Edit tour

Windows Analysis Report
z17invoice.exe

Overview

General Information

Sample name:	z17invoice.exe
Analysis ID:	1504031
MD5:	c418187a5268d408094b89aa79e3a5a2
SHA1:	a5a24c8aeef29107cb3a72acbe45d77274ee3cf9
SHA256:	66f51ee1deb34f149491e55735e671876e22fe37f749fdfa30238041a35bafc6
Tags:	exe
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

Yara detected AntiVM3

.NET source code contains potential unpacker

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Contains functionality to log keystrokes (.Net Source)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Outbound SMTP Connections

Uses 32bit PE files

Uses SMTP (mail sending)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

z17invoice.exe (PID: 6332 cmdline: "C:\Users\user\Desktop\z17invoice.exe" MD5: C418187A5268D408094B89AA79E3A5A2)

powershell.exe (PID: 3992 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z17invoice.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 1196 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 5604 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

z17invoice.exe (PID: 5752 cmdline: "C:\Users\user\Desktop\z17invoice.exe" MD5: C418187A5268D408094B89AA79E3A5A2)

mpTrle.exe (PID: 5668 cmdline: "C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe" MD5: C418187A5268D408094B89AA79E3A5A2)

mpTrle.exe (PID: 1864 cmdline: "C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe" MD5: C418187A5268D408094B89AA79E3A5A2)

mpTrle.exe (PID: 5036 cmdline: "C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe" MD5: C418187A5268D408094B89AA79E3A5A2)

mpTrle.exe (PID: 4088 cmdline: "C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe" MD5: C418187A5268D408094B89AA79E3A5A2)

mpTrle.exe (PID: 4120 cmdline: "C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe" MD5: C418187A5268D408094B89AA79E3A5A2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "587", "Host": "us2.smtp.mailhostbox.com", "Username": "wethem@aklaneah-sa.com", "Password": "Password:  )NYyffR0   "}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
0000000C.00000002.3282236236.000000000339C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000C.00000002.3282236236.00000000033A4000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000002.3283273481.00000000033D1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.3283273481.00000000033D1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000002.3283273481.0000000003404000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000A.00000002.2281400349.0000000003730000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000A.00000002.2281400349.0000000003730000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000008.00000002.3281780432.000000000312C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000007.00000002.2187583552.000000000377B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000002.2187583552.000000000377B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000C.00000002.3282236236.0000000003371000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000C.00000002.3282236236.0000000003371000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000008.00000002.3281780432.0000000003134000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000007.00000002.2187583552.0000000003702000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000002.2187583552.0000000003702000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000008.00000002.3281780432.0000000003101000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000008.00000002.3281780432.0000000003101000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000002.3283273481.00000000033FC000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000008.00000002.3278015316.0000000000429000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.2049081796.00000000036F0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2049081796.00000000036F0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: z17invoice.exe PID: 6332	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: z17invoice.exe PID: 6332	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: z17invoice.exe PID: 6332	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: z17invoice.exe PID: 5752	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: z17invoice.exe PID: 5752	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: mpTrle.exe PID: 5668	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: mpTrle.exe PID: 5668	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: mpTrle.exe PID: 5668	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: mpTrle.exe PID: 1864	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: mpTrle.exe PID: 1864	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: mpTrle.exe PID: 5036	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: mpTrle.exe PID: 5036	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: mpTrle.exe PID: 4120	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: mpTrle.exe PID: 4120	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 30 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
7.2.mpTrle.exe.3702270.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.mpTrle.exe.3702270.4.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
7.2.mpTrle.exe.3702270.4.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x31bd0:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x31c42:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x31ccc:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31d5e:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x31dc8:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31e3a:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x31ed0:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31f60:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
7.2.mpTrle.exe.377bef0.5.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.mpTrle.exe.377bef0.5.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
7.2.mpTrle.exe.377bef0.5.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x31bd0:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x31c42:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x31ccc:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31d5e:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x31dc8:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31e3a:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x31ed0:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31f60:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
10.2.mpTrle.exe.376bdb8.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.mpTrle.exe.376bdb8.4.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
10.2.mpTrle.exe.376bdb8.4.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x31bd0:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x31c42:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x31ccc:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31d5e:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x31dc8:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31e3a:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x31ed0:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31f60:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
10.2.mpTrle.exe.3730d98.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.mpTrle.exe.3730d98.2.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
10.2.mpTrle.exe.3730d98.2.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x31bd0:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x31c42:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x31ccc:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31d5e:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x31dc8:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31e3a:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x31ed0:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31f60:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
7.2.mpTrle.exe.3702270.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.mpTrle.exe.3702270.4.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
7.2.mpTrle.exe.3702270.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x339d0:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33a42:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33acc:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33b5e:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33bc8:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33c3a:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33cd0:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33d60:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.z17invoice.exe.36f01f0.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.z17invoice.exe.36f01f0.4.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.z17invoice.exe.36f01f0.4.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x31bd0:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x31c42:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x31ccc:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31d5e:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x31dc8:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31e3a:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x31ed0:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31f60:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.z17invoice.exe.372b210.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.z17invoice.exe.372b210.3.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.z17invoice.exe.372b210.3.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x31bd0:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x31c42:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x31ccc:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31d5e:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x31dc8:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31e3a:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x31ed0:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31f60:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
7.2.mpTrle.exe.377bef0.5.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.mpTrle.exe.377bef0.5.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
7.2.mpTrle.exe.377bef0.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x339d0:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6e7f0:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33a42:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6e862:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33acc:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6e8ec:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33b5e:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6e97e:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33bc8:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6e9e8:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33c3a:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6ea5a:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33cd0:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6eaf0:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33d60:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x6eb80:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
10.2.mpTrle.exe.376bdb8.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.mpTrle.exe.376bdb8.4.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
10.2.mpTrle.exe.376bdb8.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x339d0:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6e7f0:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33a42:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6e862:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33acc:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6e8ec:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33b5e:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6e97e:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33bc8:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6e9e8:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33c3a:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6ea5a:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33cd0:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6eaf0:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33d60:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x6eb80:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
10.2.mpTrle.exe.3730d98.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.mpTrle.exe.3730d98.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
10.2.mpTrle.exe.3730d98.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x339d0:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6e9f0:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0xa9810:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33a42:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6ea62:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0xa9882:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33acc:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6eaec:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0xa990c:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33b5e:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6eb7e:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0xa999e:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33bc8:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6ebe8:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0xa9a08:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33c3a:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6ec5a:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0xa9a7a:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33cd0:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6ecf0:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0xa9b10:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
0.2.z17invoice.exe.372b210.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.z17invoice.exe.372b210.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.z17invoice.exe.372b210.3.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.z17invoice.exe.372b210.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x339d0:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6e7f0:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33a42:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6e862:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33acc:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6e8ec:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33b5e:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6e97e:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33bc8:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6e9e8:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33c3a:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6ea5a:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33cd0:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6eaf0:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33d60:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x6eb80:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.z17invoice.exe.36f01f0.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.z17invoice.exe.36f01f0.4.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.z17invoice.exe.36f01f0.4.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.z17invoice.exe.36f01f0.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x339d0:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6e9f0:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0xa9810:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33a42:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6ea62:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0xa9882:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33acc:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6eaec:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0xa990c:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33b5e:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6eb7e:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0xa999e:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33bc8:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6ebe8:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0xa9a08:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33c3a:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6ec5a:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0xa9a7a:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33cd0:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6ecf0:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0xa9b10:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
Click to see the 33 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z17invoice.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z17invoice.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\z17invoice.exe", ParentImage: C:\Users\user\Desktop\z17invoice.exe, ParentProcessId: 6332, ParentProcessName: z17invoice.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z17invoice.exe", ProcessId: 3992, ProcessName: powershell.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\z17invoice.exe, ProcessId: 5752, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mpTrle

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 208.91.198.143, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\user\Desktop\z17invoice.exe, Initiated: true, ProcessId: 5752, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49708

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z17invoice.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z17invoice.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\z17invoice.exe", ParentImage: C:\Users\user\Desktop\z17invoice.exe, ParentProcessId: 6332, ParentProcessName: z17invoice.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z17invoice.exe", ProcessId: 3992, ProcessName: powershell.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 10.2.mpTrle.exe.3730d98.2.raw.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "us2.smtp.mailhostbox.com", "Username": "wethem@aklaneah-sa.com", "Password": "Password: )NYyffR0 "}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	ReversingLabs: Detection: 65%
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Virustotal: Detection: 60%			Perma Link

Multi AV Scanner detection for submitted file

Source: z17invoice.exe	Virustotal: Detection: 60%			Perma Link
Source: z17invoice.exe	ReversingLabs: Detection: 65%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: z17invoice.exe

Joe Sandbox ML: detected

Source: z17invoice.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.5:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.5:49720 version: TLS 1.2

Source: z17invoice.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: GRXq.pdb source: z17invoice.exe, mpTrle.exe.4.dr
Source:	Binary string: GRXq.pdbSHA256 source: z17invoice.exe, mpTrle.exe.4.dr

Source: C:\Users\user\Desktop\z17invoice.exe	Code function: 4x nop then jmp 0B880C4Bh	0_2_0B880323
Source: C:\Users\user\Desktop\z17invoice.exe	Code function: 4x nop then jmp 0B880C4Bh	0_2_0B8803D2
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 4x nop then jmp 08080C4Bh	7_2_080803D2
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 4x nop then jmp 06C80C4Bh	10_2_06C803D2

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 0.2.z17invoice.exe.372b210.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.z17invoice.exe.36f01f0.4.raw.unpack, type: UNPACKEDPE

Source: global traffic

TCP traffic: 192.168.2.5:49708 -> 208.91.198.143:587

Source: Joe Sandbox View	IP Address: 208.91.198.143 208.91.198.143
Source: Joe Sandbox View	IP Address: 172.67.74.152 172.67.74.152
Source: Joe Sandbox View	IP Address: 172.67.74.152 172.67.74.152

Source: Joe Sandbox View

ASN Name: PUBLIC-DOMAIN-REGISTRYUS PUBLIC-DOMAIN-REGISTRYUS

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: global traffic

TCP traffic: 192.168.2.5:49708 -> 208.91.198.143:587

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: api.ipify.org
Source: global traffic	DNS traffic detected: DNS query: us2.smtp.mailhostbox.com

