Windows Analysis Report
invoice727282_PDF..exe

Overview

General Information

Sample name: invoice727282_PDF..exe
Analysis ID: 1490419
MD5: 8a1b3f441a8f2da1b6bb52359fa5694d
SHA1: 0d522e50748a4ea1f098091865c594a16d75794c
SHA256: 30c2e1e5a35089de9990cf07fd080b4dbed13bd07823b3d54f173337cb25f8c1
Tags: exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
AI detected suspicious sample
Allocates memory in foreign processes
Contains functionality to log keystrokes (.Net Source)
Contains functionality to register a low level keyboard hook
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample has a suspicious name (potential lure to open the executable)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Potential key logger detected (key state polling based)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: AspNetCompiler Execution
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Suspicious Outbound SMTP Connections
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • invoice727282_PDF..exe (PID: 4800 cmdline: "C:\Users\user\Desktop\invoice727282_PDF..exe" MD5: 8A1B3F441A8F2DA1B6BB52359FA5694D)
    • aspnet_compiler.exe (PID: 5680 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Aspnet_compiler.exe" MD5: FDA8C8F2A4E100AFB14C13DFCBCAB2D2)
  • QGwHqTR.exe (PID: 7344 cmdline: "C:\Users\user\AppData\Roaming\QGwHqTR\QGwHqTR.exe" MD5: FDA8C8F2A4E100AFB14C13DFCBCAB2D2)
    • conhost.exe (PID: 7352 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • QGwHqTR.exe (PID: 7588 cmdline: "C:\Users\user\AppData\Roaming\QGwHqTR\QGwHqTR.exe" MD5: FDA8C8F2A4E100AFB14C13DFCBCAB2D2)
    • conhost.exe (PID: 7596 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Extracted malware configuration: {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.convergesolve.com", "Username": "prop@convergesolve.com", "Password": "vS#2!nM*5zcVw"}
Source | Rule | Description | Author
00000006.00000002.3741077365.0000000003061000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000006.00000002.3729441710.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000006.00000002.3729441710.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000006.00000002.3741077365.0000000003021000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000006.00000002.3741077365.0000000003021000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(9 further entries omitted from this view)

Source | Rule | Description | Author
6.2.aspnet_compiler.exe.400000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
6.2.aspnet_compiler.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
6.2.aspnet_compiler.exe.400000.0.unpack | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen (matched strings $s1 to $s8: Windows vault schema GUIDs)
3.2.invoice727282_PDF..exe.3a69638.3.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
3.2.invoice727282_PDF..exe.3a69638.3.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(4 further entries omitted from this view)

System Summary

Source: Process started | Author: frack113 | Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Aspnet_compiler.exe", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Aspnet_compiler.exe", CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, ParentCommandLine: "C:\Users\user\Desktop\invoice727282_PDF..exe", ParentImage: C:\Users\user\Desktop\invoice727282_PDF..exe, ParentProcessId: 4800, ParentProcessName: invoice727282_PDF..exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Aspnet_compiler.exe", ProcessId: 5680, ProcessName: aspnet_compiler.exe
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\user\AppData\Roaming\QGwHqTR\QGwHqTR.exe, EventID: 13, EventType: SetValue, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, ProcessId: 5680, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QGwHqTR
Source: Network Connection | Author: frack113 | Data: DestinationIp: 209.124.85.231, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, Initiated: true, ProcessId: 5680, Protocol: tcp, SourceIp: 192.168.2.7, SourceIsIpv6: false, SourcePort: 49704
No Suricata rule has matched

AV Detection

Source: invoice727282_PDF..exe | Avira: detected
Source: 6.2.aspnet_compiler.exe.400000.0.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.convergesolve.com", "Username": "prop@convergesolve.com", "Password": "vS#2!nM*5zcVw"}
Source: invoice727282_PDF..exe | ReversingLabs: Detection: 39%
Source: invoice727282_PDF..exe | Virustotal: Detection: 41%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: invoice727282_PDF..exe | Joe Sandbox ML: detected
Source: unknown | HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.7:49703 version: TLS 1.2
Source: invoice727282_PDF..exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\Administrator\Documents\CryptoObfuscator_Output\MNJ988.pdbBSJB | source: invoice727282_PDF..exe
Source: Binary string: Under.pdb | source: invoice727282_PDF..exe, 00000003.00000002.1272813919.0000000002711000.00000004.00000800.00020000.00000000.sdmp, invoice727282_PDF..exe, 00000003.00000002.1272722248.00000000025E0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: C:\Users\Administrator\Documents\CryptoObfuscator_Output\MNJ988.pdb | source: invoice727282_PDF..exe
Source: Binary string: ompiler.pdb | source: aspnet_compiler.exe, 00000006.00000002.3748270115.00000000066F4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: aspnet_compiler.pdb | source: QGwHqTR.exe, 0000000C.00000000.1420599710.0000000000342000.00000002.00000001.01000000.0000000A.sdmp, QGwHqTR.exe.6.dr
Source: global traffic | TCP traffic: 192.168.2.7:49704 -> 209.124.85.231:587
Source: Joe Sandbox View | IP Address: 172.67.74.152
Source: Joe Sandbox View | ASN Name: A2HOSTINGUS
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | DNS query: name: api.ipify.org
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
    Host: api.ipify.org
    Connection: Keep-Alive
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: api.ipify.org
Source: global traffic | DNS traffic detected: DNS query: mail.convergesolve.com
Source: invoice727282_PDF..exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: invoice727282_PDF..exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: invoice727282_PDF..exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: invoice727282_PDF..exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: invoice727282_PDF..exe | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: invoice727282_PDF..exe | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: invoice727282_PDF..exe | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: invoice727282_PDF..exe | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: invoice727282_PDF..exe | String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: aspnet_compiler.exe, 00000006.00000002.3741077365.00000000030E4000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000006.00000002.3741077365.000000000310D000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000006.00000002.3741077365.000000000304C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://mail.convergesolve.com
Source: invoice727282_PDF..exe | String found in binary or memory: http://ocsp.digicert.com0
Source: invoice727282_PDF..exe | String found in binary or memory: http://ocsp.digicert.com0A
Source: invoice727282_PDF..exe | String found in binary or memory: http://ocsp.digicert.com0C
Source: invoice727282_PDF..exe | String found in binary or memory: http://ocsp.digicert.com0X
Source: aspnet_compiler.exe, 00000006.00000002.3741077365.00000000030E4000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000006.00000002.3748270115.0000000006722000.00000004.00000020.00020000.00000000.sdmp, aspnet_compiler.exe, 00000006.00000002.3741077365.000000000310D000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000006.00000002.3738347242.0000000001357000.00000004.00000020.00020000.00000000.sdmp, aspnet_compiler.exe, 00000006.00000002.3741077365.000000000304C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://r10.i.lencr.org/0
Source: aspnet_compiler.exe, 00000006.00000002.3741077365.00000000030E4000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000006.00000002.3748270115.0000000006722000.00000004.00000020.00020000.00000000.sdmp, aspnet_compiler.exe, 00000006.00000002.3741077365.000000000310D000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000006.00000002.3738347242.0000000001357000.00000004.00000020.00020000.00000000.sdmp, aspnet_compiler.exe, 00000006.00000002.3741077365.000000000304C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://r10.o.lencr.org0#
Source: invoice727282_PDF..exe | String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: invoice727282_PDF..exe | String found in binary or memory: http://s.symcd.com06
Source: aspnet_compiler.exe, 00000006.00000002.3741077365.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: invoice727282_PDF..exe | String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: invoice727282_PDF..exe | String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: invoice727282_PDF..exe | String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: invoice727282_PDF..exe | String found in binary or memory: http://www.digicert.com/CPS0
Source: aspnet_compiler.exe, 00000006.00000002.3741077365.00000000030E4000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000006.00000002.3748270115.0000000006722000.00000004.00000020.00020000.00000000.sdmp, aspnet_compiler.exe, 00000006.00000002.3741077365.000000000310D000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000006.00000002.3738347242.0000000001357000.00000004.00000020.00020000.00000000.sdmp, aspnet_compiler.exe, 00000006.00000002.3741077365.000000000304C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.c.lencr.org/0
Source: aspnet_compiler.exe, 00000006.00000002.3748270115.0000000006722000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://x1.i.le
Source: aspnet_compiler.exe, 00000006.00000002.3741077365.00000000030E4000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000006.00000002.3748270115.0000000006722000.00000004.00000020.00020000.00000000.sdmp, aspnet_compiler.exe, 00000006.00000002.3741077365.000000000310D000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000006.00000002.3738347242.0000000001357000.00000004.00000020.00020000.00000000.sdmp, aspnet_compiler.exe, 00000006.00000002.3741077365.000000000304C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.i.lencr.org/0
Source: invoice727282_PDF..exe, 00000003.00000002.1272969441.0000000003975000.00000004.00000800.00020000.00000000.sdmp, invoice727282_PDF..exe, 00000003.00000002.1272969441.0000000003B95000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000006.00000002.3729441710.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://account.dyn.com/
Source: invoice727282_PDF..exe, 00000003.00000002.1272969441.0000000003975000.00000004.00000800.00020000.00000000.sdmp, invoice727282_PDF..exe, 00000003.00000002.1272969441.0000000003B95000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000006.00000002.3729441710.0000000000402000.00000040.00000400.00020000.00000000.sdmp, aspnet_compiler.exe, 00000006.00000002.3741077365.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org
Source: aspnet_compiler.exe, 00000006.00000002.3741077365.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org/
Source: aspnet_compiler.exe, 00000006.00000002.3741077365.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org/t
Source: invoice727282_PDF..exe | String found in binary or memory: https://d.symcb.com/cps0%
Source: invoice727282_PDF..exe | String found in binary or memory: https://d.symcb.com/rpa0
Source: invoice727282_PDF..exe | String found in binary or memory: https://d.symcb.com/rpa0.
Source: unknown | Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49703

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 3.2.invoice727282_PDF..exe.3a69638.3.raw.unpack, SKTzxzsJw.cs | .Net Code: _1y4QtUg
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 6_2_0695E780 SetWindowsHookExA 0000000D,00000000,?,?,?,?,?,?,?,?,?,0695F650,00000000,00000000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\Aspnet_compiler.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Window created: window name: CLIPBRDWNDCLASS
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 6_2_06A2C8C8 GetKeyState,GetKeyState,GetKeyState
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 6_2_06A2C8D8 GetKeyState,GetKeyState,GetKeyState

System Summary

Source: 6.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 3.2.invoice727282_PDF..exe.3a69638.3.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 3.2.invoice727282_PDF..exe.3a69638.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: initial sample | Static PE information: Filename: invoice727282_PDF..exe
Source: invoice727282_PDF..exe | Static file information: Suspicious name
Source: C:\Users\user\Desktop\invoice727282_PDF..exe | Code function: 3_2_00930A98
Source: C:\Users\user\Desktop\invoice727282_PDF..exe | Code function: 3_2_009327E1
Source: C:\Users\user\Desktop\invoice727282_PDF..exe | Code function: 3_2_00932070
Source: C:\Users\user\Desktop\invoice727282_PDF..exe | Code function: 3_2_00932061
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 6_2_02FA4248
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 6_2_02FA4B18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 6_2_02FA3F00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 6_2_02FACCA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 6_2_02FACC9B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 6_2_069554D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 6_2_069534D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 6_2_06950358
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 6_2_06A2A730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 6_2_06A257C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 6_2_06A4AEB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 6_2_06A4B7B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 6_2_06A4CF48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 6_2_06A47400
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 6_2_06A44DF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 6_2_06A41220
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 6_2_06A419E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 6_2_06A4C868
Source: invoice727282_PDF..exe | Static PE information: invalid certificate
Source: invoice727282_PDF..exe, 00000003.00000002.1272813919.0000000002788000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename77a44212-f6b7-4055-a909-4622785ee49c.exe4 vs invoice727282_PDF..exe
Source: invoice727282_PDF..exe, 00000003.00000002.1272813919.0000000002711000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUnder.dll, vs invoice727282_PDF..exe
Source: invoice727282_PDF..exe, 00000003.00000002.1272722248.00000000025E0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameUnder.dll, vs invoice727282_PDF..exe
Source: invoice727282_PDF..exe, 00000003.00000000.1268044646.0000000000316000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameMNJ988.exe. vs invoice727282_PDF..exe
Source: invoice727282_PDF..exe, 00000003.00000002.1272969441.0000000003975000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename77a44212-f6b7-4055-a909-4622785ee49c.exe4 vs invoice727282_PDF..exe
Source: invoice727282_PDF..exe, 00000003.00000002.1272202924.000000000099E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs invoice727282_PDF..exe
Source: invoice727282_PDF..exe | Binary or memory string: OriginalFilenameMNJ988.exe. vs invoice727282_PDF..exe
Source: 6.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 3.2.invoice727282_PDF..exe.3a69638.3.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 3.2.invoice727282_PDF..exe.3a69638.3.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: invoice727282_PDF..exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 3.2.invoice727282_PDF..exe.3a69638.3.raw.unpack, 4JJG6X.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 3.2.invoice727282_PDF..exe.3a69638.3.raw.unpack, 8C78isHTVco.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 3.2.invoice727282_PDF..exe.3a69638.3.raw.unpack, CqSP68Ir.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 3.2.invoice727282_PDF..exe.3a69638.3.raw.unpack, CqSP68Ir.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@7/5@2/2
                    Source: C:\Users\user\Desktop\invoice727282_PDF..exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\invoice727282_PDF..exe.logJump to behavior
                    Source: C:\Users\user\AppData\Roaming\QGwHqTR\QGwHqTR.exeMutant created: NULL
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7596:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7352:120:WilError_03
                    Source: invoice727282_PDF..exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: invoice727282_PDF..exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeFile read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
                    Source: C:\Users\user\Desktop\invoice727282_PDF..exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                    Source: invoice727282_PDF..exeReversingLabs: Detection: 39%
                    Source: invoice727282_PDF..exeVirustotal: Detection: 41%
                    Source: unknownProcess created: C:\Users\user\Desktop\invoice727282_PDF..exe "C:\Users\user\Desktop\invoice727282_PDF..exe"
                    Source: C:\Users\user\Desktop\invoice727282_PDF..exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Aspnet_compiler.exe"
                    Source: unknownProcess created: C:\Users\user\AppData\Roaming\QGwHqTR\QGwHqTR.exe "C:\Users\user\AppData\Roaming\QGwHqTR\QGwHqTR.exe"
                    Source: C:\Users\user\AppData\Roaming\QGwHqTR\QGwHqTR.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: unknownProcess created: C:\Users\user\AppData\Roaming\QGwHqTR\QGwHqTR.exe "C:\Users\user\AppData\Roaming\QGwHqTR\QGwHqTR.exe"
                    Source: C:\Users\user\AppData\Roaming\QGwHqTR\QGwHqTR.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\invoice727282_PDF..exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Aspnet_compiler.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\invoice727282_PDF..exe -> Section loaded: mscoree.dll
                    Source: C:\Users\user\Desktop\invoice727282_PDF..exe -> Section loaded: apphelp.dll
                    Source: C:\Users\user\Desktop\invoice727282_PDF..exe -> Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\Desktop\invoice727282_PDF..exe -> Section loaded: version.dll
                    Source: C:\Users\user\Desktop\invoice727282_PDF..exe -> Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\Desktop\invoice727282_PDF..exe -> Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\Desktop\invoice727282_PDF..exe -> Section loaded: uxtheme.dll
                    Source: C:\Users\user\Desktop\invoice727282_PDF..exe -> Section loaded: cryptsp.dll
                    Source: C:\Users\user\Desktop\invoice727282_PDF..exe -> Section loaded: rsaenh.dll
                    Source: C:\Users\user\Desktop\invoice727282_PDF..exe -> Section loaded: cryptbase.dll
                    Source: C:\Users\user\Desktop\invoice727282_PDF..exe -> Section loaded: wldp.dll
                    Source: C:\Users\user\Desktop\invoice727282_PDF..exe -> Section loaded: amsi.dll
                    Source: C:\Users\user\Desktop\invoice727282_PDF..exe -> Section loaded: userenv.dll
                    Source: C:\Users\user\Desktop\invoice727282_PDF..exe -> Section loaded: profapi.dll
                    Source: C:\Users\user\Desktop\invoice727282_PDF..exe -> Section loaded: msasn1.dll
                    Source: C:\Users\user\Desktop\invoice727282_PDF..exe -> Section loaded: gpapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe -> Section loaded: mscoree.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe -> Section loaded: kernel.appcore.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe -> Section loaded: version.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe -> Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe -> Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe -> Section loaded: uxtheme.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe -> Section loaded: windows.storage.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe -> Section loaded: wldp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe -> Section loaded: profapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe -> Section loaded: cryptsp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe -> Section loaded: rsaenh.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe -> Section loaded: cryptbase.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe -> Section loaded: wbemcomn.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe -> Section loaded: amsi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe -> Section loaded: userenv.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe -> Section loaded: sspicli.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe -> Section loaded: rasapi32.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe -> Section loaded: rasman.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe -> Section loaded: rtutils.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe -> Section loaded: mswsock.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe -> Section loaded: winhttp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe -> Section loaded: ondemandconnroutehelper.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe -> Section loaded: iphlpapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe -> Section loaded: dhcpcsvc6.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe -> Section loaded: dhcpcsvc.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe -> Section loaded: dnsapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe -> Section loaded: winnsi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe -> Section loaded: rasadhlp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe -> Section loaded: fwpuclnt.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe -> Section loaded: secur32.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe -> Section loaded: schannel.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe -> Section loaded: mskeyprotect.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe -> Section loaded: ntasn1.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe -> Section loaded: ncrypt.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe -> Section loaded: ncryptsslp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe -> Section loaded: msasn1.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe -> Section loaded: gpapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe -> Section loaded: textshaping.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe -> Section loaded: textinputframework.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe -> Section loaded: coreuicomponents.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe -> Section loaded: coremessaging.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe -> Section loaded: ntmarta.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe -> Section loaded: wintypes.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe -> Section loaded: vaultcli.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe -> Section loaded: dpapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe -> Section loaded: edputil.dll
                    Source: C:\Users\user\AppData\Roaming\QGwHqTR\QGwHqTR.exe -> Section loaded: mscoree.dll
                    Source: C:\Users\user\AppData\Roaming\QGwHqTR\QGwHqTR.exe -> Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Roaming\QGwHqTR\QGwHqTR.exe -> Section loaded: version.dll
                    Source: C:\Users\user\AppData\Roaming\QGwHqTR\QGwHqTR.exe -> Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\QGwHqTR\QGwHqTR.exe -> Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\Desktop\invoice727282_PDF..exe -> Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                    Source: C:\Users\user\Desktop\invoice727282_PDF..exe -> File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe -> Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
                    Source: invoice727282_PDF..exe -> Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: invoice727282_PDF..exe -> Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: invoice727282_PDF..exe -> Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                    Source: Binary string: C:\Users\Administrator\Documents\CryptoObfuscator_Output\MNJ988.pdbBSJB source: invoice727282_PDF..exe
                    Source: Binary string: Under.pdb source: invoice727282_PDF..exe, 00000003.00000002.1272813919.0000000002711000.00000004.00000800.00020000.00000000.sdmp, invoice727282_PDF..exe, 00000003.00000002.1272722248.00000000025E0000.00000004.08000000.00040000.00000000.sdmp
                    Source: Binary string: C:\Users\Administrator\Documents\CryptoObfuscator_Output\MNJ988.pdb source: invoice727282_PDF..exe
                    Source: Binary string: ompiler.pdb source: aspnet_compiler.exe, 00000006.00000002.3748270115.00000000066F4000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: aspnet_compiler.pdb source: QGwHqTR.exe, 0000000C.00000000.1420599710.0000000000342000.00000002.00000001.01000000.0000000A.sdmp, QGwHqTR.exe.6.dr
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe -> Code function: 6_2_02FA0C6D push edi; retf 6_2_02FA0C7A
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe -> Code function: 6_2_02FA0C45 push ebx; retf 6_2_02FA0C52
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe -> Code function: 6_2_0695CD90 push es; ret 6_2_0695CDA0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe -> Code function: 6_2_06A285C7 push es; iretd 6_2_06A285C8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe -> Code function: 6_2_06A285DF push es; iretd 6_2_06A285E0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe -> Code function: 6_2_06A28517 push es; iretd 6_2_06A28524
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe -> Code function: 6_2_06A2856F push es; iretd 6_2_06A28570
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe -> Code function: 6_2_06A28573 push es; iretd 6_2_06A2857C
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe -> Code function: 6_2_06A2857F push es; iretd 6_2_06A28588
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe -> Code function: 6_2_06A28544 push es; iretd 6_2_06A28554
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe -> Code function: 6_2_06A21388 pushfd ; ret 6_2_06A21609
                    Source: invoice727282_PDF..exe -> Static PE information: section name: .text entropy: 7.897390111297712
                    Source: 3.2.invoice727282_PDF..exe.277ae58.2.raw.unpack, Break.cs -> High entropy of concatenated method names: 'dWAGFaUWn', 'iEYRO7lFN', 'udOnqmU9Q', 'cGBO5pgbB', 'mDYfCxWQI', 'IoEirBtUf', 'WugDdypL0', 'usI3Ne4l0', 'tb8cQi6WB', 'cHIdHqlXH'
                    Source: 3.2.invoice727282_PDF..exe.277ae58.2.raw.unpack, DCxWQInmoErBtUfPug.cs -> High entropy of concatenated method names: 'ng88P5hhNONZ2', 'XiaT6D7x0StsE72nlE', 'SBZuexlEW8R6ioCpVD', 'E1jjr1AQDdUmo7W5aS', 'APu3Z9Karm5lho1Uv0', 'eT3IofrBykcwXq3mL7', 'sresvR1enHl1NbIrPG', 'lBwoCRZdHAUT7f4NHa', 'xdurKsI8bM7x49J3Hh'
                    Source: 3.2.invoice727282_PDF..exe.25e0000.1.raw.unpack, Break.cs -> High entropy of concatenated method names: 'dWAGFaUWn', 'iEYRO7lFN', 'udOnqmU9Q', 'cGBO5pgbB', 'mDYfCxWQI', 'IoEirBtUf', 'WugDdypL0', 'usI3Ne4l0', 'tb8cQi6WB', 'cHIdHqlXH'
                    Source: 3.2.invoice727282_PDF..exe.25e0000.1.raw.unpack, DCxWQInmoErBtUfPug.cs -> High entropy of concatenated method names: 'ng88P5hhNONZ2', 'XiaT6D7x0StsE72nlE', 'SBZuexlEW8R6ioCpVD', 'E1jjr1AQDdUmo7W5aS', 'APu3Z9Karm5lho1Uv0', 'eT3IofrBykcwXq3mL7', 'sresvR1enHl1NbIrPG', 'lBwoCRZdHAUT7f4NHa', 'xdurKsI8bM7x49J3Hh'
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe -> File created: C:\Users\user\AppData\Roaming\QGwHqTR\QGwHqTR.exe
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe -> Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run QGwHqTR

                    Hooking and other Techniques for Hiding and Protection

                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe -> File opened: C:\Users\user\AppData\Roaming\QGwHqTR\QGwHqTR.exe:Zone.Identifier read attributes | delete
                    Source: C:\Users\user\Desktop\invoice727282_PDF..exe -> Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe -> Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\QGwHqTR\QGwHqTR.exe -> Process information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Users\user\Desktop\invoice727282_PDF..exe | Memory allocated: 930000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\invoice727282_PDF..exe | Memory allocated: 2710000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\invoice727282_PDF..exe | Memory allocated: 2510000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Memory allocated: 2F60000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Memory allocated: 2FD0000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Memory allocated: 4FD0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\QGwHqTR\QGwHqTR.exe | Memory allocated: CB0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\QGwHqTR\QGwHqTR.exe | Memory allocated: 26F0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\QGwHqTR\QGwHqTR.exe | Memory allocated: CB0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\QGwHqTR\QGwHqTR.exe | Memory allocated: D60000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\QGwHqTR\QGwHqTR.exe | Memory allocated: 2830000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\QGwHqTR\QGwHqTR.exe | Memory allocated: 4830000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\invoice727282_PDF..exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Thread delayed: delay time: 1199938
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Thread delayed: delay time: 1199813
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Thread delayed: delay time: 1199703
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Thread delayed: delay time: 1199594
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Thread delayed: delay time: 1199469
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Thread delayed: delay time: 1199359
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Thread delayed: delay time: 1199250
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Thread delayed: delay time: 1199141
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Thread delayed: delay time: 1199031
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Thread delayed: delay time: 1198922
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Thread delayed: delay time: 1198812
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Thread delayed: delay time: 1198703
                    Source: C:\Users\user\AppData\Roaming\QGwHqTR\QGwHqTR.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Window / User API: threadDelayed 2438
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Window / User API: threadDelayed 7398
                    Source: C:\Users\user\Desktop\invoice727282_PDF..exe TID: 7024 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 7252 | Thread sleep time: -35048813740048126s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 7252 | Thread sleep time: -200000s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 7252 | Thread sleep time: -199780s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 7252 | Thread sleep time: -199562s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 7252 | Thread sleep time: -99665s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 7252 | Thread sleep time: -99562s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 7252 | Thread sleep time: -99453s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 7252 | Thread sleep time: -99342s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 7252 | Thread sleep time: -99234s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 7252 | Thread sleep time: -99124s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 7252 | Thread sleep time: -99015s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 7252 | Thread sleep time: -98794s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 7252 | Thread sleep time: -98679s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 7252 | Thread sleep time: -98562s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 7252 | Thread sleep time: -98446s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 7252 | Thread sleep time: -98344s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 7252 | Thread sleep time: -98234s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 7252 | Thread sleep time: -98120s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 7252 | Thread sleep time: -98015s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 7252 | Thread sleep time: -97906s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 7252 | Thread sleep time: -97797s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 7252 | Thread sleep time: -97687s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 7252 | Thread sleep time: -97578s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 7252 | Thread sleep time: -97467s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 7252 | Thread sleep time: -99672s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 7252 | Thread sleep time: -99547s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 7252 | Thread sleep time: -99437s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 7252 | Thread sleep time: -99328s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 7252 | Thread sleep time: -99216s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 7252 | Thread sleep time: -99004s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 7252 | Thread sleep time: -98725s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 7252 | Thread sleep time: -98587s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 7252 | Thread sleep time: -98484s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 7252 | Thread sleep time: -98371s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 7252 | Thread sleep time: -98265s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 7252 | Thread sleep time: -98156s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 7252 | Thread sleep time: -98046s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 7252 | Thread sleep time: -97937s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 7252 | Thread sleep time: -1199938s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 7252 | Thread sleep time: -1199813s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 7252 | Thread sleep time: -1199703s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 7252 | Thread sleep time: -1199594s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 7252 | Thread sleep time: -1199469s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 7252 | Thread sleep time: -1199359s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 7252 | Thread sleep time: -1199250s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 7252 | Thread sleep time: -1199141s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 7252 | Thread sleep time: -1199031s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 7252 | Thread sleep time: -1198922s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 7252 | Thread sleep time: -1198812s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 7252 | Thread sleep time: -1198703s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\QGwHqTR\QGwHqTR.exe TID: 7396 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\QGwHqTR\QGwHqTR.exe TID: 7652 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                    Source: C:\Users\user\Desktop\invoice727282_PDF..exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Thread delayed: delay time: 100000
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Thread delayed: delay time: 99890
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Thread delayed: delay time: 99781
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Thread delayed: delay time: 99665
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Thread delayed: delay time: 99562
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Thread delayed: delay time: 99453
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Thread delayed: delay time: 99342
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Thread delayed: delay time: 99234
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Thread delayed: delay time: 99124
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Thread delayed: delay time: 99015
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Thread delayed: delay time: 98794
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Thread delayed: delay time: 98679
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Thread delayed: delay time: 98562
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Thread delayed: delay time: 98446
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Thread delayed: delay time: 98344
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Thread delayed: delay time: 98234
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Thread delayed: delay time: 98120
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Thread delayed: delay time: 98015
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Thread delayed: delay time: 97906
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Thread delayed: delay time: 97797
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Thread delayed: delay time: 97687
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Thread delayed: delay time: 97578
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Thread delayed: delay time: 97467
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Thread delayed: delay time: 99672
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Thread delayed: delay time: 99547
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Thread delayed: delay time: 99437
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Thread delayed: delay time: 99328
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Thread delayed: delay time: 99216
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Thread delayed: delay time: 99004
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Thread delayed: delay time: 98725
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Thread delayed: delay time: 98587
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Thread delayed: delay time: 98484
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Thread delayed: delay time: 98371
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Thread delayed: delay time: 98265
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Thread delayed: delay time: 98156
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Thread delayed: delay time: 98046
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Thread delayed: delay time: 97937
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Thread delayed: delay time: 1199938
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Thread delayed: delay time: 1199813
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Thread delayed: delay time: 1199703
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Thread delayed: delay time: 1199594
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Thread delayed: delay time: 1199469
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Thread delayed: delay time: 1199359
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Thread delayed: delay time: 1199250
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Thread delayed: delay time: 1199141
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Thread delayed: delay time: 1199031
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Thread delayed: delay time: 1198922
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Thread delayed: delay time: 1198812
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Thread delayed: delay time: 1198703
                    Source: C:\Users\user\AppData\Roaming\QGwHqTR\QGwHqTR.exe | Thread delayed: delay time: 922337203685477
                    Source: aspnet_compiler.exe, 00000006.00000002.3738347242.0000000001357000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Process information queried: ProcessInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\invoice727282_PDF..exe | Memory allocated: page read and write | page guard

                    HIPS / PFW / Operating System Protection Evasion

                    Source: C:\Users\user\Desktop\invoice727282_PDF..exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000 protect: page execute and read and write
                    Source: C:\Users\user\Desktop\invoice727282_PDF..exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\Desktop\invoice727282_PDF..exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000
                    Source: C:\Users\user\Desktop\invoice727282_PDF..exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 402000
                    Source: C:\Users\user\Desktop\invoice727282_PDF..exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 440000
                    Source: C:\Users\user\Desktop\invoice727282_PDF..exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 442000
                    Source: C:\Users\user\Desktop\invoice727282_PDF..exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: F00008
                    Source: C:\Users\user\Desktop\invoice727282_PDF..exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Aspnet_compiler.exe"
                    Source: aspnet_compiler.exe, 00000006.00000002.3741077365.0000000003102000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program ManagerLR
                    Source: aspnet_compiler.exe, 00000006.00000002.3741077365.0000000003102000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: q3<b>[ Program Manager]</b> (09/08/2024 17:13:15)<br>
                    Source: aspnet_compiler.exe, 00000006.00000002.3741077365.0000000003102000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager
                    Source: aspnet_compiler.exe, 00000006.00000002.3741077365.0000000003120000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000006.00000002.3741077365.000000000310D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Time: 09/04/2024 14:40:35<br>User Name: user<br>Computer Name: 138727<br>OSFullName: Microsoft Windows 10 Pro<br>CPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz<br>RAM: 8191.25 MB<br>IP Address: 8.46.123.33<br><hr><b>[ Program Manager]</b> (09/08/2024 17:13:15)<br>{Win}r
                    Source: aspnet_compiler.exe, 00000006.00000002.3741077365.0000000003120000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: qDTime: 09/04/2024 14:40:35<br>User Name: user<br>Computer Name: 138727<br>OSFullName: Microsoft Windows 10 Pro<br>CPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz<br>RAM: 8191.25 MB<br>IP Address: 8.46.123.33<br><hr><b>[ Program Manager]</b> (09/08/2024 17:13:15)<br>{Win}r
                    Source: aspnet_compiler.exe, 00000006.00000002.3741077365.0000000003102000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: q8<b>[ Program Manager]</b> (09/08/2024 17:13:15)<br>{Win}TH
                    Source: aspnet_compiler.exe, 00000006.00000002.3741077365.0000000003102000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: q9<b>[ Program Manager]</b> (09/08/2024 17:13:15)<br>{Win}rTH
                    Source: aspnet_compiler.exe, 00000006.00000002.3741077365.000000000310D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Time: 09/04/2024 14:40:35<br>User Name: user<br>Computer Name: 138727<br>OSFullName: Microsoft Windows 10 Pro<br>CPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz<br>RAM: 8191.25 MB<br>IP Address: 8.46.123.33<br><hr><b>[ Program Manager]</b> (09/08/2024 17:13:15)<br>{Win}rTe
                    Source: C:\Users\user\Desktop\invoice727282_PDF..exe | Queries volume information: C:\Users\user\Desktop\invoice727282_PDF..exe VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\QGwHqTR\QGwHqTR.exe | Queries volume information: C:\Users\user\AppData\Roaming\QGwHqTR\QGwHqTR.exe VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\QGwHqTR\QGwHqTR.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\QGwHqTR\QGwHqTR.exe | Queries volume information: C:\Users\user\AppData\Roaming\QGwHqTR\QGwHqTR.exe VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\QGwHqTR\QGwHqTR.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
                    Source: C:\Users\user\Desktop\invoice727282_PDF..exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                    Stealing of Sensitive Information

                    Source: Yara match | File source: 6.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 3.2.invoice727282_PDF..exe.3a69638.3.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 3.2.invoice727282_PDF..exe.3a69638.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000006.00000002.3741077365.0000000003061000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000006.00000002.3729441710.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000006.00000002.3741077365.0000000003021000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000006.00000002.3741077365.000000000304C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000003.00000002.1272969441.0000000003975000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000003.00000002.1272969441.0000000003B95000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: invoice727282_PDF..exe PID: 4800, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: aspnet_compiler.exe PID: 5680, type: MEMORYSTR
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | File opened: C:\FTP Navigator\Ftplist.txt
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\ProfilesJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\IdentitiesJump to behavior
                    Source: Yara matchFile source: 6.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 3.2.invoice727282_PDF..exe.3a69638.3.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 3.2.invoice727282_PDF..exe.3a69638.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000006.00000002.3729441710.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000006.00000002.3741077365.0000000003021000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000003.00000002.1272969441.0000000003975000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000003.00000002.1272969441.0000000003B95000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: invoice727282_PDF..exe PID: 4800, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: aspnet_compiler.exe PID: 5680, type: MEMORYSTR

Remote Access Functionality

Source: Yara match; File source: 6.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.2.invoice727282_PDF..exe.3a69638.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.2.invoice727282_PDF..exe.3a69638.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000006.00000002.3741077365.0000000003061000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.3729441710.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.3741077365.0000000003021000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.3741077365.000000000304C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.1272969441.0000000003975000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.1272969441.0000000003B95000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: invoice727282_PDF..exe PID: 4800, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: aspnet_compiler.exe PID: 5680, type: MEMORYSTR
MITRE ATT&CK Matrix

The matrix is listed per tactic column. Digits in parentheses are the report's signature-count badges, reproduced exactly as rendered; techniques without a badge are the matrix's default cells and were not triggered by this sample.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: Windows Management Instrumentation (121); Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: DLL Side-Loading (1); Registry Run Keys / Startup Folder (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: DLL Side-Loading (1); Process Injection (312); Registry Run Keys / Startup Folder (1); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Defense Evasion: Disable or Modify Tools (1); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (2); Software Packing (2); DLL Side-Loading (1); Masquerading (1); Virtualization/Sandbox Evasion (141); Process Injection (312); Hidden Files and Directories (1)
Credential Access: OS Credential Dumping (2); Input Capture (311); Credentials in Registry (1); NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: File and Directory Discovery (1); System Information Discovery (24); Security Software Discovery (111); Process Discovery (2); Virtualization/Sandbox Evasion (141); Application Window Discovery (1); System Network Configuration Discovery (1); System Owner/User Discovery; Network Sniffing
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: Archive Collected Data (11); Data from Local System (2); Email Collection (1); Input Capture (311); Clipboard Data (1); GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: Ingress Tool Transfer (1); Encrypted Channel (11); Non-Standard Port (1); Non-Application Layer Protocol (2); Application Layer Protocol (23); Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
Behavior Graph (ID: 1490419; Sample: invoice727282_PDF..exe; Start date: 09/08/2024; Architecture: WINDOWS; Score: 100)

Contacted hosts: mail.convergesolve.com; api.ipify.org
Top-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; 7 other signatures

Process tree:
• invoice727282_PDF..exe (started)
  • Dropped: C:\Users\user\...\invoice727282_PDF..exe.log, CSV
  • Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
  • Child: aspnet_compiler.exe (started)
    • Network: mail.convergesolve.com 209.124.85.231, ports 49704, 49705, 49714 (A2HOSTINGUS, United States); api.ipify.org 172.67.74.152, ports 443, 49703 (CLOUDFLARENETUS, United States)
    • Dropped: C:\Users\user\AppData\Roaming\...\QGwHqTR.exe, PE32
    • Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Tries to steal Mail credentials (via file / registry access); 5 other signatures
• QGwHqTR.exe (started)
  • Child: conhost.exe (started)
• QGwHqTR.exe (started)
  • Child: conhost.exe (started)

Antivirus Detection (Source | Detection | Scanner | Label)

Initial sample:
invoice727282_PDF..exe | 39% | ReversingLabs | ByteCode-MSIL.Trojan.GenSteal
invoice727282_PDF..exe | 41% | Virustotal |
invoice727282_PDF..exe | 100% | Avira | HEUR/AGEN.1327047
invoice727282_PDF..exe | 100% | Joe Sandbox ML |

Dropped files:
C:\Users\user\AppData\Roaming\QGwHqTR\QGwHqTR.exe | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\QGwHqTR\QGwHqTR.exe | 0% | Virustotal |

Unpacked PE files: No Antivirus matches

Domains:
mail.convergesolve.com | 3% | Virustotal |
api.ipify.org | 0% | Virustotal |

URLs:
https://api.ipify.org/ | 0% | URL Reputation | safe
https://api.ipify.org/ | 0% | URL Reputation | safe
https://api.ipify.org | 0% | URL Reputation | safe
https://account.dyn.com/ | 0% | URL Reputation | safe
https://api.ipify.org/t | 0% | URL Reputation | safe
https://api.ipify.org/t | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
http://x1.c.lencr.org/0 | 0% | URL Reputation | safe
http://x1.i.lencr.org/0 | 0% | URL Reputation | safe
http://x1.i.le | 0% | Avira URL Cloud | safe
http://r10.o.lencr.org0# | 0% | Avira URL Cloud | safe
http://mail.convergesolve.com | 0% | Avira URL Cloud | safe
http://r10.i.lencr.org/0 | 0% | Avira URL Cloud | safe
http://mail.convergesolve.com | 3% | Virustotal |
http://r10.i.lencr.org/0 | 0% | Virustotal |
Contacted Domains (Name | IP | Active | Malicious | Antivirus Detection | Reputation)
mail.convergesolve.com | 209.124.85.231 | true | true | | unknown
api.ipify.org | 172.67.74.152 | true | false | | unknown

Contacted URLs (Name | Malicious | Antivirus Detection | Reputation)
https://api.ipify.org/ | false | URL Reputation: safe; URL Reputation: safe | unknown

URLs from Memory and Binaries (Name | Source | Malicious | Antivirus Detection | Reputation)
http://x1.i.le | aspnet_compiler.exe, 00000006.00000002.3748270115.0000000006722000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://api.ipify.org | invoice727282_PDF..exe, 00000003.00000002.1272969441.0000000003975000.00000004.00000800.00020000.00000000.sdmp, invoice727282_PDF..exe, 00000003.00000002.1272969441.0000000003B95000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000006.00000002.3729441710.0000000000402000.00000040.00000400.00020000.00000000.sdmp, aspnet_compiler.exe, 00000006.00000002.3741077365.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://r10.o.lencr.org0# | aspnet_compiler.exe, 00000006.00000002.3741077365.00000000030E4000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000006.00000002.3748270115.0000000006722000.00000004.00000020.00020000.00000000.sdmp, aspnet_compiler.exe, 00000006.00000002.3741077365.000000000310D000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000006.00000002.3738347242.0000000001357000.00000004.00000020.00020000.00000000.sdmp, aspnet_compiler.exe, 00000006.00000002.3741077365.000000000304C000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://account.dyn.com/ | invoice727282_PDF..exe, 00000003.00000002.1272969441.0000000003975000.00000004.00000800.00020000.00000000.sdmp, invoice727282_PDF..exe, 00000003.00000002.1272969441.0000000003B95000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000006.00000002.3729441710.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://api.ipify.org/t | aspnet_compiler.exe, 00000006.00000002.3741077365.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | aspnet_compiler.exe, 00000006.00000002.3741077365.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
http://x1.c.lencr.org/0 | aspnet_compiler.exe, 00000006.00000002.3741077365.00000000030E4000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000006.00000002.3748270115.0000000006722000.00000004.00000020.00020000.00000000.sdmp, aspnet_compiler.exe, 00000006.00000002.3741077365.000000000310D000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000006.00000002.3738347242.0000000001357000.00000004.00000020.00020000.00000000.sdmp, aspnet_compiler.exe, 00000006.00000002.3741077365.000000000304C000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://x1.i.lencr.org/0 | aspnet_compiler.exe, 00000006.00000002.3741077365.00000000030E4000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000006.00000002.3748270115.0000000006722000.00000004.00000020.00020000.00000000.sdmp, aspnet_compiler.exe, 00000006.00000002.3741077365.000000000310D000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000006.00000002.3738347242.0000000001357000.00000004.00000020.00020000.00000000.sdmp, aspnet_compiler.exe, 00000006.00000002.3741077365.000000000304C000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://r10.i.lencr.org/0 | aspnet_compiler.exe, 00000006.00000002.3741077365.00000000030E4000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000006.00000002.3748270115.0000000006722000.00000004.00000020.00020000.00000000.sdmp, aspnet_compiler.exe, 00000006.00000002.3741077365.000000000310D000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000006.00000002.3738347242.0000000001357000.00000004.00000020.00020000.00000000.sdmp, aspnet_compiler.exe, 00000006.00000002.3741077365.000000000304C000.00000004.00000800.00020000.00000000.sdmp | false | Virustotal: 0%; Avira URL Cloud: safe | unknown
http://mail.convergesolve.com | aspnet_compiler.exe, 00000006.00000002.3741077365.00000000030E4000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000006.00000002.3741077365.000000000310D000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000006.00000002.3741077365.000000000304C000.00000004.00000800.00020000.00000000.sdmp | false | Virustotal: 3%; Avira URL Cloud: safe | unknown
Contacted IPs (IP | Domain | Country | ASN | ASN Name | Malicious)
209.124.85.231 | mail.convergesolve.com | United States | 55293 | A2HOSTINGUS | true
172.67.74.152 | api.ipify.org | United States | 13335 | CLOUDFLARENETUS | false
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1490419
Start date and time: 2024-08-09 09:07:51 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 8m 26s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 22
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: invoice727282_PDF..exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@7/5@2/2
EGA Information:
• Successful, ratio: 50%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 132
• Number of non-executed functions: 9
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target QGwHqTR.exe, PID 7344 because it is empty
• Execution Graph export aborted for target QGwHqTR.exe, PID 7588 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found
• Report size getting too big, too many NtProtectVirtualMemory calls found
• Report size getting too big, too many NtQueryValueKey calls found
• Report size getting too big, too many NtReadVirtualMemory calls found
Runtime Events (Time | Type | Description)
03:08:52 | API Interceptor | 10448694x Sleep call for process: aspnet_compiler.exe modified
09:08:53 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run QGwHqTR C:\Users\user\AppData\Roaming\QGwHqTR\QGwHqTR.exe
09:09:02 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run QGwHqTR C:\Users\user\AppData\Roaming\QGwHqTR\QGwHqTR.exe
Similar Samples (Associated Sample Name / URL | Detection | Threat Name | Context)

Match on IP 172.67.74.152:
FormPlayer.exe | malicious | Unknown | api.ipify.org/
PandaClient.exe | malicious | Unknown | api.ipify.org/
golang-modules.exe | malicious | Unknown | api.ipify.org/
SecuriteInfo.com.Trojan.Win64.Agent.14415.19839.exe | malicious | Unknown | api.ipify.org/
242764.exe | malicious | Ficker Stealer, Rusty Stealer | api.ipify.org/?format=wef
K8mzlntJVN.msi | malicious | Unknown | api.ipify.org/
stub.exe | malicious | Unknown | api.ipify.org/
stub.exe | malicious | Unknown | api.ipify.org/
Sonic-Glyder.exe | malicious | Stealit | api.ipify.org/?format=json
Sky-Beta.exe | malicious | Unknown | api.ipify.org/?format=json

Match on domain api.ipify.org:
SecuriteInfo.com.Win32.PWSX-gen.5215.298.exe | malicious | AgentTesla | 172.67.74.152
SecuriteInfo.com.Win32.PWSX-gen.2282.26838.exe | malicious | AgentTesla | 104.26.12.205
http://loawnd3-8437-buertyd.pages.dev/help/contact/511828274300506/ | malicious | Unknown | 104.26.12.205
https://keagypickard-helpcenter-8597.pages.dev/help/contact/7236301044454232606:4700:31... | malicious | Unknown | 172.67.74.152
https://form.asana.com/?k=4CXtmX3TL4hciUOIomfxgQ&d=1207815429321009 | malicious | Unknown | 104.26.13.205
Swift Copy 3072024 pdf.exe | malicious | AgentTesla | 104.26.12.205
New PO 24072024 pdf.exe | malicious | AgentTesla | 172.67.74.152
Order 0029399000494995900008.exe | malicious | AgentTesla | 104.26.13.205
SOA PAYMENT.vbe | malicious | AgentTesla | 172.67.74.152
P.O. F0N82599 FORJA rom.exe | malicious | AgentTesla | 104.26.13.205

Match on ASN A2HOSTINGUS:
DHL INVOICE_99765.bat.exe | malicious | AgentTesla, PureLog Stealer | 70.32.23.100
b2bXo6vmDm.exe | malicious | SystemBC | 68.66.232.152
DHL-INVOICE_817432.bat.exe | malicious | AgentTesla | 70.32.23.100
Fzfee1Lgc2.elf | malicious | Unknown | 85.187.128.42
https://trk.klclick3.com/ls/click?upn=u001.F5FUvNp8lGuVBrfF8VWSt-2Befrq4JwHZUrXxYUllvBu6JQLRTleNqoOq9cK2V6H9nF6TE8i5ai18ELwuaCRLRwA-3D-3DeBON_1svWsHF9QtKh6I35BSRfJziCtreSweSmmjNgxUuzWxLFgb12Ddkvv3gPW-2BY7HCV4BtwDYPCgqFm6ezf3LGkFgw-2FasXzQ01tiusM7qj7f7wQzyFpk04U-2BNsOiH-2B6C0IEGGhuBHlH4nFGk5hM1YrilA-2FklNstU7j1vcFJG8iHzTeSRYHOXIpK0cVyPDdeQeDUKiYrTYys-2FJ6BSjWfQuGIzI8V57VImtAPAAkrpuUD31VELoL-2FwLqoqcEcJaE-2B6fpm2wPTZkCul8wgxqc4qQClvNSQEUdlWOW-2BnsmWvhHzUvBgdPRhNpiRMg8ZZ-2BBQBoSFlRkufcGBk8zdT6H-2B-2FULHcbxzCKE71NmfbhvHZ7lmXl2A-3D | malicious | Tycoon2FA | 68.66.226.79
NEW ORDER QLM0008233RFSOBL.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 85.187.142.75
rVesselSchedule.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 85.187.142.75
https://amdat-my.sharepoint.com/:o:/g/personal/mai_amd_at/EoDy7F40M29Hj1IohtQ4kIQBoQXIpIg2xex0MiXjURHhng?e=a92LfU | malicious | HTMLPhisher | 209.124.66.28
rTransaction_ReceiptCopy.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 85.187.142.75
https://rccgnet.org/ | malicious | Unknown | 68.66.220.30

Match on ASN CLOUDFLARENETUS:
HBL-08082024-RELEASE.xls | malicious | Unknown | 172.67.162.208
DHL_AWB#6078538091.exe | malicious | FormBook | 172.67.195.73
Bank Slip.xls | malicious | Unknown | 172.67.162.208
HBL-08082024-RELEASE.xls | malicious | Unknown | 104.21.90.242
waybill_shipping_documents_original_BL_CI&PL_08_08_2024_000000002024_doc.xls | malicious | GuLoader, Remcos | 104.21.90.242
FedEx Receipt_AWB#7715323204 .xls | malicious | Unknown | 172.67.162.208
HBL-08082024-RELEASE.xls | malicious | Unknown | 172.67.162.208
FedEx Receipt_AWB#7715323204 .xls | malicious | Unknown | 172.67.162.208
FedEx Receipt_AWB#7715323204 .xls | malicious | Unknown | 172.67.162.208
PAYROLL SUMMARY _pdf.exe | malicious | FormBook | 172.67.210.102

Match on 3b5074b1b5d032e5620f69f9f700ff0e:
SecuriteInfo.com.Win32.PWSX-gen.5215.298.exe | malicious | AgentTesla | 172.67.74.152
SecuriteInfo.com.Win32.PWSX-gen.2282.26838.exe | malicious | AgentTesla | 172.67.74.152
f76b2b03f3bcae16946cc4df5c6e8f0c960c415c38279a170e2dbf9ebcbd31f7_dump.exe | malicious | Snake Keylogger, VIP Keylogger | 172.67.74.152
rEplpxu.exe | malicious | Unknown | 172.67.74.152
rSTORESIMPORT2024-2025.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 172.67.74.152
rEplpxu.exe | malicious | Unknown | 172.67.74.152
http://uspss.pages.dev/ | malicious | Unknown | 172.67.74.152
http://discord-proxy.devilyouwei.workers.dev/ | malicious | Unknown | 172.67.74.152
https://meta-mask-io-login.gitbook.io/us | malicious | Unknown | 172.67.74.152
http://jhghjkljmn.weebly.com/ | malicious | Unknown | 172.67.74.152

Match on dropped file C:\Users\user\AppData\Roaming\QGwHqTR\QGwHqTR.exe:
#U0410#U0433#U0440#U043e-#U0410#U043b#U044c#U044f#U043d#U0441_(PO_460387320)_pdf.vbs | malicious | Lokibot, PureLog Stealer, zgRAT
6038732).vbs | malicious | Lokibot
cirby0J3LP.exe | malicious | AsyncRAT, PureLog Stealer, XWorm, zgRAT
SecuriteInfo.com.Win32.CrypterX-gen.12642.14495.exe | malicious | PureLog Stealer, XWorm
SecuriteInfo.com.Win32.CrypterX-gen.12642.14495.exe | malicious | PureLog Stealer, XWorm
3vj5tYFb6a.exe | malicious | Snake Keylogger, zgRAT
50000PCSPIC12F1501-ESN.exe | malicious | AgentTesla
SecuriteInfo.com.Win32.KeyloggerX-gen.6339.24340.exe | malicious | XWorm
Jdxvyx.exe | malicious | AgentTesla
SecuriteInfo.com.Win32.TrojanX-gen.11530.1442.exe | malicious | AgentTesla
                                        Process:C:\Users\user\AppData\Roaming\QGwHqTR\QGwHqTR.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:modified
                                        Size (bytes):311
                                        Entropy (8bit):5.347482639021185
                                        Encrypted:false
                                        SSDEEP:6:Q3La/xwchA2DLIP12MUAvvr3tDLIP12MUAvvR+uTL2ql2ABgTv:Q3La/hhpDLI4M9tDLI4MWuPTAv
                                        MD5:1AC8524D3800CDD5A91A864BCD4C3AB5
                                        SHA1:D003AEE44AC954938CE83E4A80412E04F726EA83
                                        SHA-256:8652A0399D65C2D111841F66EF2E930CDB8291CC8203252D59FD4921FF336C02
                                        SHA-512:9F28B59B99D0BC1EB60D29BE54CE2DAAC7D9B5D895311169578383C19A46CCF7CDE498EB6D7F172CF7D1D11E5B16665DF989CD8EEC527282BE3B796CD08C7DAC
                                        Malicious:false
                                        Reputation:low
                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..
Process: C:\Users\user\Desktop\invoice727282_PDF..exe
File Type: CSV text
Category: dropped
Size (bytes): 226
Entropy (8bit): 5.360398796477698
Encrypted: false
SSDEEP: 6:Q3La/xw5DLIP12MUAvvR+uTL2ql2ABgTv:Q3La/KDLI4MWuPTAv
MD5: 3A8957C6382192B71471BD14359D0B12
SHA1: 71B96C965B65A051E7E7D10F61BEBD8CCBB88587
SHA-256: 282FBEFDDCFAA0A9DBDEE6E123791FC4B8CB870AE9D450E6394D2ACDA3D8F56D
SHA-512: 76C108641F682F785A97017728ED51565C4F74B61B24E190468E3A2843FCC43615C6C8ABE298750AF238D7A44E97C001E3BE427B49900432F905A7CE114AA9AD
Malicious: true
Reputation: high, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
File Type: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category: modified
Size (bytes): 56368
Entropy (8bit): 6.120994357619221
Encrypted: false
SSDEEP: 768:fF9E8FLLs2Zokf85d9PTV6Iq8Fnqf7P+WxqWKnz8DH:ffE6EkfOd9PT86dWvKgb
MD5: FDA8C8F2A4E100AFB14C13DFCBCAB2D2
SHA1: 19DFD86294C4A525BA21C6AF77681B2A9BBECB55
SHA-256: 99A2C778C9A6486639D0AFF1A7D2D494C2B0DC4C7913EBCB7BFEA50A2F1D0B09
SHA-512: 94F0ACE37CAE77BE9935CF4FC8AAA94691343D3B38DE5E16C663B902C220BFF513CD02256C7AF2D815A23DD30439582DDBB0880009C76BBF36FF8FBC1A6DDC18
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
• Antivirus: Virustotal, Detection: 0%
Joe Sandbox View:
• Filename: Агро-Альянс_(PO_460387320)_pdf.vbs, Detection: malicious
• Filename: 6038732).vbs, Detection: malicious
• Filename: cirby0J3LP.exe, Detection: malicious
• Filename: SecuriteInfo.com.Win32.CrypterX-gen.12642.14495.exe, Detection: malicious
• Filename: 3vj5tYFb6a.exe, Detection: malicious
• Filename: 50000PCSPIC12F1501-ESN.exe, Detection: malicious
• Filename: SecuriteInfo.com.Win32.KeyloggerX-gen.6339.24340.exe, Detection: malicious
• Filename: Jdxvyx.exe, Detection: malicious
• Filename: SecuriteInfo.com.Win32.TrojanX-gen.11530.1442.exe, Detection: malicious
Reputation: moderate, very likely benign file
                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A>.]..............0................. ........@.. ....................................`.................................t...O.......................0B..........<................................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......t3..pc.............X...<........................................0..........s.....Y.....(.....Z.....&..(......+....(....o......r...p(....-..r...p(....,.....X....i2..-;(....(..........%.r!..p.(....(....((...(....(....(....( .....-.(7...(.....*.(....-..*.~S...-.~R....S...s!.....~W...o"....~U...o#....~V...o$....o%...~Y...o&...~S...~Q...~T....s'....P...~P...sE...o(............~W....@_,s.....()...r7..p.$(*........o+..........o,....2....... ....37(....(8.........%...o-....
Process: C:\Users\user\AppData\Roaming\QGwHqTR\QGwHqTR.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 221
Entropy (8bit): 4.801526423190794
Encrypted: false
SSDEEP: 6:zx3Me21f1LRJIQtAMw/VgRZBXVN+1GFJqozrCib:zKpj1JIUwqBFN+1Q3b
MD5: A3DCA41A950A7DF7ECE76A867A17400E
SHA1: AA9EFDBCF37BEE2C7FD0986F1A4308A73EC3F7BB
SHA-256: 6B2BE177016DF867316A0C432DAB0B71B6E51B35D169B0ACB1ABB47A4C03D7C0
SHA-512: F80207B5B78C7AE867AAB139196BBBEDE0437961DD03E790AEF3B877A228D7A90B9178B3342324B0EEA1C270E2A232A769B2F2D9E5DB4C065EB95140FA12239D
Malicious: false
Preview: Microsoft (R) ASP.NET Compilation Tool version 4.8.4084.0..Utility to precompile an ASP.NET application..Copyright (C) Microsoft Corporation. All rights reserved.....Run 'aspnet_compiler -?' for a list of valid options...
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.679530393533328
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 50.01%
• Win32 Executable (generic) a (10002005/4) 49.97%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: invoice727282_PDF..exe
File size: 256'072 bytes
MD5: 8a1b3f441a8f2da1b6bb52359fa5694d
SHA1: 0d522e50748a4ea1f098091865c594a16d75794c
SHA256: 30c2e1e5a35089de9990cf07fd080b4dbed13bd07823b3d54f173337cb25f8c1
SHA512: 0ba981a402187f3d699505555391a7402c38472f92583e5155e15e69152fa9c93229b98f88ead069c74354220bc57fa93250fd973bd1c955f903723efaf78697
SSDEEP: 6144:/py2XUv1yW68ntR5Xnb1FioABMPe1ruojcqD/4TqAJ:xy2kdyW68tRNnZoogzuo7/gz
TLSH: D744F1969BD2CE83D94DAFF860A35F984F65E517690293C76148621A0F223D77C3E80F
                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f..............0.................. ...@....@.. ....................................`................................
Icon Hash: 1203233b23333b82
Entrypoint: 0x432e0e
Entrypoint Section: .text
Digitally signed: true
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE
DLL Characteristics: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0x66829CB2 [Mon Jul 1 12:10:26 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
Signature Valid: false
Signature Issuer: CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error: The digital signature of the object did not verify
Error Number: -2146869232
Not Before, Not After:
• 13/12/2021 01:00:00, 09/01/2025 00:59:59
Subject Chain:
• CN=philandro Software GmbH, O=philandro Software GmbH, L=Stuttgart, S=Baden-Württemberg, C=DE
Version: 3
Thumbprint MD5: EAE713DFC05244CF4301BF1C9F68B1BE
Thumbprint SHA-1: 9CD1DDB78ED05282353B20CDFE8FA0A4FB6C1ECE
Thumbprint SHA-256: 9D7620A4CEBA92370E8828B3CB1007AEFF63AB36A2CBE5F044FDDE14ABAB1EBF
Serial: 0DBF152DEAF0B981A8A938D53F769DB8
Instruction
jmp dword ptr [00402000h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x32db4 | 0x57 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x36000 | 0x8d9c | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x3a200 | 0x4648 | .rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x34000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x2e724 | 0x1c | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x30e14 | 0x31000 | 57cc5f6d3a2f36f8f4a620c5053538c6 | False | 0.9327118542729592 | SysEx File - | 7.897390111297712 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.reloc | 0x34000 | 0xc | 0x200 | d9cf14401c5ef53741cbf6c694c316a1 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc | 0x36000 | 0x8d9c | 0x8e00 | 250aed1fb7125b4aa9f8476c8e1fa7a6 | False | 0.3537632042253521 | data | 5.284802229972301 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x361f0 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | - | - | 0.29074161549362304
RT_ICON | 0x3a418 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | - | - | 0.4104771784232365
RT_ICON | 0x3c9c0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | - | - | 0.38367729831144465
RT_ICON | 0x3da68 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | - | - | 0.5372950819672131
RT_ICON | 0x3e3f0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | - | - | 0.5673758865248227
RT_GROUP_ICON | 0x3e858 | 0x4c | data | - | - | 0.8026315789473685
RT_VERSION | 0x3e8a4 | 0x30c | data | - | - | 0.4307692307692308
RT_MANIFEST | 0x3ebb0 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | - | - | 0.5489795918367347
DLL | Import
mscoree.dll | _CorExeMain
                                        Aug 9, 2024 09:08:57.569562912 CEST58749705209.124.85.231192.168.2.7
                                        Aug 9, 2024 09:08:57.569591045 CEST58749705209.124.85.231192.168.2.7
                                        Aug 9, 2024 09:08:57.569617033 CEST58749705209.124.85.231192.168.2.7
                                        Aug 9, 2024 09:08:57.569648027 CEST58749705209.124.85.231192.168.2.7
                                        Aug 9, 2024 09:08:57.712258101 CEST58749705209.124.85.231192.168.2.7
                                        Aug 9, 2024 09:08:57.757869959 CEST49705587192.168.2.7209.124.85.231
Aug 9, 2024 09:10:25.570554018 CEST | 49705 | 587 | 192.168.2.7 | 209.124.85.231
Aug 9, 2024 09:10:25.575692892 CEST | 587 | 49705 | 209.124.85.231 | 192.168.2.7
Aug 9, 2024 09:10:25.684878111 CEST | 587 | 49705 | 209.124.85.231 | 192.168.2.7
Aug 9, 2024 09:10:25.685478926 CEST | 49705 | 587 | 192.168.2.7 | 209.124.85.231
Aug 9, 2024 09:10:25.686574936 CEST | 49714 | 587 | 192.168.2.7 | 209.124.85.231
Aug 9, 2024 09:10:25.691678047 CEST | 587 | 49714 | 209.124.85.231 | 192.168.2.7
Aug 9, 2024 09:10:25.693439960 CEST | 49714 | 587 | 192.168.2.7 | 209.124.85.231
Aug 9, 2024 09:10:26.208992004 CEST | 587 | 49714 | 209.124.85.231 | 192.168.2.7
Aug 9, 2024 09:10:26.209558964 CEST | 49714 | 587 | 192.168.2.7 | 209.124.85.231
Aug 9, 2024 09:10:26.214420080 CEST | 587 | 49714 | 209.124.85.231 | 192.168.2.7
Aug 9, 2024 09:10:26.322134018 CEST | 587 | 49714 | 209.124.85.231 | 192.168.2.7
Aug 9, 2024 09:10:26.323515892 CEST | 49714 | 587 | 192.168.2.7 | 209.124.85.231
Aug 9, 2024 09:10:26.328691006 CEST | 587 | 49714 | 209.124.85.231 | 192.168.2.7
Aug 9, 2024 09:10:26.441826105 CEST | 587 | 49714 | 209.124.85.231 | 192.168.2.7
Aug 9, 2024 09:10:26.445213079 CEST | 49714 | 587 | 192.168.2.7 | 209.124.85.231
Aug 9, 2024 09:10:26.450252056 CEST | 587 | 49714 | 209.124.85.231 | 192.168.2.7
Aug 9, 2024 09:10:26.568764925 CEST | 587 | 49714 | 209.124.85.231 | 192.168.2.7
Aug 9, 2024 09:10:26.568793058 CEST | 587 | 49714 | 209.124.85.231 | 192.168.2.7
Aug 9, 2024 09:10:26.568804979 CEST | 587 | 49714 | 209.124.85.231 | 192.168.2.7
Aug 9, 2024 09:10:26.568818092 CEST | 587 | 49714 | 209.124.85.231 | 192.168.2.7
Aug 9, 2024 09:10:26.568862915 CEST | 49714 | 587 | 192.168.2.7 | 209.124.85.231
Aug 9, 2024 09:10:26.578166962 CEST | 49714 | 587 | 192.168.2.7 | 209.124.85.231
Aug 9, 2024 09:10:26.583081961 CEST | 587 | 49714 | 209.124.85.231 | 192.168.2.7
Aug 9, 2024 09:10:26.692679882 CEST | 587 | 49714 | 209.124.85.231 | 192.168.2.7
Aug 9, 2024 09:10:26.697356939 CEST | 49714 | 587 | 192.168.2.7 | 209.124.85.231
Aug 9, 2024 09:10:26.702900887 CEST | 587 | 49714 | 209.124.85.231 | 192.168.2.7
Aug 9, 2024 09:10:26.812547922 CEST | 587 | 49714 | 209.124.85.231 | 192.168.2.7
Aug 9, 2024 09:10:26.812901974 CEST | 49714 | 587 | 192.168.2.7 | 209.124.85.231
Aug 9, 2024 09:10:26.817888975 CEST | 587 | 49714 | 209.124.85.231 | 192.168.2.7
Aug 9, 2024 09:10:26.933725119 CEST | 587 | 49714 | 209.124.85.231 | 192.168.2.7
Aug 9, 2024 09:10:26.933995962 CEST | 49714 | 587 | 192.168.2.7 | 209.124.85.231
Aug 9, 2024 09:10:26.938782930 CEST | 587 | 49714 | 209.124.85.231 | 192.168.2.7
Aug 9, 2024 09:10:27.168129921 CEST | 587 | 49714 | 209.124.85.231 | 192.168.2.7
Aug 9, 2024 09:10:27.168550014 CEST | 49714 | 587 | 192.168.2.7 | 209.124.85.231
Aug 9, 2024 09:10:27.173412085 CEST | 587 | 49714 | 209.124.85.231 | 192.168.2.7
Aug 9, 2024 09:10:27.281358957 CEST | 587 | 49714 | 209.124.85.231 | 192.168.2.7
Aug 9, 2024 09:10:27.281697035 CEST | 49714 | 587 | 192.168.2.7 | 209.124.85.231
Aug 9, 2024 09:10:27.286832094 CEST | 587 | 49714 | 209.124.85.231 | 192.168.2.7
Aug 9, 2024 09:10:27.441600084 CEST | 587 | 49714 | 209.124.85.231 | 192.168.2.7
Aug 9, 2024 09:10:27.442518950 CEST | 49714 | 587 | 192.168.2.7 | 209.124.85.231
Aug 9, 2024 09:10:27.447504044 CEST | 587 | 49714 | 209.124.85.231 | 192.168.2.7
Aug 9, 2024 09:10:27.582386017 CEST | 587 | 49714 | 209.124.85.231 | 192.168.2.7
Aug 9, 2024 09:10:27.583837986 CEST | 49714 | 587 | 192.168.2.7 | 209.124.85.231
Aug 9, 2024 09:10:27.583981991 CEST | 49714 | 587 | 192.168.2.7 | 209.124.85.231
Aug 9, 2024 09:10:27.584121943 CEST | 49714 | 587 | 192.168.2.7 | 209.124.85.231
Aug 9, 2024 09:10:27.584177017 CEST | 49714 | 587 | 192.168.2.7 | 209.124.85.231
Aug 9, 2024 09:10:27.584177017 CEST | 49714 | 587 | 192.168.2.7 | 209.124.85.231
Aug 9, 2024 09:10:27.584260941 CEST | 49714 | 587 | 192.168.2.7 | 209.124.85.231
Aug 9, 2024 09:10:27.584532022 CEST | 49714 | 587 | 192.168.2.7 | 209.124.85.231
Aug 9, 2024 09:10:27.588700056 CEST | 587 | 49714 | 209.124.85.231 | 192.168.2.7
Aug 9, 2024 09:10:27.588818073 CEST | 587 | 49714 | 209.124.85.231 | 192.168.2.7
Aug 9, 2024 09:10:27.589049101 CEST | 587 | 49714 | 209.124.85.231 | 192.168.2.7
Aug 9, 2024 09:10:27.589057922 CEST | 587 | 49714 | 209.124.85.231 | 192.168.2.7
Aug 9, 2024 09:10:27.589066982 CEST | 587 | 49714 | 209.124.85.231 | 192.168.2.7
Aug 9, 2024 09:10:27.589080095 CEST | 587 | 49714 | 209.124.85.231 | 192.168.2.7
Aug 9, 2024 09:10:27.589277029 CEST | 587 | 49714 | 209.124.85.231 | 192.168.2.7
Aug 9, 2024 09:10:27.724225998 CEST | 587 | 49714 | 209.124.85.231 | 192.168.2.7
Aug 9, 2024 09:10:27.773763895 CEST | 49714 | 587 | 192.168.2.7 | 209.124.85.231
Aug 9, 2024 09:12:05.587172031 CEST | 49714 | 587 | 192.168.2.7 | 209.124.85.231
Aug 9, 2024 09:12:05.592117071 CEST | 587 | 49714 | 209.124.85.231 | 192.168.2.7
Aug 9, 2024 09:12:05.702533007 CEST | 587 | 49714 | 209.124.85.231 | 192.168.2.7
Aug 9, 2024 09:12:05.703227997 CEST | 49714 | 587 | 192.168.2.7 | 209.124.85.231
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Aug 9, 2024 09:08:48.300947905 CEST | 54934 | 53 | 192.168.2.7 | 1.1.1.1
Aug 9, 2024 09:08:48.309997082 CEST | 53 | 54934 | 1.1.1.1 | 192.168.2.7
Aug 9, 2024 09:08:52.983375072 CEST | 55839 | 53 | 192.168.2.7 | 1.1.1.1
Aug 9, 2024 09:08:53.192420006 CEST | 53 | 55839 | 1.1.1.1 | 192.168.2.7
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Aug 9, 2024 09:08:48.300947905 CEST | 192.168.2.7 | 1.1.1.1 | 0x4fe5 | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
Aug 9, 2024 09:08:52.983375072 CEST | 192.168.2.7 | 1.1.1.1 | 0x7198 | Standard query (0) | mail.convergesolve.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Aug 9, 2024 09:08:48.309997082 CEST | 1.1.1.1 | 192.168.2.7 | 0x4fe5 | No error (0) | api.ipify.org |  | 172.67.74.152 | A (IP address) | IN (0x0001) | false
Aug 9, 2024 09:08:48.309997082 CEST | 1.1.1.1 | 192.168.2.7 | 0x4fe5 | No error (0) | api.ipify.org |  | 104.26.13.205 | A (IP address) | IN (0x0001) | false
Aug 9, 2024 09:08:48.309997082 CEST | 1.1.1.1 | 192.168.2.7 | 0x4fe5 | No error (0) | api.ipify.org |  | 104.26.12.205 | A (IP address) | IN (0x0001) | false
Aug 9, 2024 09:08:53.192420006 CEST | 1.1.1.1 | 192.168.2.7 | 0x7198 | No error (0) | mail.convergesolve.com |  | 209.124.85.231 | A (IP address) | IN (0x0001) | false
                                        • api.ipify.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.7 | 49703 | 172.67.74.152 | 443 | 5680 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
Timestamp | Bytes transferred | Direction | Data
2024-08-09 07:08:48 UTC | 155 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
    Host: api.ipify.org
    Connection: Keep-Alive
2024-08-09 07:08:49 UTC | 211 | IN | HTTP/1.1 200 OK
    Date: Fri, 09 Aug 2024 07:08:48 GMT
    Content-Type: text/plain
    Content-Length: 11
    Connection: close
    Vary: Origin
    CF-Cache-Status: DYNAMIC
    Server: cloudflare
    CF-RAY: 8b05eac62df2c35d-EWR
2024-08-09 07:08:49 UTC | 11 | IN | Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33
    Data Ascii: 8.46.123.33


Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
Aug 9, 2024 09:08:53.884090900 CEST | 587 | 49704 | 209.124.85.231 | 192.168.2.7 | 220-server.convergesolve.com ESMTP Exim 4.96.2 #2 Fri, 09 Aug 2024 03:08:53 -0400
    220-We do not authorize the use of this system to transport unsolicited,
    220 and/or bulk e-mail.
Aug 9, 2024 09:08:53.935537100 CEST | 587 | 49704 | 209.124.85.231 | 192.168.2.7 | 220-server.convergesolve.com ESMTP Exim 4.96.2 #2 Fri, 09 Aug 2024 03:08:53 -0400
    220-We do not authorize the use of this system to transport unsolicited,
    220 and/or bulk e-mail.
Aug 9, 2024 09:08:53.946594000 CEST | 49704 | 587 | 192.168.2.7 | 209.124.85.231 | EHLO 138727
Aug 9, 2024 09:08:54.060529947 CEST | 587 | 49704 | 209.124.85.231 | 192.168.2.7 | 250-server.convergesolve.com Hello 138727 [8.46.123.33]
    250-SIZE 52428800
    250-8BITMIME
    250-PIPELINING
    250-PIPECONNECT
    250-STARTTLS
    250 HELP
Aug 9, 2024 09:08:54.074464083 CEST | 49704 | 587 | 192.168.2.7 | 209.124.85.231 | STARTTLS
Aug 9, 2024 09:08:54.192979097 CEST | 587 | 49704 | 209.124.85.231 | 192.168.2.7 | 220 TLS go ahead
Aug 9, 2024 09:08:56.288419962 CEST | 587 | 49705 | 209.124.85.231 | 192.168.2.7 | 220-server.convergesolve.com ESMTP Exim 4.96.2 #2 Fri, 09 Aug 2024 03:08:56 -0400
    220-We do not authorize the use of this system to transport unsolicited,
    220 and/or bulk e-mail.
Aug 9, 2024 09:08:56.288616896 CEST | 49705 | 587 | 192.168.2.7 | 209.124.85.231 | EHLO 138727
Aug 9, 2024 09:08:56.401511908 CEST | 587 | 49705 | 209.124.85.231 | 192.168.2.7 | 250-server.convergesolve.com Hello 138727 [8.46.123.33]
    250-SIZE 52428800
    250-8BITMIME
    250-PIPELINING
    250-PIPECONNECT
    250-STARTTLS
    250 HELP
Aug 9, 2024 09:08:56.401743889 CEST | 49705 | 587 | 192.168.2.7 | 209.124.85.231 | STARTTLS
Aug 9, 2024 09:08:56.518033028 CEST | 587 | 49705 | 209.124.85.231 | 192.168.2.7 | 220 TLS go ahead
Aug 9, 2024 09:10:26.208992004 CEST | 587 | 49714 | 209.124.85.231 | 192.168.2.7 | 220-server.convergesolve.com ESMTP Exim 4.96.2 #2 Fri, 09 Aug 2024 03:10:26 -0400
    220-We do not authorize the use of this system to transport unsolicited,
    220 and/or bulk e-mail.
Aug 9, 2024 09:10:26.209558964 CEST | 49714 | 587 | 192.168.2.7 | 209.124.85.231 | EHLO 138727
Aug 9, 2024 09:10:26.322134018 CEST | 587 | 49714 | 209.124.85.231 | 192.168.2.7 | 250-server.convergesolve.com Hello 138727 [8.46.123.33]
    250-SIZE 52428800
    250-8BITMIME
    250-PIPELINING
    250-PIPECONNECT
    250-STARTTLS
    250 HELP
Aug 9, 2024 09:10:26.323515892 CEST | 49714 | 587 | 192.168.2.7 | 209.124.85.231 | STARTTLS
Aug 9, 2024 09:10:26.441826105 CEST | 587 | 49714 | 209.124.85.231 | 192.168.2.7 | 220 TLS go ahead
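The SMTP rows above are the exfiltration channel: after api.ipify.org returned 8.46.123.33, each submission session to mail.convergesolve.com:587 opens with EHLO 138727 (a bare numeric token, neither a fully qualified host name nor a bracketed address literal), the server echoes that same public address back, and the client issues STARTTLS at once, so the credentials and stolen data travel encrypted. The three sessions start at 09:08:53, 09:08:56 and 09:10:26, with the third 90 seconds after the second. The script below is an added example and not part of the Joe Sandbox report: it re-types the report's DNS answers, HTTP body and SMTP command rows as constructed input and correlates them into a single finding. The function names, the pipe-separated input layout and the fields of the returned finding are this example's own assumptions.

```python
"""Added example: correlate the report's DNS, HTTP and SMTP records into one
exfiltration finding. Not part of the Joe Sandbox report; the rows below are
re-typed from the report's tables as constructed input."""
import re
from datetime import datetime, timedelta

# Constructed from the report's DNS answer table (the CName column was empty).
DNS_ANSWERS = [
    ("api.ipify.org", "172.67.74.152"),
    ("api.ipify.org", "104.26.13.205"),
    ("api.ipify.org", "104.26.12.205"),
    ("mail.convergesolve.com", "209.124.85.231"),
]

# Constructed from the HTTP table: the 11-byte body returned by api.ipify.org.
HTTP_BODY = "8.46.123.33"

# Constructed from the SMTP table, one row per command or reply:
# timestamp|src port|dst port|src ip|dst ip|first line of the command/reply
SMTP_LOG = """\
Aug 9, 2024 09:08:53.946594000 CEST|49704|587|192.168.2.7|209.124.85.231|EHLO 138727
Aug 9, 2024 09:08:54.060529947 CEST|587|49704|209.124.85.231|192.168.2.7|250-server.convergesolve.com Hello 138727 [8.46.123.33]
Aug 9, 2024 09:08:54.074464083 CEST|49704|587|192.168.2.7|209.124.85.231|STARTTLS
Aug 9, 2024 09:08:56.288616896 CEST|49705|587|192.168.2.7|209.124.85.231|EHLO 138727
Aug 9, 2024 09:08:56.401511908 CEST|587|49705|209.124.85.231|192.168.2.7|250-server.convergesolve.com Hello 138727 [8.46.123.33]
Aug 9, 2024 09:08:56.401743889 CEST|49705|587|192.168.2.7|209.124.85.231|STARTTLS
Aug 9, 2024 09:10:26.209558964 CEST|49714|587|192.168.2.7|209.124.85.231|EHLO 138727
Aug 9, 2024 09:10:26.322134018 CEST|587|49714|209.124.85.231|192.168.2.7|250-server.convergesolve.com Hello 138727 [8.46.123.33]
Aug 9, 2024 09:10:26.323515892 CEST|49714|587|192.168.2.7|209.124.85.231|STARTTLS
"""

TS_RE = re.compile(r"^(\w{3} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2})\.(\d+) \w+$")
ADDR_LITERAL = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
SUBMISSION_PORT = 587


def parse_ts(text):
    """Joe Sandbox prints nanosecond fractions; strptime only takes microseconds."""
    m = TS_RE.match(text)
    base = datetime.strptime(m.group(1), "%b %d, %Y %H:%M:%S")
    return base + timedelta(microseconds=int(m.group(2)[:6]))


def parse_smtp(log):
    rows = []
    for line in log.splitlines():
        ts, sport, dport, sip, dip, cmd = line.split("|", 5)
        rows.append({"ts": parse_ts(ts), "sport": int(sport), "dport": int(dport),
                     "sip": sip, "dip": dip, "cmd": cmd})
    return rows


def ehlo_is_suspicious(arg):
    """RFC 5321 expects a FQDN or a bracketed address literal after EHLO."""
    if arg.startswith("[") and arg.endswith("]"):
        return False
    return "." not in arg  # bare token such as '138727' in this report


def build_sessions(rows):
    """One session per client ephemeral port, recording what each side said."""
    sessions = {}
    for r in rows:
        if r["dport"] == SUBMISSION_PORT:
            key, server = r["sport"], r["dip"]
        elif r["sport"] == SUBMISSION_PORT:
            key, server = r["dport"], r["sip"]
        else:
            continue
        s = sessions.setdefault(key, {"start": r["ts"], "server": server, "ehlo": None,
                                      "starttls": False, "echoed_ip": None})
        cmd = r["cmd"]
        if key == r["sport"] and cmd.upper().startswith("EHLO "):
            s["ehlo"] = cmd.split(" ", 1)[1]
        elif key == r["sport"] and cmd.upper() == "STARTTLS":
            s["starttls"] = True
        elif key == r["dport"] and (m := ADDR_LITERAL.search(cmd)):
            s["echoed_ip"] = m.group(1)  # the server's view of our public address
    return sorted(sessions.values(), key=lambda s: s["start"])


def correlate(dns_answers, http_body, smtp_log):
    """Which name the mail server was resolved from, whether the ipify answer is
    the address the server echoed back, and how the sessions are spaced."""
    ip_to_name = {ip: name for name, ip in dns_answers}
    sessions = build_sessions(parse_smtp(smtp_log))
    public_ip = http_body.strip()
    echoed = {s["echoed_ip"] for s in sessions if s["echoed_ip"]}
    gaps = [(b["start"] - a["start"]).total_seconds() for a, b in zip(sessions, sessions[1:])]
    return {
        "mail_hosts": sorted({ip_to_name.get(s["server"], s["server"]) for s in sessions}),
        "public_ip": public_ip,
        "public_ip_seen_by_server": public_ip in echoed,
        "suspicious_ehlo": [s["ehlo"] for s in sessions if s["ehlo"] and ehlo_is_suspicious(s["ehlo"])],
        "starttls_sessions": sum(s["starttls"] for s in sessions),
        "session_count": len(sessions),
        "gaps_s": [round(g, 1) for g in gaps],
    }


if __name__ == "__main__":
    import json
    print(json.dumps(correlate(DNS_ANSWERS, HTTP_BODY, SMTP_LOG), indent=2))
```

Run it as-is and it prints the finding for this report: one mail host, the public IP both fetched and echoed, three STARTTLS sessions, three non-conforming EHLO arguments, and gaps of 2.3 s and 89.9 s. On a real sensor the same logic applies to Zeek smtp.log or a proxy log once the row layout is adapted; the EHLO check and the ipify-to-address-literal match are the two signals that survive the TLS upgrade.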


                                        Target ID:3
                                        Start time:03:08:46
                                        Start date:09/08/2024
                                        Path:C:\Users\user\Desktop\invoice727282_PDF..exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Users\user\Desktop\invoice727282_PDF..exe"
                                        Imagebase:0x2e0000
                                        File size:256'072 bytes
                                        MD5 hash:8A1B3F441A8F2DA1B6BB52359FA5694D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.1272969441.0000000003975000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.1272969441.0000000003975000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.1272969441.0000000003B95000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.1272969441.0000000003B95000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        Reputation:low
                                        Has exited:true

                                        Target ID:6
                                        Start time:03:08:46
                                        Start date:09/08/2024
                                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Aspnet_compiler.exe"
                                        Imagebase:0xd10000
                                        File size:56'368 bytes
                                        MD5 hash:FDA8C8F2A4E100AFB14C13DFCBCAB2D2
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.3741077365.0000000003061000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.3729441710.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.3729441710.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.3741077365.0000000003021000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.3741077365.0000000003021000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.3741077365.000000000304C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        Reputation:moderate
                                        Has exited:false

                                        Target ID:12
                                        Start time:03:09:01
                                        Start date:09/08/2024
                                        Path:C:\Users\user\AppData\Roaming\QGwHqTR\QGwHqTR.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Users\user\AppData\Roaming\QGwHqTR\QGwHqTR.exe"
                                        Imagebase:0x340000
                                        File size:56'368 bytes
                                        MD5 hash:FDA8C8F2A4E100AFB14C13DFCBCAB2D2
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Antivirus matches:
                                        • Detection: 0%, ReversingLabs
                                        • Detection: 0%, Virustotal, Browse
                                        Reputation:moderate
                                        Has exited:true

                                        Target ID:13
                                        Start time:03:09:02
                                        Start date:09/08/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff75da10000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:15
                                        Start time:04:14:57
                                        Start date:09/08/2024
                                        Path:C:\Users\user\AppData\Roaming\QGwHqTR\QGwHqTR.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Users\user\AppData\Roaming\QGwHqTR\QGwHqTR.exe"
                                        Imagebase:0x500000
                                        File size:56'368 bytes
                                        MD5 hash:FDA8C8F2A4E100AFB14C13DFCBCAB2D2
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Reputation:moderate
                                        Has exited:true

                                        Target ID:16
                                        Start time:04:14:58
                                        Start date:09/08/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff75da10000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true
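The process list above has one detail worth turning into a rule: the persistence copy C:\Users\user\AppData\Roaming\QGwHqTR\QGwHqTR.exe has the same MD5 (FDA8C8F2A4E100AFB14C13DFCBCAB2D2) and size (56'368 bytes) as C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe. That is why it scores 0% at ReversingLabs and VirusTotal: the file on disk is a clean Microsoft binary and the AgentTesla payload exists only injected in memory. The same image is started again 65 minutes later (Target 15), this time without administrator rights. The script below is an added example and not part of the report: it parses the report's Key:Value process records (re-typed here as constructed input) and applies three checks, a system-binary hash appearing under a user-writable path, a document-lure file name, and repeated starts of the same image. Rule names, the lure pattern and the path heuristics are this example's assumptions.

```python
"""Added example: rule checks over Joe Sandbox process records. Not part of the
report; the records below are re-typed from this report's Target ID entries
(a subset of fields) as constructed input."""
import re
from collections import defaultdict
from datetime import datetime

PROCESS_RECORDS = r"""
Target ID:3
Start time:03:08:46
Path:C:\Users\user\Desktop\invoice727282_PDF..exe
MD5 hash:8A1B3F441A8F2DA1B6BB52359FA5694D
Has administrator privileges:true

Target ID:6
Start time:03:08:46
Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
MD5 hash:FDA8C8F2A4E100AFB14C13DFCBCAB2D2
Has administrator privileges:true

Target ID:12
Start time:03:09:01
Path:C:\Users\user\AppData\Roaming\QGwHqTR\QGwHqTR.exe
MD5 hash:FDA8C8F2A4E100AFB14C13DFCBCAB2D2
Has administrator privileges:false

Target ID:13
Start time:03:09:02
Path:C:\Windows\System32\conhost.exe
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has administrator privileges:false

Target ID:15
Start time:04:14:57
Path:C:\Users\user\AppData\Roaming\QGwHqTR\QGwHqTR.exe
MD5 hash:FDA8C8F2A4E100AFB14C13DFCBCAB2D2
Has administrator privileges:false

Target ID:16
Start time:04:14:58
Path:C:\Windows\System32\conhost.exe
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has administrator privileges:false
"""

SYSTEM_ROOT = "c:\\windows\\"
USER_WRITABLE = ("\\appdata\\", "\\users\\")
# Document-style lure names such as '_PDF..exe' or '.doc.exe' (assumed pattern).
LURE_RE = re.compile(r"[._-](pdf|docx?|xlsx?|jpe?g|png)\.+exe$", re.IGNORECASE)


def parse_records(text):
    """Blank-line separated blocks of 'Key:Value' lines, one block per process."""
    procs = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = dict(line.split(":", 1) for line in block.splitlines())
        rec["Start time"] = datetime.strptime(rec["Start time"], "%H:%M:%S")
        procs.append(rec)
    return procs


def relocated_system_binaries(procs):
    """Same MD5 seen both under C:\\Windows and under a user-writable path: a
    clean system binary copied out to serve as an injection host, which is why
    the copy itself gets no AV hits."""
    by_hash = defaultdict(set)
    for p in procs:
        by_hash[p["MD5 hash"].upper()].add(p["Path"])
    findings = []
    for h, paths in sorted(by_hash.items()):
        sys_paths = sorted(x for x in paths if x.lower().startswith(SYSTEM_ROOT))
        user_paths = sorted(x for x in paths if any(m in x.lower() for m in USER_WRITABLE))
        if sys_paths and user_paths:
            findings.append((h, sys_paths, user_paths))
    return findings


def lure_names(procs):
    """Executables whose file name imitates a document."""
    return [p["Path"] for p in procs if LURE_RE.search(p["Path"].rsplit("\\", 1)[-1])]


def relaunch_gaps(procs):
    """Seconds between consecutive starts of the same image (persistence re-execution)."""
    starts = defaultdict(list)
    for p in procs:
        starts[p["Path"]].append(p["Start time"])
    gaps = {}
    for path, times in starts.items():
        times.sort()
        if len(times) > 1:
            gaps[path] = [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]
    return gaps


if __name__ == "__main__":
    procs = parse_records(PROCESS_RECORDS)
    for finding in relocated_system_binaries(procs):
        print("relocated system binary:", finding)
    print("lure names:", lure_names(procs))
    print("relaunch gaps (s):", relaunch_gaps(procs))
```

The hash-relocation rule is the one that matters operationally: an EDR hash allow-list keyed only on "known Microsoft binary" would pass QGwHqTR.exe, so the rule has to key on hash plus path. Note that conhost.exe also shows a 3956 s relaunch gap here, because it is spawned alongside each QGwHqTR.exe run; the gap rule is a correlation hint, not a verdict by itself.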


                                          Execution Graph

                                          Execution Coverage:23.4%
                                          Dynamic/Decrypted Code Coverage:100%
                                          Signature Coverage:0%
                                          Total number of Nodes:17
                                          Total number of Limit Nodes:2
Execution graph: API-calling nodes, one sub-graph per function (the graph's non-API nodes and edges are omitted here)
• 0x936250 → 0x9362dd: CreateProcessW
• 0x936600 → 0x936673: Wow64SetThreadContext
• 0x936740: ReadProcessMemory
• 0x936858: VirtualAllocEx
• 0x936960 → 0x9369de: WriteProcessMemory
• 0x936b70: ResumeThread
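The execution graph lists, as separate functions, the Win32 calls that together make up the classic process-hollowing sequence: CreateProcessW, VirtualAllocEx, WriteProcessMemory, Wow64SetThreadContext and ResumeThread, with ReadProcessMemory alongside. Wow64SetThreadContext fits the 32-bit aspnet_compiler.exe target recorded above (Wow64 process: true). The graph records no call order, so the ordering is the known technique, not something the graph proves. The parser below is an added example, not Joe Sandbox code: it reads the report's raw execution_graph token stream (copied here as a constant), rebuilds nodes and edges, and reports whether the hollowing API set is present. The step list, the entry-point heuristic and the output fields are this example's assumptions.

```python
"""Added example: parse Joe Sandbox's raw execution_graph text and test it for
the process-hollowing API set. Not Joe Sandbox code; the graph string is copied
from this report, everything else is this example's assumption."""
import re

EXECUTION_GRAPH = (
    "execution_graph 3344 936250 3345 9362dd CreateProcessW 3344->3345 3347 936444 "
    "3345->3347 3347->3347 3348 936b70 ResumeThread 3349 936bf8 3348->3349 3352 936600 "
    "3353 936673 Wow64SetThreadContext 3352->3353 3354 93665e 3352->3354 3355 9366bc "
    "3353->3355 3354->3353 3356 936740 ReadProcessMemory 3357 9367ff 3356->3357 "
    "3358 936960 3359 9369c9 3358->3359 3360 9369de WriteProcessMemory 3358->3360 "
    "3359->3360 3361 936a40 3360->3361 3350 936858 VirtualAllocEx 3351 93690f 3350->3351"
)

# Each step of the hollowing sequence, matched as a substring so the A/W and
# Wow64/Nt variants are all accepted (assumed pattern, not from the report).
HOLLOWING_STEPS = ("CreateProcess", "VirtualAllocEx", "WriteProcessMemory",
                   "SetThreadContext", "ResumeThread")

NAME_RE = re.compile(r"[A-Za-z_]\w*")
HEX_RE = re.compile(r"[0-9a-fA-F]+")


def parse_execution_graph(text):
    """Token stream is '<id> <hex addr> [ApiName]' for nodes and '<id>-><id>' for edges."""
    tokens = text.split()
    if tokens[0] != "execution_graph":
        raise ValueError("not an execution_graph dump")
    nodes, edges = {}, []
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        if "->" in tok:
            a, b = tok.split("->")
            edges.append((int(a), int(b)))
            i += 1
            continue
        node_id, addr = int(tok), int(tokens[i + 1], 16)
        api = None
        nxt = tokens[i + 2] if i + 2 < len(tokens) else ""
        # An API name is an identifier that is not itself a plausible hex address.
        if NAME_RE.fullmatch(nxt) and not HEX_RE.fullmatch(nxt):
            api = nxt
            i += 1
        nodes[node_id] = (addr, api)
        i += 2
    return nodes, edges


def entry_points(nodes, edges):
    """Nodes with no incoming edge (self-loops ignored): one per function in the graph."""
    targets = {b for a, b in edges if a != b}
    return sorted(n for n in nodes if n not in targets)


def reachable_apis(nodes, edges, start):
    """Depth-first walk collecting (api, address) for every API node reachable from start."""
    succ = {}
    for a, b in edges:
        succ.setdefault(a, set()).add(b)
    seen, stack, apis = set(), [start], []
    while stack:
        n = stack.pop()
        if n in seen:
            continue
        seen.add(n)
        addr, api = nodes[n]
        if api:
            apis.append((api, addr))
        stack.extend(succ.get(n, ()))
    return apis


def hollowing_verdict(text):
    nodes, edges = parse_execution_graph(text)
    entries = entry_points(nodes, edges)
    found = {}
    for e in entries:
        for api, addr in reachable_apis(nodes, edges, e):
            found[api] = f"0x{addr:x}"
    missing = [step for step in HOLLOWING_STEPS if not any(step in api for api in found)]
    return {
        "node_count": len(nodes),
        "function_count": len(entries),
        "apis": dict(sorted(found.items())),
        "missing_steps": missing,
        "is_hollowing_set": not missing,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(hollowing_verdict(EXECUTION_GRAPH), indent=2))
```

On this report's graph the parser recovers 17 nodes (matching the "Total number of Nodes" figure above) in 6 functions and finds every step present. A graph containing only ResumeThread, or only the VirtualAllocEx/WriteProcessMemory pair, reports the missing steps instead, which keeps ordinary child-process launches or memory-writing debuggers out of the verdict.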

Control-flow Graph: function at 0x930a98 (first basic block 0x930a98-0x930ac3), rendered in the report with executed and not-executed node colouring; the node and edge listing is omitted here.
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.1272053261.0000000000930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00930000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_930000_invoice727282_PDF.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: pq
                                          • API String ID: 0-153521182
                                          • Opcode ID: 8ded334e026367fe425ac14764bbfd6a3e41ef398cdbfbf797c39bcea3e03d75
                                          • Instruction ID: ed3bb3817d715e26a1b93dbddb6fe51b54ce70c7067fe96f1c6c400b13c81ea3
                                          • Opcode Fuzzy Hash: 8ded334e026367fe425ac14764bbfd6a3e41ef398cdbfbf797c39bcea3e03d75
                                          • Instruction Fuzzy Hash: 7832C175A00218DFDB25CF68C944B99BBB2FF89300F1581E9E509AB261DB31AE91DF11

Control-flow Graph: function at 0x9327e1 (first basic block 0x9327e1-0x93281c), rendered in the report with executed and not-executed node colouring. The graph records calls into 0x931448, 0x933082, 0x933090, 0x93310a, 0x933140, 0x933150, 0x933348, 0x933358, 0x9333c8, 0x9333d8, 0x933771 and 0x933780; the node and edge listing is omitted here.
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.1272053261.0000000000930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00930000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_930000_invoice727282_PDF.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: XXq
                                          • API String ID: 0-1863046703
                                          • Opcode ID: 5c78fee9dde1efe5d8b07e8f7a6a5f54ff4b5cf40fed8f9edc3fcc93573bedad
                                          • Instruction ID: 744c415fd1ef5875aa7137b97f096e93d5904f44125120ef8e075b40bed4afe8
                                          • Opcode Fuzzy Hash: 5c78fee9dde1efe5d8b07e8f7a6a5f54ff4b5cf40fed8f9edc3fcc93573bedad
                                          • Instruction Fuzzy Hash: 8132B474E01259CFEB64CF69DD84B9DBBB2BF89300F1091AAD909A7294DB345E81CF50

                                          Control-flow Graph
                                          • Graph image not reproduced; basic blocks 936245-936556, CreateProcessW called from block 936367-936442
                                          APIs
                                          • CreateProcessW.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0093642F
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.1272053261.0000000000930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00930000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_930000_invoice727282_PDF.jbxd
                                          Similarity
                                          • API ID: CreateProcess
                                          • String ID:
                                          • API String ID: 963392458-0
                                          • Opcode ID: 0d0a2b4da37f1f54d4687ca4cc7d485e1000691968603471a5c5186fbce54563
                                          • Instruction ID: 7c66a759e850c3e312c5fed82f6377ee17c2f5f74138d10734c5f92a53fb78b0
                                          • Opcode Fuzzy Hash: 0d0a2b4da37f1f54d4687ca4cc7d485e1000691968603471a5c5186fbce54563
                                          • Instruction Fuzzy Hash: F681DF71D002699FDB25CFA5C884BDEBBF1AF09300F0490AAE548B7260DB709E85CF94

                                          Control-flow Graph
                                          • Graph image not reproduced; basic blocks 936250-936556, CreateProcessW called from block 936367-936442
                                          APIs
                                          • CreateProcessW.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0093642F
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.1272053261.0000000000930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00930000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_930000_invoice727282_PDF.jbxd
                                          Similarity
                                          • API ID: CreateProcess
                                          • String ID:
                                          • API String ID: 963392458-0
                                          • Opcode ID: 0b1b531e4be4927eb605ffddc5089a7c5fd3f5a101a029a3b9bb10a2b2a885b6
                                          • Instruction ID: 6fc7564f56b5ef72f6f3b92f2243c1ca803c9103c3ada1ce64d45d406659124f
                                          • Opcode Fuzzy Hash: 0b1b531e4be4927eb605ffddc5089a7c5fd3f5a101a029a3b9bb10a2b2a885b6
                                          • Instruction Fuzzy Hash: 9D81CF75C0026D9FDB25CFA5C884BDEBBF5AB09300F0490AAE548B7220DB709E85CF94

                                          Control-flow Graph
                                          • Graph image not reproduced; basic blocks 93695a-936a85, WriteProcessMemory called from block 9369de-936a3e
                                          APIs
                                          • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00936A2E
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.1272053261.0000000000930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00930000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_930000_invoice727282_PDF.jbxd
                                          Similarity
                                          • API ID: MemoryProcessWrite
                                          • String ID:
                                          • API String ID: 3559483778-0
                                          • Opcode ID: 10a7faf347c35169f75140e1ebaa6328624081ab62adc003afc059a3914ed68b
                                          • Instruction ID: 72b43f97755b2baed89508df03876e5a3e38cdb53d1015ceed2afd711839773f
                                          • Opcode Fuzzy Hash: 10a7faf347c35169f75140e1ebaa6328624081ab62adc003afc059a3914ed68b
                                          • Instruction Fuzzy Hash: 1E416BB5D042589FCB11CFA9D984ADEFBF1BB49310F24902AE818B7350D375AA45CF64

                                          Control-flow Graph
                                          • Graph image not reproduced; basic blocks 936960-936a85, WriteProcessMemory called from block 9369de-936a3e
                                          APIs
                                          • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00936A2E
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.1272053261.0000000000930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00930000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_930000_invoice727282_PDF.jbxd
                                          Similarity
                                          • API ID: MemoryProcessWrite
                                          • String ID:
                                          • API String ID: 3559483778-0
                                          • Opcode ID: a2c270f98fe3586743f81fb07183b2145a1025a0e10cb1eed072b468ae27900e
                                          • Instruction ID: 78383d48951cdbb08078408354f84ae1e3232e0294d8af28388e0d896cf02236
                                          • Opcode Fuzzy Hash: a2c270f98fe3586743f81fb07183b2145a1025a0e10cb1eed072b468ae27900e
                                          • Instruction Fuzzy Hash: 984157B9D012589FCB10CFA9D984ADEFBF5BB49310F24902AE818B7250D375AA45CF64

                                          Control-flow Graph
                                          • Graph image not reproduced; entry block 9365f8, basic blocks spanning 936592-9366fb, Wow64SetThreadContext called from block 936673-9366ba
                                          APIs
                                          • Wow64SetThreadContext.KERNEL32(?,?), ref: 009366AA
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.1272053261.0000000000930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00930000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_930000_invoice727282_PDF.jbxd
                                          Similarity
                                          • API ID: ContextThreadWow64
                                          • String ID:
                                          • API String ID: 983334009-0
                                          • Opcode ID: b4ac8a45a2a2fd717829c275ce22eb3c31575931691b715daebdced38b4916b9
                                          • Instruction ID: a5d782e6d20975637f43104a0ba5c4c3c2ffd7c2bcacfdf8836c8c25c6bd3ce2
                                          • Opcode Fuzzy Hash: b4ac8a45a2a2fd717829c275ce22eb3c31575931691b715daebdced38b4916b9
                                          • Instruction Fuzzy Hash: 5041DBB4D01248AFCB10CFA9D884ADEFBF5BB49314F24806AE418B7350D339AA45CF64

                                          Control-flow Graph
                                          • Graph image not reproduced; basic blocks 936738-936844, ReadProcessMemory called from block 936738-9367fd
                                          APIs
                                          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 009367ED
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.1272053261.0000000000930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00930000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_930000_invoice727282_PDF.jbxd
                                          Similarity
                                          • API ID: MemoryProcessRead
                                          • String ID:
                                          • API String ID: 1726664587-0
                                          • Opcode ID: a08af646a5b03f0df11411397878ab79669ca97a99b030d578d7b2a44b554089
                                          • Instruction ID: c16f007fc30cb7d57143677aa1cd5d46cfdfc5bbc37817e817bb6117386f4114
                                          • Opcode Fuzzy Hash: a08af646a5b03f0df11411397878ab79669ca97a99b030d578d7b2a44b554089
                                          • Instruction Fuzzy Hash: 0F4177B9D042589FCF10CFAAD984ADEFBB1BB19310F24902AE815B7250D375A946CF64

                                          Control-flow Graph
                                          • Graph image not reproduced; basic blocks 936740-936844, ReadProcessMemory called from block 936740-9367fd
                                          APIs
                                          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 009367ED
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.1272053261.0000000000930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00930000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_930000_invoice727282_PDF.jbxd
                                          Similarity
                                          • API ID: MemoryProcessRead
                                          • String ID:
                                          • API String ID: 1726664587-0
                                          • Opcode ID: 8784fdb20a1aeb024756ed962b797c2fa65f1f18b1967e5b748b6485e4ad93e1
                                          • Instruction ID: 0bc035185a50d37cd25d05910d65312c61d4748a9edb6fc80989e081bbb03af9
                                          • Opcode Fuzzy Hash: 8784fdb20a1aeb024756ed962b797c2fa65f1f18b1967e5b748b6485e4ad93e1
                                          • Instruction Fuzzy Hash: CE3166B9D042589FCF10CFAAD984ADEFBB5BB19310F20A02AE814B7210D375A945CF64

                                          Control-flow Graph
                                          • Graph image not reproduced; basic blocks 936852-93694c, VirtualAllocEx called from block 936858-93690d
                                          APIs
                                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 009368FD
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.1272053261.0000000000930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00930000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_930000_invoice727282_PDF.jbxd
                                          Similarity
                                          • API ID: AllocVirtual
                                          • String ID:
                                          • API String ID: 4275171209-0
                                          • Opcode ID: bf7dac0aa986e8c652e065710c5ff4cb69ed9fc0400d4a8d9facff91cf6ca82e
                                          • Instruction ID: 86c32912f43e7d889cbfe5b29ff884050b6bfb02f9071c206bf60c50230fdd1a
                                          • Opcode Fuzzy Hash: bf7dac0aa986e8c652e065710c5ff4cb69ed9fc0400d4a8d9facff91cf6ca82e
                                          • Instruction Fuzzy Hash: CC3167B9D04258DFCF10CFA9D984A9EFBB5BB19310F10902AE814BB310D335A945CF65

                                          Control-flow Graph
                                          • Graph image not reproduced; basic blocks 936858-93694c, VirtualAllocEx called from block 936858-93690d
                                          APIs
                                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 009368FD
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.1272053261.0000000000930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00930000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_930000_invoice727282_PDF.jbxd
                                          Similarity
                                          • API ID: AllocVirtual
                                          • String ID:
                                          • API String ID: 4275171209-0
                                          • Opcode ID: 9579083c8ae5dca228d5b65109649aaa5411774ad054688574b6b68c51bab88a
                                          • Instruction ID: caec6301a03f47980c2265e9312b1c691bf5386c141b96adf380687bc322733d
                                          • Opcode Fuzzy Hash: 9579083c8ae5dca228d5b65109649aaa5411774ad054688574b6b68c51bab88a
                                          • Instruction Fuzzy Hash: E33147B9D04258DFCF10CFA9E984A9EFBB5BB19310F20A02AE914B7310D375A945CF65

                                          Control-flow Graph
                                          • Graph image not reproduced; basic blocks 936600-9366fb, Wow64SetThreadContext called from block 936673-9366ba
                                          APIs
                                          • Wow64SetThreadContext.KERNEL32(?,?), ref: 009366AA
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.1272053261.0000000000930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00930000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_930000_invoice727282_PDF.jbxd
                                          Similarity
                                          • API ID: ContextThreadWow64
                                          • String ID:
                                          • API String ID: 983334009-0
                                          • Opcode ID: 621fc3e88af8819e0ed4d3674532c29064ac43ee19f841dd860b078dc26320c8
                                          • Instruction ID: 71730f3e9ddf10ccd97cfe34ee3d5d7e333d60e9bc1ca9f262813aff5dc41a8e
                                          • Opcode Fuzzy Hash: 621fc3e88af8819e0ed4d3674532c29064ac43ee19f841dd860b078dc26320c8
                                          • Instruction Fuzzy Hash: 9531B8B4D012589FCB10CFAAD984ADEFBF1BB49314F24802AE418B7310C379AA45CF64

                                          Control-flow Graph
                                          • Graph image not reproduced; entry block 936b68, basic blocks spanning 936b02-936c2d, ResumeThread called from block 936b6b-936bf6
                                          APIs
                                          • ResumeThread.KERNELBASE(?), ref: 00936BE6
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.1272053261.0000000000930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00930000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_930000_invoice727282_PDF.jbxd
                                          Similarity
                                          • API ID: ResumeThread
                                          • String ID:
                                          • API String ID: 947044025-0
                                          • Opcode ID: 208466d0550c80b5360415cb99759064ee8406269ea0db1528e7e5eb046cbef6
                                          • Instruction ID: 14f758e4665536ff52be49d16e56eebb5ed428780a9d0c3a4e7370a9ac2d2cb5
                                          • Opcode Fuzzy Hash: 208466d0550c80b5360415cb99759064ee8406269ea0db1528e7e5eb046cbef6
                                          • Instruction Fuzzy Hash: 8B319DB9D04249AFCB10CFA9D484ADEFBB5EB49310F14905AE814B7310D375A941CFA4

                                          Control-flow Graph
                                          • Graph image not reproduced; basic blocks 936b70-936c2d, ResumeThread called from block 936b70-936bf6
                                          APIs
                                          • ResumeThread.KERNELBASE(?), ref: 00936BE6
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.1272053261.0000000000930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00930000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_930000_invoice727282_PDF.jbxd
                                          Similarity
                                          • API ID: ResumeThread
                                          • String ID:
                                          • API String ID: 947044025-0
                                          • Opcode ID: df818ccb7e350c861a8687ab2b1f6136aaee1c309d7e9b241933d0b229722852
                                          • Instruction ID: 6be836511c153e1726e7d8ce3a7c0c5d0f75a57941fe8eca59b7abc3f7fb31bc
                                          • Opcode Fuzzy Hash: df818ccb7e350c861a8687ab2b1f6136aaee1c309d7e9b241933d0b229722852
                                          • Instruction Fuzzy Hash: BA2198B8D042199FCB10CFA9D484ADEFBF4EB09320F24902AE818B7310D375A945CFA4
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.1272111040.0000000000950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00950000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_950000_invoice727282_PDF.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 5465213bf9561f5c528c60da3b0660707552e2fd921667f078dbe38b26c88a9e
                                          • Instruction ID: 857ddadd9cb2c6fe34eca373845c3a69b83f4e2c62787617852d812bb905d6dc
                                          • Opcode Fuzzy Hash: 5465213bf9561f5c528c60da3b0660707552e2fd921667f078dbe38b26c88a9e
                                          • Instruction Fuzzy Hash: 5021E474D083899FCB02CFA8C8509DDBFB0EF4A300F0490AAE950F7292D3359954CB65
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.1272111040.0000000000950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00950000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_950000_invoice727282_PDF.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 59aad2ff4bbd6168165ece67f8b6dba33fdd83782de2e980fc8248740555b929
                                          • Instruction ID: 1b593e9e475de19828c6fc85fa9f0282af98fb83d46ee9259be56276f9dd4e5d
                                          • Opcode Fuzzy Hash: 59aad2ff4bbd6168165ece67f8b6dba33fdd83782de2e980fc8248740555b929
                                          • Instruction Fuzzy Hash: EB117CB5E002199BCF15CFA9D8409EEBBF5BB49310F10942AE914B7350D7319A50DBA5
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.1272111040.0000000000950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00950000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_950000_invoice727282_PDF.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 76af5336c93cbc5177bd5939aa5fe983f6dc724549e834e229e3b1e9641dd3d7
                                          • Instruction ID: 116fe7b3993d787e5eac5fca8804ea1e6f7dafbde04099bb09f37fe21520414c
                                          • Opcode Fuzzy Hash: 76af5336c93cbc5177bd5939aa5fe983f6dc724549e834e229e3b1e9641dd3d7
                                          • Instruction Fuzzy Hash: 67011D34909388AFC742DFA8D854998BFB4AF46200F1580EBD984DB2A2D6345E49DB52
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.1272111040.0000000000950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00950000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_950000_invoice727282_PDF.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: e84f7b1c8214a3e4f93ae16fff5993398b34c16535ba475314387bd45c2f3479
                                          • Instruction ID: 66f3495b4fd65c493d7125795f2282d5a3a40c0b6fd40c6c0cf28884da6b4611
                                          • Opcode Fuzzy Hash: e84f7b1c8214a3e4f93ae16fff5993398b34c16535ba475314387bd45c2f3479
                                          • Instruction Fuzzy Hash: 10F0F43454E3C49FC742CBB89C649887FB4AF47200B1A40EBD584DB2B3D6349E49DB62
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.1272111040.0000000000950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00950000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_950000_invoice727282_PDF.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 83c10ea73390e6245a1d13af2a2c36d2dc8d46df323e72d3fa9056e49a8f5a0d
                                          • Instruction ID: a87b4ae3f898f072153db6d57b1ff16375fb3a0154ee5aafe64e84a8e2a1e4e7
                                          • Opcode Fuzzy Hash: 83c10ea73390e6245a1d13af2a2c36d2dc8d46df323e72d3fa9056e49a8f5a0d
                                          • Instruction Fuzzy Hash: CCF0F97080E3C8AFC7178BB498642997FB4AF47201F1940EBC494DB2A3D2395E59DB66
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.1272111040.0000000000950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00950000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_950000_invoice727282_PDF.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ceb7ee241e9646897b6dd71c8af05ae62fa302100bf3525111a51f82b18a8790
                                          • Instruction ID: 83dc21ec26e4354be2a1c0f1c60b80855d733317f203c04cd7712a16be78d17f
                                          • Opcode Fuzzy Hash: ceb7ee241e9646897b6dd71c8af05ae62fa302100bf3525111a51f82b18a8790
                                          • Instruction Fuzzy Hash: 23F06730808388EFCB02DFB99824688BFB0AF46304F2480EBD884DB252DA355D46DB51
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.1272111040.0000000000950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00950000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_950000_invoice727282_PDF.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 7258ec471e3f081e3db20b7da8adeb4b0f11cc6b23d60f03bbd6425a17eb010a
                                          • Instruction ID: 08ffd94c3ce0419bc752c757be4c836b6b958d0c7feb1931d3d84d9ed3774d29
                                          • Opcode Fuzzy Hash: 7258ec471e3f081e3db20b7da8adeb4b0f11cc6b23d60f03bbd6425a17eb010a
                                          • Instruction Fuzzy Hash: DAF0F9749093C8AFC742CFA899649997FB4AF46200B1540EAD988DB3A3D2345D49DB52
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.1272111040.0000000000950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00950000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_950000_invoice727282_PDF.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 91eba63d31aeb62ea44359dff2a49c62f9c7638d95e50548722721e8706b07df
                                          • Instruction ID: 16ce19767cfbd201e4333c89dcec47d703f6729a35f28b115e83a01294058f71
                                          • Opcode Fuzzy Hash: 91eba63d31aeb62ea44359dff2a49c62f9c7638d95e50548722721e8706b07df
                                          • Instruction Fuzzy Hash: 52F05E74808388EFCB01DFA8D82068DBFB4EF46300F1080EAD84497292D7345E45DB55
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.1272111040.0000000000950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00950000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_950000_invoice727282_PDF.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 7e33842c4405b8d219433a5de144ece97eef92f4e5a851b7a90cf0aba1b121bf
                                          • Instruction ID: d426bbf2f0d736238d0e55122ec33cfb59ac80758dc60948122caee9bf7174b0
                                          • Opcode Fuzzy Hash: 7e33842c4405b8d219433a5de144ece97eef92f4e5a851b7a90cf0aba1b121bf
                                          • Instruction Fuzzy Hash: F3F01C60449288EFC702DBA899217997FB8AF46201F1500EBD444DB262DA351E14DB56
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.1272111040.0000000000950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00950000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_950000_invoice727282_PDF.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 27fa79697dee7d76ba572c7b5bd6817c56bbb77aca5d7ef5f57904156936d793
                                          • Instruction ID: c25277e31cc0460f50cbb6a7737c56beb9e2dd7a0f9e0b7d48e6b2eb95c5c3a4
                                          • Opcode Fuzzy Hash: 27fa79697dee7d76ba572c7b5bd6817c56bbb77aca5d7ef5f57904156936d793
                                          • Instruction Fuzzy Hash: 34F0A574900208EFCB40DFA8D545A9CBBF4FB48300F1081A9E918A7360D7319E54DB41
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.1272111040.0000000000950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00950000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_950000_invoice727282_PDF.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: cdbb08060d22475a67be1fc17bb783702b7a4e705d87254b763763f13d1f740a
                                          • Instruction ID: 7a07989a29aab402875ff87cce77f8f656af925185e5fae96b0db247ec17239a
                                          • Opcode Fuzzy Hash: cdbb08060d22475a67be1fc17bb783702b7a4e705d87254b763763f13d1f740a
                                          • Instruction Fuzzy Hash: 6CE07574E04208EFCB44DFA9E549A9DBBF4FB48301F1081A9D918A7360D7349E44DF91
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.1272111040.0000000000950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00950000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_950000_invoice727282_PDF.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 60b7f78ba48a976c612cb016c0938695a854c41f6908758a0de8932e08684ae7
                                          • Instruction ID: 60aa4b4d8e296b4e3508d7cffe66acbea95133a3c84edd257e53c1069d695a1d
                                          • Opcode Fuzzy Hash: 60b7f78ba48a976c612cb016c0938695a854c41f6908758a0de8932e08684ae7
                                          • Instruction Fuzzy Hash: 36E01270D00308EFCB44EFA9D445A9DBBB4FB48300F6081AAE818A7354DB35AE90DF84
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.1272111040.0000000000950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00950000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_950000_invoice727282_PDF.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f0b4f208d2f2f8ea89260b2b08074178584a0351799093f51847b5eea1d6a9ff
                                          • Instruction ID: 2cd66a0e012dcc576c631939bb211cfce3e432182bb30ab9c62247aa0c7f3a4d
                                          • Opcode Fuzzy Hash: f0b4f208d2f2f8ea89260b2b08074178584a0351799093f51847b5eea1d6a9ff
                                          • Instruction Fuzzy Hash: 73E04670D04348EFCB14DFB8A5442ADBBF4AB85302F2081E9C818A7350D7359E40EB84
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.1272111040.0000000000950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00950000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_950000_invoice727282_PDF.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 3fa21d0ba4e571c81dc8fbcdeece0ba166dd469f3d0e59a5da3bbc114e466de0
                                          • Instruction ID: f48a2d9e62bef4b41155d1f6fe083445390268ef6aeb78a23cec59e131b9a9b3
                                          • Opcode Fuzzy Hash: 3fa21d0ba4e571c81dc8fbcdeece0ba166dd469f3d0e59a5da3bbc114e466de0
                                          • Instruction Fuzzy Hash: 8EE09274D0420CEFCB54EFA9D944A9DBBB4EB88300F1081AAA918A7354DB346A54DF85
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.1272111040.0000000000950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00950000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_950000_invoice727282_PDF.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 6cbe87cc649847af2253734e402a160295be1779865f845b237235d4819234d1
                                          • Instruction ID: c85fbdbc7d08da7f53d43959d8c32306eff3a11ad2d0b77655f9df907ffe1eea
                                          • Opcode Fuzzy Hash: 6cbe87cc649847af2253734e402a160295be1779865f845b237235d4819234d1
                                          • Instruction Fuzzy Hash: 44E0B674900248EFC740DFA9D585A5CBBF4EB09301F5001A9E90997360E7309E44DB81
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.1272111040.0000000000950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00950000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_950000_invoice727282_PDF.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 5eaa2d779fd8739313439c7b807f60ad26539609eb2aaa785dd09730a7e044e9
                                          • Instruction ID: 0abb1382c0de06cb2c337c740d9869755b2b4eab4fee957a9ce59a7a25a099da
                                          • Opcode Fuzzy Hash: 5eaa2d779fd8739313439c7b807f60ad26539609eb2aaa785dd09730a7e044e9
                                          • Instruction Fuzzy Hash: 04D01770900208EBCB00EBB9DA1166DBBF8FB49340F5001A9A809E7360DB315F049B96
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.1272053261.0000000000930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00930000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_930000_invoice727282_PDF.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: pq
                                          • API String ID: 0-153521182
                                          • Opcode ID: e515b9d78770ac4ca052f3fa583720bdb9c17717a51b7d1e1aeb49a6deb1cea1
                                          • Instruction ID: 5e79aebf95aeaa3eb82624214b1fb6846b6110d4b26cbfafa27236927acf98fd
                                          • Opcode Fuzzy Hash: e515b9d78770ac4ca052f3fa583720bdb9c17717a51b7d1e1aeb49a6deb1cea1
                                          • Instruction Fuzzy Hash: 7202D175A00218DFDB15CFA9C984E9DBBB2FF49314F1580A9E609AB236D731E991DF00
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.1272053261.0000000000930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00930000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_930000_invoice727282_PDF.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: a56e21fb47d87ce4f7538bd88de29c73483e2fcec2e3297f0a94e0e147ffe73a
                                          • Instruction ID: eefd16c665c2a70281a9c41807d2b439022a51c0ff6ea50008f56cb5363b9d4c
                                          • Opcode Fuzzy Hash: a56e21fb47d87ce4f7538bd88de29c73483e2fcec2e3297f0a94e0e147ffe73a
                                          • Instruction Fuzzy Hash: 39610975E04209DFDB18CFAAD944A9DBBF2FF89300F14C1A9D508AB265DB309985CF40

                                          Execution Graph

                                          Execution Coverage:12.8%
                                          Dynamic/Decrypted Code Coverage:100%
                                          Signature Coverage:1%
                                          Total number of Nodes:293
                                          Total number of Limit Nodes:32
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.3749135759.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_6a40000_aspnet_compiler.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: $q$$q$$q$$q$$q$$q
                                          • API String ID: 0-2069967915
                                          • Opcode ID: e7dd8e4546eff4e4478722a6d51422701307d3901a1062b52742319bc00e3e7e
                                          • Instruction ID: b9d7d822a9acb835b6eae3a4ab5413ec37a233e8e2703437a3f660f2ff3a5128
                                          • Opcode Fuzzy Hash: e7dd8e4546eff4e4478722a6d51422701307d3901a1062b52742319bc00e3e7e
                                          • Instruction Fuzzy Hash: 9EE22834E102548FDB64EF68C984A9DBBF2FF89300F5585A9E409AB355DB34ED85CB80

                                          Control-flow Graph

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.3749135759.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_6a40000_aspnet_compiler.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: $q$$q
                                          • API String ID: 0-3126353813
                                          • Opcode ID: 6bd2dd290a373249a4cb813ee2bb3fa81cde7a639a7cf30a9a33f808ddeea43d
                                          • Instruction ID: a35023736c449d7da3736bf6739346f3c044b529b60ce2e3866c0f4e84ce06d4
                                          • Opcode Fuzzy Hash: 6bd2dd290a373249a4cb813ee2bb3fa81cde7a639a7cf30a9a33f808ddeea43d
                                          • Instruction Fuzzy Hash: 58027A30B002159FDB55FB69D850BAEBBE2FF84310F148569E806AB394DB35EC46CB90

                                          Control-flow Graph

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.3749135759.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_6a40000_aspnet_compiler.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: XPq$\Oq
                                          • API String ID: 0-3725437444
                                          • Opcode ID: 60dad5d55e2581392901497e855a60316893d7772725ba50b2fd023854090abd
                                          • Instruction ID: 8458598b05856a0b4577de61c2817fbb24eb98c3e9d6bd2efcbd5ef6b1d6afc1
                                          • Opcode Fuzzy Hash: 60dad5d55e2581392901497e855a60316893d7772725ba50b2fd023854090abd
                                          • Instruction Fuzzy Hash: D1D1C231B101148FDB54FB6DD890AAEB7E6FBC9310F24846AE506DB395CA31DC41C7A1
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.3749135759.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_6a40000_aspnet_compiler.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 69726b2ad45e17e000085b5e0eb89ab21bee8b9979b1fc16e4ab9529ffec4ae2
                                          • Instruction ID: e11fc6b2efc26e1bffa162082c19ef1073d3c546b67d844ff4453e873e3bb28d
                                          • Opcode Fuzzy Hash: 69726b2ad45e17e000085b5e0eb89ab21bee8b9979b1fc16e4ab9529ffec4ae2
                                          • Instruction Fuzzy Hash: 7A63F831D10B1A8ADB51EF68C8406A9F7B1FF99300F55D79AE4587B121EB70AAC4CF81
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.3749135759.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_6a40000_aspnet_compiler.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: d37f2bd65ad0ef448ffb23abaa185896544fd636e6689b20751ca713734da9b5
                                          • Instruction ID: 3da4b4ef7f7ce47d25c669e872382191410a77de1e1d1db892d1fdf141dac010
                                          • Opcode Fuzzy Hash: d37f2bd65ad0ef448ffb23abaa185896544fd636e6689b20751ca713734da9b5
                                          • Instruction Fuzzy Hash: 0D331E31D107198EDB51EF68C8806ADF7B1FF89300F55C69AE459AB211EB70EAC5CB81
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.3749063930.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_6a20000_aspnet_compiler.jbxd
                                          Similarity
                                          • API ID: DispatchMessage
                                          • String ID:
                                          • API String ID: 2061451462-0
                                          • Opcode ID: bcb5bb683bb2a06fdb51d21ce653005ca72f38a8b1b3e4fcace55999d0277290
                                          • Instruction ID: 1957fdc228a02355ed474798a7a8da7fbb3c9cb4e2931978bf2c01cc87b0262e
                                          • Opcode Fuzzy Hash: bcb5bb683bb2a06fdb51d21ce653005ca72f38a8b1b3e4fcace55999d0277290
                                          • Instruction Fuzzy Hash: 8CF16A30E4021ACFEB54EFA9C944B9DBBF2BF88704F158169E505AF295DB70E945CB80
                                          APIs
                                          • SetWindowsHookExA.USER32(0000000D,00000000,?,?,?,?,?,?,?,?,?,0695F650,00000000,00000000), ref: 0695F863
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.3748907904.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_6950000_aspnet_compiler.jbxd
                                          Similarity
                                          • API ID: HookWindows
                                          • String ID:
                                          • API String ID: 2559412058-0
                                          • Opcode ID: bd995a4157c4c21349f82b6ccc32caeb5c4a872b8f6ed8b4b9dc31513cccb2ee
                                          • Instruction ID: bf7a1e0de45ed9859976be24e4a015838f8a43efc2a78dc121e93af266f3dac7
                                          • Opcode Fuzzy Hash: bd995a4157c4c21349f82b6ccc32caeb5c4a872b8f6ed8b4b9dc31513cccb2ee
                                          • Instruction Fuzzy Hash: 60213871D002099FCB54DF9AD844BEEBBF5FB48320F10842AE815A7650C775A945CFA1
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.3749135759.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_6a40000_aspnet_compiler.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 9c65ffd4e2f35c1658575d9e6fa035ca5c137a958ba220621e5871366150c229
                                          • Instruction ID: 1008b5a240c6cbde5199f927ad74ffff8ff29099c89285d0932bc27fdd84af91
                                          • Opcode Fuzzy Hash: 9c65ffd4e2f35c1658575d9e6fa035ca5c137a958ba220621e5871366150c229
                                          • Instruction Fuzzy Hash: F5626B34A002049FDB64FB68D994BADBBF2EFC8314F148569E4069B395DB35ED42CB90
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.3749135759.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_6a40000_aspnet_compiler.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: eaba4811290e5e45ad76a6ee5b485cb2c0d3879f4eb971e3ec4ec0e033a21ef0
                                          • Instruction ID: 9f0b00588801db8dc649c8f0fe470db24f859954f2cea5938f8caba8cad03f92
                                          • Opcode Fuzzy Hash: eaba4811290e5e45ad76a6ee5b485cb2c0d3879f4eb971e3ec4ec0e033a21ef0
                                          • Instruction Fuzzy Hash: 31E19074B002058FDB54EF68D894ABEBBB2FB89311F148569E806DB350DB35EC81CB81

                                           Control-flow Graph (rendered graph data omitted)

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.3740856199.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_2fa0000_aspnet_compiler.jbxd
                                          Similarity
                                          • API ID: ActiveWindow
                                          • String ID: Hq$Hq
                                          • API String ID: 2558294473-925789375
                                          • Opcode ID: bd40609a7b195eceda35bb17d1061d0a313bb49bc1eba25d2b9e9a907c75d11f
                                          • Instruction ID: 563013cae1bd45105eec7c9b7da9a59145d3e90cd708d54c4ddadcbd14830963
                                          • Opcode Fuzzy Hash: bd40609a7b195eceda35bb17d1061d0a313bb49bc1eba25d2b9e9a907c75d11f
                                          • Instruction Fuzzy Hash: 74C19C71F102058FDB19AFA9D4647AE7AF2BFC8341F148428E506EB384DF349846CBA5

                                           Control-flow Graph (rendered graph data omitted)

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.3749135759.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_6a40000_aspnet_compiler.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: $q$$q$$q$$q
                                          • API String ID: 0-4102054182
                                          • Opcode ID: 320b6c1aa74996270d31f1b91d5da87fbe4260a0ecfd64c9b7a399790efecadd
                                          • Instruction ID: 9585f6e748446e8a5920eee206a63de01131961ef2114bdced29803b4e191f12
                                          • Opcode Fuzzy Hash: 320b6c1aa74996270d31f1b91d5da87fbe4260a0ecfd64c9b7a399790efecadd
                                          • Instruction Fuzzy Hash: DE912F30B002198FDB64EF69D85076EBBE6FFC8340F548565D819EB344EA74ED418B91

                                           Control-flow Graph (rendered graph data omitted)

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.3749135759.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_6a40000_aspnet_compiler.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: fq$XPq$\Oq
                                          • API String ID: 0-132346853
                                          • Opcode ID: ad1b29397b7491df5111d2bc7ff1fb9bc3c3a3c578f59b6495cebe0e368d2879
                                          • Instruction ID: d72ed2e830d24c1021d88551431845f0e728149add5586ced592eb8acc02c476
                                          • Opcode Fuzzy Hash: ad1b29397b7491df5111d2bc7ff1fb9bc3c3a3c578f59b6495cebe0e368d2879
                                          • Instruction Fuzzy Hash: 45616534F002099FDF54ABA9C854BAEBBF6FFC8300F208529E506AB395DB754C458B91

                                           Control-flow Graph (rendered graph data omitted)

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.3749135759.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_6a40000_aspnet_compiler.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: $q$$q
                                          • API String ID: 0-3126353813
                                          • Opcode ID: bb47e1b422c27575d4d3bcfa99264cac61b0e00024efc4f595b4be3b6c879a75
                                          • Instruction ID: 6103b876a14206056a154c8d052dfc84bccc62215487a68f91ec8c122fbaf6ae
                                          • Opcode Fuzzy Hash: bb47e1b422c27575d4d3bcfa99264cac61b0e00024efc4f595b4be3b6c879a75
                                          • Instruction Fuzzy Hash: 95516F30B002059FDB94FB68DC60B6EBBE6FBC8340F148569D819EB354EA74ED418B91

                                           Control-flow Graph (rendered graph data omitted)

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.3749135759.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_6a40000_aspnet_compiler.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: fq$XPq
                                          • API String ID: 0-3167736908
                                          • Opcode ID: 69c0bd30b411caeff9112095d22d23ae4f2b6846f9a9b779b66d725e9f194b7a
                                          • Instruction ID: 76be1bb968713a69908dc4d36f19d954ebb6875e3f933f74cf8f50f3a419cbc3
                                          • Opcode Fuzzy Hash: 69c0bd30b411caeff9112095d22d23ae4f2b6846f9a9b779b66d725e9f194b7a
                                          • Instruction Fuzzy Hash: 7E516330F002099FDB55EBA9C855B9EBBF6FF88700F248529E106AB395DA758C018B91
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.3740856199.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_2fa0000_aspnet_compiler.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 5a14f283056a2c324a07f99f1d6d4a99e4c1237787290dd429d3ad322a033cff
                                          • Instruction ID: 391817b5ab68aa7d2b77182824ecc72d9019703d9554f5fce8a47ad7e7148c9b
                                          • Opcode Fuzzy Hash: 5a14f283056a2c324a07f99f1d6d4a99e4c1237787290dd429d3ad322a033cff
                                          • Instruction Fuzzy Hash: B281BFB1E103498FDB15DFA4D8A57ADBFB2FF84345F04802AE946AB281DF349849CB51
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.3749135759.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_6a40000_aspnet_compiler.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: $
                                          • API String ID: 0-3993045852
                                          • Opcode ID: 916965441fa477e2cada090cfcfb2b91e5210c6f629386f27bef4d0476136f8d
                                          • Instruction ID: 7e0ff7e8adf6672d8b0c1ec88f7415991aca9767e1966db494cdc8820a5df130
                                          • Opcode Fuzzy Hash: 916965441fa477e2cada090cfcfb2b91e5210c6f629386f27bef4d0476136f8d
                                          • Instruction Fuzzy Hash: 1BE19F35F402148FDB64EBA4C99069EBBF6FF89310F248079D915AB398DA35DD41CB90
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.3740856199.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_2fa0000_aspnet_compiler.jbxd
                                          Similarity
                                          • API ID: ActiveWindow
                                          • String ID:
                                          • API String ID: 2558294473-0
                                          • Opcode ID: ac17bc4555a64cfb63c3c951965a57e31e20ac47d61c68a1ff30647d094e01f1
                                          • Instruction ID: d86ec8bb5ace9b731d3c47597a3d448cbabdc0c33a12ac6e8ad955ac1465797f
                                          • Opcode Fuzzy Hash: ac17bc4555a64cfb63c3c951965a57e31e20ac47d61c68a1ff30647d094e01f1
                                          • Instruction Fuzzy Hash: C2614AB0E103199FDB14DFA5D459BADBFB2BF88345F148429E916AB280DF349849CB50
                                          APIs
                                          • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0695C042
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.3748907904.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_6950000_aspnet_compiler.jbxd
                                          Similarity
                                          • API ID: CreateWindow
                                          • String ID:
                                          • API String ID: 716092398-0
                                          • Opcode ID: 18fddafe14fdb3ea1fd29e63bd4048084a6d42b3a28717945f0413db6811eab0
                                          • Instruction ID: 407bc5d387ba71a7249a10c0195da21f733f309cc99f3a9a6618016fee875a5f
                                          • Opcode Fuzzy Hash: 18fddafe14fdb3ea1fd29e63bd4048084a6d42b3a28717945f0413db6811eab0
                                          • Instruction Fuzzy Hash: 9051D1B5C00249AFDF11CFA9C980ADEBFB6BF49310F25815AE918AB221D7759851CF90
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.3748907904.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_6950000_aspnet_compiler.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 579ac5f2218eaaf33efc631d4c564491f547efd84dd8de01c69c0c857e05a3ea
                                          • Instruction ID: e9668ba39948b2efb48b92b73de182e47b4be2f50e62ead38dfa019f1ace9cd6
                                          • Opcode Fuzzy Hash: 579ac5f2218eaaf33efc631d4c564491f547efd84dd8de01c69c0c857e05a3ea
                                          • Instruction Fuzzy Hash: F1415631D043498FCB14DFB9D80479EBBF5EF89220F16816AE805A7751EB349841CBE1
                                          APIs
                                          • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0695C042
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.3748907904.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_6950000_aspnet_compiler.jbxd
                                          Similarity
                                          • API ID: CreateWindow
                                          • String ID:
                                          • API String ID: 716092398-0
                                          • Opcode ID: 2ce2b5d3a81eb04712be3759515a3d0b9fe9417db36e8ed5983d7b6bef1f52a0
                                          • Instruction ID: 8f2ffc8cdd52786775b139f2141351462046d5e7f974234ea466e9c83fafa303
                                          • Opcode Fuzzy Hash: 2ce2b5d3a81eb04712be3759515a3d0b9fe9417db36e8ed5983d7b6bef1f52a0
                                          • Instruction Fuzzy Hash: 9E41BDB1D00349DFDB14CFAAC984ADEBFB5BF48310F65812AE819AB210D775A845CF90
                                          APIs
                                          • CallWindowProcW.USER32(?,?,?,?,?), ref: 0695D109
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.3748907904.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_6950000_aspnet_compiler.jbxd
                                          Similarity
                                          • API ID: CallProcWindow
                                          • String ID:
                                          • API String ID: 2714655100-0
                                          • Opcode ID: b074e6e9ac48b4a425fa994a10019ed4793d9243a6a5cba55c2de55db5d78abb
                                          • Instruction ID: 07b380862549f7c06443af5b18f602ab93ed9e1796093fe3062833ee6ddf4076
                                          • Opcode Fuzzy Hash: b074e6e9ac48b4a425fa994a10019ed4793d9243a6a5cba55c2de55db5d78abb
                                          • Instruction Fuzzy Hash: C1416AB4900305CFDB54CF99C889AAABBF5FF88314F258859E419A7721D734A845CFA0
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.3748907904.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_6950000_aspnet_compiler.jbxd
                                          Similarity
                                          • API ID: Clipboard
                                          • String ID:
                                          • API String ID: 220874293-0
                                          • Opcode ID: 977d989924edfcec8de55e1775cc81a11a85c327eb7bda89092f55b4fd3ecd59
                                          • Instruction ID: 474a98a6c81fb4c829035efd97cbb940bec9ee96315ecf6d26e5c28055f5d893
                                          • Opcode Fuzzy Hash: 977d989924edfcec8de55e1775cc81a11a85c327eb7bda89092f55b4fd3ecd59
                                          • Instruction Fuzzy Hash: 6E3114B0D01248DFDB14CFA9D984BDEBBF5AF48304F24805AE404AB790DB75A949CF54
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.3748907904.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_6950000_aspnet_compiler.jbxd
                                          Similarity
                                          • API ID: Clipboard
                                          • String ID:
                                          • API String ID: 220874293-0
                                          • Opcode ID: 294d939cc56e06421b3561b89eceada53f2affcfca942bb441d38e3c988676d8
                                          • Instruction ID: 009aa76d30f6469fcaf9388fd756f2fc564031ff25d25e978fd2ecf9f0f2f53e
                                          • Opcode Fuzzy Hash: 294d939cc56e06421b3561b89eceada53f2affcfca942bb441d38e3c988676d8
                                          • Instruction Fuzzy Hash: B031F1B0D01308DFDB24DF99D984BCEBBF5AF48304F20806AE404AB690DBB5A949CF55
                                          APIs
                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02FAC267
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.3740856199.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_2fa0000_aspnet_compiler.jbxd
                                          Similarity
                                          • API ID: DuplicateHandle
                                          • String ID:
                                          • API String ID: 3793708945-0
                                          • Opcode ID: a6edbd4bffa09dee13b888299dcfe3eb1bd9cd98a2d4b494811cf93346a05c89
                                          • Instruction ID: 17aeded7c7fc05a58c16de84d41b4d77e552882cc5e6410198690ce8e4a17edc
                                          • Opcode Fuzzy Hash: a6edbd4bffa09dee13b888299dcfe3eb1bd9cd98a2d4b494811cf93346a05c89
                                          • Instruction Fuzzy Hash: 1321F5B5D002489FDB10CFAAD985ADEBFF4FB48320F14801AE914A7350D379A940CFA1
                                          APIs
                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02FAC267
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.3740856199.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_2fa0000_aspnet_compiler.jbxd
                                          Similarity
                                          • API ID: DuplicateHandle
                                          • String ID:
                                          • API String ID: 3793708945-0
                                          • Opcode ID: 7dea7aa4d22f9c7fca78df510a89e08c1064363075506011a94d7e449630666b
                                          • Instruction ID: d40dc4518cecf2998dfda2521e190f0902f6abae5de0a291111da3bec4b04e77
                                          • Opcode Fuzzy Hash: 7dea7aa4d22f9c7fca78df510a89e08c1064363075506011a94d7e449630666b
                                          • Instruction Fuzzy Hash: 9D21E4B5D002489FDB10CFAAD984ADEBFF4FB48310F14801AE914A3350D379A940CFA4
                                          APIs
                                          • EnumThreadWindows.USER32(?,00000000,?,?,?,?,00000E20,?,?,02FADA98,03FD41C8,03024F5C), ref: 02FADB29
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.3740856199.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_2fa0000_aspnet_compiler.jbxd
                                          Similarity
                                          • API ID: EnumThreadWindows
                                          • String ID:
                                          • API String ID: 2941952884-0
                                          • Opcode ID: 0dd9a9e98190335cb0cd369cd24dd9a142dcd9ddb881826c4dd575d72239ecc9
                                          • Instruction ID: a89b9c282354301727e842239edbd4cb71e554730fde5522fce2498790915cea
                                          • Opcode Fuzzy Hash: 0dd9a9e98190335cb0cd369cd24dd9a142dcd9ddb881826c4dd575d72239ecc9
                                          • Instruction Fuzzy Hash: A92147B1D002098FDB10DF9AC844BEEFBF4FB88360F10842AD925A3640D778A941CFA4
                                          APIs
                                          • EnumThreadWindows.USER32(?,00000000,?,?,?,?,00000E20,?,?,02FADA98,03FD41C8,03024F5C), ref: 02FADB29
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.3740856199.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_2fa0000_aspnet_compiler.jbxd
                                          Similarity
                                          • API ID: EnumThreadWindows
                                          • String ID:
                                          • API String ID: 2941952884-0
                                          • Opcode ID: 0756713689206e920e21f8343935ebb149af480eeb36857d14185e02c9b08b49
                                          • Instruction ID: 3554b050a733d44afaa5cb6bd0f3797f79ae56d46b1964d12b551c163aa433bf
                                          • Opcode Fuzzy Hash: 0756713689206e920e21f8343935ebb149af480eeb36857d14185e02c9b08b49
                                          • Instruction Fuzzy Hash: 2A2134B1D002498FDB10DF9AC844BEEFBF5FB88360F14842AD464A3650D778A941CFA4
                                          APIs
                                          • MessageBoxW.USER32(?,00000000,00000000,?,?,?,?,?,?,?,02FAAE8D,?,?,?), ref: 02FAE2CD
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.3740856199.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_2fa0000_aspnet_compiler.jbxd
                                          Similarity
                                          • API ID: Message
                                          • String ID:
                                          • API String ID: 2030045667-0
                                          • Opcode ID: e411670dac2b71ac40381a07b979784e2b57b94015f58470f12d2196c18645ab
                                          • Instruction ID: 6b41848eeafde0a2f7f061a8e2504b5695c7e5f6179297082cea25b86ca32d87
                                          • Opcode Fuzzy Hash: e411670dac2b71ac40381a07b979784e2b57b94015f58470f12d2196c18645ab
                                          • Instruction Fuzzy Hash: AA2104B5D003499FDB10CF9AD984ADEFBF5FB88354F10852EE919A7200C375A944CBA4
                                          APIs
                                          • KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,0695D355), ref: 0695D3DF
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.3748907904.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_6950000_aspnet_compiler.jbxd
                                          Similarity
                                          • API ID: CallbackDispatcherUser
                                          • String ID:
                                          • API String ID: 2492992576-0
                                          • Opcode ID: 9c802fe5c111f88594b20bae5c7effb0aba7eeacf969e7ca252274792d4d0aad
                                          • Instruction ID: 53daae720ab559e73c7bc1f49f0a587f1ffd1a0d53f48f5a127d022bb3fde77c
                                          • Opcode Fuzzy Hash: 9c802fe5c111f88594b20bae5c7effb0aba7eeacf969e7ca252274792d4d0aad
                                          • Instruction Fuzzy Hash: FD218C71C053498FDB11DF99C884BDEBFF4EF49314F11405AD454A7241C7346949CBA5
                                          APIs
                                          • MessageBoxW.USER32(?,00000000,00000000,?,?,?,?,?,?,?,02FAAE8D,?,?,?), ref: 02FAE2CD
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.3740856199.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_2fa0000_aspnet_compiler.jbxd
                                          Similarity
                                          • API ID: Message
                                          • String ID:
                                          • API String ID: 2030045667-0
                                          • Opcode ID: 4cc55fff5338634cd5a3c3a4a1e9c6da57d06ab3e7767d1377d8db3ccf926ea0
                                          • Instruction ID: 78d2fbbb42644a939348ff0bac77698d989e95da73bd51c515eef992eb5c3bfa
                                          • Opcode Fuzzy Hash: 4cc55fff5338634cd5a3c3a4a1e9c6da57d06ab3e7767d1377d8db3ccf926ea0
                                          • Instruction Fuzzy Hash: F621F3B9D003098FDB10CF99D984ADEBBF5FF48314F14852EE559A7200C375A545CBA4
                                          APIs
                                          • DeleteFileW.KERNELBASE(00000000), ref: 02FAEA50
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.3740856199.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_2fa0000_aspnet_compiler.jbxd
                                          Similarity
                                          • API ID: DeleteFile
                                          • String ID:
                                          • API String ID: 4033686569-0
                                          • Opcode ID: 0868b150f085b1b1a8a0da6e6ade4d629aebc9b4200356cf4b5ad358f09efb60
                                          • Instruction ID: 381599b69abfcde4de861690a1c1e828f05ac58552b503220b085c99b88fd11e
                                          • Opcode Fuzzy Hash: 0868b150f085b1b1a8a0da6e6ade4d629aebc9b4200356cf4b5ad358f09efb60
                                          • Instruction Fuzzy Hash: 342138B5C0065A9BCB20DF9AC555B9EFBF4FB48360F108129E919A7340D738A941CFA5
                                          APIs
                                          • DeleteFileW.KERNELBASE(00000000), ref: 02FAEA50
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.3740856199.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_2fa0000_aspnet_compiler.jbxd
                                          Similarity
                                          • API ID: DeleteFile
                                          • String ID:
                                          • API String ID: 4033686569-0
                                          • Opcode ID: 02c30bcc33d0a576c4aa6214f5104e182186479458211355571ceaf3383e25d2
                                          • Instruction ID: b452cf4a8e5b18c401e1553414a67ef0e08bc545623ccf998de330197b763ffb
                                          • Opcode Fuzzy Hash: 02c30bcc33d0a576c4aa6214f5104e182186479458211355571ceaf3383e25d2
                                          • Instruction Fuzzy Hash: BF2136B5C0061A9BCB20CF9AD545BEEFBB4BF48320F14812AD919B7640D738A945CFA0
                                          APIs
                                          • SetWindowsHookExA.USER32(0000000D,00000000,?,?,?,?,?,?,?,?,?,0695F650,00000000,00000000), ref: 0695F863
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.3748907904.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_6950000_aspnet_compiler.jbxd
                                          Similarity
                                          • API ID: HookWindows
                                          • String ID:
                                          • API String ID: 2559412058-0
                                          • Opcode ID: 375e444bb5db93bdf42198332a6e40d04ee391f484335693fbde5e184be405e9
                                          • Instruction ID: b374c1cc7d0ff597c49c57513b14675189992b129385b59cc68a0626e83a4203
                                          • Opcode Fuzzy Hash: 375e444bb5db93bdf42198332a6e40d04ee391f484335693fbde5e184be405e9
                                          • Instruction Fuzzy Hash: D0214775D002098FDB14DFAAC944BDEBBF5FB88320F10842AE819B7690C774A945CFA1
                                          APIs
                                          • GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,069559C2), ref: 06955AAF
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.3748907904.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_6950000_aspnet_compiler.jbxd
                                          Similarity
                                          • API ID: GlobalMemoryStatus
                                          • String ID:
                                          • API String ID: 1890195054-0
                                          • Opcode ID: 82003f5677bf64cfc9fd90a819772756d3260e5b52ae5b717aa8ff3fb35a8d23
                                          • Instruction ID: a620c3cd1e6fc588d95600f138aa5b34199595ba90b89d5a4f5cee2e8c5b98bf
                                          • Opcode Fuzzy Hash: 82003f5677bf64cfc9fd90a819772756d3260e5b52ae5b717aa8ff3fb35a8d23
                                          • Instruction Fuzzy Hash: 761130B1C0025A9BCB20DF9AC444B9EFBF4AB08220F11812AE818A7641D378A901CFE5
                                          APIs
                                          • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,?,00000000,?,06A26BB1,00000800), ref: 06A26C42
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.3749063930.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_6a20000_aspnet_compiler.jbxd
                                          Similarity
                                          • API ID: LibraryLoad
                                          • String ID:
                                          • API String ID: 1029625771-0
                                          • Opcode ID: 7e539ad13932ee91339204abc24a8e27f88d7f45f0796828e40f8a6de6fa759f
                                          • Instruction ID: 0c3d086791d3eadf11802ec5f5b268ee21d92a17f4df67dac853a653994963a3
                                          • Opcode Fuzzy Hash: 7e539ad13932ee91339204abc24a8e27f88d7f45f0796828e40f8a6de6fa759f
                                          • Instruction Fuzzy Hash: AE1114B6C013599FDB20DF9AD844BDEFBF4EB48310F10842AE959A7200C779A545CFA5
                                          APIs
                                          • PeekMessageW.USER32(?,?,00000000,00000000,00000000,?,?,?,?,06A2A912,00000000,00000000,03FD41C8,03024F5C), ref: 06A2AD60
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.3749063930.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_6a20000_aspnet_compiler.jbxd
                                          Similarity
                                          • API ID: MessagePeek
                                          • String ID:
                                          • API String ID: 2222842502-0
                                          • Opcode ID: 6b5de0b7f26c069affb50f56c81c84660d90e6d611411ea93a3f0fc7fecd64a5
                                          • Instruction ID: 49bd25f791ad8444ada094831528305508b6be3d7558c1efa6d0f3c4d7b209ca
                                          • Opcode Fuzzy Hash: 6b5de0b7f26c069affb50f56c81c84660d90e6d611411ea93a3f0fc7fecd64a5
                                          • Instruction Fuzzy Hash: E51117B5C002499FDB10DF9AD945BDEBBF8FB08310F10842AE918A3241D378A944CFA5
                                          APIs
                                          • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,?,00000000,?,06A26BB1,00000800), ref: 06A26C42
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.3749063930.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_6a20000_aspnet_compiler.jbxd
                                          Similarity
                                          • API ID: LibraryLoad
                                          • String ID:
                                          • API String ID: 1029625771-0
                                          • Opcode ID: 425d76f7d40df6a69eee6eda7dc83b42d0a3cb39bef87cfb9cf47c4f94fdc8e1
                                          • Instruction ID: 62dfa94015304bd42c0c53354a6557d00cf296f7e965a8216c05fd358e22dc64
                                          • Opcode Fuzzy Hash: 425d76f7d40df6a69eee6eda7dc83b42d0a3cb39bef87cfb9cf47c4f94fdc8e1
                                          • Instruction Fuzzy Hash: 2A1114B6D003598FDB20EF9AD944BDEFBF4EB48710F10842AE919A7200C775A545CFA4
                                          APIs
                                          • PeekMessageW.USER32(?,?,00000000,00000000,00000000,?,?,?,?,06A2A912,00000000,00000000,03FD41C8,03024F5C), ref: 06A2AD60
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.3749063930.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_6a20000_aspnet_compiler.jbxd
                                          Similarity
                                          • API ID: MessagePeek
                                          • String ID:
                                          • API String ID: 2222842502-0
                                          • Opcode ID: 530518f8d8c6566381da0cf89622a959bf3dd7274ac8219d0d35ff3db237af54
                                          • Instruction ID: b8d2804c746015571327e8c67917520d8dc4496c3f45a2e8fa606775dbda6c78
                                          • Opcode Fuzzy Hash: 530518f8d8c6566381da0cf89622a959bf3dd7274ac8219d0d35ff3db237af54
                                          • Instruction Fuzzy Hash: A41123B5C00249DFDB10DF9AD984BDEBBF4FB08320F10802AE918A3250D378A944CFA5
                                          APIs
                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02FAC267
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.3740856199.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_2fa0000_aspnet_compiler.jbxd
                                          Similarity
                                          • API ID: DuplicateHandle
                                          • String ID:
                                          • API String ID: 3793708945-0
                                          • Opcode ID: 3c0b4bc1ce11dc5318ee0b61790197bbcaafdfcd68fac924ac60b2fe7949c174
                                          • Instruction ID: a51b151b80b937aceb04ac1a56ebc9c6469bf4c74e8b734675c466635807c596
                                          • Opcode Fuzzy Hash: 3c0b4bc1ce11dc5318ee0b61790197bbcaafdfcd68fac924ac60b2fe7949c174
                                          • Instruction Fuzzy Hash: DE1133B69043099FDB10CFA9D884AEEBBF4EF49310F14805AE958E7251C338A955CF61
                                          APIs
                                          • GetModuleHandleW.KERNELBASE(00000000), ref: 0695B866
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.3748907904.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_6950000_aspnet_compiler.jbxd
                                          Similarity
                                          • API ID: HandleModule
                                          • String ID:
                                          • API String ID: 4139908857-0
                                          • Opcode ID: f8cfce563a5246633908cf70458decbdfbfbd007d39ae784e0133a6192835535
                                          • Instruction ID: 0ddc00956437df05df3c7fd537ea138986cd4371e572f0066393317fbb6b29a3
                                          • Opcode Fuzzy Hash: f8cfce563a5246633908cf70458decbdfbfbd007d39ae784e0133a6192835535
                                          • Instruction Fuzzy Hash: 1B1123B5C003498FCB10DFAAD845BDEFBF8EB48314F10801AD919A7610C375A545CFA5
                                          APIs
                                          • GetModuleHandleW.KERNELBASE(00000000), ref: 0695B866
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.3748907904.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_6950000_aspnet_compiler.jbxd
                                          Similarity
                                          • API ID: HandleModule
                                          • String ID:
                                          • API String ID: 4139908857-0
                                          • Opcode ID: 4eb9a2e3cb0cdf79d16159a1791004ba5cfb14370bfa035a6021b4ea51518a70
                                          • Instruction ID: a40c8e390805b155c8838c26c28e7de7038487811f3bbbc0865d54543b61882d
                                          • Opcode Fuzzy Hash: 4eb9a2e3cb0cdf79d16159a1791004ba5cfb14370bfa035a6021b4ea51518a70
                                          • Instruction Fuzzy Hash: 341102B5C003498FCB10DF9AD444ADEFBF4EB48314F11842AD919A7610C375A545CFA1
                                          APIs
                                          • OleInitialize.OLE32(00000000), ref: 02FACC5D
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.3740856199.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_2fa0000_aspnet_compiler.jbxd
                                          Similarity
                                          • API ID: Initialize
                                          • String ID:
                                          • API String ID: 2538663250-0
                                          • Opcode ID: 5ac4960aaa8e815d46a151ea1629d6a5db6c82b9683eae364b7f7a72965d1d05
                                          • Instruction ID: e51634fa2296d0fe0524791f1ce632901c42848dc8638b35a09f07a333d27332
                                          • Opcode Fuzzy Hash: 5ac4960aaa8e815d46a151ea1629d6a5db6c82b9683eae364b7f7a72965d1d05
                                          • Instruction Fuzzy Hash: CF1133B1D003488FCB20DF9AD549BDEBBF4EB48220F10841AD518A3250C375A940CFA4
                                          APIs
                                          • KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,0695D355), ref: 0695D3DF
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.3748907904.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_6950000_aspnet_compiler.jbxd
                                          Similarity
                                          • API ID: CallbackDispatcherUser
                                          • String ID:
                                          • API String ID: 2492992576-0
                                          • Opcode ID: b6737e7fe0326a45fe3aa15ae81b5385698d99d653f2e44ddd40ae2af6121ae6
                                          • Instruction ID: a3b40fb479a32030c2313f2c8a2f9a78cc681afe44318f3c9e4b8af5de522f5e
                                          • Opcode Fuzzy Hash: b6737e7fe0326a45fe3aa15ae81b5385698d99d653f2e44ddd40ae2af6121ae6
                                          • Instruction Fuzzy Hash: 371133B4C003498FCB20DF9AC885BDEBBF4EB48324F208459E919A7740C775A944CFA4
                                          APIs
                                          • KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,0695D355), ref: 0695D3DF
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.3748907904.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_6950000_aspnet_compiler.jbxd
                                          Similarity
                                          • API ID: CallbackDispatcherUser
                                          • String ID:
                                          • API String ID: 2492992576-0
                                          • Opcode ID: 66356751cff97ceed3097f3b2fb698cee1ac3c483a063163242cd924425ed791
                                          • Instruction ID: cf3afe8c128df7044f110af7cd28e21e0d931966cf65d4ae86fcbe1520dad041
                                          • Opcode Fuzzy Hash: 66356751cff97ceed3097f3b2fb698cee1ac3c483a063163242cd924425ed791
                                          • Instruction Fuzzy Hash: C711F5B58003498FCB20DF9AD985BDEBFF8EB48324F208419D919A7640C775A545CFA5
                                          APIs
                                          • DispatchMessageW.USER32(?,?,?,?,?,?,00000000,-00000018,?,06A2AA57), ref: 06A2B4FD
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.3749063930.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_6a20000_aspnet_compiler.jbxd
                                          Similarity
                                          • API ID: DispatchMessage
                                          • String ID:
                                          • API String ID: 2061451462-0
                                          • Opcode ID: 385f427cde555250221c7d9e99aa0f152085848cda89d933163453cf5204c3e1
                                          • Instruction ID: c86d883f8cc9a56a3fb8c4d4950005453947d4c43757248868c3cff2158e50a4
                                          • Opcode Fuzzy Hash: 385f427cde555250221c7d9e99aa0f152085848cda89d933163453cf5204c3e1
                                          • Instruction Fuzzy Hash: 271122B0C046598FCB20EF9AD444BDEFBF4EB48324F10802AE419A7340D378A540CFA5
                                          APIs
                                          • OleInitialize.OLE32(00000000), ref: 02FACC5D
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.3740856199.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_2fa0000_aspnet_compiler.jbxd
                                          Similarity
                                          • API ID: Initialize
                                          • String ID:
                                          • API String ID: 2538663250-0
                                          • Opcode ID: fd1e2cab19426d06cee759e81d712af3874ca55f396a54b9abebef27e2f12169
                                          • Instruction ID: a8f926bae1dca720d9ca4a9c6a98133cdf313dec9017f03f66c517ce611dcb07
                                          • Opcode Fuzzy Hash: fd1e2cab19426d06cee759e81d712af3874ca55f396a54b9abebef27e2f12169
                                          • Instruction Fuzzy Hash: 301130B5C003498FCB20DFAAD645BCEBBF4EB08320F20881AD958A3210D378A545CFA5
                                          APIs
                                          • DispatchMessageW.USER32(?,?,?,?,?,?,00000000,-00000018,?,06A2AA57), ref: 06A2B4FD
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.3749063930.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_6a20000_aspnet_compiler.jbxd
                                          Similarity
                                          • API ID: DispatchMessage
                                          • String ID:
                                          • API String ID: 2061451462-0
                                          • Opcode ID: f87adde87fee15edc823ba65a37fde4cdb0cf827a329f2a59fa6470cad4f9c9a
                                          • Instruction ID: 254d5a0d5d4dae120bd0f8bf3f94b46d7e811dfe0d2eb18441dd5fe2e76e2b01
                                          • Opcode Fuzzy Hash: f87adde87fee15edc823ba65a37fde4cdb0cf827a329f2a59fa6470cad4f9c9a
                                          • Instruction Fuzzy Hash: EC11F2B5D00259CFCB20DF9AD544BCEBBF4EB48314F10841AD519A7350D378A545CFA5
                                          APIs
                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02FAC267
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.3740856199.0000000002FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_2fa0000_aspnet_compiler.jbxd
                                          Similarity
                                          • Opcode Fuzzy Hash: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
                                          • Instruction Fuzzy Hash: 4C11BE75504280CFDB06CF54D9C4B15BB72FB85318F24C6A9D8494B25BC33AD44ACB51
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.3749135759.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_6a40000_aspnet_compiler.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: af30f9642a12c98d97b1eca07c6d2cf71acb280d41b950bbda875e04a99bbdfd
                                          • Instruction ID: c064c42638cb5701726eae12679f70388f465c86474997c4a301a57921e91efc
                                          • Opcode Fuzzy Hash: af30f9642a12c98d97b1eca07c6d2cf71acb280d41b950bbda875e04a99bbdfd
                                          • Instruction Fuzzy Hash: 981100B1C00219AFCB10DF9AD884ACEFFB4FB48310F50812AE918A7340C378A940CFA5
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.3738187372.000000000131D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0131D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_131d000_aspnet_compiler.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 2e9cca0ddad5a86085491794687953ae07ced3ba403328ac5bf8e948dc3c1e61
                                          • Instruction ID: 1fec0e4117a579c178ce76b4a764f347ccb4e477f473aba05f794c4cce0c35f2
                                          • Opcode Fuzzy Hash: 2e9cca0ddad5a86085491794687953ae07ced3ba403328ac5bf8e948dc3c1e61
                                          • Instruction Fuzzy Hash: 6811DD75504280CFDB1ACF54C5C4B55BFA1FB85328F24C6ADD8494B65AC33AD84BCB51
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.3749135759.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_6a40000_aspnet_compiler.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b88c6b4c20d808ad62e2e2b6d825f2f98b0d0e6fa715018e08348044c97cada5
                                          • Instruction ID: 41b356235e6193d03d17076330304d07b5a0fb881e86a3a67b984e0ae9dacf56
                                          • Opcode Fuzzy Hash: b88c6b4c20d808ad62e2e2b6d825f2f98b0d0e6fa715018e08348044c97cada5
                                          • Instruction Fuzzy Hash: 63016D31B101105BDB65B66DE855B2FABDBEBC9650F10883AF10ACB344DD66DC024391
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.3749135759.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_6a40000_aspnet_compiler.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 83b1f8160aa58f1bf6b707f390963f14b969ba9986cd54c44eba580064ebd726
                                          • Instruction ID: 05d051917e2f04e5496dc2ed0f62ae67fc536af06787620c76d58119789c883b
                                          • Opcode Fuzzy Hash: 83b1f8160aa58f1bf6b707f390963f14b969ba9986cd54c44eba580064ebd726
                                          • Instruction Fuzzy Hash: 2F018130B101140FDBA0FB6DD850B2A77D6EBC9364F10C838E50ADB344EA25EC428791
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.3749135759.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_6a40000_aspnet_compiler.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: bbf38b28fb5bc533ff519d12b3fdb7020339c202f96ce51a5baa68933e09490f
                                          • Instruction ID: 68096e2cc0f51edd67c4b6546cb03e9916beb5d62414ff9e79809a2146911519
                                          • Opcode Fuzzy Hash: bbf38b28fb5bc533ff519d12b3fdb7020339c202f96ce51a5baa68933e09490f
                                          • Instruction Fuzzy Hash: A9F09270E191456FDB51EA748E45AABBBAED7C2204F2489A6E408CF192D136CE0383A1
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.3749135759.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_6a40000_aspnet_compiler.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 917c725bf7a689fce1337059c707fdbca5e63f76f228c5a9805e90cf94fe9561
                                          • Instruction ID: 3003ab407a97d7dd59d424b8bb5e56334ee4c2a149b045e1269455d8d472115e
                                          • Opcode Fuzzy Hash: 917c725bf7a689fce1337059c707fdbca5e63f76f228c5a9805e90cf94fe9561
                                          • Instruction Fuzzy Hash: 32E01271E1010DABDF90FFB4CE4579FB7ADD782218F2085A5D409DB201E576DE1187A0
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.3749135759.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_6a40000_aspnet_compiler.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: $q$$q$$q$$q$$q$$q$$q$$q$$q$$q
                                          • API String ID: 0-1298971921
                                          • Opcode ID: 60ff5f096f37cc1be134ca4f9d624661e22bcd629076c98e07c14188f9823a78
                                          • Instruction ID: df72ba9ab8d2e4d89df83603d680d90c1231bf8fe5408a00739457e9912148f1
                                          • Opcode Fuzzy Hash: 60ff5f096f37cc1be134ca4f9d624661e22bcd629076c98e07c14188f9823a78
                                          • Instruction Fuzzy Hash: 71123930E012198FDB64EF65D895B9EBBF2FF89311F2085A9D40AAB254DB359D41CF80
                                          APIs
                                          • GetKeyState.USER32(00000010), ref: 06A2C925
                                          • GetKeyState.USER32(00000011), ref: 06A2C96A
                                          • GetKeyState.USER32(00000012), ref: 06A2C9AF
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.3749063930.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_6a20000_aspnet_compiler.jbxd
                                          Similarity
                                          • API ID: State
                                          • String ID:
                                          • API String ID: 1649606143-0
                                          • Opcode ID: 8ba8007c4bd3b26f95f57572b31fe5d57a970eb2feeeed21bcd0e156be2f09ec
                                          • Instruction ID: 70775b7426636032cba64211b6111838357de4d0362e433ce31fa67faf22df3f
                                          • Opcode Fuzzy Hash: 8ba8007c4bd3b26f95f57572b31fe5d57a970eb2feeeed21bcd0e156be2f09ec
                                          • Instruction Fuzzy Hash: 8D31E4B1C0035ACFDBA1DF99C9093AFBFF4AB05318F10440AD05AB7280C7799549CBA2
                                          APIs
                                          • GetKeyState.USER32(00000010), ref: 06A2C925
                                          • GetKeyState.USER32(00000011), ref: 06A2C96A
                                          • GetKeyState.USER32(00000012), ref: 06A2C9AF
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.3749063930.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_6a20000_aspnet_compiler.jbxd
                                          Similarity
                                          • API ID: State
                                          • String ID:
                                          • API String ID: 1649606143-0
                                          • Opcode ID: 87a59e7611f67c9b652d3525ed30853496618f6cb5b6b29f894f4dbfb5642a2e
                                          • Instruction ID: cec686ff6c673f79390e29bb8151340389dfdab9aea4dbc99eaf27540b46ecd4
                                          • Opcode Fuzzy Hash: 87a59e7611f67c9b652d3525ed30853496618f6cb5b6b29f894f4dbfb5642a2e
                                          • Instruction Fuzzy Hash: 9A318271C0075A8EDBA0EF9AC9497AFBFF4AB05319F104419D05AA7280C7B99545CFA2
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.3749135759.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_6a40000_aspnet_compiler.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: $q$$q$$q$$q$$q$$q$$q$$q
                                          • API String ID: 0-3886557441
                                          • Opcode ID: 59460fae52c40ffbd933c4312d956e203887420d7fca6391aafd51c603b8959f
                                          • Instruction ID: d71d40ce54bded4183ddf6df5f68737435419997553b32e2af377264d6fc2434
                                          • Opcode Fuzzy Hash: 59460fae52c40ffbd933c4312d956e203887420d7fca6391aafd51c603b8959f
                                          • Instruction Fuzzy Hash: 5F915E30A012099FEB64FB65ED55B6EBBF2BFC4305F149429E801AB255DB74AC42CB90
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.3749135759.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_6a40000_aspnet_compiler.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: $q$$q$$q$$q$$q$$q
                                          • API String ID: 0-2069967915
                                          • Opcode ID: 758ba5a30141298661bad8507a2f029824134ec4ce7e81bc5e4802e7f86c2fb8
                                          • Instruction ID: 5b828b57fde4e03aac49be31980c46469dd878a8ac5dd9ded8746c47921fd93b
                                          • Opcode Fuzzy Hash: 758ba5a30141298661bad8507a2f029824134ec4ce7e81bc5e4802e7f86c2fb8
                                          • Instruction Fuzzy Hash: 59F11934A012088FDB59FFA5D854B6EBBB7FB84351F248569D406AB394CB35EC42CB80
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.3749135759.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_6a40000_aspnet_compiler.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: $q$$q$$q$$q
                                          • API String ID: 0-4102054182
                                          • Opcode ID: 981a10cca04974e48b152dc3102e9129a7847f9c116a38615686e078b7a8455f
                                          • Instruction ID: 39632d8c726c16be71d38e0051b9b517e1054b22a3cef628b6af55936c87fec8
                                          • Opcode Fuzzy Hash: 981a10cca04974e48b152dc3102e9129a7847f9c116a38615686e078b7a8455f
                                          • Instruction Fuzzy Hash: 90B12870A002098FDB64FB69D8A476EBBB2FF84341F248869D4059B395DB35DC42CB90
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.3749135759.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_6a40000_aspnet_compiler.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: LRq$LRq$$q$$q
                                          • API String ID: 0-2204215535
                                          • Opcode ID: 5bfe51efbb0e414ff234e89f5150913fa4eef9922f10922f5031922d808490c0
                                          • Instruction ID: d3510be54c5dc6468f4e34aa3ec27ad96ea605e0d2733777e70a1bd7c6acf59f
                                          • Opcode Fuzzy Hash: 5bfe51efbb0e414ff234e89f5150913fa4eef9922f10922f5031922d808490c0
                                          • Instruction Fuzzy Hash: 68519D34B012059FDB58FB68DC54A6A7BF6FF88700B148969E4029F395DA71EC41CB90
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.1427055469.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_da0000_QGwHqTR.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: tPq
                                          • API String ID: 0-789928099
                                          • Opcode ID: 962b51550c7c06807f650d510cea7cd28e414d079f1548684d07f18b3947703e
                                          • Instruction ID: 63a9082a1959a14ea8685f7cb9cd6182e6eb4292639f5b96af397385f3052f2d
                                          • Opcode Fuzzy Hash: 962b51550c7c06807f650d510cea7cd28e414d079f1548684d07f18b3947703e
                                          • Instruction Fuzzy Hash: 73318C357517108FCB59AB78C86892D3FE2EF8A71636504A9E402CF3B6DA35DC42CB90
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.1427055469.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_da0000_QGwHqTR.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: 8q
                                          • API String ID: 0-4083045702
                                          • Opcode ID: e6e60970cb75eece875a7ad794739601297663406bb4dd73691f950cdb569184
                                          • Instruction ID: 0331ab2c99ef3c580aef53332c5226f0e7ea473950cb16e40d82da618039213e
                                          • Opcode Fuzzy Hash: e6e60970cb75eece875a7ad794739601297663406bb4dd73691f950cdb569184
                                          • Instruction Fuzzy Hash: 3AF0A7756012448FCB52E7B8E465BB9BFF1EF8530071855E9D0458F3AADA20AC07CB90
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.1427055469.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_da0000_QGwHqTR.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: 8q
                                          • API String ID: 0-4083045702
                                          • Opcode ID: 69d27366227baff3cabd5f71abbf655f164499936b8d0e703bf9d791ddc3917e
                                          • Instruction ID: c26fe0380ea46eef46c359ccdc16d7f055af88c223e5eec9cb4bee15bb4bd00e
                                          • Opcode Fuzzy Hash: 69d27366227baff3cabd5f71abbf655f164499936b8d0e703bf9d791ddc3917e
                                          • Instruction Fuzzy Hash: 75E0D8752002008FCB41FBA9E514B39BBD9EFC8300B145468E1098F3ACDB30AC058BE0
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.1427055469.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_da0000_QGwHqTR.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 32ba2e0294ed78f788f7b8c223c6f9ae2ca91eba905868d4e32764a34dca3d0c
                                          • Instruction ID: 53babaecc3c477b66bd85e7fbe22b2d456bd25a4f7a3d2bb5637c9edc1649c13
                                          • Opcode Fuzzy Hash: 32ba2e0294ed78f788f7b8c223c6f9ae2ca91eba905868d4e32764a34dca3d0c
                                          • Instruction Fuzzy Hash: 2F51AE30E003089FDB15EBB8C4186AEBBF6EF89300F6884AAD40597355DF359D468B91
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.1427055469.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_da0000_QGwHqTR.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f64b965634be094d8c81aa34e8cdc30d562db6297a3e95d21271bdc2625cdcac
                                          • Instruction ID: dd059e543fcaad8b5296c1b7b761730f9fc747c1b6a64401b5c874a52960b0e9
                                          • Opcode Fuzzy Hash: f64b965634be094d8c81aa34e8cdc30d562db6297a3e95d21271bdc2625cdcac
                                          • Instruction Fuzzy Hash: 8A81DE35A003048FDB11EBB8D8547AEBBE6EFC9310F288569D4059B359DF31AD46CB92
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.1427055469.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_da0000_QGwHqTR.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 551039aec3ec6d642bf5f9d05814a1449c5c6442642ce184c40a1e79ba339865
                                          • Instruction ID: d000544c4073f6e772886d759f77a73b179e167ff25c68444db5a1012f2b3568
                                          • Opcode Fuzzy Hash: 551039aec3ec6d642bf5f9d05814a1449c5c6442642ce184c40a1e79ba339865
                                          • Instruction Fuzzy Hash: 0D41D031E003048FDB15EBB9C4186AEBBE6FFC8300F688469D40697359DF359C428B91
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.1427055469.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_da0000_QGwHqTR.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 60ecf3a7c72b4a0a68989d21bc6c927bb1e06917fafd82a004fc3ad27e8cb3e8
                                          • Instruction ID: 27f2a298d2db8c593a469cc79719cf1ef95162308e087beb91adeb3936b333af
                                          • Opcode Fuzzy Hash: 60ecf3a7c72b4a0a68989d21bc6c927bb1e06917fafd82a004fc3ad27e8cb3e8
                                          • Instruction Fuzzy Hash: 88217834F002048FDB14ABB8C41876DBBE6BB88311F688469D80697358DF36DC428B91
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.1427055469.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_12_2_da0000_QGwHqTR.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: c67e081d62d42b589826b9ac7799a142ed7661e90d748c45d8d772151ca2c788
                                          • Instruction ID: 359b67b19fb7b3eaca6e949982ef6bb604bc8e9410b0967fbcf19374a56c569c
                                          • Opcode Fuzzy Hash: c67e081d62d42b589826b9ac7799a142ed7661e90d748c45d8d772151ca2c788
                                          • Instruction Fuzzy Hash: 67E0C2791486849FC706AF30E0199343F70DF0A210B1540D5EC888B337C731CC44CB00
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.1508763969.0000000000D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D60000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_d60000_QGwHqTR.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: tPq
                                          • API String ID: 0-789928099
                                          • Opcode ID: 87ed42faa032313864fc06551fe72bb69b6647f2da613820991c85222363e5f7
                                          • Instruction ID: 8c4883aa324c3c4c02745c7ac03f1b1024e9082758a1f085141a205d896d460c
                                          • Opcode Fuzzy Hash: 87ed42faa032313864fc06551fe72bb69b6647f2da613820991c85222363e5f7
                                          • Instruction Fuzzy Hash: 62314B347506108FC759AB38C45892D7BE2AF8971236508F8E506CF775DE35DC42CB90
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.1508763969.0000000000D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D60000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_d60000_QGwHqTR.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: 8q
                                          • API String ID: 0-4083045702
                                          • Opcode ID: a946971afc4a5afdfe16e409185af32ab71a84265ea276a33540181bc40036eb
                                          • Instruction ID: ba52c2640d9d57b2c7632ba028c85275cdf6775943f03bdbf5137267036270ec
                                          • Opcode Fuzzy Hash: a946971afc4a5afdfe16e409185af32ab71a84265ea276a33540181bc40036eb
                                          • Instruction Fuzzy Hash: 7DF0C2741052008FCB16EBACE854B6ABFA0EF8530571405E9E1498F366DB70AC06CF91
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.1508763969.0000000000D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D60000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_d60000_QGwHqTR.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: 8q
                                          • API String ID: 0-4083045702
                                          • Opcode ID: 9b35524dfc8d21d46b1c51a4a3e235f9f57708c2712587195adabc3fd17b6134
                                          • Instruction ID: cc4daa5ee686ea62d2b0e1c04c7c91b275b8ac2b6f82fff296315e30c57509af
                                          • Opcode Fuzzy Hash: 9b35524dfc8d21d46b1c51a4a3e235f9f57708c2712587195adabc3fd17b6134
                                          • Instruction Fuzzy Hash: 46E04F75200604CFC752FBA9E544F6ABBD5EFC9312B5448A8E1098F369DFB0AC468BD1