350000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe Memory allocated: A350000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe Memory allocated: A550000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe Memory allocated: B550000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,3_2_004186FE
          Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe Window / User API: threadDelayed 9337
          Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe Window / User API: foregroundWindowGot 1768
          Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe TID: 7056 Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe TID: 3840 Thread sleep count: 232 > 30
          Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe TID: 3840 Thread sleep time: -116000s >= -30000s
          Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe TID: 348 Thread sleep count: 187 > 30
          Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe TID: 348 Thread sleep time: -561000s >= -30000s
          Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe TID: 348 Thread sleep count: 9337 > 30
          Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe TID: 348 Thread sleep time: -28011000s >= -30000s
          Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe Code function: 3_2_0041A01B FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,3_2_0041A01B
          Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe Code function: 3_2_0040B28E FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,3_2_0040B28E
          Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe Code function: 3_2_0040838E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,3_2_0040838E
          Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe Code function: 3_2_004087A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,3_2_004087A0
          Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe Code function: 3_2_00407848 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,3_2_00407848
          Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe Code function: 3_2_004068CD FindFirstFileW,FindNextFileW,3_2_004068CD
          Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe Code function: 3_2_0044BA59 FindFirstFileExA,3_2_0044BA59
          Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe Code function: 3_2_0040AA71 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,3_2_0040AA71
          Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe Code function: 3_2_00417AAB FindFirstFileW,FindNextFileW,FindNextFileW,3_2_00417AAB
          Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe Code function: 3_2_0040AC78 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,3_2_0040AC78
          Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe Code function: 3_2_00406D28 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,3_2_00406D28
          Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe Thread delayed: delay time: 922337203685477
          Source: 018292540-LetterReguranPPI-20230814215304.PDF.exe, 00000003.00000002.4563518017.000000000117A000.00000004.00000020.00020000.00000000.sdmp, 018292540-LetterReguranPPI-20230814215304.PDF.exe, 00000003.00000002.4563803924.00000000011DC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
          Source: 018292540-LetterReguranPPI-20230814215304.PDF.exe, 00000003.00000002.4563803924.00000000011DC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWd
          Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe API call chain: ExitProcess graph end node graph_3-47843
          Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe Code function: 3_2_004327AE IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_004327AE
          Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe Code function: 3_2_0041A8DA LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,3_2_0041A8DA
          Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe Code function: 3_2_004407B5 mov eax, dword ptr fs:[00000030h] 3_2_004407B5
          Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe Code function: 3_2_00410763 SetLastError,GetNativeSystemInfo,SetLastError,GetProcessHeap,HeapAlloc,SetLastError,3_2_00410763
          Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe Code function: 3_2_004327AE IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_004327AE
          Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe Code function: 3_2_004328FC SetUnhandledExceptionFilter,3_2_004328FC
          Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe Code function: 3_2_004398AC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_004398AC
          Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe Code function: 3_2_00432D5C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,3_2_00432D5C
          Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion

          Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe Memory written: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe base: 400000 value starts with: 4D5A
          Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 3_2_00410B5C
          Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe Code function: 3_2_004175E1 mouse_event,3_2_004175E1
          Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe Process created: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe "C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe"
          Source: 018292540-LetterReguranPPI-20230814215304.PDF.exe, 00000003.00000002.4563667041.00000000011C3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerNP\37
          Source: 018292540-LetterReguranPPI-20230814215304.PDF.exe, 00000003.00000002.4563667041.00000000011C3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager
          Source: 018292540-LetterReguranPPI-20230814215304.PDF.exe, 00000003.00000002.4563667041.00000000011C3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerNP\
          Source: 018292540-LetterReguranPPI-20230814215304.PDF.exe, 00000003.00000002.4563667041.00000000011C3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerNP\71
          Source: 018292540-LetterReguranPPI-20230814215304.PDF.exe, 00000003.00000002.4563667041.00000000011C3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managerr|
          Source: 018292540-LetterReguranPPI-20230814215304.PDF.exe, 00000003.00000002.4563667041.00000000011C3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerL
          Source: 018292540-LetterReguranPPI-20230814215304.PDF.exe, 00000003.00000002.4563667041.00000000011C3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerNP\
          Source: 018292540-LetterReguranPPI-20230814215304.PDF.exe, 00000003.00000002.4563667041.00000000011C3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerNP\^
          Source: 018292540-LetterReguranPPI-20230814215304.PDF.exe, 00000003.00000002.4563518017.000000000117A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerC:\Prog
          Source: 018292540-LetterReguranPPI-20230814215304.PDF.exe, 00000003.00000002.4563667041.00000000011C3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerNP\9
          Source: 018292540-LetterReguranPPI-20230814215304.PDF.exe, 00000003.00000002.4563667041.00000000011C3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerNP\Y
          Source: 018292540-LetterReguranPPI-20230814215304.PDF.exe, 00000003.00000002.4563518017.000000000117A000.00000004.00000020.00020000.00000000.sdmp, 018292540-LetterReguranPPI-20230814215304.PDF.exe, 00000003.00000002.4563667041.00000000011C3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: |Program Manager|
          Source: 018292540-LetterReguranPPI-20230814215304.PDF.exe, 00000003.00000002.4563518017.000000000117A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [Program Manager]
          Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe Code function: 3_2_004329DA cpuid 3_2_004329DA
          Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe Code function: GetLocaleInfoA,3_2_0040E2BB
          Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe Code function: EnumSystemLocalesW,3_2_0044F17B
          Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe Code function: EnumSystemLocalesW,3_2_0044F130
          Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe Code function: EnumSystemLocalesW,3_2_0044F216
          Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,3_2_0044F2A3
          Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe Code function: GetLocaleInfoW,3_2_0044F4F3
          Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,3_2_0044F61C
          Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe Code function: GetLocaleInfoW,3_2_0044F723
          Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,3_2_0044F7F0
          Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe Code function: EnumSystemLocalesW,3_2_00445914
          Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe Code function: GetLocaleInfoW,3_2_00445E1C
          Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,3_2_0044EEB8
          Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe Queries volume information: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe VolumeInformation
          Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
          Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe Code function: 3_2_00404F31 GetLocalTime,CreateEventA,CreateThread,3_2_00404F31
          Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe Code function: 3_2_004195F8 GetComputerNameExW,GetUserNameW,3_2_004195F8
          Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe Code function: 3_2_004466BF _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,3_2_004466BF
          Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information

Source: Yara match | File source: 0.2.018292540-LetterReguranPPI-20230814215304.PDF.exe.4cd7ae0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.018292540-LetterReguranPPI-20230814215304.PDF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.018292540-LetterReguranPPI-20230814215304.PDF.exe.429e908.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.018292540-LetterReguranPPI-20230814215304.PDF.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.018292540-LetterReguranPPI-20230814215304.PDF.exe.4cd7ae0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.018292540-LetterReguranPPI-20230814215304.PDF.exe.429e908.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.4563518017.000000000117A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2121163899.0000000004CD7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2121163899.00000000041D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 018292540-LetterReguranPPI-20230814215304.PDF.exe PID: 1224, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 018292540-LetterReguranPPI-20230814215304.PDF.exe PID: 6380, type: MEMORYSTR
Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe | Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 3_2_0040A953
Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe | Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 3_2_0040AA71
Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe | Code function: \key3.db 3_2_0040AA71

          Remote Access Functionality

Source: Yara match | File source: 0.2.018292540-LetterReguranPPI-20230814215304.PDF.exe.4cd7ae0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.018292540-LetterReguranPPI-20230814215304.PDF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.018292540-LetterReguranPPI-20230814215304.PDF.exe.429e908.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.018292540-LetterReguranPPI-20230814215304.PDF.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.018292540-LetterReguranPPI-20230814215304.PDF.exe.4cd7ae0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.018292540-LetterReguranPPI-20230814215304.PDF.exe.429e908.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.4563518017.000000000117A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2121163899.0000000004CD7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2121163899.00000000041D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 018292540-LetterReguranPPI-20230814215304.PDF.exe PID: 1224, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 018292540-LetterReguranPPI-20230814215304.PDF.exe PID: 6380, type: MEMORYSTR
Source: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe | Code function: cmd.exe 3_2_0040567A
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Native API | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Disable or Modify Tools | 1 OS Credential Dumping | 2 System Time Discovery | Remote Services | 11 Archive Collected Data | 12 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
Credentials | Domains | Default Accounts | 1 Command and Scripting Interpreter | 1 Windows Service | 1 Access Token Manipulation | 1 Deobfuscate/Decode Files or Information | 211 Input Capture | 1 Account Discovery | Remote Desktop Protocol | 211 Input Capture | 2 Encrypted Channel | Exfiltration Over Bluetooth | 1 Defacement
Email Addresses | DNS Server | Domain Accounts | 2 Service Execution | Logon Script (Windows) | 1 Windows Service | 13 Obfuscated Files or Information | 2 Credentials In Files | 1 System Service Discovery | SMB/Windows Admin Shares | 3 Clipboard Data | 1 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 122 Process Injection | 12 Software Packing | NTDS | 2 File and Directory Discovery | Distributed Component Object Model | Input Capture | 2 Non-Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Timestomp | LSA Secrets | 33 System Information Discovery | SSH | Keylogging | 12 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 21 Security Software Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 11 Masquerading | DCSync | 31 Virtualization/Sandbox Evasion | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 31 Virtualization/Sandbox Evasion | Proc Filesystem | 2 Process Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 Access Token Manipulation | /etc/passwd and /etc/shadow | 1 Application Window Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 122 Process Injection | Network Sniffing | 1 System Owner/User Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement

Source | Detection | Scanner | Label
018292540-LetterReguranPPI-20230814215304.PDF.exe | 61% | ReversingLabs | ByteCode-MSIL.Trojan.CrypterX
018292540-LetterReguranPPI-20230814215304.PDF.exe | 100% | Joe Sandbox ML |
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
oyo.work.gd | 100% | Avira URL Cloud | malware
Name | IP | Active | Malicious | Antivirus Detection | Reputation
geoplugin.net | 178.237.33.50 | true | false | | high
oyo.work.gd | 154.216.20.185 | true | false | | high
Name | Malicious | Antivirus Detection | Reputation
http://geoplugin.net/json.gp | false | | high
oyo.work.gd | true | Avira URL Cloud: malware | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://geoplugin.net/json.gp/C | 018292540-LetterReguranPPI-20230814215304.PDF.exe, 00000000.00000002.2121163899.0000000004CD7000.00000004.00000800.00020000.00000000.sdmp, 018292540-LetterReguranPPI-20230814215304.PDF.exe, 00000000.00000002.2121163899.00000000041D9000.00000004.00000800.00020000.00000000.sdmp, 018292540-LetterReguranPPI-20230814215304.PDF.exe, 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp | false | | high
http://geoplugin.net/json.gpl | 018292540-LetterReguranPPI-20230814215304.PDF.exe, 00000003.00000002.4563667041.00000000011B6000.00000004.00000020.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
178.237.33.50 | geoplugin.net | Netherlands | 8455 | ATOM86-ASATOM86NL | false
154.216.20.185 | oyo.work.gd | Seychelles | 135357 | SKHT-ASShenzhenKatherineHengTechnologyInformationCo | false
                    Joe Sandbox version:41.0.0 Charoite
                    Analysis ID:1560895
                    Start date and time:2024-11-22 14:16:09 +01:00
                    Joe Sandbox product:CloudBasic
                    Overall analysis duration:0h 7m 43s
                    Hypervisor based Inspection enabled:false
                    Report type:full
                    Cookbook file name:default.jbs
                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:6
                    Number of new started drivers analysed:0
                    Number of existing processes analysed:0
                    Number of existing drivers analysed:0
                    Number of injected processes analysed:0
                    Technologies:
                    • HCA enabled
                    • EGA enabled
                    • AMSI enabled
                    Analysis Mode:default
                    Analysis stop reason:Timeout
                    Sample name:018292540-LetterReguranPPI-20230814215304.PDF.exe
                    Detection:MAL
                    Classification:mal100.rans.troj.spyw.evad.winEXE@3/3@4/2
                    EGA Information:
                    • Successful, ratio: 100%
                    HCA Information:
                    • Successful, ratio: 99%
                    • Number of executed functions: 56
                    • Number of non-executed functions: 181
                    Cookbook Comments:
                    • Found application associated with file extension: .exe
                    • Override analysis time to 240000 for current running targets taking high CPU consumption
                    • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                    • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                    • Report size getting too big, too many NtQueryValueKey calls found.
                    • VT rate limit hit for: 018292540-LetterReguranPPI-20230814215304.PDF.exe
Time | Type | Description
08:17:05 | API Interceptor | 6799671x Sleep call for process: 018292540-LetterReguranPPI-20230814215304.PDF.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
178.237.33.50 | 800399031-18.11.2024.pdf.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | Purchase Inquiry_002.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | APPENDIX FORM_N#U00b045013-20241120.com.exe | malicious | Remcos, GuLoader | geoplugin.net/json.gp
178.237.33.50 | wE1inOhJA5.msi | malicious | Remcos, RHADAMANTHYS | geoplugin.net/json.gp
178.237.33.50 | ORDER AND SPECIFICATIONS.scr.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | 1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | 1732143786cec792bea7f8ce7f818c031173ce52fabd19dde842f74b07fc234dc9f3fa1dcf839.dat-decoded.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | seethebestthignswhichgivingbestopportunities.hta | malicious | Cobalt Strike, Remcos, HTMLPhisher | geoplugin.net/json.gp
178.237.33.50 | pi-77159.xls | malicious | Remcos, HTMLPhisher | geoplugin.net/json.gp
178.237.33.50 | sostener.vbs | malicious | Remcos | geoplugin.net/json.gp
Match | Associated Sample Name / URL | Detection | Threat Name | Context
oyo.work.gd | 800399031-18.11.2024.pdf.exe | malicious | Remcos | 154.216.20.185
oyo.work.gd | ungziped_file.exe | malicious | Remcos | 154.216.20.185
oyo.work.gd | file.exe | malicious | Remcos | 154.216.20.185
oyo.work.gd | ES20241104044200_1910049770.pdf.exe | malicious | Remcos | 154.216.20.185
oyo.work.gd | 018292540-SuratTeguranPPI-20230814215304.PDF.exe | malicious | Remcos | 154.216.20.185
oyo.work.gd | file.exe | malicious | Remcos | 154.216.20.185
oyo.work.gd | file.exe | malicious | Remcos | 154.216.20.185
oyo.work.gd | ATH0000878718.pdf.exe | malicious | Remcos | 154.216.20.185
geoplugin.net | 800399031-18.11.2024.pdf.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | Purchase Inquiry_002.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | APPENDIX FORM_N#U00b045013-20241120.com.exe | malicious | Remcos, GuLoader | 178.237.33.50
geoplugin.net | wE1inOhJA5.msi | malicious | Remcos, RHADAMANTHYS | 178.237.33.50
geoplugin.net | ORDER AND SPECIFICATIONS.scr.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | 1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | 1732143786cec792bea7f8ce7f818c031173ce52fabd19dde842f74b07fc234dc9f3fa1dcf839.dat-decoded.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | seethebestthignswhichgivingbestopportunities.hta | malicious | Cobalt Strike, Remcos, HTMLPhisher | 178.237.33.50
geoplugin.net | pi-77159.xls | malicious | Remcos, HTMLPhisher | 178.237.33.50
geoplugin.net | sostener.vbs | malicious | Remcos | 178.237.33.50
Match | Associated Sample Name / URL | Detection | Threat Name | Context
SKHT-ASShenzhenKatherineHengTechnologyInformationCo | 800399031-18.11.2024.pdf.exe | malicious | Remcos | 154.216.20.185
SKHT-ASShenzhenKatherineHengTechnologyInformationCo | vkjqpc.elf | malicious | Mirai | 154.216.16.109
SKHT-ASShenzhenKatherineHengTechnologyInformationCo | vsbeps.elf | malicious | Mirai | 154.216.16.109
SKHT-ASShenzhenKatherineHengTechnologyInformationCo | wnbw86.elf | malicious | Mirai | 154.216.16.109
SKHT-ASShenzhenKatherineHengTechnologyInformationCo | qkehusl.elf | malicious | Mirai | 154.216.16.109
SKHT-ASShenzhenKatherineHengTechnologyInformationCo | dwhdbg.elf | malicious | Mirai | 154.216.16.109
SKHT-ASShenzhenKatherineHengTechnologyInformationCo | iwir64.elf | malicious | Mirai | 154.216.16.109
SKHT-ASShenzhenKatherineHengTechnologyInformationCo | wriww68k.elf | malicious | Mirai | 154.216.16.109
SKHT-ASShenzhenKatherineHengTechnologyInformationCo | dvwkja7.elf | malicious | Mirai | 154.216.16.109
SKHT-ASShenzhenKatherineHengTechnologyInformationCo | wheiuwa4.elf | malicious | Mirai | 154.216.16.109
ATOM86-ASATOM86NL | 800399031-18.11.2024.pdf.exe | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | Purchase Inquiry_002.exe | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | APPENDIX FORM_N#U00b045013-20241120.com.exe | malicious | Remcos, GuLoader | 178.237.33.50
ATOM86-ASATOM86NL | wE1inOhJA5.msi | malicious | Remcos, RHADAMANTHYS | 178.237.33.50
ATOM86-ASATOM86NL | ORDER AND SPECIFICATIONS.scr.exe | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | 1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | 1732143786cec792bea7f8ce7f818c031173ce52fabd19dde842f74b07fc234dc9f3fa1dcf839.dat-decoded.exe | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | seethebestthignswhichgivingbestopportunities.hta | malicious | Cobalt Strike, Remcos, HTMLPhisher | 178.237.33.50
ATOM86-ASATOM86NL | pi-77159.xls | malicious | Remcos, HTMLPhisher | 178.237.33.50
ATOM86-ASATOM86NL | sostener.vbs | malicious | Remcos | 178.237.33.50
                    No context
                    No context
                    Process:C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):144
                    Entropy (8bit):6.687218230578943
                    Encrypted:false
                    SSDEEP:3:UT3Al0w0z8pypcu9AHYLf5UJg//LLnzQ3Zaw+3L:U7Auh8o1A4LmgjLhX
                    MD5:5117B7932944236D6EFBAB2A6CF51241
                    SHA1:7EDB4E557684756549D6962AF13B2D94D260D0C1
                    SHA-256:9962A13B39087E14DF739CB323DEA4931D9029D4A34DDC89F3AB8D319C2C4323
                    SHA-512:944EA4BD3F85F89A1AFEA470A8482BB6290A2287420F7DE95D5ECA71282D2FE9C31370CCE2B327FB0CA00021F7CE17C1F93B0FD7D34ECE57B5423583111AAEA5
                    Malicious:false
                    Reputation:low
                    Preview:6..6....y..S..LT.QO..T.u.A..Vr...w....0..r......I.l....l......Jb.=\.vv..S......pUq..'.."Us..*..}E.3.M..6i..-.P|.i.h=u.#.n....)...6.a..
                    Process:C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe
                    File Type:ASCII text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):1216
                    Entropy (8bit):5.34331486778365
                    Encrypted:false
                    SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                    MD5:1330C80CAAC9A0FB172F202485E9B1E8
                    SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                    SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                    SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                    Malicious:true
                    Reputation:high, very likely benign file
                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                    Process:C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe
                    File Type:JSON data
                    Category:dropped
                    Size (bytes):962
                    Entropy (8bit):5.01442467270497
                    Encrypted:false
                    SSDEEP:12:tkluQ+nd6UGkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzkwV:qluQydVauKyGX85jvXhNlT3/7AcV9Wro
                    MD5:4A8FAD17775993221C3AD2D68BB4B306
                    SHA1:DB42C3975A64E7B4CE2A93FF5AF91F2DF73C82BD
                    SHA-256:893F1B254D4EC2484868976F1B62D5A064909EA08E46F95193DBE79DB435E604
                    SHA-512:63252CFDC2CC7A32F86D9CB5D27E1695A8C138EBFBF476741C017EB349F20BDC72FF5856E0044DB189BAABDB1C3819C29FFC33A054810BD0354726300063D52C
                    Malicious:false
                    Reputation:low
                    Preview:{. "geoplugin_request":"8.46.123.75",. "geoplugin_status":200,. "geoplugin_delay":"2ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"New York",. "geoplugin_region":"New York",. "geoplugin_regionCode":"NY",. "geoplugin_regionName":"New York",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"501",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"40.7123",. "geoplugin_longitude":"-74.0068",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}
                    File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                    Entropy (8bit):7.891244361216534
                    TrID:
                    • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                    • Win32 Executable (generic) a (10002005/4) 49.78%
                    • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                    • Win16/32 Executable Delphi generic (2074/23) 0.01%
                    • Generic Win/DOS Executable (2004/3) 0.01%
                    File name:018292540-LetterReguranPPI-20230814215304.PDF.exe
                    File size:918'528 bytes
                    MD5:667060459d876845db2677ddc3d58488
                    SHA1:800f741383f4f4027d70a5942fe4b263b592eed5
                    SHA256:3e080ccb41529931481861828df6a2ca32b039ed0217adcecb832547d8da0566
                    SHA512:c9fce460c1b2de0e53782df4a84dc6c1d28bc4b8b8850b0adcbf3f87e72d156654760ebb32e52582a7adc4e3d58526959b51cdfd72fa947b314749c23492fee7
                    SSDEEP:24576:vMy1GyhxutkS+BwTCEGh0BV0i7OqD4uTfV:LFhxutkdeCEGmB6uD4uD
                    TLSH:65152268AE69EB63C85257FA0172D77643B59E5CE465C3078EEDECEB3405F1CB900282
                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0.................. ... ....@.. .......................`............@................................
                    Icon Hash:00928e8e8686b000
                    Entrypoint:0x4e17ee
                    Entrypoint Section:.text
                    Digitally signed:false
                    Imagebase:0x400000
                    Subsystem:windows gui
                    Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                    DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Time Stamp:0xE0A2DAA6 [Sun Jun 5 00:19:50 2089 UTC]
                    TLS Callbacks:
                    CLR (.Net) Version:
                    OS Version Major:4
                    OS Version Minor:0
                    File Version Major:4
                    File Version Minor:0
                    Subsystem Version Major:4
                    Subsystem Version Minor:0
                    Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                    Instruction
                    jmp dword ptr [00402000h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xe179a | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xe2000 | 0x618 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xe4000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xe0040 | 0x70 | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xdf7f4 | 0xdf800 | 1b9e66daff463fba33d7180570592bd5 | False | 0.9432599709871364 | data | 7.897730360364982 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xe2000 | 0x618 | 0x800 | 6b769018ff03220ac470f1650a80b45d | False | 0.3359375 | data | 3.438243403531537 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xe4000 | 0xc | 0x200 | afe8e11bc301a56f30c93b94c8ff9bd2 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                    Name        | RVA     | Size  | Type                                                                                | Language | Country | ZLIB Complexity
                    RT_VERSION  | 0xe2090 | 0x388 | data                                                                                |          |         | 0.4258849557522124
                    RT_MANIFEST | 0xe2428 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators  |          |         | 0.5489795918367347
                    DLL         | Import
                    mscoree.dll | _CorExeMain
                    Timestamp                        | SID     | Signature                                         | Severity | Source IP   | Source Port | Dest IP        | Dest Port | Protocol
                    2024-11-22T14:17:12.355656+0100  | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection       | 1        | 192.168.2.5 | 49707       | 154.216.20.185 | 3142      | TCP
                    2024-11-22T14:17:15.161615+0100  | 2803304 | ETPRO MALWARE Common Downloader Header Pattern HCa | 3        | 192.168.2.5 | 49709       | 178.237.33.50  | 80        | TCP
                    Timestamp                         | Source IP   | Dest IP | Trans ID | OP Code            | Name          | Type           | Class       | DNS over HTTPS
                    Nov 22, 2024 14:17:08.471030951 CET | 192.168.2.5 | 1.1.1.1 | 0xccda   | Standard query (0) | oyo.work.gd   | A (IP address) | IN (0x0001) | false
                    Nov 22, 2024 14:17:09.481592894 CET | 192.168.2.5 | 1.1.1.1 | 0xccda   | Standard query (0) | oyo.work.gd   | A (IP address) | IN (0x0001) | false
                    Nov 22, 2024 14:17:10.496855021 CET | 192.168.2.5 | 1.1.1.1 | 0xccda   | Standard query (0) | oyo.work.gd   | A (IP address) | IN (0x0001) | false
                    Nov 22, 2024 14:17:13.610543013 CET | 192.168.2.5 | 1.1.1.1 | 0x4583   | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false
                    Timestamp                         | Source IP | Dest IP     | Trans ID | Reply Code   | Name          | CName | Address        | Type           | Class       | DNS over HTTPS
                    Nov 22, 2024 14:17:10.830142975 CET | 1.1.1.1   | 192.168.2.5 | 0xccda   | No error (0) | oyo.work.gd   |       | 154.216.20.185 | A (IP address) | IN (0x0001) | false
                    Nov 22, 2024 14:17:10.830204010 CET | 1.1.1.1   | 192.168.2.5 | 0xccda   | No error (0) | oyo.work.gd   |       | 154.216.20.185 | A (IP address) | IN (0x0001) | false
                    Nov 22, 2024 14:17:10.830218077 CET | 1.1.1.1   | 192.168.2.5 | 0xccda   | No error (0) | oyo.work.gd   |       | 154.216.20.185 | A (IP address) | IN (0x0001) | false
                    Nov 22, 2024 14:17:13.749831915 CET | 1.1.1.1   | 192.168.2.5 | 0x4583   | No error (0) | geoplugin.net |       | 178.237.33.50  | A (IP address) | IN (0x0001) | false
                    • geoplugin.net
                    Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                    0          | 192.168.2.5 | 49709       | 178.237.33.50  | 80               | 6380 | C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe
                    Timestamp                           | Bytes transferred | Direction | Data
                    Nov 22, 2024 14:17:13.873653889 CET | 71                | OUT       | GET /json.gp HTTP/1.1
                    Host: geoplugin.net
                    Cache-Control: no-cache
                    Nov 22, 2024 14:17:15.161542892 CET | 1170              | IN        | HTTP/1.1 200 OK
                    date: Fri, 22 Nov 2024 13:17:14 GMT
                    server: Apache
                    content-length: 962
                    content-type: application/json; charset=utf-8
                    cache-control: public, max-age=300
                    access-control-allow-origin: *
                    Data Ascii: { "geoplugin_request":"8.46.123.75", "geoplugin_status":200, "geoplugin_delay":"2ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7123", "geoplugin_longitude":"-74.0068", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}



                    Target ID:0
                    Start time:08:17:05
                    Start date:22/11/2024
                    Path:C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe"
                    Imagebase:0xdb0000
                    File size:918'528 bytes
                    MD5 hash:667060459D876845DB2677DDC3D58488
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.2121163899.0000000004CD7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.2121163899.0000000004CD7000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.2121163899.00000000041D9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.2121163899.00000000041D9000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                    Reputation:low
                    Has exited:true

                    Target ID:3
                    Start time:08:17:07
                    Start date:22/11/2024
                    Path:C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe"
                    Imagebase:0xb00000
                    File size:918'528 bytes
                    MD5 hash:667060459D876845DB2677DDC3D58488
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000003.00000002.4563518017.000000000117A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                    • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                    • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer, Description: detects Windows exceutables potentially bypassing UAC using eventvwr.exe, Source: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                    Reputation:low
                    Has exited:false


                      Execution Graph

                      Execution Coverage:5%
                      Dynamic/Decrypted Code Coverage:100%
                      Signature Coverage:0%
                      Total number of Nodes:147
                      Total number of Limit Nodes:6

                      Control-flow Graph

                      APIs
                      • GetCurrentProcess.KERNEL32 ref: 0160D41E
                      • GetCurrentThread.KERNEL32 ref: 0160D45B
                      • GetCurrentProcess.KERNEL32 ref: 0160D498
                      • GetCurrentThreadId.KERNEL32 ref: 0160D4F1
                      Memory Dump Source
                      • Source File: 00000000.00000002.2119722168.0000000001600000.00000040.00000800.00020000.00000000.sdmp, Offset: 01600000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1600000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Similarity
                      • API ID: Current$ProcessThread
                      • String ID:
                      • API String ID: 2063062207-0
                      • Opcode ID: d812bcaa7384b1e4d96c279f00b811efc237a6e1f4891a29260cce2fb85b3cc7
                      • Instruction ID: 221950e134d59b2f79b034545ca20a3dd5569dd26a85deff2259da2b71235c49
                      • Opcode Fuzzy Hash: d812bcaa7384b1e4d96c279f00b811efc237a6e1f4891a29260cce2fb85b3cc7
                      • Instruction Fuzzy Hash: 7F5167B0901309DFDB19CFA9D948BAEBFF1EF88314F208559E409A7390DB346884CB65

                      Control-flow Graph

                      APIs
                      • GetCurrentProcess.KERNEL32 ref: 0160D41E
                      • GetCurrentThread.KERNEL32 ref: 0160D45B
                      • GetCurrentProcess.KERNEL32 ref: 0160D498
                      • GetCurrentThreadId.KERNEL32 ref: 0160D4F1
                      Memory Dump Source
                      • Source File: 00000000.00000002.2119722168.0000000001600000.00000040.00000800.00020000.00000000.sdmp, Offset: 01600000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1600000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Similarity
                      • API ID: Current$ProcessThread
                      • String ID:
                      • API String ID: 2063062207-0
                      • Opcode ID: a03d1c53919dfaad78eafa1512fe61c10b0884379cfbd8804ff1fda8cf20fd57
                      • Instruction ID: 7e619aba2e1f8d02d5607047ee2ff0faf2f17b29a4a57a658c868e9c57c9d843
                      • Opcode Fuzzy Hash: a03d1c53919dfaad78eafa1512fe61c10b0884379cfbd8804ff1fda8cf20fd57
                      • Instruction Fuzzy Hash: 825157B09013099FDB18DFA9D948BEEBFF1EF88314F208559E409A7390DB346984CB65

                      Control-flow Graph

                      APIs
                      • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 05CAAB06
                      Memory Dump Source
                      • Source File: 00000000.00000002.2123826931.0000000005CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CA0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_5ca0000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Similarity
                      • API ID: CreateProcess
                      • String ID:
                      • API String ID: 963392458-0
                      • Opcode ID: 44e3888b8a0c8cfa39a6b894b8e2403b9465d3706e5ecf66326e8745b7cd1ace
                      • Instruction ID: 5ff57310fefe3439f626b7ec3826957e712d6d8a736b7a0e046361e4ff5580b3
                      • Opcode Fuzzy Hash: 44e3888b8a0c8cfa39a6b894b8e2403b9465d3706e5ecf66326e8745b7cd1ace
                      • Instruction Fuzzy Hash: FBA16E72D0021ADFDB24CFA8CC44BEDBBB2BF48314F148569D849A7294DB749A85CF91

                      Control-flow Graph

                      APIs
                      • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 05CAAB06
                      Memory Dump Source
                      • Source File: 00000000.00000002.2123826931.0000000005CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CA0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_5ca0000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Similarity
                      • API ID: CreateProcess
                      • String ID:
                      • API String ID: 963392458-0
                      • Opcode ID: 2b551a6522ebda55809b1ce3ae393740fd141556f19be68f96b518e6cf91e8e8
                      • Instruction ID: 343d4228c68d03082a6417184bb9fa0f89102998999bc733b94adb39f866fb5e
                      • Opcode Fuzzy Hash: 2b551a6522ebda55809b1ce3ae393740fd141556f19be68f96b518e6cf91e8e8
                      • Instruction Fuzzy Hash: 5A916E72D0021ADFDB24CFA8CC45BEDBBB2BF48314F148569D809A7294DB749A85CF91

                      Control-flow Graph

                      APIs
                      • GetModuleHandleW.KERNELBASE(00000000), ref: 0160B35E
                      Memory Dump Source
                      • Source File: 00000000.00000002.2119722168.0000000001600000.00000040.00000800.00020000.00000000.sdmp, Offset: 01600000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1600000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Similarity
                      • API ID: HandleModule
                      • String ID:
                      • API String ID: 4139908857-0
                      • Opcode ID: 975b26bcdcdc59c5afe07d2078866b61e1198c15e7ef0aa4f011e3afa020bece
                      • Instruction ID: d8ee6cf24c5a46d13356a0fadb1a57b7b2c4f532c250aa31cc8315c7e9d5a712
                      • Opcode Fuzzy Hash: 975b26bcdcdc59c5afe07d2078866b61e1198c15e7ef0aa4f011e3afa020bece
                      • Instruction Fuzzy Hash: C47133B0A00B058FD729DF6AD85575BBBF1FF88200F008A2DD45A9BB90D734E845CB90

                      Control-flow Graph

                      APIs
                      • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 05CAA2D8
                      Memory Dump Source
                      • Source File: 00000000.00000002.2123826931.0000000005CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CA0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_5ca0000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Similarity
                      • API ID: MemoryProcessWrite
                      • String ID:
                      • API String ID: 3559483778-0
                      • Opcode ID: 6aee1027b98dbba8d547230adb88852998e710a1e62b66f89d39197aab0d08e1
                      • Instruction ID: 7e404c383080e2d476e8c991dc39cc9a3833130f61a8829e645ebbf9022c6dc3
                      • Opcode Fuzzy Hash: 6aee1027b98dbba8d547230adb88852998e710a1e62b66f89d39197aab0d08e1
                      • Instruction Fuzzy Hash: 71217A769003499FCB10CFA9C884BEEBFF5FF48310F10882AE919A7241D7749955DBA0

                      Control-flow Graph (graph rendering omitted)
                      APIs
                      • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 05CAA2D8
                      Memory Dump Source
                      • Source File: 00000000.00000002.2123826931.0000000005CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CA0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_5ca0000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Similarity
                      • API ID: MemoryProcessWrite
                      • String ID:
                      • API String ID: 3559483778-0
                      • Opcode ID: ab9d5b6f56653644cd8f57fae050fab8c09ad24876fc486009a43989a97dc9cf
                      • Instruction ID: a90416162d70001b2d8360a0feb7b4ed67586ae9b23bd5732fae46d4342df874
                      • Opcode Fuzzy Hash: ab9d5b6f56653644cd8f57fae050fab8c09ad24876fc486009a43989a97dc9cf
                      • Instruction Fuzzy Hash: 842139729003499FDB10CFA9C885BDEBFF5FF48314F10882AE919A7241D7799954DBA0

                      Control-flow Graph (graph rendering omitted)
                      APIs
                      • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 05CAA12E
                      Memory Dump Source
                      • Source File: 00000000.00000002.2123826931.0000000005CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CA0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_5ca0000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Similarity
                      • API ID: ContextThreadWow64
                      • String ID:
                      • API String ID: 983334009-0
                      • Opcode ID: 715c1e6e6dc632c2d17f4ee4b89f410fa48de63e11ac3136d9d08c494a7f35f8
                      • Instruction ID: 45b7d58887a6539cae7d12be388458cdbdf94f16aa2feeb54ba712f8d1daffaf
                      • Opcode Fuzzy Hash: 715c1e6e6dc632c2d17f4ee4b89f410fa48de63e11ac3136d9d08c494a7f35f8
                      • Instruction Fuzzy Hash: D02139729002099FDB10DFAAC8857EEFFF4EF48324F54842AD559A7241DB789945CFA0

                      Control-flow Graph (graph rendering omitted)
                      APIs
                      • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 05CAA3B8
                      Memory Dump Source
                      • Source File: 00000000.00000002.2123826931.0000000005CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CA0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_5ca0000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Similarity
                      • API ID: MemoryProcessRead
                      • String ID:
                      • API String ID: 1726664587-0
                      • Opcode ID: 9398230e6498f923d741046158c6bfaf631c1f816fcaee77036762528a5b238b
                      • Instruction ID: 3f357d4190a643403ced48d76f2094f00c9d8af6d4a7290f09795750f50d5d59
                      • Opcode Fuzzy Hash: 9398230e6498f923d741046158c6bfaf631c1f816fcaee77036762528a5b238b
                      • Instruction Fuzzy Hash: E72116B29002499FCB10CFAAC885AEEFFF5FF48310F54842AE959A7240D7349955DBA1

                      Control-flow Graph (graph rendering omitted)
                      APIs
                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0160D66F
                      Memory Dump Source
                      • Source File: 00000000.00000002.2119722168.0000000001600000.00000040.00000800.00020000.00000000.sdmp, Offset: 01600000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1600000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Similarity
                      • API ID: DuplicateHandle
                      • String ID:
                      • API String ID: 3793708945-0
                      • Opcode ID: 236f3fcf860c16a07c9352af64323cb27cfa725fa7932472ceea1dca35c2b86e
                      • Instruction ID: 0328f7ecfc77f11ffaf02046f760661eaf13647530156538faa217fbb3ee181d
                      • Opcode Fuzzy Hash: 236f3fcf860c16a07c9352af64323cb27cfa725fa7932472ceea1dca35c2b86e
                      • Instruction Fuzzy Hash: AF21E3B5900308AFDB10CFAAD984ADEBFF8EB48310F14841AE958A3350D374A950CFA5

                      Control-flow Graph (graph rendering omitted)
                      APIs
                      • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 05CAA12E
                      Memory Dump Source
                      • Source File: 00000000.00000002.2123826931.0000000005CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CA0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_5ca0000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Similarity
                      • API ID: ContextThreadWow64
                      • String ID:
                      • API String ID: 983334009-0
                      • Opcode ID: e11fcf22c14b18662433453383c37185875a3dc9f2ce6fd6aab0fdacaa4a6796
                      • Instruction ID: b26e348cbf4fec83e421eae2fceb19a9c7b41b17c780f282affc86c422421a59
                      • Opcode Fuzzy Hash: e11fcf22c14b18662433453383c37185875a3dc9f2ce6fd6aab0fdacaa4a6796
                      • Instruction Fuzzy Hash: D52129B29003099FDB10DFAAC8857EEBFF4EF48324F54842AD559A7241CB789945CFA1

                      Control-flow Graph (graph rendering omitted)
                      APIs
                      • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 05CAA3B8
                      Memory Dump Source
                      • Source File: 00000000.00000002.2123826931.0000000005CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CA0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_5ca0000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Similarity
                      • API ID: MemoryProcessRead
                      • String ID:
                      • API String ID: 1726664587-0
                      • Opcode ID: c9a2aa876fcf4386361628b4cb27471b13c0368496c79a567d5136e79eec4867
                      • Instruction ID: cbf4df7cd0fffe60379e3cbcc5ea713dd71f37a654f4b07bbf3d91915a51f563
                      • Opcode Fuzzy Hash: c9a2aa876fcf4386361628b4cb27471b13c0368496c79a567d5136e79eec4867
                      • Instruction Fuzzy Hash: D52128B29003499FCB10CFAAC884AEEFBF5FF48310F50842AE519A7240C7349945DBA0
                      APIs
                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0160D66F
                      Memory Dump Source
                      • Source File: 00000000.00000002.2119722168.0000000001600000.00000040.00000800.00020000.00000000.sdmp, Offset: 01600000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1600000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Similarity
                      • API ID: DuplicateHandle
                      • String ID:
                      • API String ID: 3793708945-0
                      • Opcode ID: 786dcd693ec29b8c0ba130812978487706676b434c8e221d4a4aac502dc5f0b1
                      • Instruction ID: f1a224fd09a0394844443d775af7a05b70a3df9c1ad04803b8987df2af932aec
                      • Opcode Fuzzy Hash: 786dcd693ec29b8c0ba130812978487706676b434c8e221d4a4aac502dc5f0b1
                      • Instruction Fuzzy Hash: DA21E4B59002089FDB10CFAAD984ADEBFF8EB48310F14841AE918A3350D374A940CF64
                      APIs
                      • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 05CAA1F6
                      Memory Dump Source
                      • Source File: 00000000.00000002.2123826931.0000000005CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CA0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_5ca0000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Similarity
                      • API ID: AllocVirtual
                      • String ID:
                      • API String ID: 4275171209-0
                      • Opcode ID: 0546397b79d5f07702eaf984d7e3a7e48efb5afebd315c22e652cbbed84907c2
                      • Instruction ID: cb497c9051ba5275fa2f613e562eaa7f5dc9834a7230b4e44d92225d22df110d
                      • Opcode Fuzzy Hash: 0546397b79d5f07702eaf984d7e3a7e48efb5afebd315c22e652cbbed84907c2
                      • Instruction Fuzzy Hash: 3B218C729002499FCB10CFA9C844AEFBFF5EF89310F148419E559A7240C7359541DFA0
                      APIs
                      • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 05CAA1F6
                      Memory Dump Source
                      • Source File: 00000000.00000002.2123826931.0000000005CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CA0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_5ca0000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Similarity
                      • API ID: AllocVirtual
                      • String ID:
                      • API String ID: 4275171209-0
                      • Opcode ID: b771ff758c878397f5150aae27a84046a346f708d910ee85d5894373789107b5
                      • Instruction ID: 1d637af7b3ea88da70fca45035b94a258d91c3ccb484c1ac2ea131065f92eb0b
                      • Opcode Fuzzy Hash: b771ff758c878397f5150aae27a84046a346f708d910ee85d5894373789107b5
                      • Instruction Fuzzy Hash: 0E113A729002499FCB10DFAAC844ADFBFF5EF88324F148819D519A7250C7759944DFA0
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.2123826931.0000000005CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CA0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_5ca0000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Similarity
                      • API ID: ResumeThread
                      • String ID:
                      • API String ID: 947044025-0
                      • Opcode ID: 3aade373f41bd4481ef99c783c454af19e25e126f3757249c0c6951af57da6c7
                      • Instruction ID: f73e538eed2a5544b35d58735274e79f3644091721dca55c9f74ff39e5d15222
                      • Opcode Fuzzy Hash: 3aade373f41bd4481ef99c783c454af19e25e126f3757249c0c6951af57da6c7
                      • Instruction Fuzzy Hash: B61128B29002498FDB20DFAAD8457EEFFF4EF88324F14881AD559A7240CB756944CBA1
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.2123826931.0000000005CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CA0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_5ca0000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Similarity
                      • API ID: ResumeThread
                      • String ID:
                      • API String ID: 947044025-0
                      • Opcode ID: 859b0ab8e45fc6b51e2c8d665fa35d81a48ade18ab77343303575be0be13ca5a
                      • Instruction ID: 3552d056eadb100db2969f33922275355e0c4ce7b53913f7579d207568abb51a
                      • Opcode Fuzzy Hash: 859b0ab8e45fc6b51e2c8d665fa35d81a48ade18ab77343303575be0be13ca5a
                      • Instruction Fuzzy Hash: B71128B19003498BDB20DFAAC8457EFFFF4EF88324F148819D519A7240CB756944CBA0
                      APIs
                      • GetModuleHandleW.KERNELBASE(00000000), ref: 0160B35E
                      Memory Dump Source
                      • Source File: 00000000.00000002.2119722168.0000000001600000.00000040.00000800.00020000.00000000.sdmp, Offset: 01600000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1600000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Similarity
                      • API ID: HandleModule
                      • String ID:
                      • API String ID: 4139908857-0
                      • Opcode ID: 0b7c23047ec3993a8340aaada62c3b23081df1a4753b48ad75ab18ac670b0955
                      • Instruction ID: e099a78b253122b7dd9307cd0f86dd5f64332c7278164bad997edc220e8a230c
                      • Opcode Fuzzy Hash: 0b7c23047ec3993a8340aaada62c3b23081df1a4753b48ad75ab18ac670b0955
                      • Instruction Fuzzy Hash: 7111D2B6D00249CFDB28CF9AD844A9FFBF4EB88214F14841AD919A7350C375A545CFA1
                      APIs
                      • PostMessageW.USER32(?,00000010,00000000,?), ref: 05CACC65
                      Memory Dump Source
                      • Source File: 00000000.00000002.2123826931.0000000005CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CA0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_5ca0000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Similarity
                      • API ID: MessagePost
                      • String ID:
                      • API String ID: 410705778-0
                      • Opcode ID: 036e4822f42062db98f5a8c8dd086cf8db6f298900f176ef8c86c10c3f3765f3
                      • Instruction ID: 5ac072699c23aa884efe22f7fb8a0989564d8390be9a12b5d8cb8d22e7e9695f
                      • Opcode Fuzzy Hash: 036e4822f42062db98f5a8c8dd086cf8db6f298900f176ef8c86c10c3f3765f3
                      • Instruction Fuzzy Hash: AA11F5B6800349DFDB10DF9AC988BDEBFF8EB48314F108819E554A7200C375A944CFA5
                      APIs
                      • PostMessageW.USER32(?,00000010,00000000,?), ref: 05CACC65
                      Memory Dump Source
                      • Source File: 00000000.00000002.2123826931.0000000005CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CA0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_5ca0000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Similarity
                      • API ID: MessagePost
                      • String ID:
                      • API String ID: 410705778-0
                      • Opcode ID: 4382bddf23e5bfdd00687be6fb177f34c3e04e7423b2e0de259f6b60e0ccfc86
                      • Instruction ID: 057fc556c69ff8f1ee5b7bf6949ca62e8fada46e984df27ab1fa97dca0a2fe7f
                      • Opcode Fuzzy Hash: 4382bddf23e5bfdd00687be6fb177f34c3e04e7423b2e0de259f6b60e0ccfc86
                      • Instruction Fuzzy Hash: 0A11E3B6900349DFDB20CF99D984BDEBFF4EB48314F10881AE558A7200C375A944CFA1
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2123826931.0000000005CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CA0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_5ca0000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Similarity
                      • API ID:
                      • String ID: p_4l
                      • API String ID: 0-3535128713
                      • Opcode ID: 75800947613667212a8c047216c9d17460b52b11dc48656f45f681e128612784
                      • Instruction ID: 4cb246a07d570ffbb13bf763beb1767f095667804f92e730c37e3e66a19efa71
                      • Opcode Fuzzy Hash: 75800947613667212a8c047216c9d17460b52b11dc48656f45f681e128612784
                      • Instruction Fuzzy Hash: EEE1F6B4E051198FDB14CFA9C5809AEBBF2FF89304F248569E415AB356D734AD42CF60
                      Memory Dump Source
                      • Source File: 00000000.00000002.2123826931.0000000005CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CA0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_5ca0000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: b9fb77722cf9ba23940bbe7db2cecfc0db77f8d2148c30150192c5b6a3eaeebe
                      • Instruction ID: dce277f1c9f6c4c7c3a929e049108e4eddc0b864068d1fe0f7c18398edb1aec6
                      • Opcode Fuzzy Hash: b9fb77722cf9ba23940bbe7db2cecfc0db77f8d2148c30150192c5b6a3eaeebe
                      • Instruction Fuzzy Hash: 02E119B4E051198FCB14CFA9C5819AEFBB2FF89304F248569E419AB355D734AD81CFA0
                      Memory Dump Source
                      • Source File: 00000000.00000002.2123826931.0000000005CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CA0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_5ca0000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 5badf8623efb0973f6eea64e2795c80e448d8ad272db0587064b193fd31834a9
                      • Instruction ID: 835566cf1ff47e6ce50cb83ffbfeca63d164e43ff95505cfea3fdfa34a3a4b52
                      • Opcode Fuzzy Hash: 5badf8623efb0973f6eea64e2795c80e448d8ad272db0587064b193fd31834a9
                      • Instruction Fuzzy Hash: 27E117B4E051198FDB14CFA9C5909AEFBB2FF89304F248569E819AB355C734AD81CF60
                      Memory Dump Source
                      • Source File: 00000000.00000002.2123826931.0000000005CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CA0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_5ca0000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: ba10ea4e1fe4115b8234cccfe93ac610d3e9391174819b8e2950cee34e535239
                      • Instruction ID: 829840b04c13501451e722e02b0e11c091b3704fafd3d27603d315045b786c58
                      • Opcode Fuzzy Hash: ba10ea4e1fe4115b8234cccfe93ac610d3e9391174819b8e2950cee34e535239
                      • Instruction Fuzzy Hash: 25E108B4E051198FCB14CFA9C5909AEFBB2FF89304F248569E415AB355D734AD81CFA0
                      Memory Dump Source
                      • Source File: 00000000.00000002.2119722168.0000000001600000.00000040.00000800.00020000.00000000.sdmp, Offset: 01600000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1600000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 6be531ccd9cbd6d2d89a08b83dada09e4ec19f2f2833096ced761957813c1dcb
                      • Instruction ID: 86a842cc4be8c6b1540411c81bdbc11b752872d26570caf57d31c420276e5494
                      • Opcode Fuzzy Hash: 6be531ccd9cbd6d2d89a08b83dada09e4ec19f2f2833096ced761957813c1dcb
                      • Instruction Fuzzy Hash: 6DA17531E10216CFCF1ADFB9D84059EBBB2FF84300B1585AEE905AB2A5DB71D945CB80
                      Memory Dump Source
                      • Source File: 00000000.00000002.2123826931.0000000005CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CA0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_5ca0000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 0ce15a8e3732aab292417050e186371306e948c2e1fc284be5b3f1f43669401e
                      • Instruction ID: 0e5a0428b2dcfc988a56ac3b50f19f4ec5cd4f616fe8e16d67aa2d0a1d377d9e
                      • Opcode Fuzzy Hash: 0ce15a8e3732aab292417050e186371306e948c2e1fc284be5b3f1f43669401e
                      • Instruction Fuzzy Hash: 6DB1F5B4E0511A8FCB14CFA9C5809AEBBF2FF89304F248569D419A7356D734AD42CFA1
                      Memory Dump Source
                      • Source File: 00000000.00000002.2119722168.0000000001600000.00000040.00000800.00020000.00000000.sdmp, Offset: 01600000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1600000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: c487840935c1b8c908463dc441a80f00e7cfc19a4fe74736d6f8ab141ee13db7
                      • Instruction ID: 5991a725af462aff48f9f03eecf80236498fdd0d822aad9c1204d1383da145b5
                      • Opcode Fuzzy Hash: c487840935c1b8c908463dc441a80f00e7cfc19a4fe74736d6f8ab141ee13db7
                      • Instruction Fuzzy Hash: 9751D7B4E012498FCB09DFA9C855AEEBBF2FF88310F148569D404AB365DB346845CF90
                      Memory Dump Source
                      • Source File: 00000000.00000002.2123826931.0000000005CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CA0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_5ca0000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: aa9a4b83e55b121c77802d0f8238ba99523a4712ad9399884cfb26f56c657dee
                      • Instruction ID: b19fada51cbfaa5039f186d6cf98e783cf808f614fa2c510acb1155d0a193524
                      • Opcode Fuzzy Hash: aa9a4b83e55b121c77802d0f8238ba99523a4712ad9399884cfb26f56c657dee
                      • Instruction Fuzzy Hash: 02513A75E052198FCB14CFA9C5809AEFBB2FF89304F24856AD418A7355D7349E42CFA0
                      Memory Dump Source
                      • Source File: 00000000.00000002.2119722168.0000000001600000.00000040.00000800.00020000.00000000.sdmp, Offset: 01600000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1600000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: ed29d585d50df6daaf17593ca743ecf8db381f3f23ff17f459cd0e7cfbd0eea6
                      • Instruction ID: 559709be42c9367a5e5c7c98c8e169b2106998706396224f625234a911254526
                      • Opcode Fuzzy Hash: ed29d585d50df6daaf17593ca743ecf8db381f3f23ff17f459cd0e7cfbd0eea6
                      • Instruction Fuzzy Hash: A451A5B4E012098FDB09DFA9C984AEEBBF2FF88310F148469D415AB364DB359845CF90

                      Execution Graph

                      Execution Coverage:3.9%
                      Dynamic/Decrypted Code Coverage:0%
                      Signature Coverage:6%
                      Total number of Nodes:1520
                      Total number of Limit Nodes:56
41239a 30 API calls 46262->46824 46268 401e45 22 API calls 46263->46268 46828 40e501 CreateProcessA CloseHandle CloseHandle ___scrt_fastfail 46264->46828 46266->46255 46272 40d6f7 46266->46272 46276 40d6db 46266->46276 46278 40d73a 46268->46278 46269 402073 28 API calls 46270 40dd3a 46269->46270 46714 4052dd 46270->46714 46890 4120e8 RegOpenKeyExA 46271->46890 46826 411eea RegOpenKeyExA RegQueryValueExA RegCloseKey 46272->46826 46275 40dd4a 46277 402073 28 API calls 46275->46277 46276->46255 46825 4067a0 36 API calls ___scrt_fastfail 46276->46825 46281 40dd59 46277->46281 46285 401e45 22 API calls 46278->46285 46284 4194da 79 API calls 46281->46284 46282 40d70d 46282->46255 46286 40d712 46282->46286 46283 40d9ec 46287 401e45 22 API calls 46283->46287 46288 40dd5e 46284->46288 46289 40d755 46285->46289 46827 4066a6 58 API calls 46286->46827 46291 40da10 46287->46291 46292 401fb8 11 API calls 46288->46292 46295 401e45 22 API calls 46289->46295 46614 402073 46291->46614 46293 40dd6a 46292->46293 46716 413980 46293->46716 46298 40d76f 46295->46298 46297 40dd6f 46300 401e45 22 API calls 46298->46300 46299 40da22 46620 41215f RegCreateKeyA 46299->46620 46301 40d789 46300->46301 46305 401e45 22 API calls 46301->46305 46304 401e45 22 API calls 46306 40da44 46304->46306 46310 40d7a3 46305->46310 46626 439867 46306->46626 46309 40d810 46309->46271 46313 40d828 46309->46313 46350 40d8a7 ___scrt_fastfail 46309->46350 46310->46309 46312 401e45 22 API calls 46310->46312 46311 40da61 46893 41aa4f 81 API calls ___scrt_fastfail 46311->46893 46322 40d7b8 _wcslen 46312->46322 46315 401e45 22 API calls 46313->46315 46314 40da7e 46317 402073 28 API calls 46314->46317 46318 40d831 46315->46318 46320 40da8d 46317->46320 46324 401e45 22 API calls 46318->46324 46319 40da70 CreateThread 46319->46314 46321 402073 28 API calls 46320->46321 46323 40da9c 46321->46323 46322->46309 46326 401e45 22 API calls 46322->46326 46630 4194da 46323->46630 46327 40d843 46324->46327 46330 40d7d3 46326->46330 
46332 401e45 22 API calls 46327->46332 46329 401e45 22 API calls 46331 40daad 46329->46331 46333 401e45 22 API calls 46330->46333 46335 401e45 22 API calls 46331->46335 46334 40d855 46332->46334 46336 40d7e8 46333->46336 46338 401e45 22 API calls 46334->46338 46337 40dabf 46335->46337 46829 40c5ed 46336->46829 46341 401e45 22 API calls 46337->46341 46339 40d87e 46338->46339 46345 401e45 22 API calls 46339->46345 46343 40dad5 46341->46343 46349 401e45 22 API calls 46343->46349 46344 401ef3 28 API calls 46346 40d807 46344->46346 46347 40d88f 46345->46347 46348 401ee9 11 API calls 46346->46348 46887 40b871 46 API calls _wcslen 46347->46887 46348->46309 46351 40daf5 46349->46351 46604 412338 46350->46604 46356 439867 _strftime 39 API calls 46351->46356 46354 40d942 ctype 46359 401e45 22 API calls 46354->46359 46355 40d89f 46355->46350 46357 40db02 46356->46357 46358 401e45 22 API calls 46357->46358 46360 40db0d 46358->46360 46361 40d959 46359->46361 46362 401e45 22 API calls 46360->46362 46361->46283 46363 40d96d 46361->46363 46364 40db1e 46362->46364 46365 401e45 22 API calls 46363->46365 46654 408f1f 46364->46654 46366 40d976 46365->46366 46888 419bca 28 API calls 46366->46888 46369 40d982 46889 40de34 88 API calls 46369->46889 46372 401e45 22 API calls 46374 40db3c 46372->46374 46373 40d987 46373->46242 46373->46283 46375 40db83 46374->46375 46376 40db4a 46374->46376 46378 401e45 22 API calls 46375->46378 46894 43229f 22 API calls 3 library calls 46376->46894 46380 40db91 46378->46380 46379 40db53 46381 401e45 22 API calls 46379->46381 46383 40dbd9 46380->46383 46384 40db9c 46380->46384 46382 40db65 46381->46382 46386 40db6c CreateThread 46382->46386 46385 401e45 22 API calls 46383->46385 46895 43229f 22 API calls 3 library calls 46384->46895 46388 40dbe2 46385->46388 46386->46375 47844 417f6a 101 API calls 2 library calls 46386->47844 46392 40dc4c 46388->46392 46393 40dbed 46388->46393 46389 40dba5 46390 401e45 22 API calls 46389->46390 46391 40dbb6 46390->46391 
46394 40dbbd CreateThread 46391->46394 46395 401e45 22 API calls 46392->46395 46396 401e45 22 API calls 46393->46396 46394->46383 47848 417f6a 101 API calls 2 library calls 46394->47848 46397 40dc55 46395->46397 46398 40dbfc 46396->46398 46399 40dc60 46397->46399 46400 40dc99 46397->46400 46401 401e45 22 API calls 46398->46401 46403 401e45 22 API calls 46399->46403 46691 4195f8 GetComputerNameExW GetUserNameW 46400->46691 46404 40dc11 46401->46404 46406 40dc69 46403->46406 46896 40c5a1 31 API calls 46404->46896 46410 401e45 22 API calls 46406->46410 46413 40dc7e 46410->46413 46411 40dc24 46414 401ef3 28 API calls 46411->46414 46424 439867 _strftime 39 API calls 46413->46424 46416 40dc30 46414->46416 46421 401ee9 11 API calls 46416->46421 46417 40dcc1 SetProcessDEPPolicy 46418 40dcc4 CreateThread 46417->46418 46419 40dce5 46418->46419 46420 40dcd9 CreateThread 46418->46420 47817 40e18d 46418->47817 46422 40dcfa 46419->46422 46423 40dcee CreateThread 46419->46423 46420->46419 47845 410b5c 137 API calls 46420->47845 46425 40dc39 CreateThread 46421->46425 46422->46269 46422->46293 46423->46422 47846 411140 38 API calls ___scrt_fastfail 46423->47846 46426 40dc8b 46424->46426 46425->46392 47847 401bc9 49 API calls _strftime 46425->47847 46897 40b0a3 7 API calls 46426->46897 46428->46134 46429->46138 46430->46140 46431->46147 46436->46161 46437->46163 46442 44cd48 46438->46442 46441 436cfa 8 API calls 3 library calls 46441->46168 46445 44cd65 46442->46445 46446 44cd61 46442->46446 46444 432372 46444->46166 46444->46441 46445->46446 46448 4475a6 46445->46448 46460 432d4b 46446->46460 46449 4475b2 ___BuildCatchObject 46448->46449 46467 442d9a EnterCriticalSection 46449->46467 46451 4475b9 46468 44d363 46451->46468 46453 4475c8 46459 4475d7 46453->46459 46479 44743a 23 API calls 46453->46479 46456 4475d2 46480 4474f0 GetStdHandle GetFileType 46456->46480 46457 4475e8 ___BuildCatchObject 46457->46445 46481 4475f3 LeaveCriticalSection std::_Lockit::~_Lockit 46459->46481 46461 
432d56 IsProcessorFeaturePresent 46460->46461 46462 432d54 46460->46462 46464 432d98 46461->46464 46462->46444 46502 432d5c SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 46464->46502 46466 432e7b 46466->46444 46467->46451 46469 44d36f ___BuildCatchObject 46468->46469 46470 44d393 46469->46470 46471 44d37c 46469->46471 46482 442d9a EnterCriticalSection 46470->46482 46490 43ad91 20 API calls _abort 46471->46490 46474 44d3cb 46491 44d3f2 LeaveCriticalSection std::_Lockit::~_Lockit 46474->46491 46475 44d381 ___BuildCatchObject __cftoe 46475->46453 46476 44d39f 46476->46474 46483 44d2b4 46476->46483 46479->46456 46480->46459 46481->46457 46482->46476 46492 443005 46483->46492 46485 44d2d3 46487 443c92 _free 20 API calls 46485->46487 46486 44d2c6 46486->46485 46499 445fb3 11 API calls 2 library calls 46486->46499 46489 44d325 46487->46489 46489->46476 46490->46475 46491->46475 46497 443012 __Getctype 46492->46497 46493 443052 46501 43ad91 20 API calls _abort 46493->46501 46494 44303d RtlAllocateHeap 46495 443050 46494->46495 46494->46497 46495->46486 46497->46493 46497->46494 46500 440480 7 API calls 2 library calls 46497->46500 46499->46486 46500->46497 46501->46495 46502->46466 46504 4328dc GetStartupInfoW 46503->46504 46504->46172 46506 44c24b 46505->46506 46507 44c242 46505->46507 46506->46176 46510 44c138 48 API calls 4 library calls 46507->46510 46509->46176 46510->46506 46512 41a919 LoadLibraryA GetProcAddress 46511->46512 46513 41a909 GetModuleHandleA GetProcAddress 46511->46513 46514 41a947 GetModuleHandleA GetProcAddress 46512->46514 46515 41a937 GetModuleHandleA GetProcAddress 46512->46515 46513->46512 46516 41a973 24 API calls 46514->46516 46517 41a95f GetModuleHandleA GetProcAddress 46514->46517 46515->46514 46516->46180 46517->46516 46900 419493 FindResourceA 46518->46900 46521 439adb ___std_exception_copy 21 API calls 46522 40ddad ctype 46521->46522 46523 402097 28 API calls 46522->46523 46524 40ddc8 46523->46524 
46525 401fc2 28 API calls 46524->46525 46526 40ddd3 46525->46526 46527 401fb8 11 API calls 46526->46527 46528 40dddc 46527->46528 46529 439adb ___std_exception_copy 21 API calls 46528->46529 46530 40dded ctype 46529->46530 46903 4062ee 46530->46903 46532 40de20 46532->46182 46534 4020bf 11 API calls 46533->46534 46535 419d9a 46534->46535 46539 419e0c 46535->46539 46547 401fc2 28 API calls 46535->46547 46549 401fb8 11 API calls 46535->46549 46554 419e0a 46535->46554 46906 404182 46535->46906 46909 41ab9a 28 API calls 46535->46909 46536 401fb8 11 API calls 46537 419e3c 46536->46537 46538 401fb8 11 API calls 46537->46538 46540 419e44 46538->46540 46541 404182 28 API calls 46539->46541 46543 401fb8 11 API calls 46540->46543 46544 419e18 46541->46544 46545 40d43c 46543->46545 46546 401fc2 28 API calls 46544->46546 46555 40e563 46545->46555 46548 419e21 46546->46548 46547->46535 46550 401fb8 11 API calls 46548->46550 46549->46535 46551 419e29 46550->46551 46910 41ab9a 28 API calls 46551->46910 46554->46536 46556 40e56f 46555->46556 46558 40e576 46555->46558 46917 402143 11 API calls 46556->46917 46558->46190 46560 401e4d 46559->46560 46561 401e55 46560->46561 46918 402138 22 API calls 46560->46918 46561->46197 46565 4020bf 11 API calls 46564->46565 46566 40530a 46565->46566 46919 403280 46566->46919 46568 405326 46568->46205 46924 4051cf 46569->46924 46571 408217 46928 402035 46571->46928 46574 401fc2 46575 401fd1 46574->46575 46576 402019 46574->46576 46577 4023ae 11 API calls 46575->46577 46576->46215 46578 401fda 46577->46578 46579 40201c 46578->46579 46581 401ff5 46578->46581 46580 40265a 11 API calls 46579->46580 46580->46576 46962 403078 28 API calls 46581->46962 46584 401fb2 46583->46584 46585 401fa9 46583->46585 46584->46224 46963 4025c0 28 API calls 46585->46963 46964 419f23 46587->46964 46592 401fc2 28 API calls 46593 4192ea 46592->46593 46594 401fb8 11 API calls 46593->46594 46595 4192f2 46594->46595 46596 411f91 31 API calls 46595->46596 46598 419348 
46595->46598 46597 41931b 46596->46597 46599 419326 StrToIntA 46597->46599 46598->46252 46600 41933d 46599->46600 46601 419334 46599->46601 46603 401fb8 11 API calls 46600->46603 46972 41accf 22 API calls 46601->46972 46603->46598 46605 412356 46604->46605 46606 4062ee 28 API calls 46605->46606 46607 41236b 46606->46607 46608 4020d6 28 API calls 46607->46608 46609 41237b 46608->46609 46610 41215f 14 API calls 46609->46610 46611 412385 46610->46611 46612 401fb8 11 API calls 46611->46612 46613 412392 46612->46613 46613->46354 46615 40207b 46614->46615 46616 4023ae 11 API calls 46615->46616 46617 402086 46616->46617 46973 4024cd 46617->46973 46621 4121af 46620->46621 46623 412178 46620->46623 46622 401fb8 11 API calls 46621->46622 46624 40da38 46622->46624 46625 41218a RegSetValueExA RegCloseKey 46623->46625 46624->46304 46625->46621 46627 439880 _strftime 46626->46627 46977 438bbe 46627->46977 46629 40da51 46629->46311 46629->46314 46631 4194f0 GetLocalTime 46630->46631 46632 41958b 46630->46632 46633 4052fe 28 API calls 46631->46633 46634 401fb8 11 API calls 46632->46634 46635 419532 46633->46635 46636 419593 46634->46636 46637 408209 28 API calls 46635->46637 46638 401fb8 11 API calls 46636->46638 46639 41953e 46637->46639 46640 40daa1 46638->46640 47005 402ef0 46639->47005 46640->46329 46643 408209 28 API calls 46644 419556 46643->46644 47010 41928b 76 API calls 46644->47010 46646 419564 46647 401fb8 11 API calls 46646->46647 46648 419570 46647->46648 46649 401fb8 11 API calls 46648->46649 46650 419579 46649->46650 46651 401fb8 11 API calls 46650->46651 46652 419582 46651->46652 46653 401fb8 11 API calls 46652->46653 46653->46632 47014 401f66 46654->47014 46656 408f36 _wcslen 46657 408f60 46656->46657 46658 408f49 46656->46658 46659 40c5ed 31 API calls 46657->46659 46660 40c5ed 31 API calls 46658->46660 46662 408f68 46659->46662 46661 408f51 46660->46661 46663 401ef3 28 API calls 46661->46663 46664 401ef3 28 API calls 46662->46664 46665 408f5b 46663->46665 46666 
408f76 46664->46666 46668 401ee9 11 API calls 46665->46668 46667 401ee9 11 API calls 46666->46667 46669 408f7e 46667->46669 46670 408fb5 46668->46670 47046 4081c7 28 API calls 46669->47046 46672 408ffb 46670->46672 46673 408fdc 46670->46673 47018 408098 46672->47018 46675 408fe1 46673->46675 46676 409013 46673->46676 46674 408f90 47047 402ff4 46674->47047 46680 408098 28 API calls 46675->46680 46679 401ee9 11 API calls 46676->46679 46683 40901b 46679->46683 46684 408fef 46680->46684 46683->46372 47052 4092ba 29 API calls 46684->47052 46686 401ef3 28 API calls 46688 408fa5 46686->46688 46689 401ee9 11 API calls 46688->46689 46689->46665 46690 408ff9 46690->46676 47241 40415e 46691->47241 46696 402ff4 28 API calls 46697 41965d 46696->46697 46698 401ee9 11 API calls 46697->46698 46699 419666 46698->46699 46700 401ee9 11 API calls 46699->46700 46701 40dca2 46700->46701 46702 401ef3 46701->46702 46703 401f02 46702->46703 46704 401f4a 46702->46704 46705 402232 11 API calls 46703->46705 46711 401ee9 46704->46711 46706 401f0b 46705->46706 46707 401f4d 46706->46707 46708 401f26 46706->46708 46709 402316 11 API calls 46707->46709 47337 40303c 28 API calls 46708->47337 46709->46704 46712 402232 11 API calls 46711->46712 46713 401ef2 46712->46713 46713->46417 46713->46418 47338 40533f 28 API calls 46714->47338 46717 4020bf 11 API calls 46716->46717 46718 413994 46717->46718 47339 419894 46718->47339 46721 4020bf 11 API calls 46722 4139aa 46721->46722 46723 401e45 22 API calls 46722->46723 46724 4139b8 46723->46724 46725 439867 _strftime 39 API calls 46724->46725 46726 4139c5 46725->46726 46727 4139d7 46726->46727 46728 4139ca Sleep 46726->46728 46729 402073 28 API calls 46727->46729 46728->46727 46730 4139e6 46729->46730 46731 401e45 22 API calls 46730->46731 46732 4139ef 46731->46732 46733 4020d6 28 API calls 46732->46733 46734 4139fa 46733->46734 46735 419d87 28 API calls 46734->46735 46736 413a02 46735->46736 47343 40487e WSAStartup 46736->47343 46738 413a0c 46739 401e45 22 
API calls 46738->46739 46740 413a15 46739->46740 46741 401e45 22 API calls 46740->46741 46788 413a94 46740->46788 46742 413a2e 46741->46742 46743 401e45 22 API calls 46742->46743 46745 413a3f 46743->46745 46744 4020d6 28 API calls 46744->46788 46747 401e45 22 API calls 46745->46747 46746 419d87 28 API calls 46746->46788 46748 413a50 46747->46748 46750 401e45 22 API calls 46748->46750 46749 40822a 28 API calls 46749->46788 46751 413a61 46750->46751 46753 401e45 22 API calls 46751->46753 46752 401fc2 28 API calls 46752->46788 46754 413a72 46753->46754 46755 401e45 22 API calls 46754->46755 46757 413a84 46755->46757 46756 401fb8 11 API calls 46756->46788 47472 40471d 88 API calls 46757->47472 46759 4052fe 28 API calls 46759->46788 46760 408209 28 API calls 46760->46788 46761 401e45 22 API calls 46761->46788 46763 413be2 WSAGetLastError 47473 41a86b 30 API calls 46763->47473 46766 4052dd 28 API calls 46810 413bf2 46766->46810 46767 402073 28 API calls 46767->46810 46770 4194da 79 API calls 46770->46810 46772 401e45 22 API calls 46772->46810 46773 401e6d 11 API calls 46773->46810 46774 439867 _strftime 39 API calls 46775 4144bf Sleep 46774->46775 46775->46810 46776 402ef0 28 API calls 46776->46788 46777 402073 28 API calls 46777->46788 46778 4194da 79 API calls 46778->46788 46781 408098 28 API calls 46781->46788 46782 43f34f 20 API calls 46782->46788 46783 4120e8 3 API calls 46783->46788 46784 411f91 31 API calls 46784->46788 46785 40415e 28 API calls 46785->46788 46787 419b16 28 API calls 46787->46788 46788->46744 46788->46746 46788->46749 46788->46752 46788->46756 46788->46759 46788->46760 46788->46761 46788->46763 46788->46776 46788->46777 46788->46778 46788->46781 46788->46782 46788->46783 46788->46784 46788->46785 46788->46787 46789 401e45 22 API calls 46788->46789 46788->46810 47344 41393f 46788->47344 47349 40480d 46788->47349 47356 404f31 46788->47356 47371 4048a8 connect 46788->47371 47431 4197c1 46788->47431 47434 413013 46788->47434 47437 419c8a 46788->47437 
46790 413e7b GetTickCount 46789->46790 46791 419b16 28 API calls 46790->46791 46805 413e98 46791->46805 46793 419b16 28 API calls 46793->46805 46795 419c8a 28 API calls 46795->46805 46798 408209 28 API calls 46798->46805 46800 402e81 28 API calls 46800->46805 46801 402ef0 28 API calls 46801->46805 46803 401fb8 11 API calls 46803->46805 46804 401ee9 11 API calls 46804->46805 46805->46793 46805->46795 46805->46798 46805->46800 46805->46801 46805->46803 46805->46804 47441 419ac6 46805->47441 47443 419a77 46805->47443 47448 40e2bb GetLocaleInfoA 46805->47448 47451 402f11 28 API calls 46805->47451 47452 40826c 28 API calls 46805->47452 47453 404bf0 46805->47453 47474 404a81 60 API calls ctype 46805->47474 46808 414461 CreateThread 46808->46810 46809 401fb8 11 API calls 46809->46810 46810->46766 46810->46767 46810->46770 46810->46772 46810->46773 46810->46774 46810->46788 46810->46808 46810->46809 46811 401ee9 11 API calls 46810->46811 47475 409f9a 84 API calls 46810->47475 47476 404e06 98 API calls 46810->47476 46811->46810 46812->46198 46813->46206 46814->46210 46817 4020bf 11 API calls 46816->46817 46818 408236 46817->46818 46819 403280 28 API calls 46818->46819 46820 408253 46819->46820 46820->46232 46822 411f5e RegQueryValueExA RegCloseKey 46821->46822 46823 40d5c5 46821->46823 46822->46823 46823->46229 46823->46253 46824->46235 46825->46255 46826->46282 46827->46255 46828->46263 46830 401f66 11 API calls 46829->46830 46831 40c609 46830->46831 46832 40c629 46831->46832 46833 40c65e 46831->46833 46834 40c61f 46831->46834 47811 41959f 29 API calls 46832->47811 46837 419f23 GetCurrentProcess 46833->46837 46836 40c752 GetLongPathNameW 46834->46836 46839 40415e 28 API calls 46836->46839 46840 40c663 46837->46840 46838 40c632 46841 401ef3 28 API calls 46838->46841 46842 40c767 46839->46842 46843 40c667 46840->46843 46844 40c6b9 46840->46844 46845 40c63c 46841->46845 46846 40415e 28 API calls 46842->46846 46848 40415e 28 API calls 46843->46848 46847 40415e 28 API calls 
46844->46847 46852 401ee9 11 API calls 46845->46852 46849 40c776 46846->46849 46850 40c6c7 46847->46850 46851 40c675 46848->46851 47814 40c7f9 28 API calls 46849->47814 46855 40415e 28 API calls 46850->46855 46856 40415e 28 API calls 46851->46856 46852->46834 46854 40c789 47815 402f85 28 API calls 46854->47815 46859 40c6dd 46855->46859 46860 40c68b 46856->46860 46858 40c794 47816 402f85 28 API calls 46858->47816 47813 402f85 28 API calls 46859->47813 47812 402f85 28 API calls 46860->47812 46864 40c79e 46867 401ee9 11 API calls 46864->46867 46865 40c6e8 46868 401ef3 28 API calls 46865->46868 46866 40c696 46869 401ef3 28 API calls 46866->46869 46870 40c7a8 46867->46870 46871 40c6f3 46868->46871 46872 40c6a1 46869->46872 46873 401ee9 11 API calls 46870->46873 46874 401ee9 11 API calls 46871->46874 46875 401ee9 11 API calls 46872->46875 46876 40c7b1 46873->46876 46877 40c6fc 46874->46877 46878 40c6aa 46875->46878 46879 401ee9 11 API calls 46876->46879 46880 401ee9 11 API calls 46877->46880 46881 401ee9 11 API calls 46878->46881 46882 40c7ba 46879->46882 46880->46845 46881->46845 46883 401ee9 11 API calls 46882->46883 46884 40c7c3 46883->46884 46885 401ee9 11 API calls 46884->46885 46886 40c7cc 46885->46886 46886->46344 46887->46355 46888->46369 46889->46373 46891 41210e RegQueryValueExA RegCloseKey 46890->46891 46892 412132 46890->46892 46891->46892 46892->46283 46893->46319 46894->46379 46895->46389 46896->46411 46897->46400 46898->46259 46901 4194b0 LoadResource LockResource SizeofResource 46900->46901 46902 40dd9e 46900->46902 46901->46902 46902->46521 46904 402097 28 API calls 46903->46904 46905 406302 46904->46905 46905->46532 46911 40421a 46906->46911 46909->46535 46910->46554 46912 404223 46911->46912 46913 4023ae 11 API calls 46912->46913 46914 40422e 46913->46914 46915 402549 28 API calls 46914->46915 46916 404195 46915->46916 46916->46535 46917->46558 46921 40328a 46919->46921 46920 4032a9 46920->46568 46921->46920 46923 4028c8 28 API calls 46921->46923 
46923->46920 46925 4051db 46924->46925 46934 405254 46925->46934 46927 4051e8 46927->46571 46929 402041 46928->46929 46930 4023ae 11 API calls 46929->46930 46931 40205b 46930->46931 46958 40265a 46931->46958 46935 405262 46934->46935 46936 405268 46935->46936 46937 40527e 46935->46937 46945 4025d0 46936->46945 46939 4052d5 46937->46939 46940 405296 46937->46940 46955 402884 22 API calls 46939->46955 46944 40527c 46940->46944 46954 4028c8 28 API calls 46940->46954 46944->46927 46946 402868 22 API calls 46945->46946 46947 4025e2 46946->46947 46948 402652 46947->46948 46949 402609 46947->46949 46957 402884 22 API calls 46948->46957 46953 40261b 46949->46953 46956 4028c8 28 API calls 46949->46956 46953->46944 46954->46944 46956->46953 46959 40266b 46958->46959 46960 4023ae 11 API calls 46959->46960 46961 40206d 46960->46961 46961->46574 46962->46576 46963->46584 46965 419f30 GetCurrentProcess 46964->46965 46966 4192bc 46964->46966 46965->46966 46967 411f91 RegOpenKeyExA 46966->46967 46968 411fbf RegQueryValueExA RegCloseKey 46967->46968 46969 411fe9 46967->46969 46968->46969 46970 402073 28 API calls 46969->46970 46971 411ffe 46970->46971 46971->46592 46972->46600 46974 4024d9 46973->46974 46975 4024ea 28 API calls 46974->46975 46976 402091 46975->46976 46976->46299 46993 4397c5 46977->46993 46979 438c0b 46999 438557 35 API calls 2 library calls 46979->46999 46980 438bd0 46980->46979 46981 438be5 46980->46981 46992 438bea __cftoe 46980->46992 46998 43ad91 20 API calls _abort 46981->46998 46985 438c17 46986 438c46 46985->46986 47000 43980a 39 API calls __Toupper 46985->47000 46987 438cb2 46986->46987 47001 439771 20 API calls 2 library calls 46986->47001 47002 439771 20 API calls 2 library calls 46987->47002 46990 438d79 _strftime 46990->46992 47003 43ad91 20 API calls _abort 46990->47003 46992->46629 46994 4397ca 46993->46994 46995 4397dd 46993->46995 47004 43ad91 20 API calls _abort 46994->47004 46995->46980 46997 4397cf __cftoe 46997->46980 46998->46992 46999->46985 
47000->46985 47001->46987 47002->46990 47003->46992 47004->46997 47011 401f90 47005->47011 47007 402efe 47008 402035 11 API calls 47007->47008 47009 402f0d 47008->47009 47009->46643 47010->46646 47012 4025d0 28 API calls 47011->47012 47013 401f9d 47012->47013 47013->47007 47015 401f6e 47014->47015 47053 402232 47015->47053 47017 401f79 47017->46656 47019 4080ae 47018->47019 47020 402232 11 API calls 47019->47020 47021 4080c8 47020->47021 47058 404247 47021->47058 47023 4080d6 47024 409203 47023->47024 47071 40a83c 47024->47071 47027 409257 47030 402073 28 API calls 47027->47030 47028 40922f 47029 402073 28 API calls 47028->47029 47031 409239 47029->47031 47032 409262 47030->47032 47075 419bca 28 API calls 47031->47075 47034 402073 28 API calls 47032->47034 47036 409271 47034->47036 47035 409247 47076 40a0b0 31 API calls ___std_exception_copy 47035->47076 47038 4194da 79 API calls 47036->47038 47039 409276 CreateThread 47038->47039 47041 409291 CreateThread 47039->47041 47042 40929d CreateThread 47039->47042 47078 409305 47039->47078 47040 40924e 47043 401fb8 11 API calls 47040->47043 47041->47042 47084 4092ef 47041->47084 47044 401ee9 11 API calls 47042->47044 47081 409311 47042->47081 47043->47027 47045 4092b1 47044->47045 47045->46676 47046->46674 47212 403202 47047->47212 47049 403002 47216 403242 47049->47216 47052->46690 47240 4092fb 162 API calls 47052->47240 47054 40228c 47053->47054 47055 40223c 47053->47055 47054->47017 47055->47054 47057 402759 11 API calls std::_Deallocate 47055->47057 47057->47054 47059 402868 22 API calls 47058->47059 47060 40425b 47059->47060 47061 404270 47060->47061 47062 404285 47060->47062 47068 4042bf 22 API calls 47061->47068 47070 4027c6 28 API calls 47062->47070 47065 404279 47069 402c28 22 API calls 47065->47069 47067 404283 47067->47023 47068->47065 47069->47067 47070->47067 47072 40a845 47071->47072 47073 409221 47071->47073 47077 40a8bc 28 API calls 47072->47077 47073->47027 47073->47028 47075->47035 47076->47040 
47077->47073 47087 40971e 47078->47087 47138 409c1f 47081->47138 47192 409340 47084->47192 47088 409733 Sleep 47087->47088 47112 40966d 47088->47112 47090 40930e 47091 409773 CreateDirectoryW 47099 409745 47091->47099 47092 409784 GetFileAttributesW 47092->47099 47093 40979b SetFileAttributesW 47093->47099 47094 4020bf 11 API calls 47094->47099 47096 409815 PathFileExistsW 47096->47099 47103 409820 47096->47103 47097 401e45 22 API calls 47097->47099 47098 4020bf 11 API calls 47098->47103 47099->47088 47099->47090 47099->47091 47099->47092 47099->47093 47099->47094 47099->47096 47099->47097 47100 402097 28 API calls 47099->47100 47101 409915 47099->47101 47106 401fb8 11 API calls 47099->47106 47109 4062ee 28 API calls 47099->47109 47125 41a17b 47099->47125 47136 41a27c CreateFileW SetFilePointer CloseHandle WriteFile CloseHandle 47099->47136 47100->47099 47104 40991e SetFileAttributesW 47101->47104 47103->47098 47105 401fb8 11 API calls 47103->47105 47107 4062ee 28 API calls 47103->47107 47108 401fc2 28 API calls 47103->47108 47110 401fb8 11 API calls 47103->47110 47135 41a20f 32 API calls 47103->47135 47104->47099 47105->47099 47106->47099 47107->47103 47108->47103 47109->47099 47110->47103 47113 40971a 47112->47113 47116 409683 47112->47116 47113->47099 47114 4096a2 CreateFileW 47115 4096b0 GetFileSize 47114->47115 47114->47116 47115->47116 47117 4096e5 CloseHandle 47115->47117 47116->47114 47116->47117 47118 4096d3 47116->47118 47119 4096da Sleep 47116->47119 47120 4096f7 47116->47120 47117->47116 47137 40a025 83 API calls 47118->47137 47119->47117 47120->47113 47122 408098 28 API calls 47120->47122 47123 409713 47122->47123 47124 409203 123 API calls 47123->47124 47124->47113 47126 41a18e CreateFileW 47125->47126 47128 41a1c7 47126->47128 47129 41a1cb 47126->47129 47128->47099 47130 41a1d2 SetFilePointer 47129->47130 47131 41a1eb WriteFile 47129->47131 47130->47131 47132 41a1e2 CloseHandle 47130->47132 47133 41a200 CloseHandle 47131->47133 47134 41a1fe 
47131->47134 47132->47128 47133->47128 47134->47133 47135->47103 47136->47099 47137->47119 47167 409c2d 47138->47167 47139 40931a 47140 409c87 Sleep GetForegroundWindow GetWindowTextLengthW 47168 40a854 47140->47168 47143 401f66 11 API calls 47143->47167 47146 409ccd GetWindowTextW 47146->47167 47148 40a83c 28 API calls 47148->47167 47149 409e25 47151 401ee9 11 API calls 47149->47151 47150 419ac6 GetTickCount 47150->47167 47151->47139 47152 409d92 Sleep 47152->47167 47155 402073 28 API calls 47155->47167 47156 409d1a 47158 408098 28 API calls 47156->47158 47156->47167 47178 40a0b0 31 API calls ___std_exception_copy 47156->47178 47157 4052dd 28 API calls 47157->47167 47158->47156 47160 408209 28 API calls 47160->47167 47162 402ff4 28 API calls 47162->47167 47164 401ee9 11 API calls 47164->47167 47165 40962e 12 API calls 47165->47167 47166 401fb8 11 API calls 47166->47167 47167->47139 47167->47140 47167->47143 47167->47146 47167->47148 47167->47149 47167->47150 47167->47152 47167->47155 47167->47156 47167->47157 47167->47160 47167->47162 47167->47164 47167->47165 47167->47166 47174 43219b EnterCriticalSection LeaveCriticalSection WaitForSingleObjectEx __Init_thread_wait __Init_thread_footer 47167->47174 47175 432525 23 API calls __onexit 47167->47175 47176 43215c SetEvent ResetEvent EnterCriticalSection LeaveCriticalSection __Init_thread_footer 47167->47176 47177 408080 28 API calls 47167->47177 47179 40a8cc 28 API calls 47167->47179 47180 40a694 40 API calls 2 library calls 47167->47180 47181 43f34f 47167->47181 47185 419bca 28 API calls 47167->47185 47169 40a85c 47168->47169 47170 402232 11 API calls 47169->47170 47171 40a867 47170->47171 47186 40a87c 28 API calls 47171->47186 47173 40a876 47173->47167 47175->47167 47176->47167 47177->47167 47178->47156 47179->47167 47180->47167 47182 43f35b 47181->47182 47187 43f14b 47182->47187 47184 43f37c 47184->47167 47185->47167 47186->47173 47188 43f162 47187->47188 47190 43f199 __cftoe 47188->47190 47191 43ad91 20 API calls 
_abort 47188->47191 47190->47184 47191->47190 47193 409359 GetModuleHandleA SetWindowsHookExA 47192->47193 47194 4093bb GetMessageA 47192->47194 47193->47194 47196 409375 GetLastError 47193->47196 47195 4093cd TranslateMessage DispatchMessageA 47194->47195 47206 4092f8 47194->47206 47195->47194 47195->47206 47207 419b16 47196->47207 47199 4052dd 28 API calls 47200 409396 47199->47200 47201 402073 28 API calls 47200->47201 47202 4093a5 47201->47202 47203 4194da 79 API calls 47202->47203 47204 4093aa 47203->47204 47205 401fb8 11 API calls 47204->47205 47205->47206 47208 43f34f 20 API calls 47207->47208 47209 419b3a 47208->47209 47210 402073 28 API calls 47209->47210 47211 409386 47210->47211 47211->47199 47213 40320e 47212->47213 47222 4035f8 47213->47222 47215 40321b 47215->47049 47217 40324e 47216->47217 47218 402232 11 API calls 47217->47218 47219 403268 47218->47219 47236 402316 47219->47236 47223 403606 47222->47223 47224 403624 47223->47224 47225 40360c 47223->47225 47227 40363c 47224->47227 47228 40367e 47224->47228 47233 403686 28 API calls 47225->47233 47232 403622 47227->47232 47234 4027c6 28 API calls 47227->47234 47235 402884 22 API calls 47228->47235 47232->47215 47233->47232 47234->47232 47237 402327 47236->47237 47238 402232 11 API calls 47237->47238 47239 4023a7 47238->47239 47239->46686 47242 404166 47241->47242 47243 402232 11 API calls 47242->47243 47244 404171 47243->47244 47252 40419c 47244->47252 47247 4042dc 47264 404333 47247->47264 47249 4042ea 47250 403242 11 API calls 47249->47250 47251 4042f9 47250->47251 47251->46696 47253 4041a8 47252->47253 47256 4041b9 47253->47256 47255 40417c 47255->47247 47257 4041c9 47256->47257 47258 4041e6 47257->47258 47259 4041cf 47257->47259 47263 4027c6 28 API calls 47258->47263 47261 404247 28 API calls 47259->47261 47262 4041e4 47261->47262 47262->47255 47263->47262 47265 40433f 47264->47265 47268 404351 47265->47268 47267 40434d 47267->47249 47269 40435f 47268->47269 47270 404365 47269->47270 47271 40437e 

                      Control-flow Graph

                      APIs
                      • LoadLibraryA.KERNELBASE(Psapi.dll,GetModuleFileNameExA,?,?,?,?,0040D40C), ref: 0041A8EF
                      • GetProcAddress.KERNEL32(00000000), ref: 0041A8F8
                      • GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExA,?,?,?,?,0040D40C), ref: 0041A90F
                      • GetProcAddress.KERNEL32(00000000), ref: 0041A912
                      • LoadLibraryA.KERNEL32(Psapi.dll,GetModuleFileNameExW,?,?,?,?,0040D40C), ref: 0041A924
                      • GetProcAddress.KERNEL32(00000000), ref: 0041A927
                      • GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExW,?,?,?,?,0040D40C), ref: 0041A93D
                      • GetProcAddress.KERNEL32(00000000), ref: 0041A940
                      • GetModuleHandleA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040D40C), ref: 0041A951
                      • GetProcAddress.KERNEL32(00000000), ref: 0041A954
                      • GetModuleHandleA.KERNEL32(user32,SetProcessDpiAware,?,?,?,?,0040D40C), ref: 0041A969
                      • GetProcAddress.KERNEL32(00000000), ref: 0041A96C
                      • LoadLibraryA.KERNEL32(ntdll.dll,NtUnmapViewOfSection,?,?,?,?,0040D40C), ref: 0041A97D
                      • GetProcAddress.KERNEL32(00000000), ref: 0041A980
                      • LoadLibraryA.KERNEL32(kernel32.dll,GlobalMemoryStatusEx,?,?,?,?,0040D40C), ref: 0041A98C
                      • GetProcAddress.KERNEL32(00000000), ref: 0041A98F
                      • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040D40C), ref: 0041A9A1
                      • GetProcAddress.KERNEL32(00000000), ref: 0041A9A4
                      • GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040D40C), ref: 0041A9B1
                      • GetProcAddress.KERNEL32(00000000), ref: 0041A9B4
                      • LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040D40C), ref: 0041A9C5
                      • GetProcAddress.KERNEL32(00000000), ref: 0041A9C8
                      • GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040D40C), ref: 0041A9D5
                      • GetProcAddress.KERNEL32(00000000), ref: 0041A9D8
                      • GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040D40C), ref: 0041A9EA
                      • GetProcAddress.KERNEL32(00000000), ref: 0041A9ED
                      • GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040D40C), ref: 0041A9FA
                      • GetProcAddress.KERNEL32(00000000), ref: 0041A9FD
                      • GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040D40C), ref: 0041AA0A
                      • GetProcAddress.KERNEL32(00000000), ref: 0041AA0D
                      • GetModuleHandleA.KERNEL32(kernel32.dll,GetSystemTimes,?,?,?,?,0040D40C), ref: 0041AA1F
                      • GetProcAddress.KERNEL32(00000000), ref: 0041AA22
                      • LoadLibraryA.KERNEL32(Shlwapi.dll,0000000C,?,?,?,?,0040D40C), ref: 0041AA30
                      • GetProcAddress.KERNEL32(00000000), ref: 0041AA33
                      • LoadLibraryA.KERNEL32(kernel32.dll,GetConsoleWindow,?,?,?,?,0040D40C), ref: 0041AA40
                      • GetProcAddress.KERNEL32(00000000), ref: 0041AA43
                      Strings
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Yara matches
                      Similarity
                      • API ID: AddressProc$HandleModule$LibraryLoad
                      • String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetModuleFileNameExA$GetModuleFileNameExW$GetMonitorInfoW$GetSystemTimes$GlobalMemoryStatusEx$IsUserAnAdmin$IsWow64Process$Kernel32.dll$NtUnmapViewOfSection$Psapi.dll$SetProcessDEPPolicy$SetProcessDpiAware$SetProcessDpiAwareness$Shell32$Shlwapi.dll$kernel32$kernel32.dll$ntdll.dll$shcore$user32
                      • API String ID: 551388010-2474455403
                      • Opcode ID: e80cee8c84c8c84204283680f0404711a146afcd0be7a07adf6e8d3a182e926f
                      • Instruction ID: 1e7ebd14e1f9a52016720e07cc743ec1e909bc11fdf6f09267ddb838bd68d733
                      • Opcode Fuzzy Hash: e80cee8c84c8c84204283680f0404711a146afcd0be7a07adf6e8d3a182e926f
                      • Instruction Fuzzy Hash: 9031EBF0E413587ADB207BBA5C09E5B3E9CDA80794711052BB408D3661FAFC9C448E6E

                      Control-flow Graph

                      APIs
                      • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 0040935B
                      • SetWindowsHookExA.USER32(0000000D,0040932C,00000000), ref: 00409369
                      • GetLastError.KERNEL32 ref: 00409375
                        • Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4
                      • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 004093C3
                      • TranslateMessage.USER32(?), ref: 004093D2
                      • DispatchMessageA.USER32(?), ref: 004093DD
                      Strings
                      • Keylogger initialization failure: error , xrefs: 00409389
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Yara matches
                      Similarity
                      • API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
                      • String ID: Keylogger initialization failure: error
                      • API String ID: 3219506041-952744263
                      • Opcode ID: ae81bad82633740cfd3b1ee72ad186b026eea02700e8765fb6a7155286d8ffc9
                      • Instruction ID: 7386389ed158dc1e9b291cee6df9fe5cdc6a320468782ebba6dd7d831fd8f91b
                      • Opcode Fuzzy Hash: ae81bad82633740cfd3b1ee72ad186b026eea02700e8765fb6a7155286d8ffc9
                      • Instruction Fuzzy Hash: 4D119431604301ABC7107B769D0985BB7ECEB99712B500A7EFC95D32D2EB74C900CB6A

                      Control-flow Graph

                      APIs
                        • Part of subcall function 00411F34: RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,?), ref: 00411F54
                        • Part of subcall function 00411F34: RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,00000000,?,00472200), ref: 00411F72
                        • Part of subcall function 00411F34: RegCloseKey.KERNELBASE(?), ref: 00411F7D
                      • Sleep.KERNELBASE(00000BB8), ref: 0040E243
                      • ExitProcess.KERNEL32 ref: 0040E2B4
                      Strings
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Yara matches
                      Similarity
                      • API ID: CloseExitOpenProcessQuerySleepValue
                      • String ID: 3.8.0 Pro$override$pth_unenc$!G
                      • API String ID: 2281282204-1386060931
                      • Opcode ID: 10fe23117be218520d4d35d35fe488e5683950f633b047ce3d9e2e305ea30a6a
                      • Instruction ID: b884fba6e00cc138548ee74cf6c0f0a6577cc223cd772b3e63c92b5116f64211
                      • Opcode Fuzzy Hash: 10fe23117be218520d4d35d35fe488e5683950f633b047ce3d9e2e305ea30a6a
                      • Instruction Fuzzy Hash: 6E213770B4030027DA08B6768D5BAAE35899B82708F40446FF911AB2D7EEBD8D4583DF

                      Control-flow Graph

                      APIs
                      • InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00419392
                      • InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 004193A8
                      • InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 004193C1
                      • InternetCloseHandle.WININET(00000000), ref: 00419407
                      • InternetCloseHandle.WININET(00000000), ref: 0041940A
                      Strings
                      • http://geoplugin.net/json.gp, xrefs: 004193A2
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Yara matches
                      Similarity
                      • API ID: Internet$CloseHandleOpen$FileRead
                      • String ID: http://geoplugin.net/json.gp
                      • API String ID: 3121278467-91888290
                      • Opcode ID: 14f08038d1c959d89c898f40a9c33d36caebe0842b9b391160761e468c54faf4
                      • Instruction ID: 9fad89c028030122b1819b6a874fefb9d729214f45c39af6bed7b2b06c6e4f32
                      • Opcode Fuzzy Hash: 14f08038d1c959d89c898f40a9c33d36caebe0842b9b391160761e468c54faf4
                      • Instruction Fuzzy Hash: 3311C8311053126BD224EF169C59DABBF9CEF85765F40053EF905A32C1DBA8DC44C6A9
                      APIs
                      • GetLocalTime.KERNEL32(00000001,00471E78,004724A8,?,?,?,?,004146CF,?,00000001), ref: 00404F61
                      • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00471E78,004724A8,?,?,?,?,004146CF,?,00000001), ref: 00404FAD
                      • CreateThread.KERNELBASE(00000000,00000000,Function_00005130,?,00000000,00000000), ref: 00404FC0
                      Strings
                      • Connection KeepAlive | Enabled | Timeout: , xrefs: 00404F74
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Yara matches
                      Similarity
                      • API ID: Create$EventLocalThreadTime
                      • String ID: Connection KeepAlive | Enabled | Timeout:
                      • API String ID: 2532271599-507513762
                      • Opcode ID: 4fe99452319c18cd9fdfc33eb9207e1e06689e646172ec3d575129186b5c5eec
                      • Instruction ID: 3880ceca910d84d0b9b3d3001f949c19a9d90d4f91ad2e0c59d2668d569340f7
                      • Opcode Fuzzy Hash: 4fe99452319c18cd9fdfc33eb9207e1e06689e646172ec3d575129186b5c5eec
                      • Instruction Fuzzy Hash: 4F1127719002806AC720BB769C0DE9B7FA89BD2714F44056FF44123281D6B89445CBBA
                      APIs
                      • CryptAcquireContextA.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,?,00000000,00431274,00000034,?,?,01189300), ref: 004315FE
                      • CryptGenRandom.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00431307,00000000,?,00000000), ref: 00431614
                      • CryptReleaseContext.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,?,?,00431307,00000000,?,00000000,0041C006), ref: 00431626
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Yara matches
                      Similarity
                      • API ID: Crypt$Context$AcquireRandomRelease
                      • String ID:
                      • API String ID: 1815803762-0
                      • Opcode ID: 490f37dff30391dd88b2b348f1e17f82ee14bc365aa64bdd7ac48a14519942bc
                      • Instruction ID: e2f248fbd61bea3c509e9dcbc4a9d000159a3c4e1760f154dd59208f6820a057
                      • Opcode Fuzzy Hash: 490f37dff30391dd88b2b348f1e17f82ee14bc365aa64bdd7ac48a14519942bc
                      • Instruction Fuzzy Hash: FDE0923130C310BBEB304F51AC09F172A55EB8DB72FA5063AF112E50F4D6518801855C
                      APIs
                      • GetComputerNameExW.KERNELBASE(00000001,?,00000037,00471FFC), ref: 00419615
                      • GetUserNameW.ADVAPI32(?,00000010), ref: 0041962D
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Yara matches
                      Similarity
                      • API ID: Name$ComputerUser
                      • String ID:
                      • API String ID: 4229901323-0
                      • Opcode ID: df11981a8253a9f6cfa01e36e72ce3640b108b9b137393204108e0effccf0179
                      • Instruction ID: 5ca8c18713c22ae7facf93a828c8627c995cdb1c7496207664ac88b3b4335c79
                      • Opcode Fuzzy Hash: df11981a8253a9f6cfa01e36e72ce3640b108b9b137393204108e0effccf0179
                      • Instruction Fuzzy Hash: 7C01FF7290011CABCB04EBD5DC45EDEB7BCEF44319F10016AB505B61A5EEB46A89CB98
                      APIs
                      • GetLocaleInfoA.KERNELBASE(00000800,0000005A,00000000,00000003,?,?,?,00413F34,00471E78,00472910,00471E78,00000000,00471E78,00000000,00471E78,3.8.0 Pro), ref: 0040E2CF
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Yara matches
                      Similarity
                      • API ID: InfoLocale
                      • String ID:
                      • API String ID: 2299586839-0
                      • Opcode ID: 7bc4823d4125eefc11c0bf4c413f8d2ee48cbd7ba6f22e3d5f25b7b09068aca4
                      • Instruction ID: e43a985d938ffd5d313bbeec62feab64fa47c80c67ee5e1720aa7bcbe65aeca7
                      • Opcode Fuzzy Hash: 7bc4823d4125eefc11c0bf4c413f8d2ee48cbd7ba6f22e3d5f25b7b09068aca4
                      • Instruction Fuzzy Hash: 65D05E30B4421C7BEA10D6859C0AEAA7B9CD701B62F0001A6BA08D72D0E9E1AE0487E6

                      Control-flow Graph

40dcc1-40dcc2 SetProcessDEPPolicy 384->406 407 40dcc4-40dcd7 CreateThread 384->407 406->407 408 40dce5-40dcec 407->408 409 40dcd9-40dce3 CreateThread 407->409 412 40dcfa-40dd01 408->412 413 40dcee-40dcf8 CreateThread 408->413 409->408 412->137 416 40dd03-40dd06 412->416 413->412 416->188 418 40dd08-40dd0d 416->418 418->143
                      APIs
                        • Part of subcall function 0041A8DA: LoadLibraryA.KERNELBASE(Psapi.dll,GetModuleFileNameExA,?,?,?,?,0040D40C), ref: 0041A8EF
                        • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A8F8
                        • Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExA,?,?,?,?,0040D40C), ref: 0041A90F
                        • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A912
                        • Part of subcall function 0041A8DA: LoadLibraryA.KERNEL32(Psapi.dll,GetModuleFileNameExW,?,?,?,?,0040D40C), ref: 0041A924
                        • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A927
                        • Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExW,?,?,?,?,0040D40C), ref: 0041A93D
                        • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A940
                        • Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040D40C), ref: 0041A951
                        • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A954
                        • Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(user32,SetProcessDpiAware,?,?,?,?,0040D40C), ref: 0041A969
                        • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A96C
                        • Part of subcall function 0041A8DA: LoadLibraryA.KERNEL32(ntdll.dll,NtUnmapViewOfSection,?,?,?,?,0040D40C), ref: 0041A97D
                        • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A980
                        • Part of subcall function 0041A8DA: LoadLibraryA.KERNEL32(kernel32.dll,GlobalMemoryStatusEx,?,?,?,?,0040D40C), ref: 0041A98C
                        • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A98F
                        • Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040D40C), ref: 0041A9A1
                        • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A9A4
                        • Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040D40C), ref: 0041A9B1
                        • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A9B4
                        • Part of subcall function 0041A8DA: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040D40C), ref: 0041A9C5
                        • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A9C8
                        • Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040D40C), ref: 0041A9D5
                        • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A9D8
                        • Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040D40C), ref: 0041A9EA
                        • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A9ED
                        • Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040D40C), ref: 0041A9FA
                        • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A9FD
                      • OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 0040D603
                        • Part of subcall function 0040F98D: __EH_prolog.LIBCMT ref: 0040F992
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Similarity
                      • API ID: AddressProc$HandleModule$LibraryLoad$H_prologMutexOpen
                      • String ID: (#G$0"G$0"G$0"G$Access Level: $Administrator$C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe$Exe$H"G$H"G$Inj$Remcos Agent initialized$Software\$User$`"G$exepath$licence$license_code.txt$origmsc$!G$!G$!G$!G$!G
                      • API String ID: 1529173511-2442441308
                      • Opcode ID: 55791d191c46cfdaed0cd67acf0084f4175deaa222aee3a7d09ed25e5019e2d8
                      • Instruction ID: a36e185f3bd9362bdba41541190492353975b392bf08c7d21c2bc217d0697d36
                      • Opcode Fuzzy Hash: 55791d191c46cfdaed0cd67acf0084f4175deaa222aee3a7d09ed25e5019e2d8
                      • Instruction Fuzzy Hash: 5622B960B043412BDA1577B69C67A7E25998F81708F04483FF946BB2E3EEBC4D05839E
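The listing above is printed in a fixed form (`Api.MODULE(stack slots), ref: address`, optionally prefixed with the enclosing subroutine), so the runtime import resolution performed by 0041A8DA can be recovered mechanically instead of by reading the bullets. The parser below is an added editor example, not Joe Sandbox code and not part of the sample; the capability grouping at the end is the editor's own mapping (an assumption), and the constructed input is a subset of the bullet lines above plus one argument-less line copied from the 00413980 listing further down.

```python
"""Parse the 'APIs' bullet lines of a Joe Sandbox function listing and recover
the Win32 imports a function resolves at runtime via LoadLibrary/GetProcAddress."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One bullet line as printed in the report:
#   • [Part of subcall function XXXXXXXX: ]Api.MODULE(slot,slot,...), ref: ADDR
#   • Api.MODULE ref: ADDR                        (printed without an argument list)
_LINE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})"
)


@dataclass(frozen=True)
class ApiCall:
    api: str
    module: str
    args: Tuple[str, ...]    # raw stack slots as printed; "?" means unresolved
    ref: int                 # address of the call instruction
    subcall: Optional[int]   # enclosing subroutine for "Part of subcall function" lines


def parse_api_lines(text: str) -> List[ApiCall]:
    """Return the ApiCall records in page order; lines that do not match are skipped."""
    calls = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        args = tuple(a.strip() for a in m["args"].split(",")) if m["args"] else ()
        sub = int(m["sub"], 16) if m["sub"] else None
        calls.append(ApiCall(m["api"], m["mod"], args, int(m["ref"], 16), sub))
    return calls


def resolved_imports(calls: List[ApiCall]) -> List[Tuple[str, str]]:
    """Pair each LoadLibraryA/GetModuleHandleA with the GetProcAddress right after it.

    Joe Sandbox prints more stack slots than the API consumes, so for
    LoadLibraryA(dll) in this function the second printed slot is the export name
    that was already pushed for the following GetProcAddress. Returns (dll, export)
    pairs in listing order.
    """
    pairs = []
    for cur, nxt in zip(calls, calls[1:]):
        if (cur.api in ("LoadLibraryA", "GetModuleHandleA")
                and nxt.api == "GetProcAddress" and len(cur.args) >= 2):
            pairs.append((cur.args[0].lower(), cur.args[1]))
    return pairs


# Editor's own grouping of the resolved export names (an assumption, not report output).
_HINTS = {
    "process_hollowing_primitive": {"NtUnmapViewOfSection"},
    "privilege_check": {"IsUserAnAdmin"},
    "host_fingerprinting": {"GlobalMemoryStatusEx", "IsWow64Process", "GetComputerNameExW",
                            "EnumDisplayDevicesW", "EnumDisplayMonitors"},
    "dep_policy_change": {"SetProcessDEPPolicy"},
}


def capability_hints(pairs: List[Tuple[str, str]]) -> dict:
    """Which hint categories the resolved exports fall into (only non-empty ones)."""
    exports = {export for _, export in pairs}
    return {cat: sorted(exports & names) for cat, names in _HINTS.items() if exports & names}


# Constructed input: a subset of the bullet lines from the listing above, plus one
# argument-less line from the 00413980 listing to exercise that form.
SAMPLE = """
• Part of subcall function 0041A8DA: LoadLibraryA.KERNELBASE(Psapi.dll,GetModuleFileNameExA,?,?,?,?,0040D40C), ref: 0041A8EF
• Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A8F8
• Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExA,?,?,?,?,0040D40C), ref: 0041A90F
• Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A912
• Part of subcall function 0041A8DA: LoadLibraryA.KERNEL32(ntdll.dll,NtUnmapViewOfSection,?,?,?,?,0040D40C), ref: 0041A97D
• Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A980
• Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040D40C), ref: 0041A9A1
• Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A9A4
• Part of subcall function 0041A8DA: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040D40C), ref: 0041A9C5
• Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A9C8
• Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040D40C), ref: 0041A9D5
• Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A9D8
• OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 0040D603
• WSAGetLastError.WS2_32 ref: 00404A01
"""

if __name__ == "__main__":
    found = parse_api_lines(SAMPLE)
    for dll, export in resolved_imports(found):
        print(f"{dll:<14} {export}")
    print(capability_hints(resolved_imports(found)))
```

The pairing rule relies on the adjacency visible in the listing (each LoadLibraryA/GetModuleHandleA is immediately followed by its GetProcAddress); a listing where the sandbox interleaves other calls would need the `ref` addresses compared instead.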

                      Control-flow Graph

                      [Control-flow graph of function 00413980 (rendered graph omitted). Windows APIs called directly from its basic blocks: Sleep, WSAGetLastError, GetTickCount, CreateThread. The block at 004144A7 calls Sleep and the function loops back to 00413A97, so the connection attempt is retried after each failure.]
                      APIs
                      • Sleep.KERNEL32(00000000,00000029,75920F10,00471FFC,00000000), ref: 004139D1
                      • WSAGetLastError.WS2_32(00000000,00000001), ref: 00413BE2
                      • Sleep.KERNEL32(00000000,00000002), ref: 004144C7
                        • Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Similarity
                      • API ID: Sleep$ErrorLastLocalTime
                      • String ID: | $%I64u$3.8.0 Pro$C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe$Connected | $Connecting | $Connection Error: $Connection Error: Unable to create socket$Disconnected$H"G$TLS Off$TLS On $`"G$hlight$name$!G
                      • API String ID: 524882891-3658318265
                      • Opcode ID: ffd9ea930ddcdedd8f6f255969be3fc2866dfa6fff902adfb9ffb678aad07c51
                      • Instruction ID: 5f58eceae2704c6c0e376aa481a0c6a7ef3cc820e2c63ea8d389b44db61c6c97
                      • Opcode Fuzzy Hash: ffd9ea930ddcdedd8f6f255969be3fc2866dfa6fff902adfb9ffb678aad07c51
                      • Instruction Fuzzy Hash: 9F42AE31A001055BCB18F765DDA6AEEB3699F90308F1041BFF40A721E2EF785F868A5D

                      APIs
                      • connect.WS2_32(?,?,?), ref: 004048C0
                      • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 004049E0
                      • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 004049EE
                      • WSAGetLastError.WS2_32 ref: 00404A01
                        • Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Similarity
                      • API ID: CreateEvent$ErrorLastLocalTimeconnect
                      • String ID: Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
                      • API String ID: 994465650-2151626615
                      • Opcode ID: c47823f5d81b8fcd8c44ffe76240809f8c8049aa42c9dfd8a5859606e97f7b5b
                      • Instruction ID: f1749a2af40dec866484330b2464a30bcc7489b9f615ba144f2b3c776ade1d80
                      • Opcode Fuzzy Hash: c47823f5d81b8fcd8c44ffe76240809f8c8049aa42c9dfd8a5859606e97f7b5b
                      • Instruction Fuzzy Hash: 37412AB5B406017BD608777A8E1B96E7625AB81304B50017FF901136D2EBBD9C2197DF

                      APIs
                      • __Init_thread_footer.LIBCMT ref: 00409C81
                      • Sleep.KERNELBASE(000001F4), ref: 00409C8C
                      • GetForegroundWindow.USER32 ref: 00409C92
                      • GetWindowTextLengthW.USER32(00000000), ref: 00409C9B
                      • GetWindowTextW.USER32(00000000,00000000,00000000), ref: 00409CCF
                      • Sleep.KERNEL32(000003E8), ref: 00409D9D
                        • Part of subcall function 0040962E: SetEvent.KERNEL32(?,?,?,0040A77B,?,?,?,?,?,00000000), ref: 0040965A
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Similarity
                      • API ID: Window$SleepText$EventForegroundInit_thread_footerLength
                      • String ID: [${ User has been idle for $ minutes }$]
                      • API String ID: 911427763-3954389425
                      • Opcode ID: ee9b949ba4685117d773663a634f46785a27bf3fcb47f19481d588488b50e058
                      • Instruction ID: 7a62ae1493acfbf190be1d0992f15f5c774c3bdccfea44e4f2dca48363f02a21
                      • Opcode Fuzzy Hash: ee9b949ba4685117d773663a634f46785a27bf3fcb47f19481d588488b50e058
                      • Instruction Fuzzy Hash: 7C5193716043405BD304FB61D855A6EB795AF84308F50093FF486A62E3DF7CAE45C69A

                      Control-flow Graph

                      [Control-flow graph of function 0040C5ED (rendered graph omitted). A switch at 0040C618 selects among the environment-variable names listed under String ID; the only Windows API called directly is GetLongPathNameW.]
                      APIs
                      • GetLongPathNameW.KERNELBASE(00000000,?,00000208), ref: 0040C753
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Similarity
                      • API ID: LongNamePath
                      • String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
                      • API String ID: 82841172-425784914
                      • Opcode ID: f14e1be72a0680fbe39d61d121e9cc05331f57ab813806ef295ab36cc5fa3876
                      • Instruction ID: e0747f7f0ded3e76473395fd4b63a7f1dfd4675be44f898a7a0c8db3d1efc66a
                      • Opcode Fuzzy Hash: f14e1be72a0680fbe39d61d121e9cc05331f57ab813806ef295ab36cc5fa3876
                      • Instruction Fuzzy Hash: EB4168315042419AC204FB62DC929EFB7E8AEA4759F10063FF541720E2EF799E49C99F

                      Control-flow Graph

                      [Control-flow graph of function 004144DA (rendered graph omitted). SetEvent is called at entry; a switch at 00415290 dispatches to roughly twenty handler blocks, from which StrToIntA, SetWindowTextW, CreateThread, ShowWindow and SetForegroundWindow are called directly; a separate path at 0041457C calls GetTickCount.]
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Similarity
                      • API ID: CountEventTick
                      • String ID: hlight
                      • API String ID: 180926312-4166879102
                      • Opcode ID: d92810f2f26e808a5f051695a0e0b397e735a852c162185f6c7661d82b6f7017
                      • Instruction ID: 7f41fae5545cdca8eca7c99371018f0a574a5a1f26b79566ba600277ca1907d5
                      • Opcode Fuzzy Hash: d92810f2f26e808a5f051695a0e0b397e735a852c162185f6c7661d82b6f7017
                      • Instruction Fuzzy Hash: 02F1A0316043009BC614FB72D957AEE72A9AF90308F50093FB546A71E2EE7C9949C79F

                      APIs
                      • Sleep.KERNELBASE(00001388), ref: 00409738
                        • Part of subcall function 0040966D: CreateFileW.KERNELBASE(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00409745), ref: 004096A3
                        • Part of subcall function 0040966D: GetFileSize.KERNEL32(00000000,00000000,?,?,?,00409745), ref: 004096B2
                        • Part of subcall function 0040966D: Sleep.KERNEL32(00002710,?,?,?,00409745), ref: 004096DF
                        • Part of subcall function 0040966D: CloseHandle.KERNELBASE(00000000,?,?,?,00409745), ref: 004096E6
                      • CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 00409774
                      • GetFileAttributesW.KERNELBASE(00000000), ref: 00409785
                      • SetFileAttributesW.KERNELBASE(00000000,00000080), ref: 0040979C
                      • PathFileExistsW.KERNELBASE(00000000,00000000,00000000,00000012), ref: 00409816
                        • Part of subcall function 0041A20F: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040983B), ref: 0041A228
                      • SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00469654,?,00000000,00000000,00000000,00000000,00000000), ref: 0040991F
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Similarity
                      • API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
                      • String ID: H"G$H"G
                      • API String ID: 3795512280-1424798214
                      • Opcode ID: b8336bd786565f66fdc5ece92215671476f6ca181f44d705e0a27e626737db20
                      • Instruction ID: 85d6828eff9e87111454ffe40de9a07a949f8ec8799fb43d86416e8e02d17308
                      • Opcode Fuzzy Hash: b8336bd786565f66fdc5ece92215671476f6ca181f44d705e0a27e626737db20
                      • Instruction Fuzzy Hash: 9D513D712043015BCB14BB72C9A6ABF76999F90308F00453FB946B72E3DF7D9D09869A

                      Control-flow Graph

                      [Control-flow graph of function 004192AE (rendered graph omitted). The only Windows API called directly is StrToIntA; the registry reads happen in subcall 00411F91, listed under APIs below.]
                      APIs
                        • Part of subcall function 00419F23: GetCurrentProcess.KERNEL32(?,?,?,0040C663,WinDir,00000000,00000000), ref: 00419F34
                        • Part of subcall function 00411F91: RegOpenKeyExA.KERNELBASE(80000002,00000400,00000000,00020019,00000000,00000000,00000000), ref: 00411FB5
                        • Part of subcall function 00411F91: RegQueryValueExA.KERNELBASE(00000000,?,00000000,00000000,?,00000400), ref: 00411FD2
                        • Part of subcall function 00411F91: RegCloseKey.KERNELBASE(00000000), ref: 00411FDD
                      • StrToIntA.SHLWAPI(00000000,00469710,00000000,00000000,00000000,00471FFC,00000001,?,?,?,?,?,?,0040D6A0), ref: 00419327
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Similarity
                      • API ID: CloseCurrentOpenProcessQueryValue
                      • String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
                      • API String ID: 1866151309-2070987746
                      • Opcode ID: 0802035b950ed000d9a10129efeec30dbf5645d1e0bd6e921da0c017b2021ac7
                      • Instruction ID: a9b62d1d1389f8d2b696bc63f2982e792167bed2dd8bed00043a633dd184e9c5
                      • Opcode Fuzzy Hash: 0802035b950ed000d9a10129efeec30dbf5645d1e0bd6e921da0c017b2021ac7
                      • Instruction Fuzzy Hash: E411E371A002456AC704B765CC67AAF761D8B54309F64053FF905A71E2FABC4D8282AA

                      Control-flow Graph

                      [Control-flow graph of function 0040966D (rendered graph omitted). Windows APIs called directly: CreateFileW, GetFileSize, Sleep, CloseHandle. On failure the block at 004096F1 loops back to the CreateFileW call, so the open is retried after the Sleep.]
                      APIs
                      • CreateFileW.KERNELBASE(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00409745), ref: 004096A3
                      • GetFileSize.KERNEL32(00000000,00000000,?,?,?,00409745), ref: 004096B2
                      • Sleep.KERNEL32(00002710,?,?,?,00409745), ref: 004096DF
                      • CloseHandle.KERNELBASE(00000000,?,?,?,00409745), ref: 004096E6
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Similarity
                      • API ID: File$CloseCreateHandleSizeSleep
                      • String ID: h G
                      • API String ID: 1958988193-3300504347
                      • Opcode ID: 13e975a3868741cffac1d73112577800afb55aac81ce9bb8c63aa5aacad1b37c
                      • Instruction ID: 1483d32ec36d41576822df3093d1b75ffc22edec2a146082987510034e162158
                      • Opcode Fuzzy Hash: 13e975a3868741cffac1d73112577800afb55aac81ce9bb8c63aa5aacad1b37c
                      • Instruction Fuzzy Hash: 24113D70201380ABD7316B749D99A2F3A9BB746304F44087EF281636D3C67D5C44C32E

                      Control-flow Graph

                      [Control-flow graph of function 0041A17B (rendered graph omitted). Windows APIs called directly: CreateFileW, then optionally SetFilePointer (with CloseHandle on failure), then WriteFile and CloseHandle.]
                      APIs
                      • CreateFileW.KERNELBASE(?,40000000,00000000,00000000,00000002,00000080,00000000,?,00000000,?,?,00000000,0041A29A,00000000,00000000,?), ref: 0041A1BA
                      • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,004098DF,?,00000000,00000000), ref: 0041A1D7
                      • CloseHandle.KERNEL32(00000000,?,004098DF,?,00000000,00000000), ref: 0041A1E3
                      • WriteFile.KERNELBASE(00000000,00000000,00000000,00000000,00000000,?,004098DF,?,00000000,00000000), ref: 0041A1F4
                      • CloseHandle.KERNEL32(00000000,?,004098DF,?,00000000,00000000), ref: 0041A201
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Similarity
                      • API ID: File$CloseHandle$CreatePointerWrite
                      • String ID:
                      • API String ID: 1852769593-0
                      • Opcode ID: 900e91da6aef5ae1ef2d64e2906a14ebfc53969b27a9c650ee74425d8e4f4bd5
                      • Instruction ID: 9d85e8900f1be3931a26f88ae5ac80d5e45035a8363d546858a313564ae31bc3
                      • Opcode Fuzzy Hash: 900e91da6aef5ae1ef2d64e2906a14ebfc53969b27a9c650ee74425d8e4f4bd5
                      • Instruction Fuzzy Hash: 0911C4712062147FE6105A249C88EFB779CEB46375F10076AF556C32D1C6698C95863B

                      APIs
                      • CreateThread.KERNELBASE(00000000,00000000,00409305,?,00000000,00000000), ref: 0040928B
                      • CreateThread.KERNELBASE(00000000,00000000,004092EF,?,00000000,00000000), ref: 0040929B
                      • CreateThread.KERNELBASE(00000000,00000000,Function_00009311,?,00000000,00000000), ref: 004092A7
                        • Part of subcall function 0040A0B0: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040A0BE
                        • Part of subcall function 0040A0B0: wsprintfW.USER32 ref: 0040A13F
                      Strings
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Yara matches
                      Similarity
                      • API ID: CreateThread$LocalTimewsprintf
                      • String ID: Offline Keylogger Started
                      • API String ID: 465354869-4114347211
                      • Opcode ID: 4f413bfeddc20b053a911010c7dd0c78c6d83759768fb02ef20824c4023f4b57
                      • Instruction ID: c8e77f7b3f84bd49b91c3d3ae4e8ac846fef78eef7351f53fb2416b9cb49ddb0
                      • Opcode Fuzzy Hash: 4f413bfeddc20b053a911010c7dd0c78c6d83759768fb02ef20824c4023f4b57
                      • Instruction Fuzzy Hash: 3211A7A15003083ED210BB669DD6CBB7A5CDA8139CB40057FF845221C3EAB85D19C6FF
                      APIs
                      • RegCreateKeyA.ADVAPI32(80000001,Control Panel\Desktop,004630C0), ref: 0041216E
                      • RegSetValueExA.KERNELBASE(004630C0,?,00000000,?,00000000,00000000,Control Panel\Desktop,?,?,0041A83B,WallpaperStyle,004630C0), ref: 00412196
                      • RegCloseKey.KERNELBASE(004630C0,?,?,0041A83B,WallpaperStyle,004630C0), ref: 004121A1
                      Strings
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Yara matches
                      Similarity
                      • API ID: CloseCreateValue
                      • String ID: Control Panel\Desktop
                      • API String ID: 1818849710-27424756
                      • Opcode ID: bb05d805405002c9ea24476e63677667bc427e1baa708286b474a2e763bb1422
                      • Instruction ID: 4e2890e51e7d784523b6c6e9c9a916a8daaabc2f4381c7e0ff06ecafce147d70
                      • Opcode Fuzzy Hash: bb05d805405002c9ea24476e63677667bc427e1baa708286b474a2e763bb1422
                      • Instruction Fuzzy Hash: 5AF0F632100208BFCB00EFA0DD45DEE373CEF04751F104226BD09A61A2D7359E10DB94
                      APIs
                      • RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,?), ref: 00411F54
                      • RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,00000000,?,00472200), ref: 00411F72
                      • RegCloseKey.KERNELBASE(?), ref: 00411F7D
                      Strings
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Yara matches
                      Similarity
                      • API ID: CloseOpenQueryValue
                      • String ID: pth_unenc
                      • API String ID: 3677997916-4028850238
                      • Opcode ID: 57758b6d0601c7ca4cdc37a1c8378ac71baf4d5830b0c502524eb489cf77768e
                      • Instruction ID: 6ec0a72befc52f1c009cc632a5b728b25634ffaa8485c37bac66e7b8b5c78dc5
                      • Opcode Fuzzy Hash: 57758b6d0601c7ca4cdc37a1c8378ac71baf4d5830b0c502524eb489cf77768e
                      • Instruction Fuzzy Hash: 31F01D7694020CBFDF109FA09C45FEE7BBCEB04B11F1041A5BA04E6191D2359A54DB94
                      APIs
                      • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,00471EE8), ref: 00404D93
                      • CreateThread.KERNELBASE(00000000,00000000,?,00471E90,00000000,00000000), ref: 00404DA7
                      • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000), ref: 00404DB2
                      • CloseHandle.KERNELBASE(?,?,00000000), ref: 00404DBB
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Yara matches
                      Similarity
                      • API ID: Create$CloseEventHandleObjectSingleThreadWait
                      • String ID:
                      • API String ID: 3360349984-0
                      • Opcode ID: 065d974023d608d9e5a1c7ca2dcb3521b24bc23c5e7a56f3f776532f1b505451
                      • Instruction ID: 0d5bef4af40d9751d8a4c840d6feadb85822b330c50e1cee3accc81e25362d00
                      • Opcode Fuzzy Hash: 065d974023d608d9e5a1c7ca2dcb3521b24bc23c5e7a56f3f776532f1b505451
                      • Instruction Fuzzy Hash: DA4194712083016FCB11FB61CD55D6FB7EDAFD4314F400A3EB982A32E2DB7899098666
                      APIs
                      • RegOpenKeyExA.KERNELBASE(80000002,00000400,00000000,00020019,00000000,00000000,00000000), ref: 00411FB5
                      • RegQueryValueExA.KERNELBASE(00000000,?,00000000,00000000,?,00000400), ref: 00411FD2
                      • RegCloseKey.KERNELBASE(00000000), ref: 00411FDD
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Yara matches
                      Similarity
                      • API ID: CloseOpenQueryValue
                      • String ID:
                      • API String ID: 3677997916-0
                      • Opcode ID: bd819641beb65f800504f4ea07b1b85b9b2ddc2993f1f77fdff934dbeb1127c7
                      • Instruction ID: 7c5a36a74d232ee299d7294234303f181ef10811f7d8c913f13e4634b011a18e
                      • Opcode Fuzzy Hash: bd819641beb65f800504f4ea07b1b85b9b2ddc2993f1f77fdff934dbeb1127c7
                      • Instruction Fuzzy Hash: 2D01D676900218BBCB209B95DD08DEF7F7DDB84751F000166BB05A3150DB748E46D7B8
                      APIs
                      • RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,00000000,00472200), ref: 00412104
                      • RegQueryValueExA.KERNELBASE(00000000,00000000,00000000,00000000,00000208,?), ref: 0041211D
                      • RegCloseKey.KERNELBASE(00000000), ref: 00412128
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Yara matches
                      Similarity
                      • API ID: CloseOpenQueryValue
                      • String ID:
                      • API String ID: 3677997916-0
                      • Opcode ID: 08dfe5805927a3105be2cef522098962c51c3fb91925cefe59c604f33ef5df72
                      • Instruction ID: 61f3e32b1c93232b19bf4a4cc48abe95026028d342b1827e6ec6edb2467bbf34
                      • Opcode Fuzzy Hash: 08dfe5805927a3105be2cef522098962c51c3fb91925cefe59c604f33ef5df72
                      • Instruction Fuzzy Hash: 4C014B31800229BBCF219F91DC49DEB7F29EF05761F0141A5BE08A2161D63589BADBA4
                      APIs
                      • RtlAllocateHeap.NTDLL(00000000,00433049,?,P@,004365E7,?,?,00000000,?,P@,0040C88A,00433049,?,?,?,?), ref: 0044367B
                      Strings
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Yara matches
                      Similarity
                      • API ID: AllocateHeap
                      • String ID: P@
                      • API String ID: 1279760036-676759640
                      • Opcode ID: 0c61ffa0ec78c269e0422769366e0108c3b164e239eff4ad14a217a7d57edf52
                      • Instruction ID: 99ef05a6bb91785527f59a1062444bc3c705daae6acf277761014d7f2c467fed
                      • Opcode Fuzzy Hash: 0c61ffa0ec78c269e0422769366e0108c3b164e239eff4ad14a217a7d57edf52
                      • Instruction Fuzzy Hash: 7EE0E52110162377F6312E635C0075B36489F41BA2F17412BFC8596780CB69CE0041AD
                      APIs
                      • GlobalMemoryStatusEx.KERNELBASE(?), ref: 004197AB
                      Strings
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Yara matches
                      Similarity
                      • API ID: GlobalMemoryStatus
                      • String ID: @
                      • API String ID: 1890195054-2766056989
                      • Opcode ID: 257335e8d7f90f302e1c63bcee3e650057a1d083b4c07430f2bdd1a346c4e461
                      • Instruction ID: 916baa9f79c233f702b1e805244b950efce88069b4bce771f790cc973d6f5f79
                      • Opcode Fuzzy Hash: 257335e8d7f90f302e1c63bcee3e650057a1d083b4c07430f2bdd1a346c4e461
                      • Instruction Fuzzy Hash: 6DD017B58023189FC720DFA8E904A8DBBFCFB08214F00026AEC49E3300E770A8008B84
                      APIs
                      • _free.LIBCMT ref: 004436B8
                        • Part of subcall function 00443649: RtlAllocateHeap.NTDLL(00000000,00433049,?,P@,004365E7,?,?,00000000,?,P@,0040C88A,00433049,?,?,?,?), ref: 0044367B
                      • HeapReAlloc.KERNEL32(00000000,00000000,?,?,0000000F,00000000,00430CB7,00000000,0000000F,0042D6C1,?,?,0042F768,?,?,00000000), ref: 004436F4
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Yara matches
                      Similarity
                      • API ID: Heap$AllocAllocate_free
                      • String ID:
                      • API String ID: 2447670028-0
                      • Opcode ID: 7a24a503362ce6b0d8a8277bf03f94e4b882e5a9fcc2e03a2aeb4a458e56015f
                      • Instruction ID: 1ca59af56198d509cf9e402e21e9c8c5a276ccba14ddaf673a50935c82dc1d11
                      • Opcode Fuzzy Hash: 7a24a503362ce6b0d8a8277bf03f94e4b882e5a9fcc2e03a2aeb4a458e56015f
                      • Instruction Fuzzy Hash: F0F062322012177AFB312E27AC05A6B37599F81F77F23412BF954A6391EA3CDA01456E
                      APIs
                      • socket.WS2_32(?,00000001,00000006), ref: 00404832
                      • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,004052EB,?,?,00000000,00000000,?,?,00000000,004051E8,?,00000000), ref: 0040486E
                        • Part of subcall function 0040487E: WSAStartup.WS2_32(00000202,00000000), ref: 00404893
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Yara matches
                      Similarity
                      • API ID: CreateEventStartupsocket
                      • String ID:
                      • API String ID: 1953588214-0
                      • Opcode ID: d0890d6b9dbf7aa10081a8f0c48d4e4836abc09c18ec6d90db35a2a0ad95277d
                      • Instruction ID: 6a7ca6a32121b389846a28cffc2ecd87dee0ffbb862a0929ff73aad7f5bc5f79
                      • Opcode Fuzzy Hash: d0890d6b9dbf7aa10081a8f0c48d4e4836abc09c18ec6d90db35a2a0ad95277d
                      • Instruction Fuzzy Hash: 3301B1B14087809FD7349F28B8446877FE0AB15300F048D6EF1CA93BA1D3B1A444CB18
                      APIs
                      • GetForegroundWindow.USER32(?,004724A0), ref: 00419A9B
                      • GetWindowTextW.USER32(00000000,?,00000200), ref: 00419AAA
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Yara matches
                      Similarity
                      • API ID: Window$ForegroundText
                      • String ID:
                      • API String ID: 29597999-0
                      • Opcode ID: 1f1045fbb1326304bb9d2aba07e73948de2e411708f4164bbb64d7074dfbb319
                      • Instruction ID: cf2e52be04f8ec8d08d18c914cdb682983edf2912a2e664b649e3c091a1f3b93
                      • Opcode Fuzzy Hash: 1f1045fbb1326304bb9d2aba07e73948de2e411708f4164bbb64d7074dfbb319
                      • Instruction Fuzzy Hash: 8FE09B76D0031867EB2067A5EC4DFEBB77CEB84711F0401AEF918D3142E974990486E4
                      APIs
                      • getaddrinfo.WS2_32(00000000,00000000,00000000,0046FACC,00471FFC,00000000,00413BDE,00000000,00000001), ref: 00413961
                      • WSASetLastError.WS2_32(00000000), ref: 00413966
                        • Part of subcall function 004137DC: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0041382B
                        • Part of subcall function 004137DC: LoadLibraryA.KERNEL32(?), ref: 0041386D
                        • Part of subcall function 004137DC: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 0041388D
                        • Part of subcall function 004137DC: FreeLibrary.KERNEL32(00000000), ref: 00413894
                        • Part of subcall function 004137DC: LoadLibraryA.KERNEL32(?), ref: 004138CC
                        • Part of subcall function 004137DC: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 004138DE
                        • Part of subcall function 004137DC: FreeLibrary.KERNEL32(00000000), ref: 004138E5
                        • Part of subcall function 004137DC: GetProcAddress.KERNEL32(00000000,?), ref: 004138F4
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Yara matches
                      Similarity
                      • API ID: Library$AddressProc$FreeLoad$DirectoryErrorLastSystemgetaddrinfo
                      • String ID:
                      • API String ID: 1170566393-0
                      • Opcode ID: 446cd1a75fef60d2dbb194a89db87c245147481f39af62d49fc0052fbde1f552
                      • Instruction ID: 06324504dbe977c901379e35fefec32dabdef79d564ed510376fbe661015aea4
                      • Opcode Fuzzy Hash: 446cd1a75fef60d2dbb194a89db87c245147481f39af62d49fc0052fbde1f552
                      • Instruction Fuzzy Hash: FFD02B723001213B9310AB5DAC01FB76B9CDFD27227050037F409C3110D7948D4147AD
                      APIs
                      • _wcslen.LIBCMT ref: 00408F39
                        • Part of subcall function 00409203: CreateThread.KERNELBASE(00000000,00000000,00409305,?,00000000,00000000), ref: 0040928B
                        • Part of subcall function 00409203: CreateThread.KERNELBASE(00000000,00000000,004092EF,?,00000000,00000000), ref: 0040929B
                        • Part of subcall function 00409203: CreateThread.KERNELBASE(00000000,00000000,Function_00009311,?,00000000,00000000), ref: 004092A7
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Yara matches
                      Similarity
                      • API ID: CreateThread$_wcslen
                      • String ID:
                      • API String ID: 1119755333-0
                      • Opcode ID: a4cf6233b645aec8069e012e89874406b6158c7e2554cf9ff51d1662effb5250
                      • Instruction ID: bde1965b6f08766bd400bb9d626b3f4fd5e121562736213e95ba31f4244dc5e2
                      • Opcode Fuzzy Hash: a4cf6233b645aec8069e012e89874406b6158c7e2554cf9ff51d1662effb5250
                      • Instruction Fuzzy Hash: 86218F719040899ACB09FFB5DD528EE7BB5AE51308F00003FF941722E2DE785A49DA99
                      APIs
                        • Part of subcall function 00443005: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,004457DA,00000001,00000364,?,00000000,00000000,00439A11,00000000,00000000,?,00439A95,00000000), ref: 00443046
                      • _free.LIBCMT ref: 0044D320
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Yara matches
                      Similarity
                      • API ID: AllocateHeap_free
                      • String ID:
                      • API String ID: 614378929-0
                      • Opcode ID: 3263e86e01d89d9b2c949f26067d012f8e3513974416179447fc4125dbbefc63
                      • Instruction ID: 6435cefd8bbe106a332e767b8e47ea9a619cae55f612b2c95de9f127ac4edb1d
                      • Opcode Fuzzy Hash: 3263e86e01d89d9b2c949f26067d012f8e3513974416179447fc4125dbbefc63
                      • Instruction Fuzzy Hash: 260149736003056BF321CF69D885E5AFBE8FB89374F25061EE585832C0EA34A905C738
                      APIs
                      • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,004457DA,00000001,00000364,?,00000000,00000000,00439A11,00000000,00000000,?,00439A95,00000000), ref: 00443046
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Yara matches
                      Similarity
                      • API ID: AllocateHeap
                      • String ID:
                      • API String ID: 1279760036-0
                      • Opcode ID: 8a82d2413be822b6e30d7260cb8c0ab5a5cb0f0d071671a377993aa538de489b
                      • Instruction ID: 6f1ff5b5ffdcc79539d97ae047dfd157567b1d653d04e58146e0509186e3fe0c
                      • Opcode Fuzzy Hash: 8a82d2413be822b6e30d7260cb8c0ab5a5cb0f0d071671a377993aa538de489b
                      • Instruction Fuzzy Hash: A0F0B43220022466FB319E229C01A5B3749AF42FA2F158227BC04E62C9CA78DE1182AD
                      APIs
                      • WSAStartup.WS2_32(00000202,00000000), ref: 00404893
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Yara matches
                      Similarity
                      • API ID: Startup
                      • String ID:
                      • API String ID: 724789610-0
                      • Opcode ID: a39f64238678d40d2918f9ecd5b136492fe542bf64fe6c2875bf53ab9f510d38
                      • Instruction ID: a9c8eddc0db4f5dff40e6a71866b0cfb015b1534c728beba927ba249e589f683
                      • Opcode Fuzzy Hash: a39f64238678d40d2918f9ecd5b136492fe542bf64fe6c2875bf53ab9f510d38
                      • Instruction Fuzzy Hash: C2D0123255860C4ED610ABB4AD0F8A5775CC313A16F4003BAACB9835D3F640571CC2AB
                      APIs
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Yara matches
                      Similarity
                      • API ID: recv
                      • String ID:
                      • API String ID: 1507349165-0
                      • Opcode ID: 3ba0adabb739ddff39a3f19a3894bbfe9ce5bc94458df24d68493e41c2bfa472
                      • Instruction ID: 0df3b2746f7319e4a339c8fc0296cb6b5099ceb5184c402daa9575d879af207d
                      • Opcode Fuzzy Hash: 3ba0adabb739ddff39a3f19a3894bbfe9ce5bc94458df24d68493e41c2bfa472
                      • Instruction Fuzzy Hash: 81B09B75105201BFC6150750CD0486E7DA597C8381B40491CB14641171C535C4505715
                      APIs
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Yara matches
                      Similarity
                      • API ID: send
                      • String ID:
                      • API String ID: 2809346765-0
                      • Opcode ID: 01e24c4520a6d3c4395155137d096ef59c3bb50acc7407598b25046a660799bf
                      • Instruction ID: 7b6f63586de962cf13c642be8f044126cb3c52731424b67aaf056de8313b57d0
                      • Opcode Fuzzy Hash: 01e24c4520a6d3c4395155137d096ef59c3bb50acc7407598b25046a660799bf
                      • Instruction Fuzzy Hash: 41B092B9108302BFCA160B60CC0887A7EA6ABC8786B00882CF546421B0C636C460AB2A
                      APIs
                      • GetCurrentProcessId.KERNEL32 ref: 00410B6B
                        • Part of subcall function 00412268: RegCreateKeyA.ADVAPI32(80000001,00000000,P0F), ref: 00412276
                        • Part of subcall function 00412268: RegSetValueExA.ADVAPI32(P0F,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B093,004638E0,00000001,000000AF,00463050), ref: 00412291
                        • Part of subcall function 00412268: RegCloseKey.ADVAPI32(?,?,?,?,0040B093,004638E0,00000001,000000AF,00463050), ref: 0041229C
                      • OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 00410BAB
                      • CloseHandle.KERNEL32(00000000), ref: 00410BBA
                      • CreateThread.KERNEL32(00000000,00000000,00411253,00000000,00000000,00000000), ref: 00410C10
                      • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 00410E7F
                      Strings
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Yara matches
                      Similarity
                      • API ID: CloseCreateOpenProcess$CurrentHandleMutexThreadValue
                      • String ID: (#G$Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe$!G
                      • API String ID: 3018269243-1736093966
                      • Opcode ID: 49c56e30f16afa7b236da27895c5c70f34eeff9bf263767f02d9655acb58ee55
                      • Instruction ID: e4f63523a9081b51a3adb9d06d528b7104d503695ba60a117a14e5ebfa22ea95
                      • Opcode Fuzzy Hash: 49c56e30f16afa7b236da27895c5c70f34eeff9bf263767f02d9655acb58ee55
                      • Instruction Fuzzy Hash: DD71923160430167C604FB62DD67DAE73A8AE91308F50097FF546621E2EEBC9E49C69F
                      APIs
                      • SetEvent.KERNEL32(?,?), ref: 00406D4A
                      • GetFileAttributesW.KERNEL32(00000000,00000000,?), ref: 00406E18
                      • DeleteFileW.KERNEL32(00000000), ref: 00406E3A
                        • Part of subcall function 0041A01B: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00472200,00000001), ref: 0041A076
                        • Part of subcall function 0041A01B: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,00472200,00000001), ref: 0041A0A6
                        • Part of subcall function 0041A01B: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,?,00472200,00000001), ref: 0041A0FB
                        • Part of subcall function 0041A01B: FindClose.KERNEL32(00000000,?,?,?,?,?,?,00472200,00000001), ref: 0041A15C
                        • Part of subcall function 0041A01B: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,?,00472200,00000001), ref: 0041A163
                        • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                        • Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4
                        • Part of subcall function 00404A81: WaitForSingleObject.KERNEL32(?,00000000,0040545D,?,?,00000004,?,?,00000004,?,00471E90,?), ref: 00404B27
                        • Part of subcall function 00404A81: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,?,00471E90,?,?,?,?,?,?,0040545D), ref: 00404B55
                      • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00407228
                      • GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 00407309
                      • DeleteFileA.KERNEL32(?), ref: 0040768E
                      Strings
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Yara matches
                      Similarity
                      • API ID: File$Find$DeleteDirectoryEventRemove$AttributesCloseDriveExecuteFirstLocalLogicalNextObjectShellSingleStringsTimeWaitsend
                      • String ID: Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $Unable to delete: $Unable to rename file!$open
                      • API String ID: 1385304114-1507758755
                      • Opcode ID: bcbc7a8fec79140df11dfd3a1e47c1959cfb185fcf455be1189bd28367375646
                      • Instruction ID: 48d75f04ed6415a86b5419c4bbb4b80b443badeb9edbc79095c7941e671ccbd4
                      • Opcode Fuzzy Hash: bcbc7a8fec79140df11dfd3a1e47c1959cfb185fcf455be1189bd28367375646
                      • Instruction Fuzzy Hash: EE42A771A043005BC604FB76C86B9AE77A9AF91304F40493FF542671E2EE7D9A09C79B
                      APIs
                      • __Init_thread_footer.LIBCMT ref: 004056C6
                        • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                      • __Init_thread_footer.LIBCMT ref: 00405703
                      • CreatePipe.KERNEL32(00473BB4,00473B9C,00473AC0,00000000,00463068,00000000), ref: 00405796
                      • CreatePipe.KERNEL32(00473BA0,00473BBC,00473AC0,00000000), ref: 004057AC
                      • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00473AD0,00473BA4), ref: 0040581F
                      • Sleep.KERNEL32(0000012C,00000093,?), ref: 00405877
                      • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0040589C
                      • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 004058C9
                        • Part of subcall function 00432525: __onexit.LIBCMT ref: 0043252B
                      • WriteFile.KERNEL32(00000000,00000000,?,00000000,00471F28,0046306C,00000062,00463050), ref: 004059C4
                      • Sleep.KERNEL32(00000064,00000062,00463050), ref: 004059DE
                      • TerminateProcess.KERNEL32(00000000), ref: 004059F7
                      • CloseHandle.KERNEL32 ref: 00405A03
                      • CloseHandle.KERNEL32 ref: 00405A0B
                      • CloseHandle.KERNEL32 ref: 00405A1D
                      • CloseHandle.KERNEL32 ref: 00405A25
                      Strings
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Yara matches
                      Similarity
                      • API ID: CloseHandle$CreatePipe$FileInit_thread_footerProcessSleep$NamedPeekReadTerminateWrite__onexitsend
                      • String ID: SystemDrive$cmd.exe
                      • API String ID: 2994406822-3633465311
                      • Opcode ID: 895c10629996ea00f30b132a8d6a0ed3c2cc0d603d4d2870df71394b7888cb0f
                      • Instruction ID: 60b94bd4732a7a61eda53217d638a5a8398e5d64ba0573e0a23605d008395794
                      • Opcode Fuzzy Hash: 895c10629996ea00f30b132a8d6a0ed3c2cc0d603d4d2870df71394b7888cb0f
                      • Instruction Fuzzy Hash: 2991D571600204AFC710BF65AC52D6F3698EB44745F00443FF949A72E3DA7CAE489B6E
                      APIs
                      • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040AAF0
                      • FindClose.KERNEL32(00000000), ref: 0040AB0A
                      • FindNextFileA.KERNEL32(00000000,?), ref: 0040AC2D
                      • FindClose.KERNEL32(00000000), ref: 0040AC53
                      Strings
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Yara matches
                      Similarity
                      • API ID: Find$CloseFile$FirstNext
                      • String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
                      • API String ID: 1164774033-3681987949
                      • Opcode ID: a020e11340127684296a5dec1f59da99f0b8311f4653163e0ba6c10d3973d13c
                      • Instruction ID: fcfcc6101c27069c9b98dcbc284c26b589152974821445ccf2a2d41a2abcc6ea
                      • Opcode Fuzzy Hash: a020e11340127684296a5dec1f59da99f0b8311f4653163e0ba6c10d3973d13c
                      • Instruction Fuzzy Hash: DD516C7190021A9ADB14FBB1DC96EEEB738AF10309F50057FF406720E2FF785A458A5A
                      APIs
                      • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040ACF0
                      • FindClose.KERNEL32(00000000), ref: 0040AD0A
                      • FindNextFileA.KERNEL32(00000000,?), ref: 0040ADCA
                      • FindClose.KERNEL32(00000000), ref: 0040ADF0
                      • FindClose.KERNEL32(00000000), ref: 0040AE11
                      Strings
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Yara matches
                      Similarity
                      • API ID: Find$Close$File$FirstNext
                      • String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
                      • API String ID: 3527384056-432212279
                      • Opcode ID: 051afc5ab64b8879b9b7a46cadaf8c8d05a6d0522a74f3520d4db6abcb3a3bf1
                      • Instruction ID: fb37dd61a783c7e48c67abb1194b5e9e6d585cff7aa156a37ad31c809035e36e
                      • Opcode Fuzzy Hash: 051afc5ab64b8879b9b7a46cadaf8c8d05a6d0522a74f3520d4db6abcb3a3bf1
                      • Instruction Fuzzy Hash: 33417E7190021A5ACB14FBB1DC56DEEB729AF11306F50057FF402B21D2EF789A468A9E
                      APIs
                      • OpenClipboard.USER32 ref: 00414EC2
                      • EmptyClipboard.USER32 ref: 00414ED0
                      • GlobalAlloc.KERNEL32(00002000,-00000002), ref: 00414EF0
                      • GlobalLock.KERNEL32(00000000), ref: 00414EF9
                      • GlobalUnlock.KERNEL32(00000000), ref: 00414F2F
                      • SetClipboardData.USER32(0000000D,00000000), ref: 00414F38
                      • CloseClipboard.USER32 ref: 00414F55
                      • OpenClipboard.USER32 ref: 00414F5C
                      • GetClipboardData.USER32(0000000D), ref: 00414F6C
                      • GlobalLock.KERNEL32(00000000), ref: 00414F75
                      • GlobalUnlock.KERNEL32(00000000), ref: 00414F7E
                      • CloseClipboard.USER32 ref: 00414F84
                        • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Yara matches
                      Similarity
                      • API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
                      • String ID:
                      • API String ID: 3520204547-0
                      • Opcode ID: 225a970afa4932c8de6465126e6a4b6a6b0313af119945552a448f0396d6411b
                      • Instruction ID: 88f859f6ed4527f0268ca0f0dcff7fecf11b3a85ebb64268ee3e6238e9d0ca75
                      • Opcode Fuzzy Hash: 225a970afa4932c8de6465126e6a4b6a6b0313af119945552a448f0396d6411b
                      • Instruction Fuzzy Hash: C32162312043009BD714BF71DC5A9BE76A8AF90746F81093EF906931E3EF3889458A6A
                      APIs
                      • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00472200,00000001), ref: 0041A076
                      • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,00472200,00000001), ref: 0041A0A6
                      • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,?,00472200,00000001), ref: 0041A118
                      • DeleteFileW.KERNEL32(?,?,?,?,?,?,?,00472200,00000001), ref: 0041A125
                        • Part of subcall function 0041A01B: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,?,00472200,00000001), ref: 0041A0FB
                      • GetLastError.KERNEL32(?,?,?,?,?,?,00472200,00000001), ref: 0041A146
                      • FindClose.KERNEL32(00000000,?,?,?,?,?,?,00472200,00000001), ref: 0041A15C
                      • RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,?,00472200,00000001), ref: 0041A163
                      • FindClose.KERNEL32(00000000,?,?,?,?,?,?,00472200,00000001), ref: 0041A16C
                      Strings
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Yara matches
                      Similarity
                      • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
                      • String ID: pth_unenc
                      • API String ID: 2341273852-4028850238
                      • Opcode ID: 6646849479acfbb23c7f6e30dece2f39408b91799c0e2f504d1e8212b579ce47
                      • Instruction ID: c5fafce0dbccb0860899da49af80cd87a4a733faaf08891c553187227cdc222a
                      • Opcode Fuzzy Hash: 6646849479acfbb23c7f6e30dece2f39408b91799c0e2f504d1e8212b579ce47
                      • Instruction Fuzzy Hash: 5F31937290121C6ADB20EBA0DC49EDB77BCAB08305F4406FBF558D3152EB39DAD48A19
                      Strings
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID: 0$1$2$3$4$5$6$7
                      • API String ID: 0-3177665633
                      • Opcode ID: 05f2545c527969495595f266b9e9e19f26da2af4dc4ec233c9d36f06689b886f
                      • Instruction ID: 7e6592d3055df16b324e67483fbf58bd1f951358f7384255f7d9d01b5e43b049
                      • Opcode Fuzzy Hash: 05f2545c527969495595f266b9e9e19f26da2af4dc4ec233c9d36f06689b886f
                      • Instruction Fuzzy Hash: 7661D4709183019ED704EF21D8A1FAB7BB4DF94310F10881FF5A25B2D1DA789A49CBA6
                      APIs
                      • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,004727F8), ref: 00418714
                      • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 00418763
                      • GetLastError.KERNEL32 ref: 00418771
                      • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 004187A9
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Yara matches
                      Similarity
                      • API ID: EnumServicesStatus$ErrorLastManagerOpen
                      • String ID:
                      • API String ID: 3587775597-0
                      • Opcode ID: 03fb13f99ff74262376bcb8e0e2b8818b3d84db82caedad3532b4687e7d87b02
                      • Instruction ID: 6ce88c058296d2c3b0169cbae3b24baff62e3479be35c2318cb4853598c639b3
                      • Opcode Fuzzy Hash: 03fb13f99ff74262376bcb8e0e2b8818b3d84db82caedad3532b4687e7d87b02
                      • Instruction Fuzzy Hash: 04814071104344ABC304FB62DC959AFB7E8FF94708F50092EF58552192EE78EA49CB9A
                      APIs
                      • FindFirstFileW.KERNEL32(00000000,?,\Mozilla\Firefox\Profiles\,00000000,?,?), ref: 0040B2DC
                      • FindNextFileW.KERNEL32(00000000,?,?,?), ref: 0040B3AF
                      • FindClose.KERNEL32(00000000,?,?), ref: 0040B3BE
                      • FindClose.KERNEL32(00000000,?,?), ref: 0040B3E9
                      Strings
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Yara matches
                      Similarity
                      • API ID: Find$CloseFile$FirstNext
                      • String ID: AppData$\Mozilla\Firefox\Profiles\$\cookies.sqlite
                      • API String ID: 1164774033-405221262
                      • Opcode ID: 541780f21c7242fcae788b17a0f2845b2004f92ac30ce3fbff80c0217293d7dc
                      • Instruction ID: 883258bb694cc85cc249d311a8318fbda55549897f82b44e5d780b3967986c9e
                      • Opcode Fuzzy Hash: 541780f21c7242fcae788b17a0f2845b2004f92ac30ce3fbff80c0217293d7dc
                      • Instruction Fuzzy Hash: 7D31533190025996CB14FBA1DC9ADEE7778AF50718F10017FF405B21D2EFBC9A4A8A8D
                      APIs
                      • RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004129B8
                      • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004129C4
                        • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                      • LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 00412CBA
                      • GetProcAddress.KERNEL32(00000000), ref: 00412CC1
                      Strings
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Yara matches
                      Similarity
                      • API ID: AddressCloseCreateLibraryLoadProcsend
                      • String ID: SHDeleteKeyW$Shlwapi.dll
                      • API String ID: 2127411465-314212984
                      • Opcode ID: 6fb8b5d7da67bba09b3de0b17c0b2a35d4b4e0660ac0ab47494f40b6d4df68cd
                      • Instruction ID: 16181ac17c5890234a95f9c719cc05f83ad3eef33587bd03cd2ae8bf1541d7ce
                      • Opcode Fuzzy Hash: 6fb8b5d7da67bba09b3de0b17c0b2a35d4b4e0660ac0ab47494f40b6d4df68cd
                      • Instruction Fuzzy Hash: CCE1DA72A0430067CA14B776DD57DAF36A8AF91318F40053FF946F71E2EDBD8A44829A
                      APIs
                      • _free.LIBCMT ref: 00446741
                      • _free.LIBCMT ref: 00446765
                      • _free.LIBCMT ref: 004468EC
                      • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045C1E4), ref: 004468FE
                      • WideCharToMultiByte.KERNEL32(00000000,00000000,0046F754,000000FF,00000000,0000003F,00000000,?,?), ref: 00446976
                      • WideCharToMultiByte.KERNEL32(00000000,00000000,0046F7A8,000000FF,?,0000003F,00000000,?), ref: 004469A3
                      • _free.LIBCMT ref: 00446AB8
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Yara matches
                      Similarity
                      • API ID: _free$ByteCharMultiWide$InformationTimeZone
                      • String ID:
                      • API String ID: 314583886-0
                      • Opcode ID: b6ce01f18caf2b4f3a4168f7a8c7154d6d0f0df60ccbbcf6cd28c9f5ad89be15
                      • Instruction ID: 8b87e38212d70e432f0d45c21c10c2da0ad9042405ab808e013634feac4ff008
                      • Opcode Fuzzy Hash: b6ce01f18caf2b4f3a4168f7a8c7154d6d0f0df60ccbbcf6cd28c9f5ad89be15
                      • Instruction Fuzzy Hash: 67C15CB1900245ABFB24AF79DC41AAA7BB8EF03314F16416FE48497341EB788E45C75E
                      APIs
                      • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040A98F
                      • GetLastError.KERNEL32 ref: 0040A999
                      Strings
                      • [Chrome StoredLogins found, cleared!], xrefs: 0040A9BF
                      • UserProfile, xrefs: 0040A95F
                      • [Chrome StoredLogins not found], xrefs: 0040A9B3
                      • \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040A95A
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Yara matches
                      Similarity
                      • API ID: DeleteErrorFileLast
                      • String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
                      • API String ID: 2018770650-1062637481
                      • Opcode ID: e2dc748f8a2f2c202dc5dfde2945bc6c5171a76981be289e4bc3f19e588866b0
                      • Instruction ID: b2134abed7c3f614b53a5a28bf05479c5c2a11b403a78876888f6ce5fd1f590e
                      • Opcode Fuzzy Hash: e2dc748f8a2f2c202dc5dfde2945bc6c5171a76981be289e4bc3f19e588866b0
                      • Instruction Fuzzy Hash: 7801F271B9020466CA047A75DC2B8BE7728A921304B90057FF402732E2FE7D8A1586CF
                      APIs
                      • GetCurrentProcess.KERNEL32(00000028,?), ref: 00415C9D
                      • OpenProcessToken.ADVAPI32(00000000), ref: 00415CA4
                      • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00415CB6
                      • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00415CD5
                      • GetLastError.KERNEL32 ref: 00415CDB
                      Strings
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Yara matches
                      Similarity
                      • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                      • String ID: SeShutdownPrivilege
                      • API String ID: 3534403312-3733053543
                      • Opcode ID: 6b6a245ea7d04d36a7da703741a32f9ec851e6ff0cbdb80aef66d6ce6c3f9121
                      • Instruction ID: ffc0972e6e84a8b4c82c7ff824774f91a9d221977230a9de1ecf93d0fe8dbf87
                      • Opcode Fuzzy Hash: 6b6a245ea7d04d36a7da703741a32f9ec851e6ff0cbdb80aef66d6ce6c3f9121
                      • Instruction Fuzzy Hash: 0AF03A71901229ABDB10ABA1ED4DEEF7F7CEF05616F510060B805A2152D6749A04CAB5
                      APIs
                      • __EH_prolog.LIBCMT ref: 00408393
                        • Part of subcall function 004048A8: connect.WS2_32(?,?,?), ref: 004048C0
                        • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                      • __CxxThrowException@8.LIBVCRUNTIME ref: 0040842F
                      • FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 0040848D
                      • FindNextFileW.KERNEL32(00000000,?), ref: 004084E5
                      • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 004084FC
                        • Part of subcall function 00404E06: WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051A0,?,?,?,00405139), ref: 00404E18
                        • Part of subcall function 00404E06: SetEvent.KERNEL32(?,?,?,?,00000000,?,004051A0,?,?,?,00405139), ref: 00404E23
                        • Part of subcall function 00404E06: CloseHandle.KERNEL32(?,?,?,?,00000000,?,004051A0,?,?,?,00405139), ref: 00404E2C
                      • FindClose.KERNEL32(00000000), ref: 004086F4
                        • Part of subcall function 00404A81: WaitForSingleObject.KERNEL32(?,00000000,0040545D,?,?,00000004,?,?,00000004,?,00471E90,?), ref: 00404B27
                        • Part of subcall function 00404A81: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,?,00471E90,?,?,?,?,?,?,0040545D), ref: 00404B55
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Yara matches
                      Similarity
                      • API ID: Find$Close$EventFileObjectSingleWait$Exception@8FirstH_prologHandleNextThrowconnectsend
                      • String ID:
                      • API String ID: 1824512719-0
                      • Opcode ID: ec8458d17bdc53f7f2a354f9d2f28928e38656fc3ee44d0073de126596356183
                      • Instruction ID: 071b26812b5e49f88d0361c7bacc9152bfce797c8686ce15524b94070306fde2
                      • Opcode Fuzzy Hash: ec8458d17bdc53f7f2a354f9d2f28928e38656fc3ee44d0073de126596356183
                      • Instruction Fuzzy Hash: 4FB18D329001099BCB14FBA1CD92AEDB378AF50318F50416FE506B71E2EF785B49CB98
                      APIs
                        • Part of subcall function 00410201: SetLastError.KERNEL32(0000000D,00410781,00000000,?,?,?,?,?,?,?,?,?,?,?,?,0041075F), ref: 00410207
                      • SetLastError.KERNEL32(000000C1,00000000,?,?,?,?,?,?,?,?,?,?,?,?,0041075F), ref: 0041079C
                      • GetNativeSystemInfo.KERNEL32(?,0040BE60,00000000,?,?,?,?,?,?,?,?,?,?,?,?,0041075F), ref: 0041080A
                      • SetLastError.KERNEL32(0000000E,?,?,?,?,?,?,?,?,?), ref: 0041082E
                        • Part of subcall function 00410708: VirtualAlloc.KERNEL32(00000004,00000004,00000004,00000004,0041084C,?,00000000,00003000,00000004,00000000,?,?), ref: 00410718
                      • GetProcessHeap.KERNEL32(00000008,00000040,?,?,?,?,?), ref: 00410875
                      • HeapAlloc.KERNEL32(00000000,?,?,?,?,?), ref: 0041087C
                      • SetLastError.KERNEL32(0000045A,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041098F
                        • Part of subcall function 00410ADC: GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,0041099C,?,?,?,?,?), ref: 00410B4C
                        • Part of subcall function 00410ADC: HeapFree.KERNEL32(00000000,?,?,?,?,?), ref: 00410B53
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Yara matches
                      Similarity
                      • API ID: ErrorHeapLast$AllocProcess$FreeInfoNativeSystemVirtual
                      • String ID:
                      • API String ID: 3950776272-0
                      • Opcode ID: 97c9471a4feb21372bfec3f691305eac3cca21be586dff8f661e5b3b360a5f75
                      • Instruction ID: 59628d97446cb481dba570c2b442d682f024dd9dc2812234181a156a821a4c1f
                      • Opcode Fuzzy Hash: 97c9471a4feb21372bfec3f691305eac3cca21be586dff8f661e5b3b360a5f75
                      • Instruction Fuzzy Hash: F7619270200211ABD750AF66CD91BAB7BA5BF44714F54412AF9158B382DBFCE8C1CBD9
                      APIs
                      • GetForegroundWindow.USER32(00472008,?,00472008), ref: 0040949C
                      • GetWindowThreadProcessId.USER32(00000000,?), ref: 004094A7
                      • GetKeyboardLayout.USER32(00000000), ref: 004094AE
                      • GetKeyState.USER32(00000010), ref: 004094B8
                      • GetKeyboardState.USER32(?), ref: 004094C5
                      • ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 004094E1
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Yara matches
                      Similarity
                      • API ID: KeyboardStateWindow$ForegroundLayoutProcessThreadUnicode
                      • String ID:
                      • API String ID: 3566172867-0
                      • Opcode ID: b347f1a6ebd5a27a3c62a6440ea9f983a5eff6272c066a99259600f45f129da1
                      • Instruction ID: c7d3d650b917c490fc12d3d20248521073b1bf92526e1b13c177c4272b1ff9cc
                      • Opcode Fuzzy Hash: b347f1a6ebd5a27a3c62a6440ea9f983a5eff6272c066a99259600f45f129da1
                      • Instruction Fuzzy Hash: B9111E7290020CABDB10DBE4EC49FDA7BBCEB4C706F510465FA08E7191E675EA548BA4
                      APIs
                      • OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,00000001,?,00418656,00000000), ref: 00418A09
                      • OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,00418656,00000000), ref: 00418A1E
                      • CloseServiceHandle.ADVAPI32(00000000,?,00418656,00000000), ref: 00418A2B
                      • StartServiceW.ADVAPI32(00000000,00000000,00000000,?,00418656,00000000), ref: 00418A36
                      • CloseServiceHandle.ADVAPI32(00000000,?,00418656,00000000), ref: 00418A48
                      • CloseServiceHandle.ADVAPI32(00000000,?,00418656,00000000), ref: 00418A4B
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Yara matches
                      Similarity
                      • API ID: Service$CloseHandle$Open$ManagerStart
                      • String ID:
                      • API String ID: 276877138-0
                      • Opcode ID: 637da124ebd858597763fdc0195e491a5d188b8048d228e092eb7bdd2ad61358
                      • Instruction ID: d7e7041197745ae6b8576ac0eea0d71e7d0897d816d6b6e74118e31fa9ec717f
                      • Opcode Fuzzy Hash: 637da124ebd858597763fdc0195e491a5d188b8048d228e092eb7bdd2ad61358
                      • Instruction Fuzzy Hash: CAF082711012246FD211EB65EC89DBF2BACDF85BA6B41042BF801931918F78CD49A9B9
                      APIs
                      • FindFirstFileW.KERNEL32(00000000,?), ref: 00417D01
                      • FindNextFileW.KERNEL32(00000000,?,?), ref: 00417DCD
                        • Part of subcall function 0041A20F: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040983B), ref: 0041A228
                      Strings
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Yara matches
                      Similarity
                      • API ID: File$Find$CreateFirstNext
                      • String ID: H"G$`'G$`'G
                      • API String ID: 341183262-2774397156
                      • Opcode ID: 57ee6005862cc81b3a45a30f45896271537ebd53e20e4079dc7d49eddf11d444
                      • Instruction ID: cc65440c5fe1593426504ff8613f72b7370ef7481f3bf724e026da4e35a467e2
                      • Opcode Fuzzy Hash: 57ee6005862cc81b3a45a30f45896271537ebd53e20e4079dc7d49eddf11d444
                      • Instruction Fuzzy Hash: 138183315083415BC314FB62C996DEFB7A8AF90304F40493FF586671E2EF789A49C69A
                      APIs
                        • Part of subcall function 00415C90: GetCurrentProcess.KERNEL32(00000028,?), ref: 00415C9D
                        • Part of subcall function 00415C90: OpenProcessToken.ADVAPI32(00000000), ref: 00415CA4
                        • Part of subcall function 00415C90: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00415CB6
                        • Part of subcall function 00415C90: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00415CD5
                        • Part of subcall function 00415C90: GetLastError.KERNEL32 ref: 00415CDB
                      • ExitWindowsEx.USER32(00000000,00000001), ref: 00414E56
                      • LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 00414E6B
                      • GetProcAddress.KERNEL32(00000000), ref: 00414E72
                      Strings
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Yara matches
                      Similarity
                      • API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
                      • String ID: PowrProf.dll$SetSuspendState
                      • API String ID: 1589313981-1420736420
                      • Opcode ID: 17cf6758eb2c2054c5282ca271a9faabb757e674f29873d187fc5e8afb77bb72
                      • Instruction ID: 748c18e79ee5f9a1fbb6f05bd7ad52209f91b0004c4d1b0055552a3b76c5c1f9
                      • Opcode Fuzzy Hash: 17cf6758eb2c2054c5282ca271a9faabb757e674f29873d187fc5e8afb77bb72
                      • Instruction Fuzzy Hash: 5F214F7070430157CE14FBB19896AAF6359AFD4349F40097FB5026B2D2EE7DCC4986AE
                      APIs
                      • GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,0044F93B,?,00000000), ref: 0044F6B5
                      • GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,0044F93B,?,00000000), ref: 0044F6DE
                      • GetACP.KERNEL32(?,?,0044F93B,?,00000000), ref: 0044F6F3
                      Strings
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Yara matches
                      Similarity
                      • API ID: InfoLocale
                      • String ID: ACP$OCP
                      • API String ID: 2299586839-711371036
                      • Opcode ID: bf4880e5188eb12a7c294a6f25afa26b03a49e2ed1ffce5823e951fdb7c5b330
                      • Instruction ID: bf1e89585aec8fc6a823a5c6a63220f2d7696aba51182a9853130589b0d37fa4
                      • Opcode Fuzzy Hash: bf4880e5188eb12a7c294a6f25afa26b03a49e2ed1ffce5823e951fdb7c5b330
                      • Instruction Fuzzy Hash: 2221C122A00101A6F7348F24C901A9B73AAAF50B65F578577E809C7221FB36DD4BC398
                      APIs
                      • FindResourceA.KERNEL32(SETTINGS,0000000A), ref: 004194A4
                      • LoadResource.KERNEL32(00000000,?,?,?,0040DD9E), ref: 004194B8
                      • LockResource.KERNEL32(00000000,?,?,?,0040DD9E), ref: 004194BF
                      • SizeofResource.KERNEL32(00000000,?,?,?,0040DD9E), ref: 004194CE
                      Strings
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Yara matches
                      Similarity
                      • API ID: Resource$FindLoadLockSizeof
                      • String ID: SETTINGS
                      • API String ID: 3473537107-594951305
                      • Opcode ID: 7f61ee72686a272b8f551de58b86ae3e218e906a9fde472ee07ff8038d16bca4
                      • Instruction ID: a9e8191b24fee58836060ebd07e0bd7776b83e69f4e337d8cda710b4f32c44fb
                      • Opcode Fuzzy Hash: 7f61ee72686a272b8f551de58b86ae3e218e906a9fde472ee07ff8038d16bca4
                      • Instruction Fuzzy Hash: 72E01A76200710ABCB211FA1FC5CD273E69F799B537050035FA0183222DA75CC00CA19
                      APIs
                      • __EH_prolog.LIBCMT ref: 004087A5
                      • FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 0040881D
                      • FindNextFileW.KERNEL32(00000000,?), ref: 00408846
                      • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 0040885D
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Similarity
                      • API ID: Find$File$CloseFirstH_prologNext
                      • String ID:
                      • API String ID: 1157919129-0
                      • Opcode ID: 2e71961cec25391ebbb7e1a70996e42e3db4d1c5cdad913aed2fc17b20c8d8cc
                      • Instruction ID: 37d480644902bd8bd77a9749fd647df5a3db5b19bbca398f696489d34b7b99bb
                      • Opcode Fuzzy Hash: 2e71961cec25391ebbb7e1a70996e42e3db4d1c5cdad913aed2fc17b20c8d8cc
                      • Instruction Fuzzy Hash: 12814D329001199BCB15EBA1DD929ED73B8AF54308F10427FE446B71E2EF385B49CB98
                      APIs
                        • Part of subcall function 00445725: GetLastError.KERNEL32(00000020,?,00438595,?,?,?,00439FB1,?,?,00000020,00000000,?,?,?,0042BAB6,0000003B), ref: 00445729
                        • Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
                        • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,00439FB1,?,?,00000020,00000000,?,?,?,0042BAB6,0000003B,?,00000041,00000000,00000000), ref: 0044579D
                        • Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3
                        • Part of subcall function 00445725: _free.LIBCMT ref: 00445784
                        • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,00439FB1,?,?,00000020,00000000,?,?,?,0042BAB6,0000003B,?,00000041,00000000,00000000), ref: 00445791
                      • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 0044F8FC
                      • IsValidCodePage.KERNEL32(00000000), ref: 0044F957
                      • IsValidLocale.KERNEL32(?,00000001), ref: 0044F966
                      • GetLocaleInfoW.KERNEL32(?,00001001,00441F7E,00000040,?,0044209E,00000055,00000000,?,?,00000055,00000000), ref: 0044F9AE
                      • GetLocaleInfoW.KERNEL32(?,00001002,00441FFE,00000040), ref: 0044F9CD
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Similarity
                      • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                      • String ID:
                      • API String ID: 745075371-0
                      • Opcode ID: b2004c1cc1df407676deb5a86971a5ed3ade22d67ad87857b151b1318ee5498f
                      • Instruction ID: 3a6be996f1d9ea25600d7609fa1d0555167a50dcc121ad64ff78238f3932635f
                      • Opcode Fuzzy Hash: b2004c1cc1df407676deb5a86971a5ed3ade22d67ad87857b151b1318ee5498f
                      • Instruction Fuzzy Hash: 0351A271900215AFFB20EFA5DC41BBF77B8AF08301F05447BE914EB251E7789A088769
                      APIs
                      • __EH_prolog.LIBCMT ref: 0040784D
                      • FindFirstFileW.KERNEL32(00000000,?,004632A8,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407906
                      • __CxxThrowException@8.LIBVCRUNTIME ref: 0040792E
                      • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040793B
                      • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407A51
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Similarity
                      • API ID: Find$File$CloseException@8FirstH_prologNextThrow
                      • String ID:
                      • API String ID: 1771804793-0
                      • Opcode ID: 11d20b60ac49935fc5575683e5e557c5dcccdb0915203e6978057b8ef5f72254
                      • Instruction ID: 4b9324871479917b5af30c26e04a30266e6971a3e86a210f007197118c0b57fe
                      • Opcode Fuzzy Hash: 11d20b60ac49935fc5575683e5e557c5dcccdb0915203e6978057b8ef5f72254
                      • Instruction Fuzzy Hash: 18516372904208AACB04FBA1DD969DD7778AF11308F50417FB846771E2EF389B49CB99
                      APIs
                        • Part of subcall function 00419F23: GetCurrentProcess.KERNEL32(?,?,?,0040C663,WinDir,00000000,00000000), ref: 00419F34
                      • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040E305
                      • Process32FirstW.KERNEL32(00000000,?), ref: 0040E329
                      • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E338
                      • CloseHandle.KERNEL32(00000000), ref: 0040E4EF
                        • Part of subcall function 00419F51: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040DFB9,00000000,?,?,00000001), ref: 00419F66
                        • Part of subcall function 00419F87: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000), ref: 00419F9C
                      • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E4E0
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Similarity
                      • API ID: ProcessProcess32$NextOpen$CloseCreateCurrentFirstHandleSnapshotToolhelp32
                      • String ID:
                      • API String ID: 1735047541-0
                      • Opcode ID: 8bd51d8584b97cc885867124c5bad1c0f2569ec35f654b9f455fc912ba92ee5a
                      • Instruction ID: 9ef93eb2fb75da2762b4731e21c5b8dc01158be40bd3d18dbb98703d8f1b3e60
                      • Opcode Fuzzy Hash: 8bd51d8584b97cc885867124c5bad1c0f2569ec35f654b9f455fc912ba92ee5a
                      • Instruction Fuzzy Hash: 904101311082415BC365F761D991EEFB3A8AFD4344F50493EF48A921E2EF38994AC75A
                      APIs
                      • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 004064D2
                      • URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 004065B6
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Similarity
                      • API ID: DownloadExecuteFileShell
                      • String ID: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe$open
                      • API String ID: 2825088817-874494591
                      • Opcode ID: cb2d606b194e9227e6d5417aab1780576867f1ac8b9c76d318350498adcf2657
                      • Instruction ID: de45ecf938be0b84f02b1b366aeabb591a3e89dbb22835c7232af05a142efef6
                      • Opcode Fuzzy Hash: cb2d606b194e9227e6d5417aab1780576867f1ac8b9c76d318350498adcf2657
                      • Instruction Fuzzy Hash: 6F61D331A0430167CA14FB75D8A697E77A99F81708F00093FFD42772D6EE3D8A09869B
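The per-function records in this section all share one shape: "APIs" bullets (with "Part of subcall function" lines for callees), then an "API ID", a "String ID" and a closing "Instruction Fuzzy Hash" line. That makes them easy to triage mechanically when a report runs to thousands of records. The following Python is an added example, not part of the Joe Sandbox report: it splits the text into records, collects direct and subcall API names plus the String ID values, and matches them against a small set of capability rules. The record boundary (the fuzzy-hash line), the line regexes and the rule table are assumptions made for this example; the sample text embedded in it is copied from three of the records on this page (the SETTINGS loader, the download-and-execute function and the wallpaper changer).

```python
"""
Added example (not from the report): triage the per-function API records printed above.
Assumptions: each record ends with its "Instruction Fuzzy Hash" line; API bullets look like
"• Name.MODULE(args), ref: ADDR", optionally prefixed by "Part of subcall function XXXX:";
"String ID" values are separated by "$".
"""
import re
from typing import Dict, List, Set

RECORD_END = "• Instruction Fuzzy Hash:"
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>[A-Za-z_@0-9]+)\.(?P<module>[A-Za-z0-9_]+)"
)
STRING_LINE = re.compile(r"^\s*•\s*String ID:\s*(?P<strings>.*)$")

# A record matches a rule when every API in `all_of` (direct or subcall) is present and,
# where given, every string in `strings` appears in its String ID line.
RULES = {
    "resource_config_load": {"all_of": {"FindResourceA", "LockResource"}, "strings": {"SETTINGS"}},
    "download_and_execute": {"all_of": {"URLDownloadToFileW", "ShellExecuteW"}},
    "process_enumeration": {"all_of": {"CreateToolhelp32Snapshot", "Process32NextW", "OpenProcess"}},
    "clipboard_read": {"all_of": {"OpenClipboard", "GetClipboardData"}},
    "file_enum_to_socket": {"all_of": {"FindFirstFileW", "send"}},
    "wallpaper_change": {"all_of": {"SystemParametersInfoW", "RegSetValueExA"}, "strings": {"WallpaperStyle"}},
}


def split_records(text: str) -> List[List[str]]:
    """Cut the report text into records, each ending at its Instruction Fuzzy Hash line."""
    records, current = [], []
    for line in text.splitlines():
        current.append(line)
        if line.strip().startswith(RECORD_END):
            records.append(current)
            current = []
    if any(l.strip() for l in current):   # trailing partial record (section cut off)
        records.append(current)
    return records


def parse_record(lines: List[str]) -> Dict[str, Set[str]]:
    """Collect API names (all and direct-only) and String ID values from one record."""
    apis, direct, strings = set(), set(), set()
    for line in lines:
        m = STRING_LINE.match(line)
        if m:
            strings.update(s for s in m.group("strings").split("$") if s)
            continue
        m = API_LINE.match(line)
        if m:
            apis.add(m.group("api"))
            if "Part of subcall function" not in line:
                direct.add(m.group("api"))
    return {"apis": apis, "direct": direct, "strings": strings}


def match_rules(rec: Dict[str, Set[str]]) -> List[str]:
    hits = []
    for name, rule in RULES.items():
        if rule["all_of"] <= rec["apis"] and rule.get("strings", set()) <= rec["strings"]:
            hits.append(name)
    return hits


def triage(text: str) -> List[Dict[str, object]]:
    """Return, for every record that hits a rule, its index, capabilities and API set."""
    out = []
    for idx, lines in enumerate(split_records(text)):
        rec = parse_record(lines)
        caps = match_rules(rec)
        if caps:
            out.append({"record": idx, "capabilities": caps, "apis": sorted(rec["apis"])})
    return out


# Three records copied from this page (raw string: the String ID line contains backslashes).
SAMPLE = r"""
APIs
• FindResourceA.KERNEL32(SETTINGS,0000000A), ref: 004194A4
• LoadResource.KERNEL32(00000000,?,?,?,0040DD9E), ref: 004194B8
• LockResource.KERNEL32(00000000,?,?,?,0040DD9E), ref: 004194BF
• SizeofResource.KERNEL32(00000000,?,?,?,0040DD9E), ref: 004194CE
• API ID: Resource$FindLoadLockSizeof
• String ID: SETTINGS
• Instruction Fuzzy Hash: 72E01A76200710ABCB211FA1FC5CD273E69F799B537050035FA0183222DA75CC00CA19
APIs
• ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 004064D2
• URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 004065B6
• API ID: DownloadExecuteFileShell
• String ID: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe$open
• Instruction Fuzzy Hash: 6F61D331A0430167CA14FB75D8A697E77A99F81708F00093FFD42772D6EE3D8A09869B
APIs
• SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041A861
  • Part of subcall function 0041215F: RegCreateKeyA.ADVAPI32(80000001,Control Panel\Desktop,004630C0), ref: 0041216E
  • Part of subcall function 0041215F: RegSetValueExA.KERNELBASE(004630C0,?,00000000,?,00000000,00000000,Control Panel\Desktop,?,?,0041A83B,WallpaperStyle,004630C0), ref: 00412196
• API ID: CloseCreateInfoParametersSystemValue
• String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
• Instruction Fuzzy Hash: 7C119671F8024037D514353A4D6BBAE18199343B50F54016BB6022B6CAF8EE4EA553DF
"""

if __name__ == "__main__":
    for hit in triage(SAMPLE):
        print(hit["record"], hit["capabilities"])
```

Rules that depend on subcall APIs (the wallpaper rule needs RegSetValueExA, which only appears in a callee) are why `apis` keeps both direct and subcall names; `direct` is kept separately so a rule can be tightened to the function's own calls when a callee is shared CRT code. IsDebuggerPresent is deliberately absent from the table: on this page it sits next to SetUnhandledExceptionFilter in what is plainly CRT abort handling, and flagging it alone would be noise.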
                      APIs
                      • SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041A861
                        • Part of subcall function 0041215F: RegCreateKeyA.ADVAPI32(80000001,Control Panel\Desktop,004630C0), ref: 0041216E
                        • Part of subcall function 0041215F: RegSetValueExA.KERNELBASE(004630C0,?,00000000,?,00000000,00000000,Control Panel\Desktop,?,?,0041A83B,WallpaperStyle,004630C0), ref: 00412196
                        • Part of subcall function 0041215F: RegCloseKey.KERNELBASE(004630C0,?,?,0041A83B,WallpaperStyle,004630C0), ref: 004121A1
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Similarity
                      • API ID: CloseCreateInfoParametersSystemValue
                      • String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
                      • API String ID: 4127273184-3576401099
                      • Opcode ID: b8e930e406a51c142911afe7d42b80e3a9af200f2f362c56483f6d5d18d4ce76
                      • Instruction ID: 146807b905f8226e4159dba151db05d0611ea4827dca33b530162433be1e3f9d
                      • Opcode Fuzzy Hash: b8e930e406a51c142911afe7d42b80e3a9af200f2f362c56483f6d5d18d4ce76
                      • Instruction Fuzzy Hash: 7C119671F8024037D514353A4D6BBAE18199343B50F54016BB6022B6CAF8EE4EA553DF
                      APIs
                        • Part of subcall function 00445725: GetLastError.KERNEL32(00000020,?,00438595,?,?,?,00439FB1,?,?,00000020,00000000,?,?,?,0042BAB6,0000003B), ref: 00445729
                        • Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
                        • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,00439FB1,?,?,00000020,00000000,?,?,?,0042BAB6,0000003B,?,00000041,00000000,00000000), ref: 0044579D
                        • Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3
                      • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00441F85,?,?,?,?,004419DC,?,00000004), ref: 0044EF9A
                      • _wcschr.LIBVCRUNTIME ref: 0044F02A
                      • _wcschr.LIBVCRUNTIME ref: 0044F038
                      • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,00441F85,00000000,004420A5), ref: 0044F0DB
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Similarity
                      • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
                      • String ID:
                      • API String ID: 4212172061-0
                      • Opcode ID: 2958d0d59106b2716bbf9024854ff4f325b6253e079e5f73fc6a0a954244a96d
                      • Instruction ID: 651119c321e801f17dd1a7ba429a2dceeb4aa1bed9d5f8a21b6634afb1069130
                      • Opcode Fuzzy Hash: 2958d0d59106b2716bbf9024854ff4f325b6253e079e5f73fc6a0a954244a96d
                      • Instruction Fuzzy Hash: 8E61E935600606AAFB24AB36DC46BB773A8FF44714F14047FF905D7282EB78E9488769
                      APIs
                        • Part of subcall function 00445725: GetLastError.KERNEL32(00000020,?,00438595,?,?,?,00439FB1,?,?,00000020,00000000,?,?,?,0042BAB6,0000003B), ref: 00445729
                        • Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
                        • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,00439FB1,?,?,00000020,00000000,?,?,?,0042BAB6,0000003B,?,00000041,00000000,00000000), ref: 0044579D
                        • Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3
                        • Part of subcall function 00445725: _free.LIBCMT ref: 00445784
                        • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,00439FB1,?,?,00000020,00000000,?,?,?,0042BAB6,0000003B,?,00000041,00000000,00000000), ref: 00445791
                      • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0044F2F7
                      • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0044F348
                      • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0044F408
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Similarity
                      • API ID: ErrorInfoLastLocale$_free$_abort
                      • String ID:
                      • API String ID: 2829624132-0
                      • Opcode ID: 5d155598132bf3b03d9715496123f76655355fd2299683488a64446915391091
                      • Instruction ID: 12c224c4da0c85949021a4ccaa6d586ab513ef91610cb16151a2099a543b2454
                      • Opcode Fuzzy Hash: 5d155598132bf3b03d9715496123f76655355fd2299683488a64446915391091
                      • Instruction Fuzzy Hash: 49617D71600207ABEB289F25CC82B7B77A8EF14314F1041BBED06C6685EB78D949DB58
                      APIs
                      • IsDebuggerPresent.KERNEL32 ref: 004399A4
                      • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 004399AE
                      • UnhandledExceptionFilter.KERNEL32(?), ref: 004399BB
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Similarity
                      • API ID: ExceptionFilterUnhandled$DebuggerPresent
                      • String ID:
                      • API String ID: 3906539128-0
                      • Opcode ID: a2edd11b745fd0db19ae8b75a4dca2fd63e5a3b0d4ecfa6da1b026d4ab375051
                      • Instruction ID: 77e6618fa9d19f9c50586940e2a7469f5a9d54f298177c93e0bbf68cc30459b4
                      • Opcode Fuzzy Hash: a2edd11b745fd0db19ae8b75a4dca2fd63e5a3b0d4ecfa6da1b026d4ab375051
                      • Instruction Fuzzy Hash: 1D31D67591122C9BCB21DF65D9897CDB7B8BF08310F5051EAE40CA72A1E7749F858F48
                      APIs
                      • GetCurrentProcess.KERNEL32(?,?,0044078B,?), ref: 004407D6
                      • TerminateProcess.KERNEL32(00000000,?,0044078B,?), ref: 004407DD
                      • ExitProcess.KERNEL32 ref: 004407EF
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Similarity
                      • API ID: Process$CurrentExitTerminate
                      • String ID:
                      • API String ID: 1703294689-0
                      • Opcode ID: ab47e799b5bc4cc6dde358da0dc0a23fd4678ab9e3bf0635ceb4545ab71368f2
                      • Instruction ID: 8c86c1f28e0fd2f6406888839527a8aea1509f7e03a0ffdd8510570f14deced8
                      • Opcode Fuzzy Hash: ab47e799b5bc4cc6dde358da0dc0a23fd4678ab9e3bf0635ceb4545ab71368f2
                      • Instruction Fuzzy Hash: 9AE04631000608ABEF017F20DD48A493B29EB40346F410029F9088B232CB3DED52CA89
                      APIs
                      • OpenClipboard.USER32(00000000), ref: 0040A65D
                      • GetClipboardData.USER32(0000000D), ref: 0040A669
                      • CloseClipboard.USER32 ref: 0040A671
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Similarity
                      • API ID: Clipboard$CloseDataOpen
                      • String ID:
                      • API String ID: 2058664381-0
                      • Opcode ID: fc42fbe939e34f95e3da0c1deb258c5860a889e64c116dd0334dc6fce6b72752
                      • Instruction ID: 184f8b84181a4a50bd43ef3289a1c1a9f5b779335cc527adffbe090e77bee848
                      • Opcode Fuzzy Hash: fc42fbe939e34f95e3da0c1deb258c5860a889e64c116dd0334dc6fce6b72752
                      • Instruction Fuzzy Hash: 6CE08C3064432097D2206F60EC08B8A66649B50B12F064A7AB849AB2D1DA75DC208AAE
                      APIs
                      • IsProcessorFeaturePresent.KERNEL32(0000000A,00000000), ref: 004329F3
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Similarity
                      • API ID: FeaturePresentProcessor
                      • String ID: P@
                      • API String ID: 2325560087-676759640
                      • Opcode ID: 6bf946e24e0cf3f7143bf6f7c2898541fb51292b7eeb3b4358a3a41aa26ebfb9
                      • Instruction ID: 4a1c44cf8a386737ece403ae0cfd22a47b20ce31fd9c2d8f3958115f99bf9d9d
                      • Opcode Fuzzy Hash: 6bf946e24e0cf3f7143bf6f7c2898541fb51292b7eeb3b4358a3a41aa26ebfb9
                      • Instruction Fuzzy Hash: E4514A719002099BDB24CFAAD98579ABBF4FF48314F14846BD815EB350E3B9A910CFA5
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Similarity
                      • API ID:
                      • String ID: .
                      • API String ID: 0-248832578
                      • Opcode ID: 2bd3453bf6b0042b978c63341e7d52c868cd539d71c5d82670adc25c3f96db7e
                      • Instruction ID: 24926096c943187a016d953fe808ce2acf1242cb654f72e39a34338bfc4b4f1c
                      • Opcode Fuzzy Hash: 2bd3453bf6b0042b978c63341e7d52c868cd539d71c5d82670adc25c3f96db7e
                      • Instruction Fuzzy Hash: 0E3108719002486FEB248E79CC84EEB7BBDDB45304F14419EF858D7251EB34EE418B94
                      APIs
                      • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,004419DC,?,00000004), ref: 00445E6F
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Similarity
                      • API ID: InfoLocale
                      • String ID: GetLocaleInfoEx
                      • API String ID: 2299586839-2904428671
                      • Opcode ID: f9893d92672fa9c5b6d787f9f7f2d4c4b9fbd30947df5498ead6f72c32f4f3f0
                      • Instruction ID: a9bb3d2992a9d1fe8e60343c55b6d981a628f421e7cf107d295b861f9edee2c3
                      • Opcode Fuzzy Hash: f9893d92672fa9c5b6d787f9f7f2d4c4b9fbd30947df5498ead6f72c32f4f3f0
                      • Instruction Fuzzy Hash: 6DF0F631600708BBDF016F619C05F6E7B51EB14721F10401BFC051A253CA758D109A9D
                      APIs
                      • FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 004068E8
                      • FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 004069B0
                        • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Similarity
                      • API ID: FileFind$FirstNextsend
                      • String ID:
                      • API String ID: 4113138495-0
                      • Opcode ID: 524338967388813fc8de9abe5b724c15e3da4b0921d1e3068b839a4adec35387
                      • Instruction ID: f886cb8170a1cbefaa312452e39d18d6cd017e90ab843946bfd6f4b2f28fefe7
                      • Opcode Fuzzy Hash: 524338967388813fc8de9abe5b724c15e3da4b0921d1e3068b839a4adec35387
                      • Instruction Fuzzy Hash: 9C218F711043015BC314FBA1DC96CEFB7ACAF91358F400A3EF596621E1EF389A09CA5A
                      APIs
                        • Part of subcall function 00445725: GetLastError.KERNEL32(00000020,?,00438595,?,?,?,00439FB1,?,?,00000020,00000000,?,?,?,0042BAB6,0000003B), ref: 00445729
                        • Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
                        • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,00439FB1,?,?,00000020,00000000,?,?,?,0042BAB6,0000003B,?,00000041,00000000,00000000), ref: 0044579D
                        • Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3
                        • Part of subcall function 00445725: _free.LIBCMT ref: 00445784
                        • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,00439FB1,?,?,00000020,00000000,?,?,?,0042BAB6,0000003B,?,00000041,00000000,00000000), ref: 00445791
                      • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0044F547
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Similarity
                      • API ID: ErrorLast$_free$InfoLocale_abort
                      • String ID:
                      • API String ID: 1663032902-0
                      • Opcode ID: ad0e0b7788e936bcfdd9e0a2c8ea1aecabb77b710f5984c66624a7eb150c0fcd
                      • Instruction ID: 815750de5804ab4a8f75770bcc990d44dba9c2967eca50803adc2dd3443e40da
                      • Opcode Fuzzy Hash: ad0e0b7788e936bcfdd9e0a2c8ea1aecabb77b710f5984c66624a7eb150c0fcd
                      • Instruction Fuzzy Hash: 6421B372901206BBEF249F26DC45A7A73A8EB04315F10017BFD01C6242EB78AD59CB59
                      APIs
                        • Part of subcall function 00445725: GetLastError.KERNEL32(00000020,?,00438595,?,?,?,00439FB1,?,?,00000020,00000000,?,?,?,0042BAB6,0000003B), ref: 00445729
                        • Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
                        • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,00439FB1,?,?,00000020,00000000,?,?,?,0042BAB6,0000003B,?,00000041,00000000,00000000), ref: 0044579D
                        • Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3
                      • EnumSystemLocalesW.KERNEL32(0044F2A3,00000001,00000000,?,00441F7E,?,0044F8D0,00000000,?,?,?), ref: 0044F1ED
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Similarity
                      • API ID: ErrorLast$EnumLocalesSystem_abort_free
                      • String ID:
                      • API String ID: 1084509184-0
                      • Opcode ID: 1e67477eb4f1d9c825940ef83573ecb2aed64948dc5e5734fb002b4aa87f20f9
                      • Instruction ID: fc4c71b657a69648ba6c32e8c27400de65702582941300ca2eca7bc8fd592fd6
                      • Opcode Fuzzy Hash: 1e67477eb4f1d9c825940ef83573ecb2aed64948dc5e5734fb002b4aa87f20f9
                      • Instruction Fuzzy Hash: D811293B6007019FEB189F39D89167BBB91FF80358B14443DE94647B40D776A946C744
                      APIs
                        • Part of subcall function 00445725: GetLastError.KERNEL32(00000020,?,00438595,?,?,?,00439FB1,?,?,00000020,00000000,?,?,?,0042BAB6,0000003B), ref: 00445729
                        • Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
                        • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,00439FB1,?,?,00000020,00000000,?,?,?,0042BAB6,0000003B,?,00000041,00000000,00000000), ref: 0044579D
                        • Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3
                      • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,0044F4C1,00000000,00000000,?), ref: 0044F74F
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Similarity
                      • API ID: ErrorLast$InfoLocale_abort_free
                      • String ID:
                      • API String ID: 2692324296-0
                      • Opcode ID: c5ca8868f81a5dafb3fdb259ff2b8ec3965b2bfb8aabdce9695f87c3ae70661f
                      • Instruction ID: e4b95bc4a5e1061338a04706472302caa06a68982d3ebb8569a44a178f9f49d5
                      • Opcode Fuzzy Hash: c5ca8868f81a5dafb3fdb259ff2b8ec3965b2bfb8aabdce9695f87c3ae70661f
                      • Instruction Fuzzy Hash: 09F02D36600516BBFB245B65DC05BBB7768EF40764F05447AEC19A3240EA7CFD05C6D4
                      APIs
                        • Part of subcall function 00445725: GetLastError.KERNEL32(00000020,?,00438595,?,?,?,00439FB1,?,?,00000020,00000000,?,?,?,0042BAB6,0000003B), ref: 00445729
                        • Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
                        • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,00439FB1,?,?,00000020,00000000,?,?,?,0042BAB6,0000003B,?,00000041,00000000,00000000), ref: 0044579D
                        • Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3
                      • EnumSystemLocalesW.KERNEL32(0044F4F3,00000001,?,?,00441F7E,?,0044F894,00441F7E,?,?,?,?,?,00441F7E,?,?), ref: 0044F262
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Similarity
                      • API ID: ErrorLast$EnumLocalesSystem_abort_free
                      • String ID:
                      • API String ID: 1084509184-0
                      • Opcode ID: d9e72da5ca64d0dbd4f9725887adba7bc59a573407832ad1990d17eaaac4c4d9
                      • Instruction ID: 7c38563944de2097393583401858843e6c2e12a799e64e453201a09b71e8bce8
                      • Opcode Fuzzy Hash: d9e72da5ca64d0dbd4f9725887adba7bc59a573407832ad1990d17eaaac4c4d9
                      • Instruction Fuzzy Hash: 44F0223A2007045FEB145F399881A7B7B94FF8036CB15447EF9458B690DAB6AC068614
                      APIs
                        • Part of subcall function 00442D9A: EnterCriticalSection.KERNEL32(-0006A42D,?,004404DB,00000000,0046B4D8,0000000C,00440496,?,?,?,00443038,?,?,004457DA,00000001,00000364), ref: 00442DA9
                      • EnumSystemLocalesW.KERNEL32(004458CE,00000001,0046B680,0000000C), ref: 0044594C
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Similarity
                      • API ID: CriticalEnterEnumLocalesSectionSystem
                      • String ID:
                      • API String ID: 1272433827-0
                      • Opcode ID: 9f071f7aa8f2d5cfdb4dd86670e259d2fa7dae68b4529c3cbc217272811744e5
                      • Instruction ID: 57fcd2d1ba6fdacad71b84952267562ddc6b8062f8818d57533dd41bf3368d71
                      • Opcode Fuzzy Hash: 9f071f7aa8f2d5cfdb4dd86670e259d2fa7dae68b4529c3cbc217272811744e5
                      • Instruction Fuzzy Hash: CFF03C72A10700EFEB00EF69D846B5D77F0EB08325F10402AF400DB2A2DAB989448B5E
                      APIs
                        • Part of subcall function 00445725: GetLastError.KERNEL32(00000020,?,00438595,?,?,?,00439FB1,?,?,00000020,00000000,?,?,?,0042BAB6,0000003B), ref: 00445729
                        • Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
                        • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,00439FB1,?,?,00000020,00000000,?,?,?,0042BAB6,0000003B,?,00000041,00000000,00000000), ref: 0044579D
                        • Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3
                      • EnumSystemLocalesW.KERNEL32(0044F087,00000001,?,?,?,0044F8F2,00441F7E,?,?,?,?,?,00441F7E,?,?,?), ref: 0044F167
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Similarity
                      • API ID: ErrorLast$EnumLocalesSystem_abort_free
                      • String ID:
                      • API String ID: 1084509184-0
                      • Opcode ID: 27fc750af04bae75093f47f6c8e3f33632e5f31a47d704513601fd173c54c35f
                      • Instruction ID: 407cbbfb1d6a14fdc0c4ba4a8479f65f1c0a46e2fba7f2f7bc53bc9e3406d240
                      • Opcode Fuzzy Hash: 27fc750af04bae75093f47f6c8e3f33632e5f31a47d704513601fd173c54c35f
                      • Instruction Fuzzy Hash: 22F05C3930020597DB049F35D845A7ABFA0EFC1754F060069EA058B651C6359C46C754
                      APIs
                      • SetUnhandledExceptionFilter.KERNEL32(Function_00032908,0043262F), ref: 00432901
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Yara matches
                      Similarity
                      • API ID: ExceptionFilterUnhandled
                      • String ID:
                      • API String ID: 3192549508-0
                      • Opcode ID: 937b0859e2ecbaa4ed0ef4ac8f36e04938c9481000da7c0a06be09f57d080333
                      • Instruction ID: aee9a4537fe14d989eba5338f3e0e07ed20d0bd3150f914eab3e23255f36ef43
                      • Opcode Fuzzy Hash: 937b0859e2ecbaa4ed0ef4ac8f36e04938c9481000da7c0a06be09f57d080333
                      • Instruction Fuzzy Hash:
                      APIs
                      • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00416E98
                      • CreateCompatibleDC.GDI32(00000000), ref: 00416EA5
                        • Part of subcall function 004172DF: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 0041730F
                      • CreateCompatibleBitmap.GDI32(00000000,?), ref: 00416F1B
                      • DeleteDC.GDI32(00000000), ref: 00416F32
                      • DeleteDC.GDI32(00000000), ref: 00416F35
                      • DeleteObject.GDI32(00000000), ref: 00416F38
                      • SelectObject.GDI32(00000000,00000000), ref: 00416F59
                      • DeleteDC.GDI32(00000000), ref: 00416F6A
                      • DeleteDC.GDI32(00000000), ref: 00416F6D
                      • StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,?,?,00CC0020), ref: 00416F91
                      • GetIconInfo.USER32(?,?), ref: 00416FC5
                      • DeleteObject.GDI32(?), ref: 00416FF4
                      • DeleteObject.GDI32(?), ref: 00417001
                      • DrawIcon.USER32(00000000,?,?,?), ref: 0041700E
                      • GetObjectA.GDI32(00000000,00000018,?), ref: 00417026
                      • LocalAlloc.KERNEL32(00000040,00000001), ref: 00417095
                      • GlobalAlloc.KERNEL32(00000000,?), ref: 00417104
                      • GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00417128
                      • DeleteDC.GDI32(?), ref: 0041713C
                      • DeleteDC.GDI32(00000000), ref: 0041713F
                      • DeleteObject.GDI32(00000000), ref: 00417142
                      • GlobalFree.KERNEL32(?), ref: 0041714D
                      • DeleteObject.GDI32(00000000), ref: 00417201
                      • GlobalFree.KERNEL32(?), ref: 00417208
                      • DeleteDC.GDI32(?), ref: 00417218
                      • DeleteDC.GDI32(00000000), ref: 00417223
                      Strings
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Yara matches
                      Similarity
                      • API ID: Delete$Object$CreateGlobal$AllocCompatibleFreeIcon$BitmapBitsDisplayDrawEnumInfoLocalSelectSettingsStretch
                      • String ID: DISPLAY
                      • API String ID: 479521175-865373369
                      • Opcode ID: f4872e5e54956cb8a82cf9cfbe48a4ffd8cadd88bec2254309271a8e236c435d
                      • Instruction ID: 4ba325f74191387ade15767708145f982ef5b1c7ca4df498548f130554e7309d
                      • Opcode Fuzzy Hash: f4872e5e54956cb8a82cf9cfbe48a4ffd8cadd88bec2254309271a8e236c435d
                      • Instruction Fuzzy Hash: 6FB16A315083009FD720DF24DC44BABBBE9EF88755F41482EF98993291DB38E945CB5A
                      APIs
                      • GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 00416474
                      • GetProcAddress.KERNEL32(00000000), ref: 00416477
                      • GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 00416488
                      • GetProcAddress.KERNEL32(00000000), ref: 0041648B
                      • GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 0041649C
                      • GetProcAddress.KERNEL32(00000000), ref: 0041649F
                      • GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 004164B0
                      • GetProcAddress.KERNEL32(00000000), ref: 004164B3
                      • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00416555
                      • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 0041656D
                      • GetThreadContext.KERNEL32(?,00000000), ref: 00416583
                      • ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 004165A9
                      • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0041662B
                      • TerminateProcess.KERNEL32(?,00000000), ref: 0041663F
                      • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 0041667F
                      • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00416749
                      • SetThreadContext.KERNEL32(?,00000000), ref: 00416766
                      • ResumeThread.KERNEL32(?), ref: 00416773
                      • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0041678A
                      • GetCurrentProcess.KERNEL32(?), ref: 00416795
                      • TerminateProcess.KERNEL32(?,00000000), ref: 004167B0
                      • GetLastError.KERNEL32 ref: 004167B8
                      Strings
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Yara matches
                      Similarity
                      • API ID: Process$AddressHandleModuleProc$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
                      • String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$ntdll
                      • API String ID: 4188446516-3035715614
                      • Opcode ID: d10bf65b43118d9f3602471ab8893a8a2e2c8af733416bb1b6f525cf71852451
                      • Instruction ID: 94204e0ceb90eb3d518cc699b6b418d02f123724867831e7a48fec904b930286
                      • Opcode Fuzzy Hash: d10bf65b43118d9f3602471ab8893a8a2e2c8af733416bb1b6f525cf71852451
                      • Instruction Fuzzy Hash: 9CA18E71604300AFDB109F64DC85F6B7BE8FB48749F00092AF695D62A1E7B8EC44CB5A
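The call list above is the classic process-hollowing loader: CreateProcessW with dwCreationFlags 0x00000004 (CREATE_SUSPENDED, the sixth parameter), GetThreadContext/ReadProcessMemory on the suspended child, the image remapped through ZwUnmapViewOfSection/ZwCreateSection/ZwMapViewOfSection resolved by hand from ntdll, then WriteProcessMemory, SetThreadContext and ResumeThread. The following Python is an added triage helper, not code from the report or from Remcos: it parses trace bullets in the format rendered on this page ("Name.MODULE(arg,...), ref: ADDR") and flags that pattern. It assumes that format, and relies on the fact visible above that the Zw* names appear as trailing arguments of the GetModuleHandleA lines, so it scans the arguments of both GetModuleHandle* and GetProcAddress. The sample input is the trace block above, copied verbatim.

```python
"""Flag a process-hollowing API sequence in Joe Sandbox function-trace lines.

Added example for triaging the API lists in this report; not part of the
report or of Remcos. Input format assumed: one call per line, rendered as
"Name.MODULE(arg,arg,...), ref: ADDR".
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# One trace bullet, e.g. "CreateProcessW.KERNEL32(00000000,?,...,00000004,...), ref: 00416555".
CALL_RE = re.compile(
    r"(?P<name>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\)(?:, ref: (?P<ref>[0-9A-Fa-f]+))?"
)

CREATE_SUSPENDED = 0x00000004  # dwCreationFlags bit for a suspended child

# Order in which a hollowing loader touches the suspended child.
HOLLOWING_SEQUENCE = (
    "CreateProcessW", "GetThreadContext", "WriteProcessMemory",
    "SetThreadContext", "ResumeThread",
)
# Native section APIs a loader resolves by hand to remap the child's image.
SECTION_APIS = {"ZwUnmapViewOfSection", "ZwCreateSection", "ZwMapViewOfSection",
                "NtUnmapViewOfSection", "NtCreateSection", "NtMapViewOfSection"}


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str] = field(default_factory=list)
    ref: str = ""


def parse_trace(text: str) -> List[ApiCall]:
    """Parse the bullet lines of one function block into ApiCall records."""
    calls = []
    for line in text.splitlines():
        m = CALL_RE.search(line)
        if not m:
            continue  # section labels ("APIs", "Strings") and metadata lines
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw else []
        calls.append(ApiCall(m.group("name"), m.group("module"), args, m.group("ref") or ""))
    return calls


def creation_flags(call: ApiCall) -> Optional[int]:
    """dwCreationFlags is the 6th CreateProcess* parameter; '?' means unresolved."""
    if not call.name.startswith("CreateProcess") or len(call.args) < 6:
        return None
    try:
        return int(call.args[5], 16)
    except ValueError:
        return None


def detect_hollowing(calls: List[ApiCall]) -> List[str]:
    """Return indicator strings; an empty list means the pattern was not seen."""
    findings = []

    suspended = [c for c in calls if (creation_flags(c) or 0) & CREATE_SUSPENDED]
    if suspended:
        findings.append(f"CreateProcess with CREATE_SUSPENDED at ref {suspended[0].ref}")

    # Ordered-subsequence check: each step must appear after the previous one.
    step = 0
    for c in calls:
        if step < len(HOLLOWING_SEQUENCE) and c.name == HOLLOWING_SEQUENCE[step]:
            step += 1
    if step == len(HOLLOWING_SEQUENCE):
        findings.append("thread-context rewrite on a child process: "
                        + " -> ".join(HOLLOWING_SEQUENCE))

    # Zw*/Nt* section names in GetModuleHandle*/GetProcAddress arguments show the
    # loader resolving them at run time instead of importing them.
    resolved = sorted({a for c in calls
                       if c.name.startswith(("GetModuleHandle", "GetProcAddress"))
                       for a in c.args if a in SECTION_APIS})
    if resolved:
        findings.append("runtime-resolved section APIs: " + ", ".join(resolved))
    return findings


# Trace copied from the function block above (refs 00416474 to 00416773).
HOLLOWING_TRACE = """
GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 00416474
GetProcAddress.KERNEL32(00000000), ref: 00416477
GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 00416488
GetProcAddress.KERNEL32(00000000), ref: 0041648B
GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 0041649C
GetProcAddress.KERNEL32(00000000), ref: 0041649F
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00416555
VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 0041656D
GetThreadContext.KERNEL32(?,00000000), ref: 00416583
ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 004165A9
WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00416749
SetThreadContext.KERNEL32(?,00000000), ref: 00416766
ResumeThread.KERNEL32(?), ref: 00416773
"""
# A CRT start-up block from the same report, for contrast.
BENIGN_TRACE = "SetUnhandledExceptionFilter.KERNEL32(Function_00032908,0043262F), ref: 00432901"

if __name__ == "__main__":
    for finding in detect_hollowing(parse_trace(HOLLOWING_TRACE)):
        print(finding)
```

Run against the hollowing block it reports all three indicators; run against the SetUnhandledExceptionFilter block it reports nothing. The ordered-subsequence check is deliberately strict: GetThreadContext or SetThreadContext alone (debuggers, CRT exception handling) does not trip it, only the full create-suspended, rewrite, resume chain does.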
                      APIs
                        • Part of subcall function 004112B5: TerminateProcess.KERNEL32(00000000,004721E8,0040E2B2), ref: 004112C5
                        • Part of subcall function 004112B5: WaitForSingleObject.KERNEL32(000000FF), ref: 004112D8
                      • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040C0D6
                      • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040C0E9
                      • SetFileAttributesW.KERNEL32(?,00000080), ref: 0040C102
                      • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 0040C132
                        • Part of subcall function 0040A7F2: TerminateThread.KERNEL32(Function_00009305,00000000,004721E8,0040BC76,?,00472200,pth_unenc,004721E8), ref: 0040A801
                        • Part of subcall function 0040A7F2: UnhookWindowsHookEx.USER32(?), ref: 0040A811
                        • Part of subcall function 0040A7F2: TerminateThread.KERNEL32(004092EF,00000000,?,00472200,pth_unenc,004721E8), ref: 0040A823
                        • Part of subcall function 0041A17B: CreateFileW.KERNELBASE(?,40000000,00000000,00000000,00000002,00000080,00000000,?,00000000,?,?,00000000,0041A29A,00000000,00000000,?), ref: 0041A1BA
                      • ShellExecuteW.SHELL32(00000000,open,00000000,00469654,00469654,00000000), ref: 0040C37D
                      • ExitProcess.KERNEL32 ref: 0040C389
                      Strings
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Yara matches
                      Similarity
                      • API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                      • String ID: """, 0$")$CreateObject("WScript.Shell").Run "cmd /c ""$H"G$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$t<F$wend$while fso.FileExists("
                      • API String ID: 1861856835-1953526029
                      • Opcode ID: 17bf4595bb140aab77195462eb014437854c4eecf7b0a70f93fa7bcd7137ec3b
                      • Instruction ID: 20f5f97700cb48a3d0b4a42ff25d793d854bdbfc6fb2dd54058f707cc559a17d
                      • Opcode Fuzzy Hash: 17bf4595bb140aab77195462eb014437854c4eecf7b0a70f93fa7bcd7137ec3b
                      • Instruction Fuzzy Hash: 579180712042405AC314FB62D8929EF77E99F90708F50453FB586B31E3EE789E49C69E
                      APIs
                      • CreateMutexA.KERNEL32(00000000,00000001,00000000,00472200,00471FFC,00000000), ref: 00410EF9
                      • ExitProcess.KERNEL32(00000000), ref: 00410F05
                      • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00410F7F
                      • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00410F8E
                      • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00410F99
                      • CloseHandle.KERNEL32(00000000), ref: 00410FA0
                      • GetCurrentProcessId.KERNEL32 ref: 00410FA6
                      • PathFileExistsW.SHLWAPI(?), ref: 00410FD7
                      • GetTempPathW.KERNEL32(00000104,?), ref: 0041103A
                      • GetTempFileNameW.KERNEL32(?,temp_,00000000,?), ref: 00411054
                      • lstrcatW.KERNEL32(?,.exe), ref: 00411066
                        • Part of subcall function 0041A17B: CreateFileW.KERNELBASE(?,40000000,00000000,00000000,00000002,00000080,00000000,?,00000000,?,?,00000000,0041A29A,00000000,00000000,?), ref: 0041A1BA
                      • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 004110A6
                      • Sleep.KERNEL32(000001F4), ref: 004110E7
                      • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 004110FC
                      • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00411107
                      • CloseHandle.KERNEL32(00000000), ref: 0041110E
                      • GetCurrentProcessId.KERNEL32 ref: 00411114
                      Strings
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Yara matches
                      Similarity
                      • API ID: Process$File$Create$CloseCurrentHandleObjectOpenPathSingleTempWait$ExecuteExistsExitMutexNameShellSleeplstrcat
                      • String ID: (#G$.exe$H"G$WDH$exepath$open$temp_
                      • API String ID: 2649220323-71629269
                      • Opcode ID: 22e3788b7de882572e50802ce453d65e547420d61471c8ff51f656e06725a515
                      • Instruction ID: 69aa2ac3f34532c799e46254488c9bc95b38e37df126af38d98eea17990f3aaa
                      • Opcode Fuzzy Hash: 22e3788b7de882572e50802ce453d65e547420d61471c8ff51f656e06725a515
                      • Instruction Fuzzy Hash: 9D51A671A003196BDF10A7A09C59EEE336D9B04715F5041BBF605A31E2EFBC8E86875D
                      APIs
                      • _wcslen.LIBCMT ref: 0040B882
                      • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,00471FFC), ref: 0040B89B
                      • CopyFileW.KERNEL32(C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe,00000000,00000000,00000000,00000000,00000000,?,00471FFC), ref: 0040B952
                      • _wcslen.LIBCMT ref: 0040B968
                      • CopyFileW.KERNEL32(C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe,00000000,00000000,00000000), ref: 0040B9E0
                      • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040BA22
                      • _wcslen.LIBCMT ref: 0040BA25
                      • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040BA3C
                      • ShellExecuteW.SHELL32(00000000,open,00000000,00469654,00469654,00000000), ref: 0040BC2A
                      • ExitProcess.KERNEL32 ref: 0040BC36
                      Strings
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Yara matches
                      Similarity
                      • API ID: File$_wcslen$AttributesCopy$CreateDirectoryExecuteExitProcessShell
                      • String ID: """, 0$6$C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe$CreateObject("WScript.Shell").Run "cmd /c ""$Set fso = CreateObject("Scripting.FileSystemObject")$Temp$WScript.Sleep 1000$\install.vbs$fso.DeleteFile $fso.DeleteFile(Wscript.ScriptFullName)$open$!G$!G
                      • API String ID: 2743683619-1696428475
                      • Opcode ID: b06e7faee33cfaed22f51d7ac950c7a3f3444e9db8dd9e707e9954185f774f82
                      • Instruction ID: 1f37921bc36cc04280d9be7a1af933bc03f5727a4608831148a2c1203a4a5f71
                      • Opcode Fuzzy Hash: b06e7faee33cfaed22f51d7ac950c7a3f3444e9db8dd9e707e9954185f774f82
                      • Instruction Fuzzy Hash: CA9161712083415BC218F766DC92EAF77D8AF90708F50043FF546A61E2EE7C9A49C69E
                      APIs
                        • Part of subcall function 004112B5: TerminateProcess.KERNEL32(00000000,004721E8,0040E2B2), ref: 004112C5
                        • Part of subcall function 004112B5: WaitForSingleObject.KERNEL32(000000FF), ref: 004112D8
                      • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,00472200,pth_unenc,004721E8), ref: 0040BD63
                      • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040BD76
                      • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,00472200,pth_unenc,004721E8), ref: 0040BDA6
                      • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,00472200,pth_unenc,004721E8), ref: 0040BDB5
                        • Part of subcall function 0040A7F2: TerminateThread.KERNEL32(Function_00009305,00000000,004721E8,0040BC76,?,00472200,pth_unenc,004721E8), ref: 0040A801
                        • Part of subcall function 0040A7F2: UnhookWindowsHookEx.USER32(?), ref: 0040A811
                        • Part of subcall function 0040A7F2: TerminateThread.KERNEL32(004092EF,00000000,?,00472200,pth_unenc,004721E8), ref: 0040A823
                        • Part of subcall function 00419959: GetCurrentProcessId.KERNEL32(00000000,75923530,00000000,?,?,?,?,00469654,0040BDCB,.vbs,?,?,?,?,?,00472200), ref: 00419980
                      • ShellExecuteW.SHELL32(00000000,open,00000000,00469654,00469654,00000000), ref: 0040BFD0
                      • ExitProcess.KERNEL32 ref: 0040BFD7
                      Strings
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Yara matches
                      Similarity
                      • API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                      • String ID: ")$.vbs$H"G$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$pth_unenc$wend$while fso.FileExists("
                      • API String ID: 3797177996-2974882535
                      • Opcode ID: 57f400eadd3448128050d7ad5fde5ac9df0c8dc2d43d0d2f55a1038c72fb190f
                      • Instruction ID: 6c8f8b33712d81dc7036d24bc004af62d002185c7e194acf753e7914dc64dab3
                      • Opcode Fuzzy Hash: 57f400eadd3448128050d7ad5fde5ac9df0c8dc2d43d0d2f55a1038c72fb190f
                      • Instruction Fuzzy Hash: DD816E716042405AC714FB62D8929EF77A8AF90708F10443FF586A71E2EF789E49C69E
                      APIs
                      • mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 004190F2
                      • mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 00419106
                      • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,00463050), ref: 0041912E
                      • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00471E78,00000000), ref: 00419144
                      • mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 00419185
                      • mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041919D
                      • mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 004191B2
                      • SetEvent.KERNEL32 ref: 004191CF
                      • WaitForSingleObject.KERNEL32(000001F4), ref: 004191E0
                      • CloseHandle.KERNEL32 ref: 004191F0
                      • mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 00419212
                      • mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041921C
                      Strings
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Yara matches
                      Similarity
                      • API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
                      • String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped
                      • API String ID: 738084811-1354618412
                      • Opcode ID: d9c8abc686de1a07796c64aef86d2b04a1096a5fb4ab0ac7d3907c1f8c23837c
                      • Instruction ID: 6660e32d934ed13bda46fa62e77153e47455c80990ba371f4f5bcee5a70a39dd
                      • Opcode Fuzzy Hash: d9c8abc686de1a07796c64aef86d2b04a1096a5fb4ab0ac7d3907c1f8c23837c
                      • Instruction Fuzzy Hash: 6C5191712043056BD604FB75DC96EBF369CDB81398F10053FF44A621E2EE789D898A6E
                      APIs
                      • CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AB9
                      • WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401AE3
                      • WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401AF3
                      • WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401B03
                      • WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401B13
                      • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401B23
                      • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B34
                      • WriteFile.KERNEL32(00000000,0046FA9A,00000002,00000000,00000000), ref: 00401B45
                      • WriteFile.KERNEL32(00000000,0046FA9C,00000004,00000000,00000000), ref: 00401B55
                      • WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401B65
                      • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B76
                      • WriteFile.KERNEL32(00000000,0046FAA6,00000002,00000000,00000000), ref: 00401B87
                      • WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401B97
                      • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401BA7
                      Strings
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Yara matches
                      Similarity
                      • API ID: File$Write$Create
                      • String ID: RIFF$WAVE$data$fmt
                      • API String ID: 1602526932-4212202414
                      • Opcode ID: e953cdad80a2b5f15463d19f06cbbe214ca4708b9acf4e214683fef01c63ba87
                      • Instruction ID: fa9573d22dfebaa7cc70b9682dc8642ba3498ee27ac2ec60dc87a96e6c13d219
                      • Opcode Fuzzy Hash: e953cdad80a2b5f15463d19f06cbbe214ca4708b9acf4e214683fef01c63ba87
                      • Instruction Fuzzy Hash: 46416F726543197AE210DB91DD85FBB7EECEB85B50F40042AF648D6080E7A4E909DBB3
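The thirteen WriteFile calls above (refs 00401AE3 to 00401BA7) emit, in order and with lengths 4,4,4,4,4,2,2,4,4,2,2,4,4, the fields of the canonical 44-byte PCM WAV header: "RIFF", RIFF size, "WAVE", "fmt ", fmt chunk size, format tag, channels, sample rate, byte rate, block align, bits per sample, "data", data size. The Python below is an added triage helper, not code from the report or from Remcos: it parses and cross-checks such a header so a recording dropped by the sample can be confirmed as playable PCM and its duration computed. It assumes the standard values the trace shows only as "?" (fmt chunk size 16, format tag 1); build_header produces constructed test input, not bytes captured from the sample.

```python
"""Validate the canonical 44-byte PCM WAV header written by the sequence above.

Added example for triaging dropped recordings; not code from the report or from
Remcos. Assumes the writer emits the standard layout (fmt chunk size 16, format
tag 1 for PCM); the trace shows those two values only as '?'.
"""
import struct
from dataclasses import dataclass

# RIFF header, 16-byte PCM fmt body, data chunk header: 13 fields, 44 bytes,
# the same sizes and order as the thirteen WriteFile calls (4,4,4,4,4,2,2,4,4,2,2,4,4).
HEADER_FMT = "<4sI4s4sIHHIIHH4sI"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 44


@dataclass
class WavHeader:
    riff_size: int
    channels: int
    sample_rate: int
    byte_rate: int
    block_align: int
    bits_per_sample: int
    data_size: int

    @property
    def duration_s(self) -> float:
        """Length of the audio payload in seconds."""
        return self.data_size / self.byte_rate if self.byte_rate else 0.0


def build_header(channels: int, sample_rate: int, bits: int, data_size: int) -> bytes:
    """Constructed test input (not captured from the sample): a consistent PCM header."""
    block_align = channels * bits // 8
    byte_rate = sample_rate * block_align
    return struct.pack(HEADER_FMT, b"RIFF", 36 + data_size, b"WAVE", b"fmt ", 16, 1,
                       channels, sample_rate, byte_rate, block_align, bits,
                       b"data", data_size)


def parse_header(blob: bytes) -> WavHeader:
    """Parse and cross-check the header; raises ValueError if it is not canonical PCM."""
    if len(blob) < HEADER_LEN:
        raise ValueError(f"need {HEADER_LEN} header bytes, got {len(blob)}")
    (riff, riff_size, wave, fmt_id, fmt_size, tag, channels, rate,
     byte_rate, block_align, bits, data_id, data_size) = struct.unpack(HEADER_FMT, blob[:HEADER_LEN])
    if (riff, wave, fmt_id, data_id) != (b"RIFF", b"WAVE", b"fmt ", b"data"):
        raise ValueError("chunk IDs are not RIFF/WAVE/fmt /data")
    if fmt_size != 16 or tag != 1:
        raise ValueError(f"not 16-byte PCM fmt (size={fmt_size}, tag={tag})")
    # Derived fields must agree with each other; a writer that patches the sizes
    # after recording can leave them stale, which is itself worth noting in triage.
    if block_align != channels * bits // 8 or byte_rate != rate * block_align:
        raise ValueError("block_align/byte_rate inconsistent with channels, rate, bits")
    if riff_size != 36 + data_size:
        raise ValueError("RIFF size does not match data size for a 44-byte header")
    return WavHeader(riff_size, channels, rate, byte_rate, block_align, bits, data_size)


def is_canonical_wav(blob: bytes) -> bool:
    """Boolean wrapper for bulk triage of dropped files."""
    try:
        parse_header(blob)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    hdr = parse_header(build_header(channels=1, sample_rate=8000, bits=16, data_size=16000))
    print(hdr, f"{hdr.duration_s:.1f}s")
```

The check is strict on purpose: anything that is not the plain 44-byte PCM layout (an extra LIST chunk, a float format tag, a stale RIFF size) is rejected rather than guessed at, so a file that passes can be handed to any WAV reader, and one that fails tells you the writer did something other than the straight sequence traced above.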
                      APIs
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Yara matches
                      Similarity
                      • API ID: _free$EnvironmentVariable$_wcschr
                      • String ID:
                      • API String ID: 3899193279-0
                      • Opcode ID: 684045cb82c272c6e2ac36361ff8b964f23035e186c2d5dbd227a350b29f8928
                      • Instruction ID: f90cfe9d57a3c7213274ca364bab7ea13f4483d5bd7e80e8c07ab134bc70d503
                      • Opcode Fuzzy Hash: 684045cb82c272c6e2ac36361ff8b964f23035e186c2d5dbd227a350b29f8928
                      • Instruction Fuzzy Hash: 80D136719023007BFB60AF7598C166B7BA4AF15718F09817FF985A7381FB3989008B5D
                      APIs
                      • ___free_lconv_mon.LIBCMT ref: 0044E4EA
                        • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D6FF
                        • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D711
                        • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D723
                        • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D735
                        • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D747
                        • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D759
                        • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D76B
                        • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D77D
                        • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D78F
                        • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D7A1
                        • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D7B3
                        • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D7C5
                        • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D7D7
                      • _free.LIBCMT ref: 0044E4DF
                        • Part of subcall function 00443C92: RtlFreeHeap.NTDLL(00000000,00000000,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?), ref: 00443CA8
                        • Part of subcall function 00443C92: GetLastError.KERNEL32(?,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?,?), ref: 00443CBA
                      • _free.LIBCMT ref: 0044E501
                      • _free.LIBCMT ref: 0044E516
                      • _free.LIBCMT ref: 0044E521
                      • _free.LIBCMT ref: 0044E543
                      • _free.LIBCMT ref: 0044E556
                      • _free.LIBCMT ref: 0044E564
                      • _free.LIBCMT ref: 0044E56F
                      • _free.LIBCMT ref: 0044E5A7
                      • _free.LIBCMT ref: 0044E5AE
                      • _free.LIBCMT ref: 0044E5CB
                      • _free.LIBCMT ref: 0044E5E3
                      Strings
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Yara matches
                      Similarity
                      • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                      • String ID: pF
                      • API String ID: 161543041-2973420481
                      • Opcode ID: b166b7e86ef1a7ddfa2e36ec319a6e916c21ca5d81851e2e5517d42b5c42f7b7
                      • Instruction ID: 6e8371ae3b83bc2427c047bff221b97f6cd80994471b0a2caeb41cff5b169df7
                      • Opcode Fuzzy Hash: b166b7e86ef1a7ddfa2e36ec319a6e916c21ca5d81851e2e5517d42b5c42f7b7
                      • Instruction Fuzzy Hash: D4315072500304AFFB205E7AD945B5BB3E5BF00719F55851FE488D6251EE39ED408B18
                      APIs
                      • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0041382B
                      • LoadLibraryA.KERNEL32(?), ref: 0041386D
                      • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 0041388D
                      • FreeLibrary.KERNEL32(00000000), ref: 00413894
                      • LoadLibraryA.KERNEL32(?), ref: 004138CC
                      • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 004138DE
                      • FreeLibrary.KERNEL32(00000000), ref: 004138E5
                      • GetProcAddress.KERNEL32(00000000,?), ref: 004138F4
                      • FreeLibrary.KERNEL32(00000000), ref: 0041390B
                      Strings
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Yara matches
                      Similarity
                      • API ID: Library$AddressFreeProc$Load$DirectorySystem
                      • String ID: \ws2_32$\wship6$freeaddrinfo$getaddrinfo$getnameinfo
                      • API String ID: 2490988753-744132762
                      • Opcode ID: 21b812c9e8c8c8e619d1227956d82128857f9ec353fd6b4c7c84cf26c4fc7a8e
                      • Instruction ID: d28fd91e0c22c3548fe93de424e57890752fc739e59a71d3c7449bb4191d4936
                      • Opcode Fuzzy Hash: 21b812c9e8c8c8e619d1227956d82128857f9ec353fd6b4c7c84cf26c4fc7a8e
                      • Instruction Fuzzy Hash: 8831C0B2502315ABC720AF25DC489CBBBEC9F48755F41062AF84593251E7B8CE8486AE
                      APIs
                      • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 004118B2
                        • Part of subcall function 00419959: GetCurrentProcessId.KERNEL32(00000000,75923530,00000000,?,?,?,?,00469654,0040BDCB,.vbs,?,?,?,?,?,00472200), ref: 00419980
                        • Part of subcall function 004168A6: CloseHandle.KERNEL32(004040D5,?,?,004040D5,00462E24), ref: 004168BC
                        • Part of subcall function 004168A6: CloseHandle.KERNEL32($.F,?,?,004040D5,00462E24), ref: 004168C5
                      • Sleep.KERNEL32(0000000A,00462E24), ref: 00411A01
                      • Sleep.KERNEL32(0000000A,00462E24,00462E24), ref: 00411AA3
                      • Sleep.KERNEL32(0000000A,00462E24,00462E24,00462E24), ref: 00411B42
                      • DeleteFileW.KERNEL32(00000000,00462E24,00462E24,00462E24), ref: 00411B9F
                      • DeleteFileW.KERNEL32(00000000,00462E24,00462E24,00462E24), ref: 00411BCF
                      • DeleteFileW.KERNEL32(00000000,00462E24,00462E24,00462E24), ref: 00411C05
                      • Sleep.KERNEL32(000001F4,00462E24,00462E24,00462E24), ref: 00411C25
                      • Sleep.KERNEL32(00000064), ref: 00411C63
                        • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                      Strings
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Yara matches
                      Similarity
                      • API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
                      • String ID: /stext "$$.F$@#G$@#G
                      • API String ID: 1223786279-2596709126
                      • Opcode ID: 48213fd4d5abe4fd85ef6aaa4562a37235d89d768066aed7768bf367896ddbbb
                      • Instruction ID: f36e1428a9e5a2dc2e21cca38a330b771dfaab2ce7ac60874593ee94e899fa44
                      • Opcode Fuzzy Hash: 48213fd4d5abe4fd85ef6aaa4562a37235d89d768066aed7768bf367896ddbbb
                      • Instruction Fuzzy Hash: 1CF154311083415AD328FB65D896AEFB3D5AFD0348F40093FF586521E2EF789A4DC69A
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Similarity
                      • API ID: _free
                      • String ID: pF
                      • API String ID: 269201875-2973420481
                      • Opcode ID: e28a4125cd182155f8106b0edc14aa680027b5eb54e98ed2c6064bdca11899c6
                      • Instruction ID: 42ad863364e9847d0c0ab7d3fc56807329b255bf3c924c15ca724e031f0c4a7b
                      • Instruction Fuzzy Hash: 4CC17576D40204ABEB20DFA9CC82FEE77F8AF09B05F154156FE04FB282D674A9458754
                      APIs
                      • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00472248,00471FFC,?,00000001), ref: 0040DE4E
                      • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000001), ref: 0040DE79
                      • Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040DE95
                      • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040DF14
                      • CloseHandle.KERNEL32(00000000,?,00000000,?,?,00000001), ref: 0040DF23
                        • Part of subcall function 00419F87: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000), ref: 00419F9C
                      • CreateMutexA.KERNEL32(00000000,00000001,00000000,00000000,?,00000001), ref: 0040E047
                      • CloseHandle.KERNEL32(00000000,C:\Program Files(x86)\Internet Explorer\,?,00000001), ref: 0040E133
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Similarity
                      • API ID: CloseCreateHandleProcess32$FileFirstModuleMutexNameNextOpenProcessSnapshotToolhelp32
                      • String ID: 0"G$C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe$!G
                      • API String ID: 193334293-3226144251
                      • Opcode ID: 512e7aa64a29e630e753ed5142c57c007a33ad23a2ac30d04bdc22c2bdcd0654
                      • Instruction ID: 8a3cf51a80cb2752f7e3b1027b115d9c77e2b7a511041fa54b012784d9d6af0a
                      • Instruction Fuzzy Hash: DB8121305083419BCA54FB61D8919EEB7E4AFA0348F40493FF586631E2EF78994DC75A
                      APIs
                      • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 0041A43B
                      • RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0041A47F
                      • RegCloseKey.ADVAPI32(?), ref: 0041A749
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Similarity
                      • API ID: CloseEnumOpen
                      • String ID: DisplayName$DisplayVersion$InstallDate$InstallLocation$Publisher$Software\Microsoft\Windows\CurrentVersion\Uninstall$UninstallString
                      • API String ID: 1332880857-3714951968
                      • Opcode ID: dcededb39bf263de4c0e491218869729ded1d12d81c3355e778ba101c7639554
                      • Instruction ID: 699f57f5c891f1d806a7f6c627c3d9f808e7165cae3c76f1f7c8ebce292c0808
                      • Instruction Fuzzy Hash: BC8152311183419BC328EB51D891EEFB7E8EF94348F10493FF586921E2EF749949CA5A
                      APIs
                      • DefWindowProcA.USER32(?,00000401,?,?), ref: 0041B38F
                      • GetCursorPos.USER32(?), ref: 0041B39E
                      • SetForegroundWindow.USER32(?), ref: 0041B3A7
                      • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041B3C1
                      • Shell_NotifyIconA.SHELL32(00000002,00471AE0), ref: 0041B412
                      • ExitProcess.KERNEL32 ref: 0041B41A
                      • CreatePopupMenu.USER32 ref: 0041B420
                      • AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041B435
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Similarity
                      • API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
                      • String ID: Close
                      • API String ID: 1657328048-3535843008
                      • Opcode ID: a6176c0d6380f4aee2a94f66beec31abf772cd011930890969aeab0fce4376ca
                      • Instruction ID: 8a5f592793453ec618f968136b1e584160f7030753e38ead18fcaf25e3e96fa7
                      • Instruction Fuzzy Hash: EB211B31110209BFDF054FA4ED0DAAA3F75FB04302F458125F906D2176D7B5D9A0AB59
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Similarity
                      • API ID: _free$Info
                      • String ID:
                      • API String ID: 2509303402-0
                      • Opcode ID: d352d52f1b9345d75488c5de9eae0d63737ffa17687bf4e8527101d8642b8356
                      • Instruction ID: c21780bae5ed168c96e0403295faec6c801d35bf5d84feaa2b3ea2b847582f92
                      • Instruction Fuzzy Hash: 70B1D171900305AFEB11DF69C881BEEBBF4BF08705F14456EF588A7342DB799A418B24
                      APIs
                      • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 00407D1F
                      • GetFileSizeEx.KERNEL32(00000000,?), ref: 00407D57
                      • __aulldiv.LIBCMT ref: 00407D89
                        • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                        • Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4
                      • SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 00407EAC
                      • ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00407EC7
                      • CloseHandle.KERNEL32(00000000), ref: 00407FA0
                      • CloseHandle.KERNEL32(00000000,00000052), ref: 00407FEA
                      • CloseHandle.KERNEL32(00000000), ref: 00408038
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Similarity
                      • API ID: File$CloseHandle$CreateLocalPointerReadSizeTime__aulldivsend
                      • String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller:
                      • API String ID: 3086580692-2596673759
                      • Opcode ID: e294c69aea2f9896a26e80ba208023c2e52adf2670876ef97f8c5d22051058c8
                      • Instruction ID: 8e1224200a6c450cfdafa1dd663dcbd78fa1a86951e699dbe30fbedc525f5c9c
                      • Instruction Fuzzy Hash: 05B191316083409BC354FB65C891AAFB7E9AFD4314F40492FF489622D2EF789D458B8B
                      APIs
                        • Part of subcall function 004112B5: TerminateProcess.KERNEL32(00000000,004721E8,0040E2B2), ref: 004112C5
                        • Part of subcall function 004112B5: WaitForSingleObject.KERNEL32(000000FF), ref: 004112D8
                        • Part of subcall function 004120E8: RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,00000000,00472200), ref: 00412104
                        • Part of subcall function 004120E8: RegQueryValueExA.KERNELBASE(00000000,00000000,00000000,00000000,00000208,?), ref: 0041211D
                        • Part of subcall function 004120E8: RegCloseKey.KERNELBASE(00000000), ref: 00412128
                      • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040C412
                      • ShellExecuteW.SHELL32(00000000,open,00000000,00469654,00469654,00000000), ref: 0040C571
                      • ExitProcess.KERNEL32 ref: 0040C57D
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Similarity
                      • API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
                      • String ID: """, 0$.vbs$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$H"G$Temp$exepath$open
                      • API String ID: 1913171305-2600661426
                      • Opcode ID: ec7b6c5aa71812b8a2a0985082f26332d579f65edb8dcc3be96a361ae3ddec7d
                      • Instruction ID: b2ba4f5629099335deb4bd311fc34f74cd7c7cff7cc2b9b794c872af44b42b62
                      • Instruction Fuzzy Hash: 214132319001185ACB14FBA2DC96DEE7778AF50708F50017FF506B71E2EE785E4ACA99
                      APIs
                      • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051A0,?,?,?,00405139), ref: 00404E18
                      • SetEvent.KERNEL32(?,?,?,?,00000000,?,004051A0,?,?,?,00405139), ref: 00404E23
                      • CloseHandle.KERNEL32(?,?,?,?,00000000,?,004051A0,?,?,?,00405139), ref: 00404E2C
                      • closesocket.WS2_32(000000FF), ref: 00404E3A
                      • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051A0,?,?,?,00405139), ref: 00404E71
                      • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00404E82
                      • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00404E89
                      • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404E9A
                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404E9F
                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404EA4
                      • SetEvent.KERNEL32(?,?,?,?,00000000,?,004051A0,?,?,?,00405139), ref: 00404EB1
                      • CloseHandle.KERNEL32(?,?,?,?,00000000,?,004051A0,?,?,?,00405139), ref: 00404EB6
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Similarity
                      • API ID: CloseEventHandle$ObjectSingleWait$closesocket
                      • String ID:
                      • API String ID: 3658366068-0
                      • Opcode ID: f707382b18fa39c0527187131c55234197c0fa46854763e90b09e39a9568e99a
                      • Instruction ID: b890c501aeabc943cf782ca315c2c368517b908ebe77e8074f52597b82095e9a
                      • Instruction Fuzzy Hash: 1B212C71000B009FDB216B26DC49B17BBE5FF40326F114A2DE2E212AF1CB79E851DB58
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Similarity
                      • API ID:
                      • String ID: 65535$udp
                      • API String ID: 0-1267037602
                      • Opcode ID: 28a355c3c2c5299b67e9df14989e725b3f395b8ff7de4f3ce545a5dea485fe56
                      • Instruction ID: 74e44cdacc71272d4b4fe4479ff5a2c38cc960f39e0e81ce023821ae7ff597b0
                      • Instruction Fuzzy Hash: 3151F1F5209302ABD7209E15C809BBB77D4AB84B52F08842FF8A1973D0D76CDEC0965E
                      APIs
                      • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D35,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00438632
                      • GetLastError.KERNEL32(?,?,00401D35,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043863F
                      • __dosmaperr.LIBCMT ref: 00438646
                      • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D35,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00438672
                      • GetLastError.KERNEL32(?,?,?,00401D35,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043867C
                      • __dosmaperr.LIBCMT ref: 00438683
                      • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401D35,?), ref: 004386C6
                      • GetLastError.KERNEL32(?,?,?,?,?,?,00401D35,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004386D0
                      • __dosmaperr.LIBCMT ref: 004386D7
                      • _free.LIBCMT ref: 004386E3
                      • _free.LIBCMT ref: 004386EA
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Similarity
                      • API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
                      • String ID:
                      • API String ID: 2441525078-0
                      • Opcode ID: 2428d6136fa203607d9b9ba94df6370f818a7f930700a212aadf753765814adb
                      • Instruction ID: 210192a7601cd99409c426d56dfac4e8df60f1af96207b6eb293af60208c7bc2
                      • Instruction Fuzzy Hash: 4E31B17280030ABBDF11AFA5DC469AF7B69AF08325F10425EF81056291DF39CD11DB69
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Similarity
                      • API ID: _free
                      • String ID: pF$tF
                      • API String ID: 269201875-2954683558
                      • Opcode ID: f1956a37fb57c14efad3a30e8a4a694615c5a3291379cc37ed6cd6fb8765ce3b
                      • Instruction ID: 6443803da38cddfc03973e112e1470be20db66c409a4168417c9ccfa39c85508
                      • Instruction Fuzzy Hash: 1261D5B5D00205AFEB20CF69C841BAABBF4EF05B14F15416BE944EB381E7749D41DB58
                      APIs
                      • SetEvent.KERNEL32(?,?), ref: 0040549F
                      • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040554F
                      • TranslateMessage.USER32(?), ref: 0040555E
                      • DispatchMessageA.USER32(?), ref: 00405569
                      • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00471F10), ref: 00405621
                      • HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 00405659
                        • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Similarity
                      • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
                      • String ID: CloseChat$DisplayMessage$GetMessage
                      • API String ID: 2956720200-749203953
                      • Opcode ID: fe4378931874f6166ff32b88e7d6dc79f438b20f787d57f99f1f9b7ddfcabb74
                      • Instruction ID: 0f013d79663c92f7c21c274702d2b8200e9ba5951f20e13ff122dbd33ecc2bba
                      • Instruction Fuzzy Hash: 8B41C471A043016BCB00FB75DC5A86F77A9EB85714B40093EF946A31D2EF79C905CB9A
                      APIs
                        • Part of subcall function 0041626A: __EH_prolog.LIBCMT ref: 0041626F
                      • WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,00463050), ref: 0041611A
                      • CloseHandle.KERNEL32(00000000), ref: 00416123
                      • DeleteFileA.KERNEL32(00000000), ref: 00416132
                      • ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 004160E6
                        • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Similarity
                      • API ID: CloseDeleteExecuteFileH_prologHandleObjectShellSingleWaitsend
                      • String ID: <$@$@%G$@%G$Temp
                      • API String ID: 1704390241-4139030828
                      • Opcode ID: 08cb1755ce7b468823e10bc19469487db811a439f2e1fee2786586d5cf0c4217
                      • Instruction ID: 980de7e6e99344695fa922fac5fad97fc57b46ec9d0f9c422bd6bd0d3fbbc04a
                      • Instruction Fuzzy Hash: 48419131900209ABDB14FB61DC56AEEB739AF50308F50417EF505760E2EF785E8ACB99
                      APIs
                      • ShellExecuteW.SHELL32(00000000,open,00000000,00469654,00469654,00000000), ref: 00406775
                      • ExitProcess.KERNEL32 ref: 00406782
                      Strings
                      • mscfile\shell\open\command, xrefs: 004066D4
                      • open, xrefs: 0040676E
                      • origmsc, xrefs: 00406710
                      • H"G, xrefs: 004066E8
                      • C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe, xrefs: 00406730
                      • eventvwr.exe, xrefs: 0040674F
                      • Software\Classes\mscfile\shell\open\command, xrefs: 0040673F
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Similarity
                      • API ID: ExecuteExitProcessShell
                      • String ID: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe$H"G$Software\Classes\mscfile\shell\open\command$eventvwr.exe$mscfile\shell\open\command$open$origmsc
                      • API String ID: 1124553745-2292313255
                      • Opcode ID: ff3164ff437bd938bf0af4aa1d69ac47d2773793f706654e7af8f8ab839ecf43
                      • Instruction ID: 062031feec86e4e4641db6525c6f69cb17b792298443eef288e26788f9a4eac4
                      • Instruction Fuzzy Hash: 36110571A4420166D704B7A2DC57FEF32689B10B09F50003FF906B61D2EEBC5A4982DE
                      APIs
                      • OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,00000001,?,?,?,?,?,?,0041843C,00000000), ref: 00418AD2
                      • OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,0041843C,00000000), ref: 00418AE9
                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041843C,00000000), ref: 00418AF6
                      • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041843C,00000000), ref: 00418B05
                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041843C,00000000), ref: 00418B16
                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041843C,00000000), ref: 00418B19
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Similarity
                      • API ID: Service$CloseHandle$Open$ControlManager
                      • String ID:
                      • API String ID: 221034970-0
                      • Opcode ID: 5ca2c9f4f824d20fd2b15ead523db82676a1b8751022075e59f45b476e20e695
                      • Instruction ID: 27c4ffebcf7932a5624e60d5a3802e7503a1161fac6a42b5cc64803f4be6ae02
                      • Instruction Fuzzy Hash: A211E9715002186FD610EF64DC89CFF3B6CDF41B96741012AFA0593192DF789D469AF5
                      APIs
                      • _free.LIBCMT ref: 00445645
                        • Part of subcall function 00443C92: RtlFreeHeap.NTDLL(00000000,00000000,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?), ref: 00443CA8
                        • Part of subcall function 00443C92: GetLastError.KERNEL32(?,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?,?), ref: 00443CBA
                      • _free.LIBCMT ref: 00445651
                      • _free.LIBCMT ref: 0044565C
                      • _free.LIBCMT ref: 00445667
                      • _free.LIBCMT ref: 00445672
                      • _free.LIBCMT ref: 0044567D
                      • _free.LIBCMT ref: 00445688
                      • _free.LIBCMT ref: 00445693
                      • _free.LIBCMT ref: 0044569E
                      • _free.LIBCMT ref: 004456AC
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Similarity
                      • API ID: _free$ErrorFreeHeapLast
                      • String ID:
                      • API String ID: 776569668-0
                      • Opcode ID: 93d31162751b94c5375648fc1d7c6d5428524314512021667e8ac2086323d142
                      • Instruction ID: 08dc7793ba969bb8ae61e50cce6790fa76a3b05f45cdd3d63b195ce4761959f1
                      • Instruction Fuzzy Hash: A511CB7610010CBFDB01EF55C986CDD3B65FF04759B4284AAFA885F222EA35DF509B88
                      APIs
                      • __EH_prolog.LIBCMT ref: 00417F6F
                      • GdiplusStartup.GDIPLUS(00471668,?,00000000), ref: 00417FA1
                      • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 0041802D
                      • Sleep.KERNEL32(000003E8), ref: 004180B3
                      • GetLocalTime.KERNEL32(?), ref: 004180BB
                      • Sleep.KERNEL32(00000000,00000018,00000000), ref: 004181AA
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Similarity
                      • API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
                      • String ID: time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i
                      • API String ID: 489098229-3790400642
                      • Opcode ID: d986c0086e082f31797726373313937d89721add50fb1544cc2274eb4558e2a5
                      • Instruction ID: ff50de85f816598f14f139fcbfe24147e98e2bb745fd097185ef2e944e73ca26
                      • Instruction Fuzzy Hash: 98516071A001549BCB04BBB5C8529FD76A8AF55308F04403FF805A71E2EF7C5E85C799
                      APIs
                      • DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,004541DF), ref: 00453107
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Similarity
                      • API ID: DecodePointer
                      • String ID: acos$asin$exp$log$log10$pow$sqrt
                      • API String ID: 3527080286-3064271455
                      • Opcode ID: f53d904abd5658a060f413a89978d0306c3294a3021a30185663c10ae64f840c
                      • Instruction ID: 9333e61b372fbf41addd7e909d3efe481a8fa84217f9852f3907f1ba123c2b47
                      • Instruction Fuzzy Hash: CC518F30900909DBCF10DFA8E9480ADBBB0FF0A347F644196EC81A7216CB799A1DDB1D
                      APIs
                      • ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 00415A1A
                        • Part of subcall function 0041A20F: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040983B), ref: 0041A228
                      • Sleep.KERNEL32(00000064), ref: 00415A46
                      • DeleteFileW.KERNEL32(00000000), ref: 00415A7A
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Similarity
                      • API ID: File$CreateDeleteExecuteShellSleep
                      • String ID: /t $\sysinfo.txt$dxdiag$open$temp
                      • API String ID: 1462127192-2001430897
                      • Opcode ID: 430b105faeda767b46b4a098234c7ea381730a777681d078a01f98d4ea25ab71
                      • Instruction ID: 7fbd65b43d39327dc9f625a99f058064c4c6325298edc9245ab65683dcac2845
                      • Instruction Fuzzy Hash: FA315E719402199ACB04FBA1DC96DEE7768EF50308F40017FF506731E2EE785E8ACA99
                      APIs
                      • AllocConsole.KERNEL32(00000000), ref: 0041AA5D
                      • ShowWindow.USER32(00000000,00000000), ref: 0041AA76
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Similarity
                      • API ID: AllocConsoleShowWindow
                      • String ID: * BreakingSecurity.net$ * Remcos v$--------------------------$--------------------------$3.8.0 Pro$CONOUT$
                      • API String ID: 4118500197-4025029772
                      • Opcode ID: 613498324cd6a8c522b436d369b4391aab2e08fe6d6e431343eccbd2d6afca2c
                      • Instruction ID: 07661f9972e693547954b0fc743ee20e91627884e026026f5b86345d1a8b50cd
                      • Opcode Fuzzy Hash: 613498324cd6a8c522b436d369b4391aab2e08fe6d6e431343eccbd2d6afca2c
                      • Instruction Fuzzy Hash: CE015271D803586ADB10EBF59C06FDF77AC6B18708F54142BB100A7095E7FC950C4A2D
                      APIs
                      • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041B22B
                        • Part of subcall function 0041B2C4: RegisterClassExA.USER32(00000030), ref: 0041B310
                        • Part of subcall function 0041B2C4: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041B32B
                        • Part of subcall function 0041B2C4: GetLastError.KERNEL32 ref: 0041B335
                      • ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041B262
                      • lstrcpynA.KERNEL32(00471AF8,Remcos,00000080), ref: 0041B27C
                      • Shell_NotifyIconA.SHELL32(00000000,00471AE0), ref: 0041B292
                      • TranslateMessage.USER32(?), ref: 0041B29E
                      • DispatchMessageA.USER32(?), ref: 0041B2A8
                      • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0041B2B5
                      Strings
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Yara matches
                      Similarity
                      • API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
                      • String ID: Remcos
                      • API String ID: 1970332568-165870891
                      • Opcode ID: 6a629144b245819b38f2933f29616ef2380529a0a937335efbac9e54df28edc4
                      • Instruction ID: 392c2ce23d615fe7cfca65c1bdf78dc563e79c4ff08160ae13be93183ad442b8
                      • Opcode Fuzzy Hash: 6a629144b245819b38f2933f29616ef2380529a0a937335efbac9e54df28edc4
                      • Instruction Fuzzy Hash: CD013971901308ABCB10DBB9ED4EEDB7BBCFB85B05F40417AF51992061D7B89489CB68
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: dee208c16fd6e6a71a697de3b175f4e390e38276f2012422441a095a82cae68d
                      • Instruction ID: 53180985ac70b1d9c95f382170f9691aec8243d5c40cf1d2be039b65846bfc46
                      • Opcode Fuzzy Hash: dee208c16fd6e6a71a697de3b175f4e390e38276f2012422441a095a82cae68d
                      • Instruction Fuzzy Hash: 2DC12970D44245AFEB11DFA8D841BEEBBB0BF19304F04419AE844A7392C7798D51DB6B
                      APIs
                        • Part of subcall function 00452A89: CreateFileW.KERNEL32(00000000,00000000,?,00452E64,?,?,00000000,?,00452E64,00000000,0000000C), ref: 00452AA6
                      • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,FF8BC35D), ref: 00452ECF
                      • __dosmaperr.LIBCMT ref: 00452ED6
                      • GetFileType.KERNEL32(00000000), ref: 00452EE2
                      • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,FF8BC35D), ref: 00452EEC
                      • __dosmaperr.LIBCMT ref: 00452EF5
                      • CloseHandle.KERNEL32(00000000), ref: 00452F15
                      • CloseHandle.KERNEL32(00000000), ref: 0045305F
                      • GetLastError.KERNEL32 ref: 00453091
                      • __dosmaperr.LIBCMT ref: 00453098
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Yara matches
                      Similarity
                      • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                      • String ID:
                      • API String ID: 4237864984-0
                      • Opcode ID: 474c31a6c8ccfba43807a2a750eddd9e1d52ca803bebdbe2fa86fef5e1c33935
                      • Instruction ID: def4621c7e831d5678052e1043e56ea9e2bfce8be848437acb5cac56d61a7e39
                      • Opcode Fuzzy Hash: 474c31a6c8ccfba43807a2a750eddd9e1d52ca803bebdbe2fa86fef5e1c33935
                      • Instruction Fuzzy Hash: CAA15832A101049FDF19EF68D8417AE7BB1AB0A325F14015FFC419B392DB798D1ACB5A
                      APIs
                      • GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,0045123C,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 0045100F
                      • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,0045123C,00000000,00000000,?,00000001,?,?,?,?), ref: 00451092
                      • __alloca_probe_16.LIBCMT ref: 004510CA
                      • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000001,00000000,0045123C,?,0045123C,00000000,00000000,?,00000001,?,?,?,?), ref: 00451125
                      • __alloca_probe_16.LIBCMT ref: 00451174
                      • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,0045123C,00000000,00000000,?,00000001,?,?,?,?), ref: 0045113C
                        • Part of subcall function 00443649: RtlAllocateHeap.NTDLL(00000000,00433049,?,P@,004365E7,?,?,00000000,?,P@,0040C88A,00433049,?,?,?,?), ref: 0044367B
                      • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,0045123C,00000000,00000000,?,00000001,?,?,?,?), ref: 004511B8
                      • __freea.LIBCMT ref: 004511E3
                      • __freea.LIBCMT ref: 004511EF
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Yara matches
                      Similarity
                      • API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
                      • String ID:
                      • API String ID: 201697637-0
                      • Opcode ID: 77818321e3ce56ea0e71bb7bca8220fb6369df6bc1e17647591189b9ba8744e1
                      • Instruction ID: 005ec385ace484c3041e352596739c7debf7d66643145b34d09858c349e559c3
                      • Opcode Fuzzy Hash: 77818321e3ce56ea0e71bb7bca8220fb6369df6bc1e17647591189b9ba8744e1
                      • Instruction Fuzzy Hash: C191D632E002169BDB209EA5C881BAF7BB59F09716F14025BED00E7292D72DDD89C768
                      APIs
                        • Part of subcall function 00445725: GetLastError.KERNEL32(00000020,?,00438595,?,?,?,00439FB1,?,?,00000020,00000000,?,?,?,0042BAB6,0000003B), ref: 00445729
                        • Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
                        • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,00439FB1,?,?,00000020,00000000,?,?,?,0042BAB6,0000003B,?,00000041,00000000,00000000), ref: 0044579D
                        • Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3
                      • _memcmp.LIBVCRUNTIME ref: 00442935
                      • _free.LIBCMT ref: 004429A6
                      • _free.LIBCMT ref: 004429BF
                      • _free.LIBCMT ref: 004429F1
                      • _free.LIBCMT ref: 004429FA
                      • _free.LIBCMT ref: 00442A06
                      Strings
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Yara matches
                      Similarity
                      • API ID: _free$ErrorLast$_abort_memcmp
                      • String ID: C
                      • API String ID: 1679612858-1037565863
                      • Opcode ID: 1b68fb9e24b66cfa6b20be242c75466d086ab93edfb681ab48de3257ce38a64d
                      • Instruction ID: aeaf983377083d43a1268bd0837f448671c9c2270315b144058cc99b7af0bbb4
                      • Opcode Fuzzy Hash: 1b68fb9e24b66cfa6b20be242c75466d086ab93edfb681ab48de3257ce38a64d
                      • Instruction Fuzzy Hash: C6B14B75A01219DFEB24DF19C984AAEB7B4FF08314F5045AEE849A7350E774AE90CF44
                      Strings
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID: tcp$udp
                      • API String ID: 0-3725065008
                      • Opcode ID: 688bcc682103751b5d6e0fc50f4ff73081394bc5db4df513150874dffde81862
                      • Instruction ID: 0146648cb9627796ba72a5075a1bb19f593c332394d5faf8ede73001e6eead87
                      • Opcode Fuzzy Hash: 688bcc682103751b5d6e0fc50f4ff73081394bc5db4df513150874dffde81862
                      • Instruction Fuzzy Hash: 0271AB306083029FDB24CF55C4456ABBBE5AB88B06F14483FF88587351DB78CE85CB8A
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Yara matches
                      Similarity
                      • API ID: Eventinet_ntoa
                      • String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse
                      • API String ID: 3578746661-168337528
                      • Opcode ID: 70b562623e608f52b74c615430b61c3c036e804be76b82e8d1e90eafa8e2c2e4
                      • Instruction ID: 6b7c77c2de925f44c7fd0444b04eaa142d1c015a05a303cede5520b91582e870
                      • Opcode Fuzzy Hash: 70b562623e608f52b74c615430b61c3c036e804be76b82e8d1e90eafa8e2c2e4
                      • Instruction Fuzzy Hash: 1B51C671A043005BC704FB35E81AAAE36A56B85304F50453FF942972E2EFBD998987CF
                      APIs
                      • CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00000000,00471E78,00462F54,?,00000000,0040708D,00000000), ref: 00406A56
                      • WriteFile.KERNEL32(00000000,?,00000000,000186A0,00000000,?,000186A0,?,?,00000000,0040708D,00000000,?,?,0000000A,00000000), ref: 00406A9E
                        • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                      • CloseHandle.KERNEL32(00000000,?,00000000,0040708D,00000000,?,?,0000000A,00000000), ref: 00406ADE
                      • MoveFileW.KERNEL32(00000000,00000000), ref: 00406AFB
                      • CloseHandle.KERNEL32(00000000,00000057,?,00000008,?,?,?,?,?,?,?,0000000A,00000000), ref: 00406B26
                      • DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,?,0000000A,00000000), ref: 00406B36
                        • Part of subcall function 00404B76: WaitForSingleObject.KERNEL32(?,000000FF,?,00471E90,00404C29,00000000,?,?,?,00471E90,?), ref: 00404B85
                        • Part of subcall function 00404B76: SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040546B), ref: 00404BA3
                      Strings
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Yara matches
                      Similarity
                      • API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
                      • String ID: .part
                      • API String ID: 1303771098-3499674018
                      • Opcode ID: 902e130b94aad18369189187a8e6e7e21762ac87eb431447f7a89350bc37b519
                      • Instruction ID: 678cfffe15af58d7f0b712f13b91f409224560124cae5e22a1f642ab954cf825
                      • Opcode Fuzzy Hash: 902e130b94aad18369189187a8e6e7e21762ac87eb431447f7a89350bc37b519
                      • Instruction Fuzzy Hash: 183195715043519FC210FF61D8859AFB7E8EF84305F40493FB946A21E1DB78DE488B9A
                      APIs
                      • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,?,0042BAB6,?,?,?,00447215,00000001,00000001,?), ref: 0044701E
                      • __alloca_probe_16.LIBCMT ref: 00447056
                      • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,0042BAB6,?,?,?,00447215,00000001,00000001,?), ref: 004470A4
                      • __alloca_probe_16.LIBCMT ref: 0044713B
                      • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0044719E
                      • __freea.LIBCMT ref: 004471AB
                        • Part of subcall function 00443649: RtlAllocateHeap.NTDLL(00000000,00433049,?,P@,004365E7,?,?,00000000,?,P@,0040C88A,00433049,?,?,?,?), ref: 0044367B
                      • __freea.LIBCMT ref: 004471B4
                      • __freea.LIBCMT ref: 004471D9
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Yara matches
                      Similarity
                      • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
                      • String ID:
                      • API String ID: 3864826663-0
                      • Opcode ID: 4a3c7fd5df8aec1f106920e086c0c8b502c59cd20239ccd34f4dcb85e5a0006e
                      • Instruction ID: 54c76e5b98bc3e662f405ec50a570bffd16f8396d3d33e450f7b83ec1f761fab
                      • Opcode Fuzzy Hash: 4a3c7fd5df8aec1f106920e086c0c8b502c59cd20239ccd34f4dcb85e5a0006e
                      • Instruction Fuzzy Hash: C051F372604216AFFB258F65CC81EAF77A9EB44754F19422EFC04D6340EB38DC4296A8
                      APIs
                      • SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 00417982
                      • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 004179A3
                      • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 004179C3
                      • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 004179D7
                      • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 004179ED
                      • SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 00417A0A
                      • SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 00417A25
                      • SendInput.USER32(00000001,?,0000001C,?,00000000), ref: 00417A41
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Yara matches
                      Similarity
                      • API ID: InputSend
                      • String ID:
                      • API String ID: 3431551938-0
                      • Opcode ID: 6aaf5890e5c1829a4f0a9f9de961f2057ca44ae286fc2f2a8f4f79c9cdb01491
                      • Instruction ID: 18205c9a4f61e0979ba7f31da2e0396e133b47f61cec1eebe1044e0c870e5742
                      • Opcode Fuzzy Hash: 6aaf5890e5c1829a4f0a9f9de961f2057ca44ae286fc2f2a8f4f79c9cdb01491
                      • Instruction Fuzzy Hash: BF3180715583086EE311CF51D941BEBBFECEF99B54F00080FF6809A191D2A696C98BA7
                      APIs
                      • OpenClipboard.USER32 ref: 00414F41
                      • EmptyClipboard.USER32 ref: 00414F4F
                      • CloseClipboard.USER32 ref: 00414F55
                      • OpenClipboard.USER32 ref: 00414F5C
                      • GetClipboardData.USER32(0000000D), ref: 00414F6C
                      • GlobalLock.KERNEL32(00000000), ref: 00414F75
                      • GlobalUnlock.KERNEL32(00000000), ref: 00414F7E
                      • CloseClipboard.USER32 ref: 00414F84
                        • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Yara matches
                      Similarity
                      • API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
                      • String ID:
                      • API String ID: 2172192267-0
                      • Opcode ID: 1de530116997ba81a090b82115ea5616da963aeca7a52e6e9a7f8e655297098a
                      • Instruction ID: b342c93700c1c5b5557293b3c64df63ecfc3f94f93ee8c928ebb46f035b43356
                      • Opcode Fuzzy Hash: 1de530116997ba81a090b82115ea5616da963aeca7a52e6e9a7f8e655297098a
                      • Instruction Fuzzy Hash: 7C015E312443009BD314BF71DC596AA76A8EBE0346F81057EB94A931A3DF3899498A9A
                      APIs
                      • GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,00447ECC,00453EB5,00000000,00000000,00000000,00000000,00000000), ref: 00447799
                      • __fassign.LIBCMT ref: 00447814
                      • __fassign.LIBCMT ref: 0044782F
                      • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 00447855
                      • WriteFile.KERNEL32(?,00000000,00000000,00447ECC,00000000,?,?,?,?,?,?,?,?,?,00447ECC,00453EB5), ref: 00447874
                      • WriteFile.KERNEL32(?,00453EB5,00000001,00447ECC,00000000,?,?,?,?,?,?,?,?,?,00447ECC,00453EB5), ref: 004478AD
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Yara matches
                      Similarity
                      • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                      • String ID:
                      • API String ID: 1324828854-0
                      • Opcode ID: a748b16374f527b7a80cf69ed727348adf3f69da4df0249be72511d103bd3332
                      • Instruction ID: 74b5e8c6f427b63fe2026e60454d3d85c0c1d9029b0a2cc1a9ecb7a500eaa1fe
                      • Opcode Fuzzy Hash: a748b16374f527b7a80cf69ed727348adf3f69da4df0249be72511d103bd3332
                      • Instruction Fuzzy Hash: 32510870E042499FEB10DFA8DC85AEEBBF8EF09300F14416BE951E7291E7749941CB69
                      APIs
                      • _strftime.LIBCMT ref: 00401D30
                        • Part of subcall function 00401A4D: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AB9
                      • waveInUnprepareHeader.WINMM(0046FA78,00000020,00000000,?), ref: 00401DE2
                      • waveInPrepareHeader.WINMM(0046FA78,00000020), ref: 00401E20
                      • waveInAddBuffer.WINMM(0046FA78,00000020), ref: 00401E2F
                      Strings
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Yara matches
                      Similarity
                      • API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
                      • String ID: %Y-%m-%d %H.%M$.wav
                      • API String ID: 3809562944-3597965672
                      • Opcode ID: d9f53293eee377a4641faa8542e573edd33862d918c1b44ecd9bf446bc1b64af
                      • Instruction ID: eb6f517cf981021e41f9baa65c06222081641aa24e02a1e4c78245b08a68fc14
                      • Opcode Fuzzy Hash: d9f53293eee377a4641faa8542e573edd33862d918c1b44ecd9bf446bc1b64af
                      • Instruction Fuzzy Hash: 743150315043009BC314EBA1EC56A9E77E8FB54318F50893EF599A21F2EFB49909CB5E
                      APIs
                        • Part of subcall function 00411F91: RegOpenKeyExA.KERNELBASE(80000002,00000400,00000000,00020019,00000000,00000000,00000000), ref: 00411FB5
                        • Part of subcall function 00411F91: RegQueryValueExA.KERNELBASE(00000000,?,00000000,00000000,?,00000400), ref: 00411FD2
                        • Part of subcall function 00411F91: RegCloseKey.KERNELBASE(00000000), ref: 00411FDD
                      • ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040AEAC
                      • PathFileExistsA.SHLWAPI(?), ref: 0040AEB9
                      Strings
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Yara matches
                      Similarity
                      • API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
                      • String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
                      • API String ID: 1133728706-4073444585
                      • Opcode ID: b203dc2bf87086d66bf72b334b1ed1fd5e5a8ad1a1e44632c740ce92ce1b61e8
                      • Instruction ID: 9e227284a7a69f00510d3be81dd7cde1580ac9a58a9ca8fbd928e09bf644cbd9
                      • Opcode Fuzzy Hash: b203dc2bf87086d66bf72b334b1ed1fd5e5a8ad1a1e44632c740ce92ce1b61e8
                      • Instruction Fuzzy Hash: CF21B170A4020556CB00FBE2CC97DEE7368AF51348F80013FB901772D2EB795A45C6DA
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 4e3d8c9a568c57fb9dcdc880f5c8ebbc933660610661b36433ba77454d73a655
                      • Instruction ID: 106e2cecea33a690a52cc41c1271e31c3df1f85e8271d36c5dacef07d135bc52
                      • Opcode Fuzzy Hash: 4e3d8c9a568c57fb9dcdc880f5c8ebbc933660610661b36433ba77454d73a655
                      • Instruction Fuzzy Hash: 2C113232504214BBCB213F769C0596B7B7CDF857A7F11062BFC1583292DA38C9089269
                      APIs
                        • Part of subcall function 0044DE21: _free.LIBCMT ref: 0044DE4A
                      • _free.LIBCMT ref: 0044E128
                        • Part of subcall function 00443C92: RtlFreeHeap.NTDLL(00000000,00000000,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?), ref: 00443CA8
                        • Part of subcall function 00443C92: GetLastError.KERNEL32(?,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?,?), ref: 00443CBA
                      • _free.LIBCMT ref: 0044E133
                      • _free.LIBCMT ref: 0044E13E
                      • _free.LIBCMT ref: 0044E192
                      • _free.LIBCMT ref: 0044E19D
                      • _free.LIBCMT ref: 0044E1A8
                      • _free.LIBCMT ref: 0044E1B3
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Yara matches
                      Similarity
                      • API ID: _free$ErrorFreeHeapLast
                      • String ID:
                      • API String ID: 776569668-0
                      • Opcode ID: d645742a9f031bfd4c53cfe37fe00a001808073c56fe889b6c8b285726f20831
                      • Instruction ID: b65b67035ea7ffc6fe2c1778d32cb4f6cbb79ca162155871331ff7aa41bb66fd
                      • Opcode Fuzzy Hash: d645742a9f031bfd4c53cfe37fe00a001808073c56fe889b6c8b285726f20831
                      • Instruction Fuzzy Hash: 64111571940B08AAE520BFF2CC47FCBB7DC9F14708F50882EB29D6A552DA7DB6044654
                      APIs
                      • GetLastError.KERNEL32(?,?,004380F1,0043705E), ref: 00438108
                      • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00438116
                      • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0043812F
                      • SetLastError.KERNEL32(00000000,?,004380F1,0043705E), ref: 00438181
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Yara matches
                      Similarity
                      • API ID: ErrorLastValue___vcrt_
                      • String ID:
                      • API String ID: 3852720340-0
                      • Opcode ID: a51cd608757b9cf21dde5cb3b99bb74488ace4818edb59339c74db540250a301
                      • Instruction ID: 5a832d73688d02476ca7511e273f3515cfb573674d76dbd3fe9934521fa1a72b
                      • Opcode Fuzzy Hash: a51cd608757b9cf21dde5cb3b99bb74488ace4818edb59339c74db540250a301
                      • Instruction Fuzzy Hash: F101283210C3326EAA102F767C85A1BAA94EB09779F31633FF214951E1FFA99C02550C
                      APIs
                      • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040AA1E
                      • GetLastError.KERNEL32 ref: 0040AA28
                      Strings
                      • [Chrome Cookies found, cleared!], xrefs: 0040AA4E
                      • UserProfile, xrefs: 0040A9EE
                      • \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040A9E9
                      • [Chrome Cookies not found], xrefs: 0040AA42
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Yara matches
                      Similarity
                      • API ID: DeleteErrorFileLast
                      • String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
                      • API String ID: 2018770650-304995407
                      • Opcode ID: 72959d3c99de93e4222bab9abc487c3734757a9235bfdd9193e44ef0947d1452
                      • Instruction ID: 1f34f6daae66b163f55af04f15e1d0b60933b3567ae099988c08ef58cbd90c9e
                      • Opcode Fuzzy Hash: 72959d3c99de93e4222bab9abc487c3734757a9235bfdd9193e44ef0947d1452
                      • Instruction Fuzzy Hash: 0E01F731B4020467C6047A75DD278AE77249951304B50057FF402773D2FD798915CA9F
                      APIs
                      • __allrem.LIBCMT ref: 00438A09
                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00438A25
                      • __allrem.LIBCMT ref: 00438A3C
                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00438A5A
                      • __allrem.LIBCMT ref: 00438A71
                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00438A8F
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Yara matches
                      Similarity
                      • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                      • String ID:
                      • API String ID: 1992179935-0
                      • Opcode ID: e54fcd2a271a95563de48233a52a921a5b89548056e17f80f76cd68e5be4f8c8
                      • Instruction ID: 1db505a437643d25cad1e1ab06004ebe691486694b679651004c0d70fbe8f9c1
                      • Opcode Fuzzy Hash: e54fcd2a271a95563de48233a52a921a5b89548056e17f80f76cd68e5be4f8c8
                      • Instruction Fuzzy Hash: CD815972A007069BE724BA29CC41B6BF3E8AF49328F14512FF511D6382EF78D900875D
                      APIs
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Yara matches
                      Similarity
                      • API ID: __cftoe
                      • String ID:
                      • API String ID: 4189289331-0
                      • Opcode ID: eba01cb7e667bf10c13e1131eb8d53c0a733c53fb11b583ea7a9a5fabebc0a3a
                      • Instruction ID: 4563a9c63fae0d6d7f7aa9a83d474a3ec136fb2d14012502de5dff0b8c27d610
                      • Opcode Fuzzy Hash: eba01cb7e667bf10c13e1131eb8d53c0a733c53fb11b583ea7a9a5fabebc0a3a
                      • Instruction Fuzzy Hash: CB510C32500205ABFB209F598E45EAF77B8EF48334FE0421FF415D6282EB79D941966C
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Yara matches
                      Similarity
                      • API ID: __freea$__alloca_probe_16_free
                      • String ID: a/p$am/pm
                      • API String ID: 2936374016-3206640213
                      • Opcode ID: 57e5036cd7783279a466902622085f7a15e34eba906f96654b679836998df48b
                      • Instruction ID: 5910b70c00eb86a61931efff1dda8232d7c1eee9eff2524394b85f82b3a3e216
                      • Opcode Fuzzy Hash: 57e5036cd7783279a466902622085f7a15e34eba906f96654b679836998df48b
                      • Instruction Fuzzy Hash: 05D1E171900206CAFB289F68C895BBBB7B1FF85300F29415BE905AB391D73D9D81CB59
                      APIs
                      • std::_Lockit::_Lockit.LIBCPMT ref: 0040F8C4
                      • int.LIBCPMT ref: 0040F8D7
                        • Part of subcall function 0040CAE9: std::_Lockit::_Lockit.LIBCPMT ref: 0040CAFA
                        • Part of subcall function 0040CAE9: std::_Lockit::~_Lockit.LIBCPMT ref: 0040CB14
                      • std::_Facet_Register.LIBCPMT ref: 0040F917
                      • std::_Lockit::~_Lockit.LIBCPMT ref: 0040F920
                      • __CxxThrowException@8.LIBVCRUNTIME ref: 0040F93E
                      • __Init_thread_footer.LIBCMT ref: 0040F97F
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Yara matches
                      Similarity
                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_Init_thread_footerRegisterThrow
                      • String ID:
                      • API String ID: 3815856325-0
                      • Opcode ID: 884822b495c0d911e7e6d260955d18b9f199f61a7b6913d9d71a9645d575b0f3
                      • Instruction ID: 3bb9722abb9e04fd13c8d4025e7ce1c878c76566b3017ce531706a3e1b7c3414
                      • Opcode Fuzzy Hash: 884822b495c0d911e7e6d260955d18b9f199f61a7b6913d9d71a9645d575b0f3
                      • Instruction Fuzzy Hash: 90212232900104EBCB24EBA9E94699E7378AB08324F20017FF844B72D1DB389F458BD9
                      APIs
                      • OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,00000000,?,?,?,00418344,00000000), ref: 00418C3E
                      • OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,?,?,00418344,00000000), ref: 00418C52
                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,00418344,00000000), ref: 00418C5F
                      • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00418344,00000000), ref: 00418C94
                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,00418344,00000000), ref: 00418CA6
                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,00418344,00000000), ref: 00418CA9
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Yara matches
                      Similarity
                      • API ID: Service$CloseHandle$Open$ChangeConfigManager
                      • String ID:
                      • API String ID: 493672254-0
                      • Opcode ID: e5fb97a0e042aa3cf5d98ae642475e55fc2ba561f34e835e136d8c0823c8ccc0
                      • Instruction ID: 151ede47f5a01f66990efdacd58a0b59027112db6305451f0336687f4909308b
                      • Opcode Fuzzy Hash: e5fb97a0e042aa3cf5d98ae642475e55fc2ba561f34e835e136d8c0823c8ccc0
                      • Instruction Fuzzy Hash: A20149711862183AE6108B389C4EEBB3A6CDB42771F14032FF925A32D1EE68CD4185F9
                      APIs
                      • GetLastError.KERNEL32(00000020,?,00438595,?,?,?,00439FB1,?,?,00000020,00000000,?,?,?,0042BAB6,0000003B), ref: 00445729
                      • _free.LIBCMT ref: 0044575C
                      • _free.LIBCMT ref: 00445784
                      • SetLastError.KERNEL32(00000000,00439FB1,?,?,00000020,00000000,?,?,?,0042BAB6,0000003B,?,00000041,00000000,00000000), ref: 00445791
                      • SetLastError.KERNEL32(00000000,00439FB1,?,?,00000020,00000000,?,?,?,0042BAB6,0000003B,?,00000041,00000000,00000000), ref: 0044579D
                      • _abort.LIBCMT ref: 004457A3
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Yara matches
                      Similarity
                      • API ID: ErrorLast$_free$_abort
                      • String ID:
                      • API String ID: 3160817290-0
                      • Opcode ID: beb673fc776bdcf0cb4aa2f907b8faed87466b0c6696de81e80bb7a9f8cba6db
                      • Instruction ID: 2afc6a99b93033dbed13f8def56e2284daf42193b39b630cfab03248b002a5f8
                      • Opcode Fuzzy Hash: beb673fc776bdcf0cb4aa2f907b8faed87466b0c6696de81e80bb7a9f8cba6db
                      • Instruction Fuzzy Hash: 6EF0FE35100F0067FA117B367C8AB2F1A695FC2B2AF21013BF419D6293EE3DC902452D
                      APIs
                      • OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,00000001,?,?,?,?,?,?,004185D9,00000000), ref: 00418A6B
                      • OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,004185D9,00000000), ref: 00418A7F
                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004185D9,00000000), ref: 00418A8C
                      • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,004185D9,00000000), ref: 00418A9B
                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004185D9,00000000), ref: 00418AAD
                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004185D9,00000000), ref: 00418AB0
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Yara matches
                      Similarity
                      • API ID: Service$CloseHandle$Open$ControlManager
                      • String ID:
                      • API String ID: 221034970-0
                      • Opcode ID: 3bbd86ba799800cf7f8ce060c277169374427670bb2790cc1e4148a280c4ce89
                      • Instruction ID: 4afe7732e2fa81f36ccf108e41ed7890102f29a09d0e479adccf976045b68e04
                      • Opcode Fuzzy Hash: 3bbd86ba799800cf7f8ce060c277169374427670bb2790cc1e4148a280c4ce89
                      • Instruction Fuzzy Hash: A4F0C2315013186BD210EBA5DC89EBF3BACDF45B96B41002BFD0993192DF38CD4689E9
                      APIs
                      • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,00418559,00000000), ref: 00418B6F
                      • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,00418559,00000000), ref: 00418B83
                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00418559,00000000), ref: 00418B90
                      • ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,00418559,00000000), ref: 00418B9F
                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00418559,00000000), ref: 00418BB1
                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00418559,00000000), ref: 00418BB4
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Yara matches
                      Similarity
                      • API ID: Service$CloseHandle$Open$ControlManager
                      • String ID:
                      • API String ID: 221034970-0
                      • Opcode ID: 51d638f86096adaa624434d30e6a89006adfc0cfe1ec13e8d912c26abb46eda1
                      • Instruction ID: 20460b91a854b5e3c53015269073f2e928c2deccd9acf6b4d89527a320d4dccf
                      • Opcode Fuzzy Hash: 51d638f86096adaa624434d30e6a89006adfc0cfe1ec13e8d912c26abb46eda1
                      • Instruction Fuzzy Hash: 22F0C2715402186BD210EB65DC89EBF3BACDB45B52B81006AFE09A3192DE38DD4589E9
                      APIs
                      • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,004184D9,00000000), ref: 00418BD6
                      • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,004184D9,00000000), ref: 00418BEA
                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004184D9,00000000), ref: 00418BF7
                      • ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,004184D9,00000000), ref: 00418C06
                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004184D9,00000000), ref: 00418C18
                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004184D9,00000000), ref: 00418C1B
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Yara matches
                      Similarity
                      • API ID: Service$CloseHandle$Open$ControlManager
                      • String ID:
                      • API String ID: 221034970-0
                      • Opcode ID: 0684a22c1c03eddcd9e7afcbe452ed3b601dba84a8ad96751855c8c9c88a9e76
                      • Instruction ID: 1da220ff3ffe1d32b0df5c47a21bcd1adf2661b27de4fa42f8fed5365a22baa8
                      • Opcode Fuzzy Hash: 0684a22c1c03eddcd9e7afcbe452ed3b601dba84a8ad96751855c8c9c88a9e76
                      • Instruction Fuzzy Hash: 32F0C2715012186BD210EB65EC89DBF3BACDB45B51B41002AFE0993192DF38CD4589F9
                      APIs
                      • RegisterClassExA.USER32(00000030), ref: 0041B310
                      • CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041B32B
                      • GetLastError.KERNEL32 ref: 0041B335
                      Strings
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Yara matches
                      Similarity
                      • API ID: ClassCreateErrorLastRegisterWindow
                      • String ID: 0$MsgWindowClass
                      • API String ID: 2877667751-2410386613
                      • Opcode ID: 5c8849b15fa1cc9467c1d7fb15406a30d7545ffe8e7388a5e40320623bb372a5
                      • Instruction ID: 33db8f89e50e9671cec9701a72200cc03bcb20702a276687bfdd99081a41ce18
                      • Opcode Fuzzy Hash: 5c8849b15fa1cc9467c1d7fb15406a30d7545ffe8e7388a5e40320623bb372a5
                      • Instruction Fuzzy Hash: 1F0125B190031CABDB10DFE5EC849EFBBBCFB08355F40052AF810A2250E77599048AA4
                      APIs
                      • ___BuildCatchObject.LIBVCRUNTIME ref: 0043761A
                        • Part of subcall function 00437C52: ___AdjustPointer.LIBCMT ref: 00437C9C
                      • _UnwindNestedFrames.LIBCMT ref: 00437631
                      • ___FrameUnwindToState.LIBVCRUNTIME ref: 00437643
                      • CallCatchBlock.LIBVCRUNTIME ref: 00437667
                      Strings
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Yara matches
                      Similarity
                      • API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
                      • String ID: /zC
                      • API String ID: 2633735394-4132788633
                      • Opcode ID: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
                      • Instruction ID: d669bc69f5b2d8c9fbf55978af89ff33433ac2085b506f133949dc977f569c90
                      • Opcode Fuzzy Hash: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
                      • Instruction Fuzzy Hash: 44012D72004508BBCF225F56CC42EDA3BBAEF4C764F15501AFA9861220C33AE861DF98
                      APIs
                      • GetSystemMetrics.USER32(0000004C), ref: 004173AA
                      • GetSystemMetrics.USER32(0000004D), ref: 004173B0
                      • GetSystemMetrics.USER32(0000004E), ref: 004173B6
                      • GetSystemMetrics.USER32(0000004F), ref: 004173BC
                      Strings
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Yara matches
                      Similarity
                      • API ID: MetricsSystem
                      • String ID: ]tA
                      • API String ID: 4116985748-3517819141
                      • Opcode ID: 812a9219b2c6697e1b7e6c0967c7113de32af3875f372bd592213eda7148f6bd
                      • Instruction ID: 3cbdadbf3de93f5eefc1923f71e525f4be7d9c38d0567e5d5edaddbebabc810f
                      • Opcode Fuzzy Hash: 812a9219b2c6697e1b7e6c0967c7113de32af3875f372bd592213eda7148f6bd
                      • Instruction Fuzzy Hash: 64F0AFB1B043254BD700EA7A8C41A6FAAE59BD4274F11443FFA09C7282EEB8DC458B94
                      APIs
                      • CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?,?,?,?,?,00000000,00471FFC), ref: 0040E547
                      • CloseHandle.KERNEL32(?,?,?,?,?,00000000,00471FFC), ref: 0040E556
                      • CloseHandle.KERNEL32(?,?,?,?,?,00000000,00471FFC), ref: 0040E55B
                      Strings
                      • C:\Windows\System32\cmd.exe, xrefs: 0040E542
                      • /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 0040E53D
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Yara matches
                      Similarity
                      • API ID: CloseHandle$CreateProcess
                      • String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
                      • API String ID: 2922976086-4183131282
                      • Opcode ID: 5cb763d495b165fc4f9c66d013102bd94a78ddd016aca5e3dc924e3fee2ecf0f
                      • Instruction ID: 9c8cd13d2f2f5b55d8ef3643fb71004f418ed3317f879fdff7c1c4061e2abca7
                      • Opcode Fuzzy Hash: 5cb763d495b165fc4f9c66d013102bd94a78ddd016aca5e3dc924e3fee2ecf0f
                      • Instruction Fuzzy Hash: 1AF06276D0029C7ACB20AAD7AC0DEDF7F3CEBC6B11F00005AB504A2050D5746540CAB5
                      APIs
                      • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,004407EB,?,?,0044078B,?), ref: 0044085A
                      • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0044086D
                      • FreeLibrary.KERNEL32(00000000,?,?,?,004407EB,?,?,0044078B,?), ref: 00440890
                      Strings
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Yara matches
                      Similarity
                      • API ID: AddressFreeHandleLibraryModuleProc
                      • String ID: CorExitProcess$mscoree.dll
                      • API String ID: 4061214504-1276376045
                      • Opcode ID: cfbbdf30ec96b6666769d195f1efe458a00f065bb439fa98bb073361271b6784
                      • Instruction ID: 0a8d3f567fe41ef9be558500660f8c42ae883db5e601ee7dbbda2c1d2cd30ed9
                      • Opcode Fuzzy Hash: cfbbdf30ec96b6666769d195f1efe458a00f065bb439fa98bb073361271b6784
                      • Instruction Fuzzy Hash: EAF0A431900618BBDB10AF61DC09BAEBFB4DB04756F510275F905A2261CB74CE54CA98
                      APIs
                      • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00405100
                      • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00404E5A,00000001), ref: 0040510C
                      • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,00404E5A,00000001), ref: 00405117
                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00404E5A,00000001), ref: 00405120
                        • Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4
                      Strings
                      • Connection KeepAlive | Disabled, xrefs: 004050D9
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Yara matches
                      Similarity
                      • API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
                      • String ID: Connection KeepAlive | Disabled
                      • API String ID: 2993684571-3818284553
                      • Opcode ID: 3c7acb05a4e0257c4243895fd0c0a32a1713874f0248c7c788b0d5ac90108107
                      • Instruction ID: 9f72672606b7a98fb4f6c5586ee23e87f0057564a74405461857646c77684129
                      • Opcode Fuzzy Hash: 3c7acb05a4e0257c4243895fd0c0a32a1713874f0248c7c788b0d5ac90108107
                      • Instruction Fuzzy Hash: 73F09671D047007FEB1037759D0AA6B7F98DB02315F44096EF882526E1D5B988509B5A
                      APIs
                        • Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4
                      • GetModuleHandleA.KERNEL32(00000000,00020009), ref: 00418DA8
                      • PlaySoundW.WINMM(00000000,00000000), ref: 00418DB6
                      • Sleep.KERNEL32(00002710), ref: 00418DBD
                      • PlaySoundW.WINMM(00000000,00000000,00000000), ref: 00418DC6
                      Strings
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Yara matches
                      Similarity
                      • API ID: PlaySound$HandleLocalModuleSleepTime
                      • String ID: Alarm triggered
                      • API String ID: 614609389-2816303416
                      • Opcode ID: f3b2e6a196e006c08730a50f46cf1091306eb2f4cb3f358d521c73ccadf31b21
                      • Instruction ID: 312fa8acbc24107594bc9953998d05cc744500d2263fe9839a2dc32143519282
                      • Opcode Fuzzy Hash: f3b2e6a196e006c08730a50f46cf1091306eb2f4cb3f358d521c73ccadf31b21
                      • Instruction Fuzzy Hash: 9EE01226E4026037A510376A6D0FC6F2D2DDBD3B6274501AFFA04571D2D9A4080186FF
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 675a2b2e16e95726d0081b70f545144743ae2c0fe8ff8d83379613ee76e05ba8
                      • Instruction ID: 08a5b5d7c592992a36ca4e715a0fda7f3efcfcd9ac9fa05da90acde50f0064fb
                      • Opcode Fuzzy Hash: 675a2b2e16e95726d0081b70f545144743ae2c0fe8ff8d83379613ee76e05ba8
                      • Instruction Fuzzy Hash: C471C3319002169BCB21CF55C884BFFBB75EF99320F24622BEA5167241DB788D41CBE9
                      APIs
                      • Sleep.KERNEL32(00000000,0040BE20), ref: 004044A4
                        • Part of subcall function 004045E7: __EH_prolog.LIBCMT ref: 004045EC
                      Strings
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Yara matches
                      Similarity
                      • API ID: H_prologSleep
                      • String ID: CloseCamera$FreeFrame$GetFrame$OpenCamera
                      • API String ID: 3469354165-3547787478
                      • Opcode ID: bbb38402c9496c34a48b63492a6924582e100767aeebfe0f4872da9798447dbf
                      • Instruction ID: 7794b0ea9bf29785644917a3a4e5658b539d561772896ef264e5995737b90c85
                      • Opcode Fuzzy Hash: bbb38402c9496c34a48b63492a6924582e100767aeebfe0f4872da9798447dbf
                      • Instruction Fuzzy Hash: 5951E8B1B0420167C614BB769D5AA6E3795ABC0744F00053FFA45A77E2EF7C8D09C29E
                      APIs
                        • Part of subcall function 00443649: RtlAllocateHeap.NTDLL(00000000,00433049,?,P@,004365E7,?,?,00000000,?,P@,0040C88A,00433049,?,?,?,?), ref: 0044367B
                      • _free.LIBCMT ref: 00442318
                      • _free.LIBCMT ref: 0044232F
                      • _free.LIBCMT ref: 0044234E
                      • _free.LIBCMT ref: 00442369
                      • _free.LIBCMT ref: 00442380
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Yara matches
                      Similarity
                      • API ID: _free$AllocateHeap
                      • String ID:
                      • API String ID: 3033488037-0
                      • Opcode ID: 1cb3f8468d83fa4b51ad4767ae85eb964ea8f2ce9cb50cf83adb64ec4114f07b
                      • Instruction ID: f6524bd8b7bf53f5b45239f2df66d8239dbe938cd5ee0330fa6954bf91cd2c46
                      • Opcode Fuzzy Hash: 1cb3f8468d83fa4b51ad4767ae85eb964ea8f2ce9cb50cf83adb64ec4114f07b
                      • Instruction Fuzzy Hash: 2951C331A00704AFEB20DF6AC941A6A77F4FF49724F54466EF809DB250E7B9DA018B48
                      APIs
                      • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045C1E4), ref: 004468FE
                      • WideCharToMultiByte.KERNEL32(00000000,00000000,0046F754,000000FF,00000000,0000003F,00000000,?,?), ref: 00446976
                      • WideCharToMultiByte.KERNEL32(00000000,00000000,0046F7A8,000000FF,?,0000003F,00000000,?), ref: 004469A3
                      • _free.LIBCMT ref: 004468EC
                        • Part of subcall function 00443C92: RtlFreeHeap.NTDLL(00000000,00000000,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?), ref: 00443CA8
                        • Part of subcall function 00443C92: GetLastError.KERNEL32(?,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?,?), ref: 00443CBA
                      • _free.LIBCMT ref: 00446AB8
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Yara matches
                      Similarity
                      • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                      • String ID:
                      • API String ID: 1286116820-0
                      • Opcode ID: 13e783ce7238224165918a71ff61bbb040dde026da6db54b448d3cbd4e0f0125
                      • Instruction ID: 7fd05a225221f517daf6149bd07272def0d2f8fc9e30777fa7538f83a84e5ba5
                      • Opcode Fuzzy Hash: 13e783ce7238224165918a71ff61bbb040dde026da6db54b448d3cbd4e0f0125
                      • Instruction Fuzzy Hash: 63511DB1900205ABEB10EF65DC8196A77BCEF42714B12027FE454A7291EBB89E44CB5E
                      APIs
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Yara matches
                      Similarity
                      • API ID: _free
                      • String ID:
                      • API String ID: 269201875-0
                      • Opcode ID: 76d0ae20e321c1f8d33a0e61d3fd8decc26b720c3d8a788f20ca92602b864a36
                      • Instruction ID: cd63c3b426f476a3995244c06b7e284d95fcad26de8669326c9f329b52a78418
                      • Opcode Fuzzy Hash: 76d0ae20e321c1f8d33a0e61d3fd8decc26b720c3d8a788f20ca92602b864a36
                      • Instruction Fuzzy Hash: AE41E132E002049FEB10DF79C981A5EB3F5EF88718F1585AAE915EB351EA74AD41CB84
                      APIs
                      • MultiByteToWideChar.KERNEL32(?,00000000,?,00000000,00000000,00000000,0042BAB6,?,?,?,00000001,00000000,?,00000001,0042BAB6,0042BAB6), ref: 0044E359
                      • __alloca_probe_16.LIBCMT ref: 0044E391
                      • MultiByteToWideChar.KERNEL32(?,00000001,?,00000000,00000000,0042BAB6,?,?,?,00000001,00000000,?,00000001,0042BAB6,0042BAB6,?), ref: 0044E3E2
                      • GetStringTypeW.KERNEL32(00000001,00000000,00000000,00000001,?,?,?,00000001,00000000,?,00000001,0042BAB6,0042BAB6,?,00000002,00000000), ref: 0044E3F4
                      • __freea.LIBCMT ref: 0044E3FD
                        • Part of subcall function 00443649: RtlAllocateHeap.NTDLL(00000000,00433049,?,P@,004365E7,?,?,00000000,?,P@,0040C88A,00433049,?,?,?,?), ref: 0044367B
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Yara matches
                      Similarity
                      • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
                      • String ID:
                      • API String ID: 313313983-0
                      • Opcode ID: cd44d6698c102d2af4edf97b65b02ba280a030654d2c9f96c5f73d04308e4ca0
                      • Instruction ID: e15509fa74df4b182af5404410fa86f763612774b1e54c01db9847f8ec559460
                      • Opcode Fuzzy Hash: cd44d6698c102d2af4edf97b65b02ba280a030654d2c9f96c5f73d04308e4ca0
                      • Instruction Fuzzy Hash: BC31D232A0021AABEF259F66DC45DAF7BA5EF40710F05016AFC04DB291EB39DD51CB98
                      APIs
                      • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00401BD9
                      • waveInOpen.WINMM(0046FAB0,000000FF,0046FA98,Function_00001CEB,00000000,00000000,00000024), ref: 00401C6F
                      • waveInPrepareHeader.WINMM(0046FA78,00000020), ref: 00401CC3
                      • waveInAddBuffer.WINMM(0046FA78,00000020), ref: 00401CD2
                      • waveInStart.WINMM ref: 00401CDE
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Yara matches
                      Similarity
                      • API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
                      • String ID:
                      • API String ID: 1356121797-0
                      • Opcode ID: 83ba936013dc37cd0af0ea744be7f1114ca09fe95f3fbf4348052972e1372099
                      • Instruction ID: fb7f9cdbf736b3995f9a1dd050f0e4013ef0d97c015e7d4644af59ef24d86031
                      • Opcode Fuzzy Hash: 83ba936013dc37cd0af0ea744be7f1114ca09fe95f3fbf4348052972e1372099
                      • Instruction Fuzzy Hash: 77212C326242019BC7049FEABD0591A7BA9FB89714740943BF58DD7AB1FBF844098B0E
                      APIs
                      • GetEnvironmentStringsW.KERNEL32 ref: 0044C543
                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044C566
                        • Part of subcall function 00443649: RtlAllocateHeap.NTDLL(00000000,00433049,?,P@,004365E7,?,?,00000000,?,P@,0040C88A,00433049,?,?,?,?), ref: 0044367B
                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044C58C
                      • _free.LIBCMT ref: 0044C59F
                      • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044C5AE
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Yara matches
                      Similarity
                      • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                      • String ID:
                      • API String ID: 336800556-0
                      • Opcode ID: 4aac595f9ed8bece24bab84cc27b423baa4c6b615b6e2e749ab0ef35dcfe54a8
                      • Instruction ID: 9106a42af1dcf347f359e8079d91fbce8cfabd6158495d04cb7d137736bc8ec9
                      • Opcode Fuzzy Hash: 4aac595f9ed8bece24bab84cc27b423baa4c6b615b6e2e749ab0ef35dcfe54a8
                      • Instruction Fuzzy Hash: AD0171726037257F37611AA75CC8C7F7A6DDAC6BA5319016BB904C3201EA79EE0181B8
                      APIs
                      • std::_Lockit::_Lockit.LIBCPMT ref: 0040FBD5
                      • int.LIBCPMT ref: 0040FBE8
                        • Part of subcall function 0040CAE9: std::_Lockit::_Lockit.LIBCPMT ref: 0040CAFA
                        • Part of subcall function 0040CAE9: std::_Lockit::~_Lockit.LIBCPMT ref: 0040CB14
                      • std::_Facet_Register.LIBCPMT ref: 0040FC28
                      • std::_Lockit::~_Lockit.LIBCPMT ref: 0040FC31
                      • __CxxThrowException@8.LIBVCRUNTIME ref: 0040FC4F
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Yara matches
                      Similarity
                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                      • String ID:
                      • API String ID: 2536120697-0
                      • Opcode ID: 32d331dee3c396e979eb1c936d77adf0263c25033da8a89480af8e78189b82f1
                      • Instruction ID: 5713401f36b8bb0c26d90e6cd89a0375aabf3697ea4116ccadb9116029d1f595
                      • Opcode Fuzzy Hash: 32d331dee3c396e979eb1c936d77adf0263c25033da8a89480af8e78189b82f1
                      • Instruction Fuzzy Hash: 9811C172904118A7CB24EFA5D80289FB778EF44325F10417FFD44B7291DA389E4A87D8
                      APIs
                      • GetLastError.KERNEL32(?,00000000,00000000,00439A11,00000000,00000000,?,00439A95,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 004457AE
                      • _free.LIBCMT ref: 004457E3
                      • _free.LIBCMT ref: 0044580A
                      • SetLastError.KERNEL32(00000000,?,004050E3), ref: 00445817
                      • SetLastError.KERNEL32(00000000,?,004050E3), ref: 00445820
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Yara matches
                      Similarity
                      • API ID: ErrorLast$_free
                      • String ID:
                      • API String ID: 3170660625-0
                      • Opcode ID: 8116442bc0b7785a5c87a9e5c1511c9661b86afcbe0e70ddbbe26362d10e1a04
                      • Instruction ID: 04032910ca93e9be015006ee1c204adc37b37130fda50a8933af11b0a5b4c0b1
                      • Opcode Fuzzy Hash: 8116442bc0b7785a5c87a9e5c1511c9661b86afcbe0e70ddbbe26362d10e1a04
                      • Instruction Fuzzy Hash: 4101FE36100F0077FB127B366CC992B15699FC2B7AB21413BF40592293EE7DCC01462D
                      APIs
                      • _free.LIBCMT ref: 0044DBB4
                        • Part of subcall function 00443C92: RtlFreeHeap.NTDLL(00000000,00000000,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?), ref: 00443CA8
                        • Part of subcall function 00443C92: GetLastError.KERNEL32(?,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?,?), ref: 00443CBA
                      • _free.LIBCMT ref: 0044DBC6
                      • _free.LIBCMT ref: 0044DBD8
                      • _free.LIBCMT ref: 0044DBEA
                      • _free.LIBCMT ref: 0044DBFC
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Yara matches
                      Similarity
                      • API ID: _free$ErrorFreeHeapLast
                      • String ID:
                      • API String ID: 776569668-0
                      • Opcode ID: 4ff6445dbd1c139c6c118283ff3a35b6f69cd7d79671e775af14f987f4430014
                      • Instruction ID: 294e589d6328203d0d12509a579114aacc3179ef351d8ef0a61016021d4f39e6
                      • Opcode Fuzzy Hash: 4ff6445dbd1c139c6c118283ff3a35b6f69cd7d79671e775af14f987f4430014
                      • Instruction Fuzzy Hash: DDF04F339002146BA620EF6AE9C6C5773D9EE01B15355880AF085E7600EA78FC80965C
                      APIs
                      • _free.LIBCMT ref: 00441566
                        • Part of subcall function 00443C92: RtlFreeHeap.NTDLL(00000000,00000000,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?), ref: 00443CA8
                        • Part of subcall function 00443C92: GetLastError.KERNEL32(?,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?,?), ref: 00443CBA
                      • _free.LIBCMT ref: 00441578
                      • _free.LIBCMT ref: 0044158B
                      • _free.LIBCMT ref: 0044159C
                      • _free.LIBCMT ref: 004415AD
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Yara matches
                      Similarity
                      • API ID: _free$ErrorFreeHeapLast
                      • String ID:
                      • API String ID: 776569668-0
                      • Opcode ID: dc25ad9d7c881d5a7498954b547f4469e613371529959f9048218c6a37a16c45
                      • Instruction ID: 534a9c52bd02544fd4565401bb604a6095318b382a753ef56e7f6fd0a1c42297
                      • Opcode Fuzzy Hash: dc25ad9d7c881d5a7498954b547f4469e613371529959f9048218c6a37a16c45
                      • Instruction Fuzzy Hash: 00F030B78052209BD7016F55BC864053BA0BB04B29305853BF8ADE6670FBB90A458F8E
                      APIs
                      • RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 004124AD
                      • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 004124DC
                      • RegEnumValueW.ADVAPI32(?,00000000,?,00003FFF,00000000,?,?,00002710,?,?,?,?,?,?,?,?), ref: 0041257C
                      Strings
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Yara matches
                      Similarity
                      • API ID: Enum$InfoQueryValue
                      • String ID: [regsplt]
                      • API String ID: 3554306468-4262303796
                      • Opcode ID: 31596f5eeff4ff3231d9cf904b1bbbbbb7f3a84228b4d9aa491321f33c9aa201
                      • Instruction ID: d2130986b24ed572c5287744f6969716810a156cba9fb87d3bcc7fef363a21f2
                      • Opcode Fuzzy Hash: 31596f5eeff4ff3231d9cf904b1bbbbbb7f3a84228b4d9aa491321f33c9aa201
                      • Instruction Fuzzy Hash: A6513C71900219AADB10EBA1DD81EEFB7BDEF04304F10016AF505F2191EF786B49CBA8
                      APIs
                      • _strpbrk.LIBCMT ref: 0044B918
                      • _free.LIBCMT ref: 0044BA35
                        • Part of subcall function 00439AA3: IsProcessorFeaturePresent.KERNEL32(00000017,00439A75,004050E3,?,00000000,00000000,00402086,00000000,00000000,?,00439A95,00000000,00000000,00000000,00000000,00000000), ref: 00439AA5
                        • Part of subcall function 00439AA3: GetCurrentProcess.KERNEL32(C0000417,?,004050E3), ref: 00439AC7
                        • Part of subcall function 00439AA3: TerminateProcess.KERNEL32(00000000,?,004050E3), ref: 00439ACE
                      Strings
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Yara matches
                      Similarity
                      • API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
                      • String ID: *?$.
                      • API String ID: 2812119850-3972193922
                      • Opcode ID: 5dfc5c04e88bff774400eef92f9a188e96d7e5ade9dca766e11bbcc0c0b71fd5
                      • Instruction ID: d7c010aeaec7a8a897f36992f2f7f2874d2ac4fe7d304ea8792e53e8e447d7e7
                      • Opcode Fuzzy Hash: 5dfc5c04e88bff774400eef92f9a188e96d7e5ade9dca766e11bbcc0c0b71fd5
                      • Instruction Fuzzy Hash: 9C51C371E002099FEF14DFA9C881AAEB7B5EF48314F24816EE954E7301E779DE018B94
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Yara matches
                      Similarity
                      • API ID: __alloca_probe_16__freea
                      • String ID: H"G$H"GH"G
                      • API String ID: 1635606685-3036711414
                      • Opcode ID: e2e3cca706edb79a852b9ee6f10956c62f062633488338ea1caae12a9919ff4a
                      • Instruction ID: 3c870ea2fb57449e7c992ce38f4d69c2eab2d9a05dd359c3c94aeedaa7d51697
                      • Opcode Fuzzy Hash: e2e3cca706edb79a852b9ee6f10956c62f062633488338ea1caae12a9919ff4a
                      • Instruction Fuzzy Hash: F0411931A00212ABEB219F65CD82A5FB7A1EF45714F54056FF804DB291EBBCDD40879E
                      APIs
                      • __Init_thread_footer.LIBCMT ref: 0040189E
                      • ExitThread.KERNEL32 ref: 004018D6
                      • waveInUnprepareHeader.WINMM(?,00000020,00000000,?,00000020,00471E78,00000000), ref: 004019E4
                        • Part of subcall function 00432525: __onexit.LIBCMT ref: 0043252B
                      Strings
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Yara matches
                      Similarity
                      • API ID: ExitHeaderInit_thread_footerThreadUnprepare__onexitwave
                      • String ID: 8:G
                      • API String ID: 1649129571-405301104
                      • Opcode ID: 10dc60cb35ab61dcc6849e3b29841ec1f691037cf33c39428261ce72e9623d3a
                      • Instruction ID: 6b8457e9d7ea4966c0dd8dde8758560e0d74fde28bba72e74fe0511dc6260a90
                      • Opcode Fuzzy Hash: 10dc60cb35ab61dcc6849e3b29841ec1f691037cf33c39428261ce72e9623d3a
                      • Instruction Fuzzy Hash: 7941E7325042005BC324FB65DD86EAFB3A9AB84318F40453FF589621F2DF78994ADB5E
                      APIs
                      • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe,00000104), ref: 00440975
                      • _free.LIBCMT ref: 00440A40
                      • _free.LIBCMT ref: 00440A4A
                      Strings
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Yara matches
                      Similarity
                      • API ID: _free$FileModuleName
                      • String ID: C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe
                      • API String ID: 2506810119-1759859186
                      • Opcode ID: 85438adf96173c680659750e247b8861d1a9ea07739a925f85de7b4b5d9254a8
                      • Instruction ID: d1e15b597fe779666310b40bee8bd10d15f5dfa451d6ac01ff045fbeec250af7
                      • Opcode Fuzzy Hash: 85438adf96173c680659750e247b8861d1a9ea07739a925f85de7b4b5d9254a8
                      • Instruction Fuzzy Hash: CA31C4B1A00318AFEB21DF99D88199EBBF8EF84314F10406BF544A7311E6B48E55CB59
                      APIs
                        • Part of subcall function 00412006: RegOpenKeyExW.ADVAPI32(80000000,http\shell\open\command,00000000,00020019,00000000,00472248,00471FFC), ref: 00412030
                        • Part of subcall function 00412006: RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,?,00000400), ref: 0041204B
                        • Part of subcall function 00412006: RegCloseKey.ADVAPI32(00000000), ref: 00412054
                        • Part of subcall function 00419F23: GetCurrentProcess.KERNEL32(?,?,?,0040C663,WinDir,00000000,00000000), ref: 00419F34
                      • _wcslen.LIBCMT ref: 00419744
                      Strings
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Yara matches
                      Similarity
                      • API ID: CloseCurrentOpenProcessQueryValue_wcslen
                      • String ID: .exe$program files (x86)\$program files\
                      • API String ID: 37874593-1203593143
                      • Opcode ID: 1417c3b161e4306ff3f102890f87f473ccca3ae6b06841d4ebb46211cc06e180
                      • Instruction ID: a7f24a5d9d5c0dc772ada330bc3383911e5a1e9af4e42701afe0c0cb79e45fb3
                      • Opcode Fuzzy Hash: 1417c3b161e4306ff3f102890f87f473ccca3ae6b06841d4ebb46211cc06e180
                      • Instruction Fuzzy Hash: CB21B872A001046BDF14BAB6DD968FE37AD9E4831CB04057FF405B32D2ED7D8D5942A9
                      APIs
                      • GetLocalTime.KERNEL32(?,?,00000000), ref: 0040A0BE
                      • wsprintfW.USER32 ref: 0040A13F
                        • Part of subcall function 0040962E: SetEvent.KERNEL32(?,?,?,0040A77B,?,?,?,?,?,00000000), ref: 0040965A
                      Strings
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Yara matches
                      Similarity
                      • API ID: EventLocalTimewsprintf
                      • String ID: [%04i/%02i/%02i %02i:%02i:%02i $]
                      • API String ID: 1497725170-1359877963
                      • Opcode ID: 7dcf1d7cb1894f2045459242b6b034b8816ee14a12255925dde439958625a976
                      • Instruction ID: 6803640c9eec9339f7c785541c6425a10534024a2ea1efda602809c990ee83c1
                      • Opcode Fuzzy Hash: 7dcf1d7cb1894f2045459242b6b034b8816ee14a12255925dde439958625a976
                      • Instruction Fuzzy Hash: 5E114272504118AAC708FB96EC558FE77BCEE48315B00412FF806661D2EF7C5A46D6A9
                      APIs
                        • Part of subcall function 0040A0B0: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040A0BE
                        • Part of subcall function 0040A0B0: wsprintfW.USER32 ref: 0040A13F
                        • Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4
                      • CreateThread.KERNEL32(00000000,00000000,Function_000092EF,?,00000000,00000000), ref: 00409EB7
                      • CreateThread.KERNEL32(00000000,00000000,Function_00009311,?,00000000,00000000), ref: 00409EC3
                      • CreateThread.KERNEL32(00000000,00000000,0040931D,?,00000000,00000000), ref: 00409ECF
                      Strings
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Yara matches
                      Similarity
                      • API ID: CreateThread$LocalTime$wsprintf
                      • String ID: Online Keylogger Started
                      • API String ID: 112202259-1258561607
                      • Opcode ID: 5fa459dc9ce629ff8a70036c08f5d98878fb93e531b8a2c19081d6b25492cc47
                      • Instruction ID: 28bbfba120e67fe9302c314101e9d6be38f8a9d2e5fa49f3fb55d6307d966583
                      • Opcode Fuzzy Hash: 5fa459dc9ce629ff8a70036c08f5d98878fb93e531b8a2c19081d6b25492cc47
                      • Instruction Fuzzy Hash: 7F01C4A0A042083AE62076768CD6DBF7A6CCA92398B40047FFA45221C3D9B85C5586FE
                      APIs
                      • LoadLibraryA.KERNEL32(crypt32,CryptUnprotectData,?,00000000,00406039,?,00000000), ref: 00406090
                      • GetProcAddress.KERNEL32(00000000), ref: 00406097
                      Strings
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Yara matches
                      Similarity
                      • API ID: AddressLibraryLoadProc
                      • String ID: CryptUnprotectData$crypt32
                      • API String ID: 2574300362-2380590389
                      • Opcode ID: f0fa7d81e448b8e45dda707d186e5b4dbadcbde3f04206e46648964c8c5bf07c
                      • Instruction ID: 6e7317174224a8efb10ab03f2076fe60a9434866ae70ffeafd7cb5b8c28562e1
                      • Opcode Fuzzy Hash: f0fa7d81e448b8e45dda707d186e5b4dbadcbde3f04206e46648964c8c5bf07c
                      • Instruction Fuzzy Hash: C801F535A04205ABCF18CFA9D8049ABBBB8AB54300F00427FE956E3380D635D904C794
                      APIs
                      • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00405139), ref: 00405153
                      • CloseHandle.KERNEL32(?), ref: 004051AA
                      • SetEvent.KERNEL32(?), ref: 004051B9
                      Strings
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Yara matches
                      Similarity
                      • API ID: CloseEventHandleObjectSingleWait
                      • String ID: Connection Timeout
                      • API String ID: 2055531096-499159329
                      • Opcode ID: 63802c29894aba1c9235576c830eb551c7f601f2e83192e88b92a5e109e54835
                      • Instruction ID: 59ae86e236e2a5bc5991cc3fd82f69d26eb1b9a4ba12329ef82c58e56ff8d0a2
                      • Opcode Fuzzy Hash: 63802c29894aba1c9235576c830eb551c7f601f2e83192e88b92a5e109e54835
                      • Instruction Fuzzy Hash: F901F531A40F40AFE711BB368C4551B7BD4FF01302704097FE19356AA1D6B89800CF49
                      APIs
                      • __CxxThrowException@8.LIBVCRUNTIME ref: 0040D25E
                      Strings
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Yara matches
                      Similarity
                      • API ID: Exception@8Throw
                      • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                      • API String ID: 2005118841-1866435925
                      • Opcode ID: c2bed29ba638d9f2391385ea3c87f8400cac86e7986091462376dda2deee5712
                      • Instruction ID: 5123bbd1fc4d669f1c4d6c1cc045f4f856aea5ad0ec182f95f4946492138bf11
                      • Opcode Fuzzy Hash: c2bed29ba638d9f2391385ea3c87f8400cac86e7986091462376dda2deee5712
                      • Instruction Fuzzy Hash: 0401A261E44208BAD714EAD1C853FBA73689B64705F10806FB911751C2EA7DAA4E862F
                      APIs
                      • ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 0041487B
                      Strings
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Yara matches
                      Similarity
                      • API ID: ExecuteShell
                      • String ID: /C $cmd.exe$open
                      • API String ID: 587946157-3896048727
                      • Opcode ID: 81b5345ad9d3db4d4994ac41449fb6ee697cad801085dd735002afe2716ac4b4
                      • Instruction ID: 0094db9d050c86e8b7efcb7c1e993d1de0046a6f7675c6b5aa1ef49a358ded74
                      • Opcode Fuzzy Hash: 81b5345ad9d3db4d4994ac41449fb6ee697cad801085dd735002afe2716ac4b4
                      • Instruction Fuzzy Hash: 8FF017712083049BC304FBB5DC91DEFB39CAB90348F50493FB556921E2EE789949C65A
                      APIs
                      • RegOpenKeyExW.ADVAPI32(80000000,http\shell\open\command,00000000,00020019,00000000,00472248,00471FFC), ref: 00412030
                      • RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,?,00000400), ref: 0041204B
                      • RegCloseKey.ADVAPI32(00000000), ref: 00412054
                      Strings
                      • http\shell\open\command, xrefs: 00412026
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Yara matches
                      Similarity
                      • API ID: CloseOpenQueryValue
                      • String ID: http\shell\open\command
                      • API String ID: 3677997916-1487954565
                      • Opcode ID: 0e8278834a88dd125b5a4e0272649bf262eb2ce361776dde88d9fd2e8eebaada
                      • Instruction ID: 0e37d8025f140bc42ec1a8b72352379eb981339daaa9ecb07b48012be1c394e8
                      • Opcode Fuzzy Hash: 0e8278834a88dd125b5a4e0272649bf262eb2ce361776dde88d9fd2e8eebaada
                      • Instruction Fuzzy Hash: C5F0C271500218FBDB609B95DC49EDFBBBCEB84B12F1040A6BA04E2150DAB55F98C7A5
                      APIs
                      • RegCreateKeyW.ADVAPI32(80000001,Software\Classes\mscfile\shell\open\command,?), ref: 0041220F
                      • RegSetValueExW.ADVAPI32(?,00469654,00000000,?,00000000,00000000,00469654,?,0040674F,00469654,C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe), ref: 0041223E
                      • RegCloseKey.ADVAPI32(?,?,0040674F,00469654,C:\Users\user\Desktop\018292540-LetterReguranPPI-20230814215304.PDF.exe), ref: 00412249
                      Strings
                      • Software\Classes\mscfile\shell\open\command, xrefs: 0041220D
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Yara matches
                      Similarity
                      • API ID: CloseCreateValue
                      • String ID: Software\Classes\mscfile\shell\open\command
                      • API String ID: 1818849710-505396733
                      • Opcode ID: a2b3254e269ed075d9dc061201a3f9a1afffdab784d1a4dfdfe539f8f512937d
                      • Instruction ID: 05e6d75f170e8ecdfe9b8062019ada1801530107581382ed9d20477649f1572c
                      • Opcode Fuzzy Hash: a2b3254e269ed075d9dc061201a3f9a1afffdab784d1a4dfdfe539f8f512937d
                      • Instruction Fuzzy Hash: A1F0AF71440218BBCF00DFA1ED45AEE376CEF44755F00816ABC05A61A1E63A9E14DA94
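The function above creates HKCU\Software\Classes\mscfile\shell\open\command and sets its default value to the sample's path (RegCreateKeyW / RegSetValueExW, with the sample's own file name visible in the call arguments). Windows does not create a per-user mscfile handler; a high-integrity consumer of the .msc file association such as eventvwr.exe honours the HKCU override, so this key is a well-known UAC-bypass and persistence point. The following PowerShell is an added example written by the editor, not part of the Joe Sandbox report and not code from the sample: it checks a host for that key, reports whether the command references the analysed sample name, pulls any Sysmon Event ID 13 records for the key (Sysmon being installed is an assumption), and removes the key only when run with -Remove.

```powershell
<#
 Added example, written by the editor; it is not part of the Joe Sandbox
 report and not code from the sample. It checks a host for the per-user
 mscfile handler the sample writes (RegCreateKeyW / RegSetValueExW on
 HKCU\Software\Classes\mscfile\shell\open\command in the listing above)
 and, with -Remove, deletes it. Sysmon (Event ID 13) is assumed to be
 installed for the event search; the sample file name is taken from the report.
#>
[CmdletBinding()]
param(
    [switch]$Remove
)

$HijackKey  = 'HKCU:\Software\Classes\mscfile\shell\open\command'
$SampleName = '018292540-LetterReguranPPI-20230814215304.PDF.exe'

function Test-MscFileHijack {
    # A per-user mscfile\shell\open\command key is not created by Windows;
    # its presence alone is a finding. The default value holds the command
    # that a high-integrity consumer of the .msc handler (eventvwr.exe) runs.
    if (-not (Test-Path -LiteralPath $HijackKey)) {
        return [pscustomobject]@{ Present = $false; Command = $null; MatchesSample = $false }
    }
    $cmd = (Get-ItemProperty -LiteralPath $HijackKey -ErrorAction SilentlyContinue).'(default)'
    [pscustomobject]@{
        Present       = $true
        Command       = $cmd
        MatchesSample = ($null -ne $cmd -and $cmd -like "*$SampleName*")
    }
}

function Get-MscFileHijackEvents {
    # Sysmon Event ID 13 (RegistryEvent: value set) records which process wrote
    # the key. Matching on Message avoids depending on property ordering.
    try {
        Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 13 } -ErrorAction Stop |
            Where-Object { $_.Message -match 'Classes\\mscfile\\shell\\open\\command' } |
            Select-Object TimeCreated, Message
    } catch {
        # No Sysmon log, or no matching events: return nothing rather than fail.
        Write-Verbose "Sysmon log not available or empty: $($_.Exception.Message)"
        @()
    }
}

$result = Test-MscFileHijack
if ($result.Present) {
    Write-Warning "mscfile handler hijack present: $HijackKey -> $($result.Command)"
    if ($result.MatchesSample) { Write-Warning 'Command references the analysed sample name.' }
    Get-MscFileHijackEvents | Format-List
    if ($Remove) {
        # Remove the whole per-user mscfile class; nothing legitimate lives there.
        Remove-Item -LiteralPath 'HKCU:\Software\Classes\mscfile' -Recurse -Force
        Write-Output 'Removed HKCU:\Software\Classes\mscfile'
    } else {
        Write-Output 'Re-run with -Remove to delete the key.'
    }
} else {
    Write-Output 'No per-user mscfile handler found.'
}
```

Run it in the affected user's session, since the key lives under that user's HKCU hive; on a machine where the key is absent the script reports nothing and changes nothing. The Sysmon query is only a convenience for attributing the write to a process and can be dropped where Sysmon is not deployed.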
                      APIs
                      • std::_Lockit::_Lockit.LIBCPMT ref: 0040C9D9
                      • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040CA18
                        • Part of subcall function 004333ED: _Yarn.LIBCPMT ref: 0043340C
                        • Part of subcall function 004333ED: _Yarn.LIBCPMT ref: 00433430
                      • __CxxThrowException@8.LIBVCRUNTIME ref: 0040CA3E
                      Strings
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Yara matches
                      Similarity
                      • API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
                      • String ID: bad locale name
                      • API String ID: 3628047217-1405518554
                      • Opcode ID: b8ecc850591a1ec77cb11eee1f92953351954c39fd186dfa0a3b440cd31c26bd
                      • Instruction ID: 2c4ad0125759e8972babdbfe9bad97e9a7b68ba46d49635da0f31685b809246c
                      • Opcode Fuzzy Hash: b8ecc850591a1ec77cb11eee1f92953351954c39fd186dfa0a3b440cd31c26bd
                      • Instruction Fuzzy Hash: 6EF01232500604FAC328FBA6DC5299A77A49F14719F508D3FF545214D1FF396A18C699
                      APIs
                      • RegCreateKeyA.ADVAPI32(80000001,00000000,P0F), ref: 00412276
                      • RegSetValueExA.ADVAPI32(P0F,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B093,004638E0,00000001,000000AF,00463050), ref: 00412291
                      • RegCloseKey.ADVAPI32(?,?,?,?,0040B093,004638E0,00000001,000000AF,00463050), ref: 0041229C
                      Strings
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Yara matches
                      Similarity
                      • API ID: CloseCreateValue
                      • String ID: P0F
                      • API String ID: 1818849710-3540264436
                      • Opcode ID: 621f54e733439cbcd958662464d090e9ff9f63f5a417d09ab0c58a6b3b1f16b4
                      • Instruction ID: aa9041bc7d36289a95917c0f975a521a353b8518001b5fa9068edf17b8c75ad2
                      • Opcode Fuzzy Hash: 621f54e733439cbcd958662464d090e9ff9f63f5a417d09ab0c58a6b3b1f16b4
                      • Instruction Fuzzy Hash: 05E03972600308BBDB209FA09D05FEA7B6CEF04B62F1141A5BF09A6591D2758E14A7A8
                      APIs
                      • GetModuleHandleA.KERNEL32(User32.dll,GetCursorInfo), ref: 004013FC
                      • GetProcAddress.KERNEL32(00000000), ref: 00401403
                      Strings
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Yara matches
                      Similarity
                      • API ID: AddressHandleModuleProc
                      • String ID: GetCursorInfo$User32.dll
                      • API String ID: 1646373207-2714051624
                      • Opcode ID: 088d9d047025d8497e924925820d5eb65f0f262b7c85d6662a4774416c360c30
                      • Instruction ID: b28a71f0ab0cd05a0e9183a6667f806437ada0decc35e30242c3667109896680
                      • Opcode Fuzzy Hash: 088d9d047025d8497e924925820d5eb65f0f262b7c85d6662a4774416c360c30
                      • Instruction Fuzzy Hash: 8BB09BB5741301BB8A017B705E0D905357C550470375102A3B00386161F7F44500C61E
                      APIs
                      • LoadLibraryA.KERNEL32(User32.dll,GetLastInputInfo), ref: 004014A1
                      • GetProcAddress.KERNEL32(00000000), ref: 004014A8
                      Strings
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Yara matches
                      Similarity
                      • API ID: AddressLibraryLoadProc
                      • String ID: GetLastInputInfo$User32.dll
                      • API String ID: 2574300362-1519888992
                      • Opcode ID: 0a32acb6837364cc41bfb1711514e79ed8798cba9f1c44e4cca123ab277e4417
                      • Instruction ID: 9c97512ccc3e9dae7fbe55962af9901819d65f6a69b3e33b2a0b565c767961ff
                      • Opcode Fuzzy Hash: 0a32acb6837364cc41bfb1711514e79ed8798cba9f1c44e4cca123ab277e4417
                      • Instruction Fuzzy Hash: 51B092B1980302AB8E006FB1AE0DE043AB8A604703B5102B6B00292161EAF99440CF2E
                      APIs
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Yara matches
                      Similarity
                      • API ID: __alldvrm$_strrchr
                      • String ID:
                      • API String ID: 1036877536-0
                      • Opcode ID: 45817878d7a01db81a842cb5081aca8b5ed5f57512068edda74ff65de2f7f38c
                      • Instruction ID: 8a3f88530d83194aa24a517e4ef6e15a272d99a70002873db7a8ab856bdac54d
                      • Opcode Fuzzy Hash: 45817878d7a01db81a842cb5081aca8b5ed5f57512068edda74ff65de2f7f38c
                      • Instruction Fuzzy Hash: 18A12572A012869FFB21CE18C8817AEBBA1EF65314F24416FE5859B382CA3C8941C759
                      APIs
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Yara matches
                      Similarity
                      • API ID: _free
                      • String ID:
                      • API String ID: 269201875-0
                      • Opcode ID: e48a72c45575700ceddfc4a13269a7974e50b6c85b9f24d2dc50821f03aae928
                      • Instruction ID: 9707d98a659f88f98630b1874925085f47dfd26ea07d7c57405a666b90b138a8
                      • Opcode Fuzzy Hash: e48a72c45575700ceddfc4a13269a7974e50b6c85b9f24d2dc50821f03aae928
                      • Instruction Fuzzy Hash: 69412C32A041006BDB21AFBA8C4666F3BA5DF453B7F10461FFC18D6293DB3C8E15466A
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 708417122de2711bb2eb7b93dd9c5bc77eababb27f74811c5393ad6cf28abd82
                      • Instruction ID: c1abd53b49e6a7723cad7358b49d7c046164203d86e3a19123cc85c40c5f12b7
                      • Opcode Fuzzy Hash: 708417122de2711bb2eb7b93dd9c5bc77eababb27f74811c5393ad6cf28abd82
                      • Instruction Fuzzy Hash: 93412871E00704AFD7249F79CC46B5A7BA9EB8C714F10523FF142DB681D37999498788
                      APIs
                      Strings
                      • [Cleared browsers logins and cookies.], xrefs: 0040B025
                      • Cleared browsers logins and cookies., xrefs: 0040B036
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Yara matches
                      Similarity
                      • API ID: Sleep
                      • String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
                      • API String ID: 3472027048-1236744412
                      • Opcode ID: 8b2299d4167419da35c718df7871dbe309bc118562e90e7a0a6311305ab773bd
                      • Instruction ID: 9e673e540e653d5dfc9c41bfd33b173fe745421aa21f598ea7623546fa890e2b
                      • Opcode Fuzzy Hash: 8b2299d4167419da35c718df7871dbe309bc118562e90e7a0a6311305ab773bd
                      • Instruction Fuzzy Hash: EE31A24074C3826EDA11BBB555267EF6B924A53758F0844BFF8C42B3C3D9BA4818936F
                      APIs
                        • Part of subcall function 004120E8: RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,00000000,00472200), ref: 00412104
                        • Part of subcall function 004120E8: RegQueryValueExA.KERNELBASE(00000000,00000000,00000000,00000000,00000208,?), ref: 0041211D
                        • Part of subcall function 004120E8: RegCloseKey.KERNELBASE(00000000), ref: 00412128
                      • Sleep.KERNEL32(00000BB8), ref: 004111DF
                      Strings
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Yara matches
                      Similarity
                      • API ID: CloseOpenQuerySleepValue
                      • String ID: H"G$exepath$!G
                      • API String ID: 4119054056-2148977334
                      • Opcode ID: d156cd8a51638a8627d35fbdd7c90d8568819640595f3e7dc19cb873884dd4e6
                      • Instruction ID: cc1704131a0fe244d5c58522e2247ad29464f3afd50ace533094a5add093a815
                      • Opcode Fuzzy Hash: d156cd8a51638a8627d35fbdd7c90d8568819640595f3e7dc19cb873884dd4e6
                      • Instruction Fuzzy Hash: 2321F7A1B0030426DA00B7765D56AAF724D8B84308F00447FBE46F72E3DEBC9D0981AD
                      APIs
                        • Part of subcall function 0041A2DB: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041A2EB
                        • Part of subcall function 0041A2DB: GetWindowTextLengthW.USER32(00000000), ref: 0041A2F4
                        • Part of subcall function 0041A2DB: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0041A31E
                      • Sleep.KERNEL32(000001F4), ref: 0040955A
                      • Sleep.KERNEL32(00000064), ref: 004095F5
                      Strings
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Yara matches
                      Similarity
                      • API ID: Window$SleepText$ForegroundLength
                      • String ID: [ $ ]
                      • API String ID: 3309952895-93608704
                      • Opcode ID: 50bd45538fc1325d318fbbf77384be1d7cd884a7cd54cef18345d66a056de0e4
                      • Instruction ID: f130b1bb1348f748448b569433b56ba5176942d51498ef551544d7c0cb15bd34
                      • Opcode Fuzzy Hash: 50bd45538fc1325d318fbbf77384be1d7cd884a7cd54cef18345d66a056de0e4
                      • Instruction Fuzzy Hash: 2721657160420067C618B776DC179AE32A89F51308F40447FF552772D3EE7D9A05869F
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 2970eecc447bf90f09d99781fc54b6e0c8e96c5b6031d191d94caaf8528dc60b
                      • Instruction ID: cddd12244c82da27d8fba5a3cfb3b4b8374ea1530061808fe1103b2c2b1f06f2
                      • Opcode Fuzzy Hash: 2970eecc447bf90f09d99781fc54b6e0c8e96c5b6031d191d94caaf8528dc60b
                      • Instruction Fuzzy Hash: 46018FB26092163EF6302E796CC1F67271CDF517B9B21033BF625622D2EAB8CD254568
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 995436ab4c2709f546f4042a2e75d66bbbd7790162713e0acfb32ec842828db5
                      • Instruction ID: ded37596ea74bb71ca552df42b40a6491f306b500b676c7390fdbb9d5d89f826
                      • Opcode Fuzzy Hash: 995436ab4c2709f546f4042a2e75d66bbbd7790162713e0acfb32ec842828db5
                      • Instruction Fuzzy Hash: E801D1B220A2163EB6202E796CC9D27631DEF513BE725033BF521522E6EF7DCC855168
                      APIs
                      • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,00445A3C,00000000,00000000,00000000,00000000,?,00445D68,00000006,FlsSetValue), ref: 00445AC7
                      • GetLastError.KERNEL32(?,00445A3C,00000000,00000000,00000000,00000000,?,00445D68,00000006,FlsSetValue,0045C110,0045C118,00000000,00000364,?,004457F7), ref: 00445AD3
                      • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00445A3C,00000000,00000000,00000000,00000000,?,00445D68,00000006,FlsSetValue,0045C110,0045C118,00000000), ref: 00445AE1
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Yara matches
                      Similarity
                      • API ID: LibraryLoad$ErrorLast
                      • String ID:
                      • API String ID: 3177248105-0
                      • Opcode ID: 6ca79951660ad3b6e96c8c42d18b75cc874aa2905662dd76989ddfa9726cc4c5
                      • Instruction ID: dabcc1aa4f00c9d7d6140ee010913d89a9079070269616da1364236c98588597
                      • Opcode Fuzzy Hash: 6ca79951660ad3b6e96c8c42d18b75cc874aa2905662dd76989ddfa9726cc4c5
                      • Instruction Fuzzy Hash: 8501FC32601B276BDF218A78AC84D577758EF05B617110635F906E3242D724DC01C6E8
                      APIs
                      • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040983B), ref: 0041A228
                      • GetFileSize.KERNEL32(00000000,00000000), ref: 0041A23C
                      • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0041A261
                      • CloseHandle.KERNEL32(00000000), ref: 0041A26F
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Yara matches
                      Similarity
                      • API ID: File$CloseCreateHandleReadSize
                      • String ID:
                      • API String ID: 3919263394-0
                      • Opcode ID: 41f32d273eec2ecedf938006867b0e525744eccbc76a9f2796ec39ced93a6363
                      • Instruction ID: 89bb00dd3d40589ea0a8ab1c68f17f151e0eed20b013a8aeca2898ab58bcd068
                      • Opcode Fuzzy Hash: 41f32d273eec2ecedf938006867b0e525744eccbc76a9f2796ec39ced93a6363
                      • Instruction Fuzzy Hash: 6EF0F6B13023087FE6102B21AC84FBF369CDB867A5F01027EF901A32C1CA3A8C054536
                      APIs
                      • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00436CD1
                      • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 00436CD6
                      • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 00436CDB
                        • Part of subcall function 004381DA: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 004381EB
                      • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00436CF0
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Yara matches
                      Similarity
                      • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                      • String ID:
                      • API String ID: 1761009282-0
                      • Opcode ID: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
                      • Instruction ID: fe0629a2579d5eb29aad24ff52ac89f8c4d28ee3f0e2161d733d9faf058f7893
                      • Opcode Fuzzy Hash: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
                      • Instruction Fuzzy Hash: 12C00254040342742C5077B622062AEA350A8AE38DFA7B4CFB892171038D0D440B953F
                      APIs
                      • __startOneArgErrorHandling.LIBCMT ref: 004401ED
                      Strings
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Yara matches
                      Similarity
                      • API ID: ErrorHandling__start
                      • String ID: pow
                      • API String ID: 3213639722-2276729525
                      • Opcode ID: 28648d1c5639a1d5ffd860c5db5a803017559560979bfd47f5832c4e42ec8e44
                      • Instruction ID: 9a83a7e01686381b8a8ce0b853cf5bc52d75b03c70b61edc7fb1f4b11142e615
                      • Opcode Fuzzy Hash: 28648d1c5639a1d5ffd860c5db5a803017559560979bfd47f5832c4e42ec8e44
                      • Instruction Fuzzy Hash: 21518A60A842018AFB117714CA4137B3B90EB40701F248DABE5D2563EAEB7D8CB5DA4F
                      APIs
                      • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00404046
                        • Part of subcall function 00419959: GetCurrentProcessId.KERNEL32(00000000,75923530,00000000,?,?,?,?,00469654,0040BDCB,.vbs,?,?,?,?,?,00472200), ref: 00419980
                        • Part of subcall function 004168A6: CloseHandle.KERNEL32(004040D5,?,?,004040D5,00462E24), ref: 004168BC
                        • Part of subcall function 004168A6: CloseHandle.KERNEL32($.F,?,?,004040D5,00462E24), ref: 004168C5
                        • Part of subcall function 0041A20F: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040983B), ref: 0041A228
                      • Sleep.KERNEL32(000000FA,00462E24), ref: 00404118
                      Strings
                      • /sort "Visit Time" /stext ", xrefs: 00404092
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Yara matches
                      Similarity
                      • API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
                      • String ID: /sort "Visit Time" /stext "
                      • API String ID: 368326130-1573945896
                      • Opcode ID: 2f96630334efbfd4b306ff90604b490529d5dc6b98f029d45a81ae78404ef316
                      • Instruction ID: 7f8942f24ccac46b0034012f494d3192eca769648d2eef92b07e1d28e9d76a7f
                      • Opcode Fuzzy Hash: 2f96630334efbfd4b306ff90604b490529d5dc6b98f029d45a81ae78404ef316
                      • Instruction Fuzzy Hash: B5316431A0021556CB14FBB6DC969EE73B9AF90308F40017FF506B71E2EE38594ACA99
                      APIs
                        • Part of subcall function 00432525: __onexit.LIBCMT ref: 0043252B
                      • __Init_thread_footer.LIBCMT ref: 0040A6E3
                      Strings
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Yara matches
                      Similarity
                      • API ID: Init_thread_footer__onexit
                      • String ID: [End of clipboard]$[Text copied to clipboard]
                      • API String ID: 1881088180-3686566968
                      • Opcode ID: 7103c85559471987959954c794bf5a9939257c7fe470f67ca2388a99a2e131d5
                      • Instruction ID: 89f5e7c07999504d217297f9a041c68b3e0b8c5632e5b70e4a6c966e9d45e494
                      • Opcode Fuzzy Hash: 7103c85559471987959954c794bf5a9939257c7fe470f67ca2388a99a2e131d5
                      • Instruction Fuzzy Hash: 42218D31A002055ACB04FBA5D892DEDB378AF54308F10453FF506771D2EF38AE4A8A8D
                      APIs
                      • GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,0044EF72,?,00000050,?,?,?,?,?), ref: 0044EDF2
                      Strings
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID: ACP$OCP
                      • API String ID: 0-711371036
                      • Opcode ID: 2f6255c43d422f9ec28f5694223862b2eeac92ff2acac738a800f64e00dd4497
                      • Instruction ID: ce4b6ecbf16ce97eee8671cf775368e41a8ae942868fb71505acbacd33d5bec2
                      • Opcode Fuzzy Hash: 2f6255c43d422f9ec28f5694223862b2eeac92ff2acac738a800f64e00dd4497
                      • Instruction Fuzzy Hash: 4F21F1E2E00102A2FB348B67CC01BAB72A6FF54B51F568426E90AD7300EB3ADD41C35C
                      APIs
                      • GetWindowTextW.USER32(?,?,0000012C), ref: 00415B2E
                      • IsWindowVisible.USER32(?), ref: 00415B37
                      Strings
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Yara matches
                      Similarity
                      • API ID: Window$TextVisible
                      • String ID: (%G
                      • API String ID: 1670992164-3377777310
                      • Opcode ID: 5332efaccc7d7c2c6cf63c14179539180dc6fa0cfb5aa13d9b40585e9b1c5967
                      • Instruction ID: 7bdbcb6602ffb42e5ce2137d58ff1a132c15f169860b2e192372582f8912ca7a
                      • Opcode Fuzzy Hash: 5332efaccc7d7c2c6cf63c14179539180dc6fa0cfb5aa13d9b40585e9b1c5967
                      • Instruction Fuzzy Hash: E42166315182019BC314FB61D891EEFB7E9AF94304F50493FF49A920E2FF349A49CA5A
                      APIs
                      • GetLocalTime.KERNEL32(?,004724A8,?,00000000,?,?,?,?,?,?,004146C2,?,00000001,0000004C,00000000), ref: 00405010
                        • Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4
                      • GetLocalTime.KERNEL32(?,004724A8,?,00000000,?,?,?,?,?,?,004146C2,?,00000001,0000004C,00000000), ref: 00405067
                      Strings
                      • Connection KeepAlive | Enabled | Timeout: , xrefs: 00404FFF
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Yara matches
                      Similarity
                      • API ID: LocalTime
                      • String ID: Connection KeepAlive | Enabled | Timeout:
                      • API String ID: 481472006-507513762
                      • Opcode ID: a8726f34dbf31cf40e7db5209114500087a3490dd5e7b49e6455b7329ad4a22d
                      • Instruction ID: 0beb7a88d254a358a963561f9d97893b624dd36ca90e96b80d49a5b3b1f878f3
                      • Opcode Fuzzy Hash: a8726f34dbf31cf40e7db5209114500087a3490dd5e7b49e6455b7329ad4a22d
                      • Instruction Fuzzy Hash: 092137719042406BD304B7219D2976F7794A745308F04047EF845132E2DBBD5988CB9F
                      APIs
                      • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00432D8F
                      • ___raise_securityfailure.LIBCMT ref: 00432E76
                      Strings
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Yara matches
                      Similarity
                      • API ID: FeaturePresentProcessor___raise_securityfailure
                      • String ID: (F
                      • API String ID: 3761405300-3109638091
                      • Opcode ID: 8d70a3cd03553c2d68efa77227729d50617932ca87f7888c32547dfbcc783ade
                      • Instruction ID: 494dc9d0fce29d31cb3ef34e393fed80e8221b4646dfbf54f91bf1ae82b1ca01
                      • Opcode Fuzzy Hash: 8d70a3cd03553c2d68efa77227729d50617932ca87f7888c32547dfbcc783ade
                      • Instruction Fuzzy Hash: 8C21F0BD500205DEE700DF16E9856403BE4BB49314F20943AE9088B3A1F3F669918F9F
                      APIs
                      • GetLocalTime.KERNEL32(00000000), ref: 004194F4
                      Strings
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Yara matches
                      Similarity
                      • API ID: LocalTime
                      • String ID: | $%02i:%02i:%02i:%03i
                      • API String ID: 481472006-2430845779
                      • Opcode ID: 07f86f52f9fe5ad8dc19ba50befdd62a3544993bc388c75ec5461e2102273a9c
                      • Instruction ID: bce8772fa89f7f7ff9e68bb522557632f538b64cb503c22793e2f51f4d03e72f
                      • Opcode Fuzzy Hash: 07f86f52f9fe5ad8dc19ba50befdd62a3544993bc388c75ec5461e2102273a9c
                      • Instruction Fuzzy Hash: 68117F315042015AC304FBA5D8518EBB3E8AB94308F500A3FF895A21E2FF3CDA49C65A
                      APIs
                      • GetDriveTypeA.KERNEL32(00000000,?,0000000A,00471E78,?), ref: 00406B60
                      • lstrlenA.KERNEL32(00000000,00000000,0000002D), ref: 00406BBC
                      Strings
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Yara matches
                      Similarity
                      • API ID: DriveTypelstrlen
                      • String ID: Ws@
                      • API String ID: 1700768220-3833367170
                      • Opcode ID: 0e5edb2266cd4b610cea852f101f42e9b8e15d10d9c755c24c9b2aaba250e15e
                      • Instruction ID: bd7ac8bb915d3f0bfd94f66ba46fc9d40afea29ba7a9df804c5d05ff75fdb300
                      • Opcode Fuzzy Hash: 0e5edb2266cd4b610cea852f101f42e9b8e15d10d9c755c24c9b2aaba250e15e
                      • Instruction Fuzzy Hash: C7017071A041096ACB04F7B5DC56EADB76C9F54344F50007EF406A31E1EF785A06C689
                      APIs
                      • PathFileExistsW.SHLWAPI(00000000,00000000,?,?,?,?,?,00415594,00000000), ref: 00418CF2
                      Strings
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Yara matches
                      Similarity
                      • API ID: ExistsFilePath
                      • String ID: alarm.wav$x(G
                      • API String ID: 1174141254-2413638199
                      • Opcode ID: 063e447dd27a8f3e036d16ecff9e9acab7f656fc78c84636d77534a964b77f13
                      • Instruction ID: fe962266bcbe9b481af3baecc2186877703bd5259ecc619923a55b1e0e4c82aa
                      • Opcode Fuzzy Hash: 063e447dd27a8f3e036d16ecff9e9acab7f656fc78c84636d77534a964b77f13
                      • Instruction Fuzzy Hash: 40019270B0430056C604F7A6E9566EE37958BA1358F00857FA849672E2EEBD4D45C6CF
                      APIs
                        • Part of subcall function 0040A0B0: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040A0BE
                        • Part of subcall function 0040A0B0: wsprintfW.USER32 ref: 0040A13F
                        • Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4
                      • CloseHandle.KERNEL32(?), ref: 00409FFD
                      • UnhookWindowsHookEx.USER32 ref: 0040A010
                      Strings
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Yara matches
                      Similarity
                      • API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
                      • String ID: Online Keylogger Stopped
                      • API String ID: 1623830855-1496645233
                      • Opcode ID: 95be6b2d5d1265815bc3ce4225fc1cdac552dc75167390ee86932ead681b8db3
                      • Instruction ID: de94d33b988dbd75262e40483fa5bc1fa77a380ea8b62c1163629748a83ca489
                      • Opcode Fuzzy Hash: 95be6b2d5d1265815bc3ce4225fc1cdac552dc75167390ee86932ead681b8db3
                      • Instruction Fuzzy Hash: 2601F530A003045BD7257F24C81BBBE7BB59B82304F40056FE541225D2EAB91866E7DF
                      APIs
                      • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000,?,?,?,?,?,?,0040B5A1,?), ref: 0040B49A
                      Strings
                      Memory Dump Source
                      • Source File: 00000003.00000002.4563140092.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_3_2_400000_018292540-LetterReguranPPI-20230814215304.jbxd
                      Yara matches
                      Similarity
                      • API ID: ExistsFilePath
                      • String ID: UserProfile$\AppData\Local\Microsoft\Edge\
                      • API String ID: 1174141254-2800177040
                      APIs
                      • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000,?,?,?,?,?,?,0040B53E,?), ref: 0040B437
                      Similarity
                      • API ID: ExistsFilePath
                      • String ID: UserProfile$\AppData\Local\Google\Chrome\
                      • API String ID: 1174141254-4188645398
                      APIs
                      • PathFileExistsW.SHLWAPI(00000000,\Opera Software\Opera Stable\,00000000,?,?,?,?,?,?,0040B604,?), ref: 0040B4FD
                      Similarity
                      • API ID: ExistsFilePath
                      • String ID: AppData$\Opera Software\Opera Stable\
                      • API String ID: 1174141254-1629609700
                      APIs
                      • GetKeyState.USER32(00000011), ref: 0040A597
                        • Part of subcall function 00409468: GetForegroundWindow.USER32(00472008,?,00472008), ref: 0040949C
                        • Part of subcall function 00409468: GetWindowThreadProcessId.USER32(00000000,?), ref: 004094A7
                        • Part of subcall function 00409468: GetKeyboardLayout.USER32(00000000), ref: 004094AE
                        • Part of subcall function 00409468: GetKeyState.USER32(00000010), ref: 004094B8
                        • Part of subcall function 00409468: GetKeyboardState.USER32(?), ref: 004094C5
                        • Part of subcall function 00409468: ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 004094E1
                        • Part of subcall function 0040962E: SetEvent.KERNEL32(?,?,?,0040A77B,?,?,?,?,?,00000000), ref: 0040965A
                      Similarity
                      • API ID: State$KeyboardWindow$EventForegroundLayoutProcessThreadUnicode
                      • String ID: [AltL]$[AltR]
                      • API String ID: 3195419117-2658077756
                      APIs
                      • GetKeyState.USER32(00000012), ref: 0040A5F1
                      Similarity
                      • API ID: State
                      • String ID: [CtrlL]$[CtrlR]
                      • API String ID: 1649606143-2446555240
                      APIs
                      • RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,004721E8,80000002,80000002,0040BD02,00000000,?,00472200,pth_unenc,004721E8), ref: 00412422
                      • RegDeleteValueW.ADVAPI32(004721E8,?,?,00472200,pth_unenc,004721E8), ref: 00412436
                      Strings
                      • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00412420
                      Similarity
                      • API ID: DeleteOpenValue
                      • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                      • API String ID: 2654517830-1051519024
                      APIs
                      • std::invalid_argument::invalid_argument.LIBCONCRT ref: 00433064
                        • Part of subcall function 00432FCD: std::exception::exception.LIBCONCRT ref: 00432FDA
                      • __CxxThrowException@8.LIBVCRUNTIME ref: 00433072
                        • Part of subcall function 00436EC6: RaiseException.KERNEL32(?,?,00433057,?,?,?,00000000,?,?,?,P@,00433057,?,0046B09C,00000000), ref: 00436F25
                      Similarity
                      • API ID: ExceptionException@8RaiseThrowstd::exception::exceptionstd::invalid_argument::invalid_argument
                      • String ID: P@
                      • API String ID: 1586462112-676759640
                      APIs
                      • std::invalid_argument::invalid_argument.LIBCONCRT ref: 00433044
                        • Part of subcall function 00432F76: std::exception::exception.LIBCONCRT ref: 00432F83
                      • __CxxThrowException@8.LIBVCRUNTIME ref: 00433052
                        • Part of subcall function 00436EC6: RaiseException.KERNEL32(?,?,00433057,?,?,?,00000000,?,?,?,P@,00433057,?,0046B09C,00000000), ref: 00436F25
                      Similarity
                      • API ID: ExceptionException@8RaiseThrowstd::exception::exceptionstd::invalid_argument::invalid_argument
                      • String ID: P@
                      • API String ID: 1586462112-676759640
                      APIs
                      • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401D35), ref: 0043B4DB
                      • GetLastError.KERNEL32 ref: 0043B4E9
                      • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0043B544
                      Similarity
                      • API ID: ByteCharMultiWide$ErrorLast
                      • String ID:
                      • API String ID: 1717984340-0
                      APIs
                      • IsBadReadPtr.KERNEL32(?,00000014), ref: 004105F1
                      • IsBadReadPtr.KERNEL32(?,00000014), ref: 004106BD
                      • SetLastError.KERNEL32(0000007F,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004106DF
                      • SetLastError.KERNEL32(0000007E,00410955), ref: 004106F6
                      Similarity
                      • API ID: ErrorLastRead
                      • String ID:
                      • API String ID: 4100373531-0