Source: z17invoice.exe, 00000004.00000002.3283273481.0000000003404000.00000004.00000800.00020000.00000000.sdmp, z17invoice.exe, 00000004.00000002.3279843502.000000000183C000.00000004.00000020.00020000.00000000.sdmp, mpTrle.exe, 00000008.00000002.3279576468.000000000159E000.00000004.00000020.00020000.00000000.sdmp, mpTrle.exe, 00000008.00000002.3281780432.0000000003134000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 0000000C.00000002.3300916961.0000000006A10000.00000004.00000020.00020000.00000000.sdmp, mpTrle.exe, 0000000C.00000002.3282236236.00000000033A4000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 0000000C.00000002.3279660282.00000000016F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: z17invoice.exe, 00000004.00000002.3279843502.000000000183C000.00000004.00000020.00020000.00000000.sdmp, mpTrle.exe, 00000008.00000002.3300128980.0000000006A26000.00000004.00000020.00020000.00000000.sdmp, mpTrle.exe, 00000008.00000002.3279576468.000000000159E000.00000004.00000020.00020000.00000000.sdmp, mpTrle.exe, 0000000C.00000002.3301136987.0000000006A60000.00000004.00000020.00020000.00000000.sdmp, mpTrle.exe, 0000000C.00000002.3279660282.00000000016F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: z17invoice.exe, 00000004.00000002.3283273481.0000000003404000.00000004.00000800.00020000.00000000.sdmp, z17invoice.exe, 00000004.00000002.3279843502.000000000183C000.00000004.00000020.00020000.00000000.sdmp, mpTrle.exe, 00000008.00000002.3279576468.000000000159E000.00000004.00000020.00020000.00000000.sdmp, mpTrle.exe, 00000008.00000002.3281780432.0000000003134000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 0000000C.00000002.3282236236.00000000033A4000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 0000000C.00000002.3301136987.0000000006A60000.00000004.00000020.00020000.00000000.sdmp, mpTrle.exe, 0000000C.00000002.3279660282.00000000016F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: z17invoice.exe, 00000004.00000002.3283273481.0000000003404000.00000004.00000800.00020000.00000000.sdmp, z17invoice.exe, 00000004.00000002.3279843502.000000000183C000.00000004.00000020.00020000.00000000.sdmp, mpTrle.exe, 00000008.00000002.3279576468.000000000159E000.00000004.00000020.00020000.00000000.sdmp, mpTrle.exe, 00000008.00000002.3281780432.0000000003134000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 0000000C.00000002.3300916961.0000000006A10000.00000004.00000020.00020000.00000000.sdmp, mpTrle.exe, 0000000C.00000002.3282236236.00000000033A4000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 0000000C.00000002.3279660282.00000000016F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: z17invoice.exe, 00000004.00000002.3283273481.0000000003404000.00000004.00000800.00020000.00000000.sdmp, z17invoice.exe, 00000004.00000002.3279843502.000000000183C000.00000004.00000020.00020000.00000000.sdmp, mpTrle.exe, 00000008.00000002.3279576468.000000000159E000.00000004.00000020.00020000.00000000.sdmp, mpTrle.exe, 00000008.00000002.3281780432.0000000003134000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 0000000C.00000002.3282236236.00000000033A4000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 0000000C.00000002.3301136987.0000000006A60000.00000004.00000020.00020000.00000000.sdmp, mpTrle.exe, 0000000C.00000002.3279660282.00000000016F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0A
Source: z17invoice.exe, 00000000.00000002.2048520162.00000000026C9000.00000004.00000800.00020000.00000000.sdmp, z17invoice.exe, 00000004.00000002.3283273481.0000000003381000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 00000007.00000002.2186069151.0000000002719000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 00000008.00000002.3281780432.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 0000000A.00000002.2274721897.000000000270C000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 0000000C.00000002.3282236236.000000000332C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: z17invoice.exe, 00000004.00000002.3283273481.00000000033FC000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 00000008.00000002.3281780432.000000000312C000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 0000000C.00000002.3282236236.000000000339C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://us2.smtp.mailhostbox.com
Source: z17invoice.exe, 00000000.00000002.2049081796.00000000036F0000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 00000007.00000002.2187583552.0000000003702000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 00000007.00000002.2187583552.000000000377B000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 00000008.00000002.3278015316.0000000000429000.00000040.00000400.00020000.00000000.sdmp, mpTrle.exe, 0000000A.00000002.2281400349.0000000003730000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/
Source: z17invoice.exe, 00000000.00000002.2049081796.00000000036F0000.00000004.00000800.00020000.00000000.sdmp, z17invoice.exe, 00000004.00000002.3283273481.0000000003381000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 00000007.00000002.2187583552.0000000003702000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 00000007.00000002.2187583552.000000000377B000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 00000008.00000002.3281780432.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 00000008.00000002.3278015316.0000000000429000.00000040.00000400.00020000.00000000.sdmp, mpTrle.exe, 0000000A.00000002.2281400349.0000000003730000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 0000000C.00000002.3282236236.000000000332C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: z17invoice.exe, 00000004.00000002.3283273481.0000000003381000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 00000008.00000002.3281780432.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 0000000C.00000002.3282236236.000000000332C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: z17invoice.exe, 00000004.00000002.3283273481.0000000003381000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 00000008.00000002.3281780432.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 0000000C.00000002.3282236236.000000000332C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/t
Source: z17invoice.exe, 00000004.00000002.3283273481.0000000003404000.00000004.00000800.00020000.00000000.sdmp, z17invoice.exe, 00000004.00000002.3279843502.000000000183C000.00000004.00000020.00020000.00000000.sdmp, mpTrle.exe, 00000008.00000002.3279576468.000000000159E000.00000004.00000020.00020000.00000000.sdmp, mpTrle.exe, 00000008.00000002.3281780432.0000000003134000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 0000000C.00000002.3282236236.00000000033A4000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 0000000C.00000002.3301136987.0000000006A60000.00000004.00000020.00020000.00000000.sdmp, mpTrle.exe, 0000000C.00000002.3279660282.00000000016F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706

Source: unknown	HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.5:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.5:49720 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.z17invoice.exe.36f01f0.4.raw.unpack, 3DlgK9re6m.cs	.Net Code: sIJKyc
Source: 0.2.z17invoice.exe.372b210.3.raw.unpack, 3DlgK9re6m.cs	.Net Code: sIJKyc
Source: 7.2.mpTrle.exe.377bef0.5.raw.unpack, 3DlgK9re6m.cs	.Net Code: sIJKyc

System Summary

Malicious sample detected (through community Yara rule)

Source: 7.2.mpTrle.exe.3702270.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.mpTrle.exe.377bef0.5.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 10.2.mpTrle.exe.376bdb8.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 10.2.mpTrle.exe.3730d98.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.mpTrle.exe.3702270.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.z17invoice.exe.36f01f0.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.z17invoice.exe.372b210.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.mpTrle.exe.377bef0.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 10.2.mpTrle.exe.376bdb8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 10.2.mpTrle.exe.3730d98.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.z17invoice.exe.372b210.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.z17invoice.exe.36f01f0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: z17invoice.exe

Source: C:\Users\user\Desktop\z17invoice.exe	Code function: 0_2_0263D5BC	0_2_0263D5BC
Source: C:\Users\user\Desktop\z17invoice.exe	Code function: 0_2_04B90006	0_2_04B90006
Source: C:\Users\user\Desktop\z17invoice.exe	Code function: 0_2_04B90040	0_2_04B90040
Source: C:\Users\user\Desktop\z17invoice.exe	Code function: 0_2_0B882468	0_2_0B882468
Source: C:\Users\user\Desktop\z17invoice.exe	Code function: 4_2_0179E3E0	4_2_0179E3E0
Source: C:\Users\user\Desktop\z17invoice.exe	Code function: 4_2_01794AD0	4_2_01794AD0
Source: C:\Users\user\Desktop\z17invoice.exe	Code function: 4_2_01793EB8	4_2_01793EB8
Source: C:\Users\user\Desktop\z17invoice.exe	Code function: 4_2_0179F1BB	4_2_0179F1BB
Source: C:\Users\user\Desktop\z17invoice.exe	Code function: 4_2_0179B308	4_2_0179B308
Source: C:\Users\user\Desktop\z17invoice.exe	Code function: 4_2_01794200	4_2_01794200
Source: C:\Users\user\Desktop\z17invoice.exe	Code function: 4_2_017919E8	4_2_017919E8
Source: C:\Users\user\Desktop\z17invoice.exe	Code function: 4_2_01791ADD	4_2_01791ADD
Source: C:\Users\user\Desktop\z17invoice.exe	Code function: 4_2_0711C520	4_2_0711C520
Source: C:\Users\user\Desktop\z17invoice.exe	Code function: 4_2_0711AEFC	4_2_0711AEFC
Source: C:\Users\user\Desktop\z17invoice.exe	Code function: 4_2_0717C568	4_2_0717C568
Source: C:\Users\user\Desktop\z17invoice.exe	Code function: 4_2_071755C8	4_2_071755C8
Source: C:\Users\user\Desktop\z17invoice.exe	Code function: 4_2_071765E0	4_2_071765E0
Source: C:\Users\user\Desktop\z17invoice.exe	Code function: 4_2_07173488	4_2_07173488
Source: C:\Users\user\Desktop\z17invoice.exe	Code function: 4_2_0717B212	4_2_0717B212
Source: C:\Users\user\Desktop\z17invoice.exe	Code function: 4_2_07177D68	4_2_07177D68
Source: C:\Users\user\Desktop\z17invoice.exe	Code function: 4_2_07175CD7	4_2_07175CD7
Source: C:\Users\user\Desktop\z17invoice.exe	Code function: 4_2_07177688	4_2_07177688
Source: C:\Users\user\Desktop\z17invoice.exe	Code function: 4_2_07170006	4_2_07170006
Source: C:\Users\user\Desktop\z17invoice.exe	Code function: 4_2_07170040	4_2_07170040
Source: C:\Users\user\Desktop\z17invoice.exe	Code function: 4_2_0717EA48	4_2_0717EA48
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 7_2_00D3D5BC	7_2_00D3D5BC
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 7_2_06AE8710	7_2_06AE8710
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 7_2_06AE6D09	7_2_06AE6D09
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 7_2_06AEB700	7_2_06AEB700
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 7_2_06AE8700	7_2_06AE8700
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 7_2_06AED770	7_2_06AED770
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 7_2_06AEB2C2	7_2_06AEB2C2
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 7_2_06AED338	7_2_06AED338
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 7_2_06AE6D94	7_2_06AE6D94
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 7_2_06AEBB29	7_2_06AEBB29
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 7_2_06AEBB38	7_2_06AEBB38
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 7_2_08082468	7_2_08082468
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 8_2_0308EAD8	8_2_0308EAD8
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 8_2_03084AD0	8_2_03084AD0
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 8_2_03083EB8	8_2_03083EB8
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 8_2_0308AD08	8_2_0308AD08
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 8_2_03084200	8_2_03084200
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 8_2_06E1ACDC	8_2_06E1ACDC
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 8_2_06E196B0	8_2_06E196B0
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 8_2_06E1DBF0	8_2_06E1DBF0
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 8_2_06E23490	8_2_06E23490
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 8_2_06E265E8	8_2_06E265E8
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 8_2_06E255D0	8_2_06E255D0
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 8_2_06E2B220	8_2_06E2B220
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 8_2_06E2C178	8_2_06E2C178
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 8_2_06E27D70	8_2_06E27D70
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 8_2_06E27690	8_2_06E27690
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 8_2_06E2E398	8_2_06E2E398
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 8_2_06E20040	8_2_06E20040
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 8_2_06E25CDF	8_2_06E25CDF
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 10_2_00C9D5BC	10_2_00C9D5BC
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 10_2_06C82528	10_2_06C82528
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 10_2_081A6D09	10_2_081A6D09
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 10_2_081A8710	10_2_081A8710
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 10_2_081ABB38	10_2_081ABB38
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 10_2_081ABB29	10_2_081ABB29
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 10_2_081AD338	10_2_081AD338
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 10_2_081A86D9	10_2_081A86D9
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 10_2_081AB700	10_2_081AB700
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 10_2_081AD770	10_2_081AD770
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 12_2_03134AD0	12_2_03134AD0
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 12_2_0313EAD8	12_2_0313EAD8
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 12_2_03133EB8	12_2_03133EB8
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 12_2_03134200	12_2_03134200
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 12_2_0313AD08	12_2_0313AD08
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 12_2_06E4ACDC	12_2_06E4ACDC
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 12_2_06E4C050	12_2_06E4C050
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 12_2_06E496B0	12_2_06E496B0
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 12_2_06E4DBF0	12_2_06E4DBF0
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 12_2_06E63490	12_2_06E63490
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 12_2_06E665E8	12_2_06E665E8
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 12_2_06E655D0	12_2_06E655D0
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 12_2_06E6B220	12_2_06E6B220
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 12_2_06E6C178	12_2_06E6C178
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 12_2_06E67D70	12_2_06E67D70
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 12_2_06E67690	12_2_06E67690
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 12_2_06E6E398	12_2_06E6E398
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 12_2_06E60040	12_2_06E60040
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 12_2_06E65CDF	12_2_06E65CDF

Source: z17invoice.exe, 00000000.00000002.2055901739.0000000004F60000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameGB-lesson-forms.dll@ vs z17invoice.exe
Source: z17invoice.exe, 00000000.00000002.2057277569.000000000851F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePowerShell.EXE.MUIj% vs z17invoice.exe
Source: z17invoice.exe, 00000000.00000002.2057016131.0000000006C80000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs z17invoice.exe
Source: z17invoice.exe, 00000000.00000002.2048520162.000000000271A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename64af20ca-f267-4570-b8a1-6b375e9c5566.exe4 vs z17invoice.exe
Source: z17invoice.exe, 00000000.00000000.2015838963.0000000000308000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameGRXq.exe: vs z17invoice.exe
Source: z17invoice.exe, 00000000.00000002.2049081796.00000000036F0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename64af20ca-f267-4570-b8a1-6b375e9c5566.exe4 vs z17invoice.exe
Source: z17invoice.exe, 00000000.00000002.2049081796.00000000036F0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs z17invoice.exe
Source: z17invoice.exe, 00000000.00000002.2047046988.00000000009AE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs z17invoice.exe
Source: z17invoice.exe, 00000000.00000002.2048520162.0000000002671000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameGB-lesson-forms.dll@ vs z17invoice.exe
Source: z17invoice.exe, 00000000.00000002.2048520162.0000000002766000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameGB-lesson-forms.dll@ vs z17invoice.exe
Source: z17invoice.exe, 00000004.00000002.3278441154.00000000011D8000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs z17invoice.exe
Source: z17invoice.exe	Binary or memory string: OriginalFilenameGRXq.exe: vs z17invoice.exe

Source: z17invoice.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 7.2.mpTrle.exe.3702270.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.mpTrle.exe.377bef0.5.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 10.2.mpTrle.exe.376bdb8.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 10.2.mpTrle.exe.3730d98.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.mpTrle.exe.3702270.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.z17invoice.exe.36f01f0.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.z17invoice.exe.372b210.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.mpTrle.exe.377bef0.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 10.2.mpTrle.exe.376bdb8.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 10.2.mpTrle.exe.3730d98.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.z17invoice.exe.372b210.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.z17invoice.exe.36f01f0.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers

Source: z17invoice.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: mpTrle.exe.4.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.z17invoice.exe.36f01f0.4.raw.unpack, slKb.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.z17invoice.exe.36f01f0.4.raw.unpack, mAKJ.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.z17invoice.exe.36f01f0.4.raw.unpack, xQRSe0Fg.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 0.2.z17invoice.exe.36f01f0.4.raw.unpack, n3rhMa.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.z17invoice.exe.36f01f0.4.raw.unpack, MQzE4FWn.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.z17invoice.exe.36f01f0.4.raw.unpack, nSmgRyX5a1.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.z17invoice.exe.36f01f0.4.raw.unpack, 6IMLmJtk.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.z17invoice.exe.36f01f0.4.raw.unpack, 6IMLmJtk.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.z17invoice.exe.36f01f0.4.raw.unpack, 3HroK7qN.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.z17invoice.exe.36f01f0.4.raw.unpack, 3HroK7qN.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.z17invoice.exe.389a7b0.2.raw.unpack, vFeqA82BFuFxdDMn8X.cs	Security API names: _0020.SetAccessControl
Source: 0.2.z17invoice.exe.389a7b0.2.raw.unpack, vFeqA82BFuFxdDMn8X.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.z17invoice.exe.389a7b0.2.raw.unpack, vFeqA82BFuFxdDMn8X.cs	Security API names: _0020.AddAccessRule
Source: 0.2.z17invoice.exe.6c80000.6.raw.unpack, vFeqA82BFuFxdDMn8X.cs	Security API names: _0020.SetAccessControl
Source: 0.2.z17invoice.exe.6c80000.6.raw.unpack, vFeqA82BFuFxdDMn8X.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.z17invoice.exe.6c80000.6.raw.unpack, vFeqA82BFuFxdDMn8X.cs	Security API names: _0020.AddAccessRule
Source: 0.2.z17invoice.exe.6c80000.6.raw.unpack, nEJ4ZgpnZN1celwi9K.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.z17invoice.exe.389a7b0.2.raw.unpack, nEJ4ZgpnZN1celwi9K.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@15/9@2/2

Source: C:\Users\user\Desktop\z17invoice.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\z17invoice.exe.log

Jump to behavior

Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Mutant created: NULL
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Mutant created: \Sessions\1\BaseNamedObjects\ITbyrwULeTDq
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1196:120:WilError_03

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vdwpu5sl.hle.ps1

Jump to behavior

Source: z17invoice.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: z17invoice.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\z17invoice.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\z17invoice.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\z17invoice.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\z17invoice.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: z17invoice.exe	Virustotal: Detection: 60%
Source: z17invoice.exe	ReversingLabs: Detection: 65%

Source: C:\Users\user\Desktop\z17invoice.exe

File read: C:\Users\user\Desktop\z17invoice.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\z17invoice.exe "C:\Users\user\Desktop\z17invoice.exe"
Source: C:\Users\user\Desktop\z17invoice.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z17invoice.exe"
Source: C:\Users\user\Desktop\z17invoice.exe	Process created: C:\Users\user\Desktop\z17invoice.exe "C:\Users\user\Desktop\z17invoice.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: unknown	Process created: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe "C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe"
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process created: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe "C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe "C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe"
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process created: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe "C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe"
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process created: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe "C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe"
Source: C:\Users\user\Desktop\z17invoice.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z17invoice.exe"	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Process created: C:\Users\user\Desktop\z17invoice.exe "C:\Users\user\Desktop\z17invoice.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process created: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe "C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process created: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe "C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe"
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process created: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe "C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe"

Source: C:\Users\user\Desktop\z17invoice.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Section loaded: wintypes.dll

Source: C:\Users\user\Desktop\z17invoice.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\z17invoice.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\z17invoice.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: z17invoice.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: z17invoice.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: z17invoice.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: GRXq.pdb source: z17invoice.exe, mpTrle.exe.4.dr
Source:	Binary string: GRXq.pdbSHA256 source: z17invoice.exe, mpTrle.exe.4.dr

Data Obfuscation

.NET source code contains potential unpacker

Source: z17invoice.exe, MainForm.cs	.Net Code: InitializeComponent
Source: 0.2.z17invoice.exe.6c80000.6.raw.unpack, vFeqA82BFuFxdDMn8X.cs	.Net Code: DQ2gFg7MWN System.Reflection.Assembly.Load(byte[])
Source: 0.2.z17invoice.exe.389a7b0.2.raw.unpack, vFeqA82BFuFxdDMn8X.cs	.Net Code: DQ2gFg7MWN System.Reflection.Assembly.Load(byte[])
Source: mpTrle.exe.4.dr, MainForm.cs	.Net Code: InitializeComponent

Source: C:\Users\user\Desktop\z17invoice.exe	Code function: 0_2_02639C40 push 5004B093h; iretd	0_2_02639C6D
Source: C:\Users\user\Desktop\z17invoice.exe	Code function: 4_2_07114F00 push esp; retf	4_2_07114F0D
Source: C:\Users\user\Desktop\z17invoice.exe	Code function: 4_2_0717E1A5 pushad ; ret	4_2_0717E1AD
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 7_2_00D3B311 push 14418B02h; ret	7_2_00D3B323
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 7_2_00D3B4C0 push 18418B02h; ret	7_2_00D3B723
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 8_2_03080C55 push edi; retf	8_2_03080C7A
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 8_2_06E153E0 push es; ret	8_2_06E153F0
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 8_2_06E1FEFB push es; retf	8_2_06E1FEFC
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 10_2_00C901B5 push esp; iretd	10_2_00C901B3
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 10_2_00C9CEE5 push 4B18B902h; retf	10_2_00C9CEFB
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 10_2_00C992EA push ebp; retf	10_2_00C992EB
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 10_2_00C9B311 push 14418B02h; ret	10_2_00C9B323
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Code function: 10_2_00C9B4C0 push 18418B02h; ret	10_2_00C9B723

Source: z17invoice.exe	Static PE information: section name: .text entropy: 7.782349079077635
Source: mpTrle.exe.4.dr	Static PE information: section name: .text entropy: 7.782349079077635

Source: 0.2.z17invoice.exe.6c80000.6.raw.unpack, BWNUv2gwCEuXu9LVyY.cs	High entropy of concatenated method names: 'EnD1bEJ4Zg', 'eZN121celw', 'xdM1PCnOkV', 'FnQ18l5n81', 'DGo1Ug9HiE', 'OlC1mis6uZ', 'PMeAlpoCwGZ82KMi8g', 'YVW5kqI4OcCoqRHSOX', 'JMy11N4hns', 'IDa1fKP3Na'
Source: 0.2.z17invoice.exe.6c80000.6.raw.unpack, hn81N8S7ehdR5KGog9.cs	High entropy of concatenated method names: 'mQk54BThYJ', 'Pyf5KyMxjA', 'aFw9VwSaRZ', 'o1D9RAbZUe', 'cQe9hyZpn7', 'NSq9Okg9I0', 'YpQ9eOtic6', 'biM9snTobq', 'svt96k7ZVh', 'QlD9NKadBx'
Source: 0.2.z17invoice.exe.6c80000.6.raw.unpack, TpMpwXHSGkeuOiaAKU.cs	High entropy of concatenated method names: 'B66Fv5HFh', 'RhvvidH0Y', 'VkQY37tfq', 'vqkKYOyFB', 'c5Bagw6cH', 'F7kSRCMTq', 'uTiqGvn6A65iXbd7bT', 'CYMs6UJMokTE3xHusc', 'OWeEEH84g', 'PyH01c0Wb'
Source: 0.2.z17invoice.exe.6c80000.6.raw.unpack, chSg2oadMCnOkVqnQl.cs	High entropy of concatenated method names: 'xxH9vWeVnq', 'A7w9YEbkJE', 'P969p3B6ks', 'hbe9a7mZbM', 'Rhn9UDZJiq', 'JhI9m2Q228', 'abv9wEBaSa', 'v079EIMNTG', 'C8b9GVdW2j', 'HYj90FijEB'
Source: 0.2.z17invoice.exe.6c80000.6.raw.unpack, b4bRv0zdV5wjVSX1OY.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'sjkGDKjI3o', 'RvqGUloArG', 'MhpGmj6I02', 'USfGwYbUxN', 'JPDGEPJGdh', 'bXvGGEEZoB', 'OIOG0droRM'
Source: 0.2.z17invoice.exe.6c80000.6.raw.unpack, nt6tW0XRD2x6gaLGVp.cs	High entropy of concatenated method names: 'Dispose', 'oRy1ASpbS6', 'TGdHBY4et7', 'xaQYY6STOO', 'M7Y1tYhlXQ', 'L5i1zYBSFY', 'ProcessDialogKey', 'fpLHZHEUL0', 'DPnH15RyJh', 'L36HHxKcbr'
Source: 0.2.z17invoice.exe.6c80000.6.raw.unpack, NZqP6M1ZqQhdWeT0l53.cs	High entropy of concatenated method names: 'xUBGrJrKaO', 'qwaGyKPZrO', 'WFNGFZWmb3', 'kl3Gvg1S7L', 'pFLG4CyD08', 'VfZGYZwu6C', 'zyUGKiX4ux', 'cgXGplDSQx', 'T06GaOP1T4', 'tbXGSmSo4T'
Source: 0.2.z17invoice.exe.6c80000.6.raw.unpack, biEIlCqis6uZnAVSd1.cs	High entropy of concatenated method names: 'HUkLnkiOiB', 'DEhLXAuv0E', 'pAFL507iBm', 'lMdLbFxQrR', 'x2fL2fluQU', 'tS65WkP2eg', 'mkx53VT9ak', 'Ly45CYjNSq', 'pNq5TBFN5K', 'r7R5AcBuqF'
Source: 0.2.z17invoice.exe.6c80000.6.raw.unpack, ogcLX6cEhD4FYcl23J.cs	High entropy of concatenated method names: 'Y7qwP5l516', 'Kxkw88dA2j', 'ToString', 'PaRwJhNfQJ', 'Kv1wXmSFER', 'jYBw9HwNGu', 'VC2w5nqWGu', 'FEDwLrf0Yl', 'KM2wb2iSNB', 'uorw2ZfxTb'
Source: 0.2.z17invoice.exe.6c80000.6.raw.unpack, nEJ4ZgpnZN1celwi9K.cs	High entropy of concatenated method names: 'w8rXuC7sda', 'bQYXi1b15u', 'd6pXQWn3Re', 'Er2Xc4miCF', 'i3JXWCdrPV', 'pkZX3UEv5k', 'LLfXCYSaHU', 'XCuXTyYram', 'uNpXAdakSW', 'QOIXtnXJTV'
Source: 0.2.z17invoice.exe.6c80000.6.raw.unpack, XARcRsdajvftnYXJ7A.cs	High entropy of concatenated method names: 'pijDpMn1Xl', 'eZGDaYFKac', 'EDFDqnsbBN', 'IJIDBy0VyD', 'rqoDRjUnKV', 'WmYDhoNxLp', 'tTRDe796ui', 'UHEDsuSho2', 'PIADN8S6T4', 'gOLDIYG7xg'
Source: 0.2.z17invoice.exe.6c80000.6.raw.unpack, zfpHmGu5eZlB2kBdMT.cs	High entropy of concatenated method names: 'OwNUNBefY3', 'zxtUjYYCWc', 'YkqUu7IZMU', 'YMEUi6Nudy', 'bgVUBiPk1u', 'mIMUVbgCBK', 'uxDURK1gV7', 'IRCUhsoBx3', 'geoUOI1Lgq', 'ztoUeY6Hki'
Source: 0.2.z17invoice.exe.6c80000.6.raw.unpack, u4Ph2Y3HEGsTn4EA2K.cs	High entropy of concatenated method names: 'PnKwTmhqXm', 'todwtqsFIr', 'QXVEZ4enei', 'nMLE1ZHWY3', 's8YwIQnEa4', 'FWCwjkw4sf', 'NK4wdfsZFq', 'LZ8wuDQV86', 'L5Qwi146fH', 'nmbwQYk6vN'
Source: 0.2.z17invoice.exe.6c80000.6.raw.unpack, cY4AorQTkcdQE1Wmpe.cs	High entropy of concatenated method names: 'ToString', 'mxYmIQY1IG', 'LLrmBAtNPu', 'wqKmVgJJ89', 'sFGmRKBLpx', 'aepmhC90HR', 'SCOmO7okiB', 'qDPme0noiH', 'r96msLOcwp', 'xTem6YJDgJ'
Source: 0.2.z17invoice.exe.6c80000.6.raw.unpack, ulp53J1f7ZkodXvaeqN.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'nJh0udfGrT', 'jSb0iwvBNu', 'bUj0QWwmjE', 'XGL0crY2L6', 'hdG0WrG16G', 'xXM03TR9vX', 'MUV0Cygx9g'
Source: 0.2.z17invoice.exe.6c80000.6.raw.unpack, vFeqA82BFuFxdDMn8X.cs	High entropy of concatenated method names: 'fMMfnlUbuh', 'eXJfJFmGCV', 'TbHfXdC8sj', 'MTxf9xYh0a', 'NXhf5Y2mMF', 'jllfL9EOYs', 'mWMfbVr418', 'mN4f2FZx30', 'lVTfM9wSRi', 'RA1fPXV82D'
Source: 0.2.z17invoice.exe.6c80000.6.raw.unpack, tKcbrHtrpXPIMte5WL.cs	High entropy of concatenated method names: 'UZkG1oVIv0', 'FwHGfWrB3P', 'vCnGgaA3oy', 'KtyGJXFg07', 'MHQGXTeYUr', 'cf6G58u3xA', 'MZnGLNV8m6', 'AolECTXPiO', 'SqDETXtun0', 'x9AEAmyJyF'
Source: 0.2.z17invoice.exe.6c80000.6.raw.unpack, Vq1ouwekWox4TPejHk.cs	High entropy of concatenated method names: 'IGKbJKnYf7', 'ofTb9ynX8j', 'GVNbL3ElLF', 'EVjLt1grsO', 'tIkLz2Syvx', 'wtSbZwWGpT', 'Ts1b1cglLJ', 'A1ObHIKlj7', 'uTKbfpNydL', 'd19bglmB0X'
Source: 0.2.z17invoice.exe.6c80000.6.raw.unpack, iHEUL0AKPn5RyJhs36.cs	High entropy of concatenated method names: 'VbEEqWHyYq', 'WD0EBq9DjD', 'RANEVlPvOt', 'KPfERNpynu', 'mXFEuAFtr3', 'NmoEhLdxWh', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.z17invoice.exe.6c80000.6.raw.unpack, uYYhlXTQe5iYBSFYJp.cs	High entropy of concatenated method names: 'Vj4EJZStBH', 'uvyEXqCbtV', 'JaeE9dv98w', 'TL2E5afikF', 'simELOkdFG', 'rGhEbSMTD7', 'uZtE2DxaXn', 'PCHEM33g3F', 'dp5EP3nx94', 'LB9E8014Ss'
Source: 0.2.z17invoice.exe.6c80000.6.raw.unpack, SgMKSW6lV3WxejO7di.cs	High entropy of concatenated method names: 'opybrjecXB', 'CoqbyCPFAH', 'xoGbFeE0VI', 'J7MbvSZl6l', 'wIeb4SYBj1', 'rHIbYm7Klm', 'hWRbKRLPnI', 'VkibpdMy1P', 'H7PbaNlq9V', 'pxibSnpyB5'
Source: 0.2.z17invoice.exe.389a7b0.2.raw.unpack, BWNUv2gwCEuXu9LVyY.cs	High entropy of concatenated method names: 'EnD1bEJ4Zg', 'eZN121celw', 'xdM1PCnOkV', 'FnQ18l5n81', 'DGo1Ug9HiE', 'OlC1mis6uZ', 'PMeAlpoCwGZ82KMi8g', 'YVW5kqI4OcCoqRHSOX', 'JMy11N4hns', 'IDa1fKP3Na'
Source: 0.2.z17invoice.exe.389a7b0.2.raw.unpack, hn81N8S7ehdR5KGog9.cs	High entropy of concatenated method names: 'mQk54BThYJ', 'Pyf5KyMxjA', 'aFw9VwSaRZ', 'o1D9RAbZUe', 'cQe9hyZpn7', 'NSq9Okg9I0', 'YpQ9eOtic6', 'biM9snTobq', 'svt96k7ZVh', 'QlD9NKadBx'
Source: 0.2.z17invoice.exe.389a7b0.2.raw.unpack, TpMpwXHSGkeuOiaAKU.cs	High entropy of concatenated method names: 'B66Fv5HFh', 'RhvvidH0Y', 'VkQY37tfq', 'vqkKYOyFB', 'c5Bagw6cH', 'F7kSRCMTq', 'uTiqGvn6A65iXbd7bT', 'CYMs6UJMokTE3xHusc', 'OWeEEH84g', 'PyH01c0Wb'
Source: 0.2.z17invoice.exe.389a7b0.2.raw.unpack, chSg2oadMCnOkVqnQl.cs	High entropy of concatenated method names: 'xxH9vWeVnq', 'A7w9YEbkJE', 'P969p3B6ks', 'hbe9a7mZbM', 'Rhn9UDZJiq', 'JhI9m2Q228', 'abv9wEBaSa', 'v079EIMNTG', 'C8b9GVdW2j', 'HYj90FijEB'
Source: 0.2.z17invoice.exe.389a7b0.2.raw.unpack, b4bRv0zdV5wjVSX1OY.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'sjkGDKjI3o', 'RvqGUloArG', 'MhpGmj6I02', 'USfGwYbUxN', 'JPDGEPJGdh', 'bXvGGEEZoB', 'OIOG0droRM'
Source: 0.2.z17invoice.exe.389a7b0.2.raw.unpack, nt6tW0XRD2x6gaLGVp.cs	High entropy of concatenated method names: 'Dispose', 'oRy1ASpbS6', 'TGdHBY4et7', 'xaQYY6STOO', 'M7Y1tYhlXQ', 'L5i1zYBSFY', 'ProcessDialogKey', 'fpLHZHEUL0', 'DPnH15RyJh', 'L36HHxKcbr'
Source: 0.2.z17invoice.exe.389a7b0.2.raw.unpack, NZqP6M1ZqQhdWeT0l53.cs	High entropy of concatenated method names: 'xUBGrJrKaO', 'qwaGyKPZrO', 'WFNGFZWmb3', 'kl3Gvg1S7L', 'pFLG4CyD08', 'VfZGYZwu6C', 'zyUGKiX4ux', 'cgXGplDSQx', 'T06GaOP1T4', 'tbXGSmSo4T'
Source: 0.2.z17invoice.exe.389a7b0.2.raw.unpack, biEIlCqis6uZnAVSd1.cs	High entropy of concatenated method names: 'HUkLnkiOiB', 'DEhLXAuv0E', 'pAFL507iBm', 'lMdLbFxQrR', 'x2fL2fluQU', 'tS65WkP2eg', 'mkx53VT9ak', 'Ly45CYjNSq', 'pNq5TBFN5K', 'r7R5AcBuqF'
Source: 0.2.z17invoice.exe.389a7b0.2.raw.unpack, ogcLX6cEhD4FYcl23J.cs	High entropy of concatenated method names: 'Y7qwP5l516', 'Kxkw88dA2j', 'ToString', 'PaRwJhNfQJ', 'Kv1wXmSFER', 'jYBw9HwNGu', 'VC2w5nqWGu', 'FEDwLrf0Yl', 'KM2wb2iSNB', 'uorw2ZfxTb'
Source: 0.2.z17invoice.exe.389a7b0.2.raw.unpack, nEJ4ZgpnZN1celwi9K.cs	High entropy of concatenated method names: 'w8rXuC7sda', 'bQYXi1b15u', 'd6pXQWn3Re', 'Er2Xc4miCF', 'i3JXWCdrPV', 'pkZX3UEv5k', 'LLfXCYSaHU', 'XCuXTyYram', 'uNpXAdakSW', 'QOIXtnXJTV'
Source: 0.2.z17invoice.exe.389a7b0.2.raw.unpack, XARcRsdajvftnYXJ7A.cs	High entropy of concatenated method names: 'pijDpMn1Xl', 'eZGDaYFKac', 'EDFDqnsbBN', 'IJIDBy0VyD', 'rqoDRjUnKV', 'WmYDhoNxLp', 'tTRDe796ui', 'UHEDsuSho2', 'PIADN8S6T4', 'gOLDIYG7xg'
Source: 0.2.z17invoice.exe.389a7b0.2.raw.unpack, zfpHmGu5eZlB2kBdMT.cs	High entropy of concatenated method names: 'OwNUNBefY3', 'zxtUjYYCWc', 'YkqUu7IZMU', 'YMEUi6Nudy', 'bgVUBiPk1u', 'mIMUVbgCBK', 'uxDURK1gV7', 'IRCUhsoBx3', 'geoUOI1Lgq', 'ztoUeY6Hki'
Source: 0.2.z17invoice.exe.389a7b0.2.raw.unpack, u4Ph2Y3HEGsTn4EA2K.cs	High entropy of concatenated method names: 'PnKwTmhqXm', 'todwtqsFIr', 'QXVEZ4enei', 'nMLE1ZHWY3', 's8YwIQnEa4', 'FWCwjkw4sf', 'NK4wdfsZFq', 'LZ8wuDQV86', 'L5Qwi146fH', 'nmbwQYk6vN'
Source: 0.2.z17invoice.exe.389a7b0.2.raw.unpack, cY4AorQTkcdQE1Wmpe.cs	High entropy of concatenated method names: 'ToString', 'mxYmIQY1IG', 'LLrmBAtNPu', 'wqKmVgJJ89', 'sFGmRKBLpx', 'aepmhC90HR', 'SCOmO7okiB', 'qDPme0noiH', 'r96msLOcwp', 'xTem6YJDgJ'
Source: 0.2.z17invoice.exe.389a7b0.2.raw.unpack, ulp53J1f7ZkodXvaeqN.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'nJh0udfGrT', 'jSb0iwvBNu', 'bUj0QWwmjE', 'XGL0crY2L6', 'hdG0WrG16G', 'xXM03TR9vX', 'MUV0Cygx9g'
Source: 0.2.z17invoice.exe.389a7b0.2.raw.unpack, vFeqA82BFuFxdDMn8X.cs	High entropy of concatenated method names: 'fMMfnlUbuh', 'eXJfJFmGCV', 'TbHfXdC8sj', 'MTxf9xYh0a', 'NXhf5Y2mMF', 'jllfL9EOYs', 'mWMfbVr418', 'mN4f2FZx30', 'lVTfM9wSRi', 'RA1fPXV82D'
Source: 0.2.z17invoice.exe.389a7b0.2.raw.unpack, tKcbrHtrpXPIMte5WL.cs	High entropy of concatenated method names: 'UZkG1oVIv0', 'FwHGfWrB3P', 'vCnGgaA3oy', 'KtyGJXFg07', 'MHQGXTeYUr', 'cf6G58u3xA', 'MZnGLNV8m6', 'AolECTXPiO', 'SqDETXtun0', 'x9AEAmyJyF'
Source: 0.2.z17invoice.exe.389a7b0.2.raw.unpack, Vq1ouwekWox4TPejHk.cs	High entropy of concatenated method names: 'IGKbJKnYf7', 'ofTb9ynX8j', 'GVNbL3ElLF', 'EVjLt1grsO', 'tIkLz2Syvx', 'wtSbZwWGpT', 'Ts1b1cglLJ', 'A1ObHIKlj7', 'uTKbfpNydL', 'd19bglmB0X'
Source: 0.2.z17invoice.exe.389a7b0.2.raw.unpack, iHEUL0AKPn5RyJhs36.cs	High entropy of concatenated method names: 'VbEEqWHyYq', 'WD0EBq9DjD', 'RANEVlPvOt', 'KPfERNpynu', 'mXFEuAFtr3', 'NmoEhLdxWh', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.z17invoice.exe.389a7b0.2.raw.unpack, uYYhlXTQe5iYBSFYJp.cs	High entropy of concatenated method names: 'Vj4EJZStBH', 'uvyEXqCbtV', 'JaeE9dv98w', 'TL2E5afikF', 'simELOkdFG', 'rGhEbSMTD7', 'uZtE2DxaXn', 'PCHEM33g3F', 'dp5EP3nx94', 'LB9E8014Ss'
Source: 0.2.z17invoice.exe.389a7b0.2.raw.unpack, SgMKSW6lV3WxejO7di.cs	High entropy of concatenated method names: 'opybrjecXB', 'CoqbyCPFAH', 'xoGbFeE0VI', 'J7MbvSZl6l', 'wIeb4SYBj1', 'rHIbYm7Klm', 'hWRbKRLPnI', 'VkibpdMy1P', 'H7PbaNlq9V', 'pxibSnpyB5'

Source: C:\Users\user\Desktop\z17invoice.exe

File created: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe

Jump to dropped file

Source: C:\Users\user\Desktop\z17invoice.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run mpTrle			Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run mpTrle			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\z17invoice.exe

File opened: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe:Zone.Identifier read attributes | delete

Jump to behavior

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\z17invoice.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior

Source: C:\Users\user\Desktop\z17invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: z17invoice.exe PID: 6332, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mpTrle.exe PID: 5668, type: MEMORYSTR

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\z17invoice.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Source: C:\Users\user\Desktop\z17invoice.exe	Memory allocated: 2420000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Memory allocated: 2670000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Memory allocated: 2420000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Memory allocated: 87F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Memory allocated: 97F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Memory allocated: 99F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Memory allocated: A9F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Memory allocated: 1790000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Memory allocated: 3380000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Memory allocated: 5380000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Memory allocated: CD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Memory allocated: 26C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Memory allocated: 46C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Memory allocated: 8120000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Memory allocated: 9120000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Memory allocated: 9300000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Memory allocated: A300000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Memory allocated: 17A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Memory allocated: 30B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Memory allocated: 50B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Memory allocated: C50000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Memory allocated: 26B0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Memory allocated: 2590000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Memory allocated: 81B0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Memory allocated: 91B0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Memory allocated: 93A0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Memory allocated: A3A0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Memory allocated: 17E0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Memory allocated: 3320000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Memory allocated: 3170000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\z17invoice.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6183	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3401	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Window / User API: threadDelayed 1747	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Window / User API: threadDelayed 4429	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Window / User API: threadDelayed 1120	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Window / User API: threadDelayed 4360	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Window / User API: threadDelayed 3185
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Window / User API: threadDelayed 1852

Source: C:\Users\user\Desktop\z17invoice.exe TID: 6800	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5876	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe TID: 1352	Thread sleep time: -18446744073709540s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe TID: 1352	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe TID: 5596	Thread sleep count: 1747 > 30	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe TID: 1352	Thread sleep time: -99891s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe TID: 5596	Thread sleep count: 4429 > 30	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe TID: 1352	Thread sleep time: -99779s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe TID: 1352	Thread sleep time: -99672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe TID: 1352	Thread sleep time: -99562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe TID: 1352	Thread sleep time: -99453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe TID: 1352	Thread sleep time: -99337s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe TID: 1352	Thread sleep time: -99222s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe TID: 1352	Thread sleep time: -99047s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe TID: 1352	Thread sleep time: -98930s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe TID: 1352	Thread sleep time: -98787s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe TID: 1352	Thread sleep time: -98656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe TID: 1352	Thread sleep time: -98547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe TID: 1352	Thread sleep time: -98437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe TID: 1352	Thread sleep time: -98328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe TID: 1352	Thread sleep time: -98219s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe TID: 1352	Thread sleep time: -98109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe TID: 1352	Thread sleep time: -97998s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe TID: 1352	Thread sleep time: -97890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe TID: 1352	Thread sleep time: -97781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe TID: 1352	Thread sleep time: -97671s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe TID: 1352	Thread sleep time: -97562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe TID: 1352	Thread sleep time: -97453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe TID: 1352	Thread sleep time: -97343s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe TID: 1352	Thread sleep time: -97234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe TID: 1352	Thread sleep time: -97125s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe TID: 1352	Thread sleep time: -97015s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe TID: 1352	Thread sleep time: -96906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe TID: 1352	Thread sleep time: -96797s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe TID: 1352	Thread sleep time: -96687s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe TID: 1352	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 4088	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 4484	Thread sleep time: -16602069666338586s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 4484	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 904	Thread sleep count: 1120 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 4484	Thread sleep time: -99891s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 904	Thread sleep count: 4360 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 4484	Thread sleep time: -99766s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 4484	Thread sleep time: -99656s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 4484	Thread sleep time: -99546s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 4484	Thread sleep time: -99438s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 4484	Thread sleep time: -99316s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 4484	Thread sleep time: -99188s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 4484	Thread sleep time: -99062s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 4484	Thread sleep time: -98953s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 4484	Thread sleep time: -98844s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 4484	Thread sleep time: -98734s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 4484	Thread sleep time: -98625s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 4484	Thread sleep time: -98516s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 4484	Thread sleep time: -98406s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 4484	Thread sleep time: -98297s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 4484	Thread sleep time: -98188s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 4484	Thread sleep time: -98063s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 4484	Thread sleep time: -97938s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 4484	Thread sleep time: -97813s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 4484	Thread sleep time: -97703s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 4484	Thread sleep time: -97594s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 4484	Thread sleep time: -97469s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 4484	Thread sleep time: -97359s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 4484	Thread sleep time: -97250s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 4484	Thread sleep time: -97141s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 4484	Thread sleep time: -97032s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 4484	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 2764	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 6084	Thread sleep time: -14757395258967632s >= -30000s
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 6084	Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 2616	Thread sleep count: 3185 > 30
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 6084	Thread sleep time: -99890s >= -30000s
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 2616	Thread sleep count: 1852 > 30
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 6084	Thread sleep time: -99781s >= -30000s
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 6084	Thread sleep time: -99671s >= -30000s
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 6084	Thread sleep time: -99562s >= -30000s
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 6084	Thread sleep time: -99453s >= -30000s
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 6084	Thread sleep time: -99343s >= -30000s
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 6084	Thread sleep time: -99233s >= -30000s
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 6084	Thread sleep time: -99124s >= -30000s
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 6084	Thread sleep time: -99015s >= -30000s
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 6084	Thread sleep time: -98906s >= -30000s
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 6084	Thread sleep time: -98796s >= -30000s
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 6084	Thread sleep time: -98687s >= -30000s
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 6084	Thread sleep time: -98578s >= -30000s
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 6084	Thread sleep time: -98468s >= -30000s
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 6084	Thread sleep time: -98359s >= -30000s
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 6084	Thread sleep time: -98246s >= -30000s
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 6084	Thread sleep time: -98140s >= -30000s
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 6084	Thread sleep time: -98031s >= -30000s
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 6084	Thread sleep time: -97921s >= -30000s
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 6084	Thread sleep time: -97812s >= -30000s
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 6084	Thread sleep time: -97701s >= -30000s
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 6084	Thread sleep time: -97593s >= -30000s
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 6084	Thread sleep time: -97484s >= -30000s
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 6084	Thread sleep time: -97374s >= -30000s
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe TID: 6084	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Users\user\Desktop\z17invoice.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\z17invoice.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\z17invoice.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\z17invoice.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Thread delayed: delay time: 99891	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Thread delayed: delay time: 99779	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Thread delayed: delay time: 99672	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Thread delayed: delay time: 99562	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Thread delayed: delay time: 99453	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Thread delayed: delay time: 99337	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Thread delayed: delay time: 99222	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Thread delayed: delay time: 99047	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Thread delayed: delay time: 98930	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Thread delayed: delay time: 98787	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Thread delayed: delay time: 98656	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Thread delayed: delay time: 98547	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Thread delayed: delay time: 98437	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Thread delayed: delay time: 98328	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Thread delayed: delay time: 98219	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Thread delayed: delay time: 98109	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Thread delayed: delay time: 97998	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Thread delayed: delay time: 97890	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Thread delayed: delay time: 97781	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Thread delayed: delay time: 97671	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Thread delayed: delay time: 97562	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Thread delayed: delay time: 97453	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Thread delayed: delay time: 97343	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Thread delayed: delay time: 97234	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Thread delayed: delay time: 97125	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Thread delayed: delay time: 97015	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Thread delayed: delay time: 96906	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Thread delayed: delay time: 96797	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Thread delayed: delay time: 96687	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 99891	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 99766	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 99656	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 99546	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 99438	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 99316	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 99188	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 99062	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 98953	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 98844	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 98734	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 98625	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 98516	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 98406	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 98297	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 98188	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 98063	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 97938	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 97813	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 97703	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 97594	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 97469	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 97359	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 97250	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 97141	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 97032	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 99890
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 99781
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 99671
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 99562
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 99453
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 99343
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 99233
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 99124
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 99015
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 98906
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 98796
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 98687
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 98578
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 98468
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 98359
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 98246
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 98140
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 98031
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 97921
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 97812
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 97701
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 97593
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 97484
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 97374
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Thread delayed: delay time: 922337203685477

Source: mpTrle.exe, 0000000C.00000002.3279660282.00000000016F1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll7
Source: z17invoice.exe, 00000000.00000002.2047046988.00000000009E2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: mpTrle.exe, 00000008.00000002.3279576468.000000000159E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll>
Source: z17invoice.exe, 00000004.00000002.3279843502.000000000183C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\z17invoice.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\z17invoice.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\z17invoice.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\z17invoice.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z17invoice.exe"
Source: C:\Users\user\Desktop\z17invoice.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z17invoice.exe"			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Memory written: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Memory written: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe base: 400000 value starts with: 4D5A

Source: C:\Users\user\Desktop\z17invoice.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z17invoice.exe"	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Process created: C:\Users\user\Desktop\z17invoice.exe "C:\Users\user\Desktop\z17invoice.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process created: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe "C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process created: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe "C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe"
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Process created: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe "C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe"

Source: C:\Users\user\Desktop\z17invoice.exe	Queries volume information: C:\Users\user\Desktop\z17invoice.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Queries volume information: C:\Users\user\Desktop\z17invoice.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Queries volume information: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Queries volume information: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Queries volume information: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Queries volume information: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\Desktop\z17invoice.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 7.2.mpTrle.exe.3702270.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.mpTrle.exe.377bef0.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.mpTrle.exe.376bdb8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.mpTrle.exe.3730d98.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.mpTrle.exe.3702270.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.z17invoice.exe.36f01f0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.z17invoice.exe.372b210.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.mpTrle.exe.377bef0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.mpTrle.exe.376bdb8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.mpTrle.exe.3730d98.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.z17invoice.exe.372b210.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.z17invoice.exe.36f01f0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.3282236236.000000000339C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3282236236.00000000033A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3283273481.00000000033D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3283273481.0000000003404000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2281400349.0000000003730000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3281780432.000000000312C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2187583552.000000000377B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3282236236.0000000003371000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3281780432.0000000003134000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2187583552.0000000003702000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3281780432.0000000003101000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3283273481.00000000033FC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3278015316.0000000000429000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2049081796.00000000036F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: z17invoice.exe PID: 6332, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: z17invoice.exe PID: 5752, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mpTrle.exe PID: 5668, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mpTrle.exe PID: 1864, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mpTrle.exe PID: 5036, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mpTrle.exe PID: 4120, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\z17invoice.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe

File opened: C:\FTP Navigator\Ftplist.txt

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\z17invoice.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\z17invoice.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities

Source: Yara match	File source: 7.2.mpTrle.exe.3702270.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.mpTrle.exe.377bef0.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.mpTrle.exe.376bdb8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.mpTrle.exe.3730d98.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.mpTrle.exe.3702270.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.z17invoice.exe.36f01f0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.z17invoice.exe.372b210.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.mpTrle.exe.377bef0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.mpTrle.exe.376bdb8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.mpTrle.exe.3730d98.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.z17invoice.exe.372b210.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.z17invoice.exe.36f01f0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.3283273481.00000000033D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2281400349.0000000003730000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2187583552.000000000377B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3282236236.0000000003371000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2187583552.0000000003702000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3281780432.0000000003101000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2049081796.00000000036F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: z17invoice.exe PID: 6332, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: z17invoice.exe PID: 5752, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mpTrle.exe PID: 5668, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mpTrle.exe PID: 1864, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mpTrle.exe PID: 5036, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mpTrle.exe PID: 4120, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 7.2.mpTrle.exe.3702270.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.mpTrle.exe.377bef0.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.mpTrle.exe.376bdb8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.mpTrle.exe.3730d98.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.mpTrle.exe.3702270.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.z17invoice.exe.36f01f0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.z17invoice.exe.372b210.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.mpTrle.exe.377bef0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.mpTrle.exe.376bdb8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.mpTrle.exe.3730d98.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.z17invoice.exe.372b210.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.z17invoice.exe.36f01f0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.3282236236.000000000339C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3282236236.00000000033A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3283273481.00000000033D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3283273481.0000000003404000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2281400349.0000000003730000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3281780432.000000000312C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2187583552.000000000377B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3282236236.0000000003371000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3281780432.0000000003134000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2187583552.0000000003702000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3281780432.0000000003101000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3283273481.00000000033FC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3278015316.0000000000429000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2049081796.00000000036F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: z17invoice.exe PID: 6332, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: z17invoice.exe PID: 5752, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mpTrle.exe PID: 5668, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mpTrle.exe PID: 1864, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mpTrle.exe PID: 5036, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mpTrle.exe PID: 4120, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	2 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Registry Run Keys / Startup Folder	111 Process Injection	1 Deobfuscate/Decode Files or Information	1 Input Capture	24 System Information Discovery	Remote Desktop Protocol	2 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Registry Run Keys / Startup Folder	3 Obfuscated Files or Information	1 Credentials in Registry	1 Query Registry	SMB/Windows Admin Shares	1 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	12 Software Packing	NTDS	211 Security Software Discovery	Distributed Component Object Model	1 Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 Process Discovery	SSH	Keylogging	23 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	141 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	141 Virtualization/Sandbox Evasion	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	111 Process Injection	Proc Filesystem	1 System Network Configuration Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Hidden Files and Directories	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
z17invoice.exe	61%	Virustotal		Browse
z17invoice.exe	66%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTeslaFEM
z17invoice.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	66%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTeslaFEM
C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe	61%	Virustotal		Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
us2.smtp.mailhostbox.com	1%	Virustotal		Browse
api.ipify.org	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
https://api.ipify.org/	0%	URL Reputation	safe
https://api.ipify.org/	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#	0%	URL Reputation	safe
https://api.ipify.org	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
https://account.dyn.com/	0%	URL Reputation	safe
https://api.ipify.org/t	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://ocsp.sectigo.com0A	0%	Avira URL Cloud	safe
http://us2.smtp.mailhostbox.com	0%	Avira URL Cloud	safe
http://us2.smtp.mailhostbox.com	1%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
us2.smtp.mailhostbox.com	208.91.198.143	true	true	1%, Virustotal, Browse	unknown
api.ipify.org	172.67.74.152	true	false	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.ipify.org/	false	URL Reputation: safe URL Reputation: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#	z17invoice.exe, 00000004.00000002.3283273481.0000000003404000.00000004.00000800.00020000.00000000.sdmp, z17invoice.exe, 00000004.00000002.3279843502.000000000183C000.00000004.00000020.00020000.00000000.sdmp, mpTrle.exe, 00000008.00000002.3279576468.000000000159E000.00000004.00000020.00020000.00000000.sdmp, mpTrle.exe, 00000008.00000002.3281780432.0000000003134000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 0000000C.00000002.3282236236.00000000033A4000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 0000000C.00000002.3301136987.0000000006A60000.00000004.00000020.00020000.00000000.sdmp, mpTrle.exe, 0000000C.00000002.3279660282.00000000016F1000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ocsp.sectigo.com0A	z17invoice.exe, 00000004.00000002.3283273481.0000000003404000.00000004.00000800.00020000.00000000.sdmp, z17invoice.exe, 00000004.00000002.3279843502.000000000183C000.00000004.00000020.00020000.00000000.sdmp, mpTrle.exe, 00000008.00000002.3279576468.000000000159E000.00000004.00000020.00020000.00000000.sdmp, mpTrle.exe, 00000008.00000002.3281780432.0000000003134000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 0000000C.00000002.3282236236.00000000033A4000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 0000000C.00000002.3301136987.0000000006A60000.00000004.00000020.00020000.00000000.sdmp, mpTrle.exe, 0000000C.00000002.3279660282.00000000016F1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.ipify.org	z17invoice.exe, 00000000.00000002.2049081796.00000000036F0000.00000004.00000800.00020000.00000000.sdmp, z17invoice.exe, 00000004.00000002.3283273481.0000000003381000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 00000007.00000002.2187583552.0000000003702000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 00000007.00000002.2187583552.000000000377B000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 00000008.00000002.3281780432.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 00000008.00000002.3278015316.0000000000429000.00000040.00000400.00020000.00000000.sdmp, mpTrle.exe, 0000000A.00000002.2281400349.0000000003730000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 0000000C.00000002.3282236236.000000000332C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://sectigo.com/CPS0	z17invoice.exe, 00000004.00000002.3283273481.0000000003404000.00000004.00000800.00020000.00000000.sdmp, z17invoice.exe, 00000004.00000002.3279843502.000000000183C000.00000004.00000020.00020000.00000000.sdmp, mpTrle.exe, 00000008.00000002.3279576468.000000000159E000.00000004.00000020.00020000.00000000.sdmp, mpTrle.exe, 00000008.00000002.3281780432.0000000003134000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 0000000C.00000002.3282236236.00000000033A4000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 0000000C.00000002.3301136987.0000000006A60000.00000004.00000020.00020000.00000000.sdmp, mpTrle.exe, 0000000C.00000002.3279660282.00000000016F1000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
https://account.dyn.com/	z17invoice.exe, 00000000.00000002.2049081796.00000000036F0000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 00000007.00000002.2187583552.0000000003702000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 00000007.00000002.2187583552.000000000377B000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 00000008.00000002.3278015316.0000000000429000.00000040.00000400.00020000.00000000.sdmp, mpTrle.exe, 0000000A.00000002.2281400349.0000000003730000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.ipify.org/t	z17invoice.exe, 00000004.00000002.3283273481.0000000003381000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 00000008.00000002.3281780432.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 0000000C.00000002.3282236236.000000000332C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://us2.smtp.mailhostbox.com	z17invoice.exe, 00000004.00000002.3283273481.00000000033FC000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 00000008.00000002.3281780432.000000000312C000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 0000000C.00000002.3282236236.000000000339C000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	z17invoice.exe, 00000000.00000002.2048520162.00000000026C9000.00000004.00000800.00020000.00000000.sdmp, z17invoice.exe, 00000004.00000002.3283273481.0000000003381000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 00000007.00000002.2186069151.0000000002719000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 00000008.00000002.3281780432.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 0000000A.00000002.2274721897.000000000270C000.00000004.00000800.00020000.00000000.sdmp, mpTrle.exe, 0000000C.00000002.3282236236.000000000332C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
208.91.198.143	us2.smtp.mailhostbox.com	United States		394695	PUBLIC-DOMAIN-REGISTRYUS	true
172.67.74.152	api.ipify.org	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1504031
Start date and time:	2024-09-04 13:00:11 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 29s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	14
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	z17invoice.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@15/9@2/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 97% Number of executed functions: 269 Number of non-executed functions: 23
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
07:00:59	API Interceptor	31x Sleep call for process: z17invoice.exe modified
07:01:01	API Interceptor	14x Sleep call for process: powershell.exe modified
07:01:13	API Interceptor	54x Sleep call for process: mpTrle.exe modified
13:01:04	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run mpTrle C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe
13:01:12	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run mpTrle C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
208.91.198.143	z47maaaaaaaaaaaaax.exe	Get hash	malicious	AgentTesla	Browse
	SecuriteInfo.com.PDF.Phishing.7B6B.tr.8047.20915.xlsx	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse
	product_list.xls	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse
	SecuriteInfo.com.Other.Malware-gen.12504.4949.xlsx	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse
	giehjhgjzJ.hta	Get hash	malicious	Cobalt Strike, MassLogger RAT, Snake Keylogger	Browse
	NGL1Of0ZkJ.hta	Get hash	malicious	Cobalt Strike, AgentTesla	Browse
	SecuriteInfo.com.Win32.PWSX-gen.19673.26192.exe	Get hash	malicious	AgentTesla	Browse
	Edsha_PO.xls	Get hash	malicious	AgentTesla	Browse
	SecuriteInfo.com.Exploit.CVE-2017-0199.04.Gen.20726.10183.xlsx	Get hash	malicious	Snake Keylogger	Browse
	EG240711 EG240712.xls	Get hash	malicious	Snake Keylogger	Browse
172.67.74.152	zE7Ken4cFt.dll	Get hash	malicious	Quasar	Browse	api.ipify.org/
	FormPlayer.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	PandaClient.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	golang-modules.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	SecuriteInfo.com.Trojan.Win64.Agent.14415.19839.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	242764.exe	Get hash	malicious	Ficker Stealer, Rusty Stealer	Browse	api.ipify.org/?format=wef
	K8mzlntJVN.msi	Get hash	malicious	Unknown	Browse	api.ipify.org/
	stub.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	stub.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	Sonic-Glyder.exe	Get hash	malicious	Stealit	Browse	api.ipify.org/?format=json

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
us2.smtp.mailhostbox.com	love.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.225
	z47maaaaaaaaaaaaax.exe	Get hash	malicious	AgentTesla	Browse	208.91.198.143
	z55enyioma.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.224
	Statement of Account.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	208.91.199.224
	SOA-Al Daleel -Star Electromechanical.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	208.91.199.223
	RFQ for RIyadh City Water Line Diversion.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	208.91.199.223
	New PO pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	208.91.199.224
	SecuriteInfo.com.PDF.Phishing.7B6B.tr.8047.20915.xlsx	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	208.91.199.225
	SecuriteInfo.com.Win32.PWSX-gen.25647.23289.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	208.91.199.225
	product_list.xls	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	208.91.199.225
api.ipify.org	Payment Confirmation Documents.vbe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	po89654.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	EVER V-2408 - VESSEL DETAILS.xlsx.scr.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	CSC LEADER VOY.1 PARTICULARS.pdf.scr.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	http://ipfs.io/ipns/k51qzi5uqu5dhrye4cl9jgj17k94vzpzjxfa8oougs30gvfbtzu2d60vboy90p	Get hash	malicious	HTMLPhisher	Browse	104.26.12.205
	JAE-2408001146..exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	https://bergtool-my.sharepoint.com/:f:/p/officemgr/EkAEY_TxWUpGjuhgV5jRSO8BD2acB1HjNb72Far_j2tXBg?e=T7fVyK	Get hash	malicious	EvilProxy	Browse	104.26.13.205
	Inquiry PDA (S.S. Pacific Enlighten)_pdf.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	PDA Query - 180397-09-02-2024 Port Agency Appointment.scr.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	love.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
PUBLIC-DOMAIN-REGISTRYUS	PO_GM_list_30082024202003180817418300824.exe	Get hash	malicious	AgentTesla	Browse	199.79.62.115
	love.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.225
	QUOTE-4K892388-A-C422.exe	Get hash	malicious	AgentTesla	Browse	199.79.62.115
	sZlfJ6FDY9.exe	Get hash	malicious	AgentTesla	Browse	199.79.62.115
	SecuriteInfo.com.Win32.CrypterX-gen.31383.13538.exe	Get hash	malicious	AgentTesla	Browse	199.79.62.115
	https://ayurvedapancreatitisclinic.com/api/aHR0cHM6Ly9nb29nbGUuY29t&sig=ZDUxNjU0ZTllNzZkYTAxNWE4OTNkZTAyM2ZkZDA1MGViMGIzY2UyOTU1MzY1NGMyNjFlOTExM2ZiMzA5MzdmMg&exp=MTcyNDIzOTUzMQ	Get hash	malicious	HTMLPhisher	Browse	103.21.58.139
	UnmxRI.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	119.18.54.85
	z47maaaaaaaaaaaaax.exe	Get hash	malicious	AgentTesla	Browse	208.91.198.143
	Quote# 241048.exe	Get hash	malicious	AgentTesla	Browse	199.79.62.115
	z55enyioma.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.224
CLOUDFLARENETUS	PRODUCT LIST.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	Keyser & Mackay.pdf	Get hash	malicious	Unknown	Browse	104.17.24.14
	QUOTATION_SEPQTRA071244#U00faPDF.scr	Get hash	malicious	FormBook	Browse	188.114.96.3
	AUG 2024 SOA.exe	Get hash	malicious	FormBook	Browse	172.67.182.66
	QUOTATION_SEPQTRA071244#U00faPDF.scr	Get hash	malicious	Unknown	Browse	188.114.96.3
	https://www.qrcreator.com/qr/1CFCF746	Get hash	malicious	Phisher	Browse	104.17.25.14
	Invoice for 04-09-24 fede39.admr.org.html	Get hash	malicious	Unknown	Browse	104.22.21.144
	http://elink.adityabirlacapital.net.in/vtrack?clientid=180050&ul=V1dUDgFVUQBEBUsHC1AWVRYJQFoHSh0JAFRVJlNNRFxYAExcCl5YX0pDX1ZBAxkGDA9JCwEADgcOAgRQBQFRGA==&ml=UFVTCAJUGQJEBARQVE0=&sl=JB8gRHsrGWF1YUsAD1gKX0wDUV4SQVIHDENVB1FZQFpBAFQbC1VNH1paSwM=&pp=0&ga=utm_source3DLaunch_Email26utm_campaign3DCredit_Card_Open_market_launch_mailer26utm_medium3DEmailer26utm_content*3D&fl=DhcXSEFfSh1XW1IEE0FKVQAEWVMPSlYGER9aCV8XUUZWAhdZCldQXw==&ext=ZHNhX2hhc2g9NmNkNDQ0NzUzYzFjNDUxYjhmMTk3MGQ0ZWY4ODMzNTliMWY1ZGZlMGFiNmJhZGIzNTJmNjkwZmRiZGFhNmU4NA==__;JSUlJSUlJQ!!BHlfX_zbyOAjqHI!03-Fsf1m9LHxf3kl5f_PKtZdC3BdSLEHLybwWH9XZB3yWW9-I2XfZKwh0BYYAkvEXzZMML5XJpRzc_HszKOioGrAKwTWEEqGUdfAguyCT0oq$	Get hash	malicious	Unknown	Browse	104.17.25.14
	_PDF__838754.msi	Get hash	malicious	Metamorfo	Browse	104.20.3.235
	file.exe	Get hash	malicious	Unknown	Browse	172.64.41.3

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	uxMCGUELJd.exe	Get hash	malicious	Zorab	Browse	172.67.74.152
	PRODUCT LIST.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	172.67.74.152
	QUOTATION_SEPQTRA071244#U00faPDF.scr	Get hash	malicious	FormBook	Browse	172.67.74.152
	Payment Confirmation Documents.vbe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	http://clicktogo.click/downloads/tra5	Get hash	malicious	Unknown	Browse	172.67.74.152
	http://link.dpd.pt/l/YCaldMErXu	Get hash	malicious	Unknown	Browse	172.67.74.152
	po89654.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	VDF645425140#U00b7pdf.vbs	Get hash	malicious	Remcos, GuLoader	Browse	172.67.74.152
	bot_library.exe	Get hash	malicious	Unknown	Browse	172.67.74.152

Process:	C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\z17invoice.exe.log

Download File

Process:	C:\Users\user\Desktop\z17invoice.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.380192968514367
Encrypted:	false
SSDEEP:	48:+WSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMuge//8PUyus:+LHyIFKL3IZ2KRH9Oug8s
MD5:	2E16D2F2BF61526793175AF057C80E38
SHA1:	C646E8FE846DE9B54BF04679A5A9F5216DD5C7B9
SHA-256:	BA86B69C37F37E218D33B2643466FD3C5D2551C0215ABC36883C7A2D75C9848C
SHA-512:	3E95DF7756044BB4CAFE391CB8860B551621923B795B80FE6753DD5B1D11B9DCB5F41938B65761D6D7EE5689471A0AA7CE3EAF38A03A50399FA29704294AD34E
Malicious:	false
Preview:	@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...\|...........System.ConfigurationH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dx4w0m4z.x0n.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jwxsp41i.ffi.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vdwpu5sl.hle.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ydtmjqxy.g4j.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe

Download File

Process:	C:\Users\user\Desktop\z17invoice.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	688128
Entropy (8bit):	7.724794079243151
Encrypted:	false
SSDEEP:	12288:vvBKYvI8cu/ZRrJt6cGMJIfAXL2RR3IKE0M8wkFoJJprYuBC5o:3OqLrJt3lJbC/3IKUOoJJpfg5
MD5:	C418187A5268D408094B89AA79E3A5A2
SHA1:	A5A24C8AEEF29107CB3A72ACBE45D77274EE3CF9
SHA-256:	66F51EE1DEB34F149491E55735E671876E22FE37F749FDFA30238041A35BAFC6
SHA-512:	81CD5895C5854F7E58B0FBED8F77E93A7A5C89E2A32B9921061E6235CBD4C16A0C7ECD80C83D52B4E388F9C78C8198041BDF36DFE3AFA217F3F2AAEFEF43E822
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 66% Antivirus: Virustotal, Detection: 61%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..f..............0..P... ......Ve... ........@.. ....................................@..................................e..O....................................T..T............................................ ............... ..H............text...\E... ...P.................. ..`.rsrc................`..............@..@.reloc...............p..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\z17invoice.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.724794079243151
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Win16/32 Executable Delphi generic (2074/23) 0.01% Generic Win/DOS Executable (2004/3) 0.01%
File name:	z17invoice.exe
File size:	688'128 bytes
MD5:	c418187a5268d408094b89aa79e3a5a2
SHA1:	a5a24c8aeef29107cb3a72acbe45d77274ee3cf9
SHA256:	66f51ee1deb34f149491e55735e671876e22fe37f749fdfa30238041a35bafc6
SHA512:	81cd5895c5854f7e58b0fbed8f77e93a7a5c89e2a32b9921061e6235cbd4c16a0c7ecd80c83d52b4e388f9c78c8198041bdf36dfe3afa217f3f2aaefef43e822
SSDEEP:	12288:vvBKYvI8cu/ZRrJt6cGMJIfAXL2RR3IKE0M8wkFoJJprYuBC5o:3OqLrJt3lJbC/3IKUOoJJpfg5
TLSH:	B9E402682A4AE503C65147794FB2F2B9263C5DEDB811D3639FEDAEEFF926C044D04281
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..f..............0..P... ......Ve... ........@.. ....................................@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x4a6556
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x66D59142 [Mon Sep 2 10:19:46 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xa6501	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xa8000	0x5d8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xaa000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xa54c4	0x54	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xa455c	0xa5000	ba66143d43ee8901fdaa67f0f93e196a	False	0.9304672703598484	data	7.782349079077635	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xa8000	0x5d8	0x1000	fd70716b65f882ed142c022aa3faa614	False	0.164306640625	data	1.965556668388912	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xaa000	0xc	0x1000	4cf05fd319e5bfb5f3e7b9ab2caaf3c8	False	0.009033203125	data	0.016408464515625623	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xa8090	0x346	data			0.42482100238663484
RT_MANIFEST	0xa83e8	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 4, 2024 13:01:02.449305058 CEST	49706	443	192.168.2.5	172.67.74.152
Sep 4, 2024 13:01:02.449390888 CEST	443	49706	172.67.74.152	192.168.2.5
Sep 4, 2024 13:01:02.449470997 CEST	49706	443	192.168.2.5	172.67.74.152
Sep 4, 2024 13:01:02.453792095 CEST	49706	443	192.168.2.5	172.67.74.152
Sep 4, 2024 13:01:02.453839064 CEST	443	49706	172.67.74.152	192.168.2.5
Sep 4, 2024 13:01:02.915483952 CEST	443	49706	172.67.74.152	192.168.2.5
Sep 4, 2024 13:01:02.915559053 CEST	49706	443	192.168.2.5	172.67.74.152
Sep 4, 2024 13:01:02.923877001 CEST	49706	443	192.168.2.5	172.67.74.152
Sep 4, 2024 13:01:02.923897028 CEST	443	49706	172.67.74.152	192.168.2.5
Sep 4, 2024 13:01:02.924185991 CEST	443	49706	172.67.74.152	192.168.2.5
Sep 4, 2024 13:01:02.977638006 CEST	49706	443	192.168.2.5	172.67.74.152
Sep 4, 2024 13:01:03.062041998 CEST	49706	443	192.168.2.5	172.67.74.152
Sep 4, 2024 13:01:03.108504057 CEST	443	49706	172.67.74.152	192.168.2.5
Sep 4, 2024 13:01:03.188206911 CEST	443	49706	172.67.74.152	192.168.2.5
Sep 4, 2024 13:01:03.188277006 CEST	443	49706	172.67.74.152	192.168.2.5
Sep 4, 2024 13:01:03.188330889 CEST	49706	443	192.168.2.5	172.67.74.152
Sep 4, 2024 13:01:03.200090885 CEST	49706	443	192.168.2.5	172.67.74.152
Sep 4, 2024 13:01:03.885452986 CEST	49708	587	192.168.2.5	208.91.198.143
Sep 4, 2024 13:01:03.890265942 CEST	587	49708	208.91.198.143	192.168.2.5
Sep 4, 2024 13:01:03.890408039 CEST	49708	587	192.168.2.5	208.91.198.143
Sep 4, 2024 13:01:04.705415964 CEST	587	49708	208.91.198.143	192.168.2.5
Sep 4, 2024 13:01:04.709815979 CEST	49708	587	192.168.2.5	208.91.198.143
Sep 4, 2024 13:01:04.714804888 CEST	587	49708	208.91.198.143	192.168.2.5
Sep 4, 2024 13:01:04.870009899 CEST	587	49708	208.91.198.143	192.168.2.5
Sep 4, 2024 13:01:04.873251915 CEST	49708	587	192.168.2.5	208.91.198.143
Sep 4, 2024 13:01:04.878282070 CEST	587	49708	208.91.198.143	192.168.2.5
Sep 4, 2024 13:01:05.101020098 CEST	587	49708	208.91.198.143	192.168.2.5
Sep 4, 2024 13:01:05.102642059 CEST	49708	587	192.168.2.5	208.91.198.143
Sep 4, 2024 13:01:05.107441902 CEST	587	49708	208.91.198.143	192.168.2.5
Sep 4, 2024 13:01:05.262693882 CEST	587	49708	208.91.198.143	192.168.2.5
Sep 4, 2024 13:01:05.262711048 CEST	587	49708	208.91.198.143	192.168.2.5
Sep 4, 2024 13:01:05.262722969 CEST	587	49708	208.91.198.143	192.168.2.5
Sep 4, 2024 13:01:05.262737036 CEST	587	49708	208.91.198.143	192.168.2.5
Sep 4, 2024 13:01:05.262773037 CEST	49708	587	192.168.2.5	208.91.198.143
Sep 4, 2024 13:01:05.262804985 CEST	49708	587	192.168.2.5	208.91.198.143
Sep 4, 2024 13:01:05.355144024 CEST	587	49708	208.91.198.143	192.168.2.5
Sep 4, 2024 13:01:05.392333031 CEST	49708	587	192.168.2.5	208.91.198.143
Sep 4, 2024 13:01:05.397280931 CEST	587	49708	208.91.198.143	192.168.2.5
Sep 4, 2024 13:01:05.553157091 CEST	587	49708	208.91.198.143	192.168.2.5
Sep 4, 2024 13:01:05.557431936 CEST	49708	587	192.168.2.5	208.91.198.143
Sep 4, 2024 13:01:05.562350988 CEST	587	49708	208.91.198.143	192.168.2.5
Sep 4, 2024 13:01:05.999346972 CEST	587	49708	208.91.198.143	192.168.2.5
Sep 4, 2024 13:01:05.999670029 CEST	587	49708	208.91.198.143	192.168.2.5
Sep 4, 2024 13:01:05.999731064 CEST	49708	587	192.168.2.5	208.91.198.143
Sep 4, 2024 13:01:06.000508070 CEST	49708	587	192.168.2.5	208.91.198.143
Sep 4, 2024 13:01:06.005501986 CEST	587	49708	208.91.198.143	192.168.2.5
Sep 4, 2024 13:01:06.163350105 CEST	587	49708	208.91.198.143	192.168.2.5
Sep 4, 2024 13:01:06.165088892 CEST	49708	587	192.168.2.5	208.91.198.143
Sep 4, 2024 13:01:06.171080112 CEST	587	49708	208.91.198.143	192.168.2.5
Sep 4, 2024 13:01:06.331258059 CEST	587	49708	208.91.198.143	192.168.2.5
Sep 4, 2024 13:01:06.331554890 CEST	49708	587	192.168.2.5	208.91.198.143
Sep 4, 2024 13:01:06.336436987 CEST	587	49708	208.91.198.143	192.168.2.5
Sep 4, 2024 13:01:06.493940115 CEST	587	49708	208.91.198.143	192.168.2.5
Sep 4, 2024 13:01:06.494348049 CEST	49708	587	192.168.2.5	208.91.198.143
Sep 4, 2024 13:01:06.500504017 CEST	587	49708	208.91.198.143	192.168.2.5
Sep 4, 2024 13:01:06.684855938 CEST	587	49708	208.91.198.143	192.168.2.5
Sep 4, 2024 13:01:06.685105085 CEST	49708	587	192.168.2.5	208.91.198.143
Sep 4, 2024 13:01:06.690006971 CEST	587	49708	208.91.198.143	192.168.2.5
Sep 4, 2024 13:01:06.846132994 CEST	587	49708	208.91.198.143	192.168.2.5
Sep 4, 2024 13:01:06.846786976 CEST	49708	587	192.168.2.5	208.91.198.143
Sep 4, 2024 13:01:06.846868038 CEST	49708	587	192.168.2.5	208.91.198.143
Sep 4, 2024 13:01:06.846893072 CEST	49708	587	192.168.2.5	208.91.198.143
Sep 4, 2024 13:01:06.846918106 CEST	49708	587	192.168.2.5	208.91.198.143
Sep 4, 2024 13:01:06.851846933 CEST	587	49708	208.91.198.143	192.168.2.5
Sep 4, 2024 13:01:06.851893902 CEST	587	49708	208.91.198.143	192.168.2.5
Sep 4, 2024 13:01:06.851903915 CEST	587	49708	208.91.198.143	192.168.2.5
Sep 4, 2024 13:01:06.851916075 CEST	587	49708	208.91.198.143	192.168.2.5
Sep 4, 2024 13:01:07.230400085 CEST	587	49708	208.91.198.143	192.168.2.5
Sep 4, 2024 13:01:07.273451090 CEST	49708	587	192.168.2.5	208.91.198.143
Sep 4, 2024 13:01:14.969706059 CEST	49711	443	192.168.2.5	172.67.74.152
Sep 4, 2024 13:01:14.969758034 CEST	443	49711	172.67.74.152	192.168.2.5
Sep 4, 2024 13:01:14.969834089 CEST	49711	443	192.168.2.5	172.67.74.152
Sep 4, 2024 13:01:14.974092007 CEST	49711	443	192.168.2.5	172.67.74.152
Sep 4, 2024 13:01:14.974107027 CEST	443	49711	172.67.74.152	192.168.2.5
Sep 4, 2024 13:01:15.461869001 CEST	443	49711	172.67.74.152	192.168.2.5
Sep 4, 2024 13:01:15.461956978 CEST	49711	443	192.168.2.5	172.67.74.152
Sep 4, 2024 13:01:15.464777946 CEST	49711	443	192.168.2.5	172.67.74.152
Sep 4, 2024 13:01:15.464790106 CEST	443	49711	172.67.74.152	192.168.2.5
Sep 4, 2024 13:01:15.465063095 CEST	443	49711	172.67.74.152	192.168.2.5
Sep 4, 2024 13:01:15.507843018 CEST	49711	443	192.168.2.5	172.67.74.152
Sep 4, 2024 13:01:15.867101908 CEST	49711	443	192.168.2.5	172.67.74.152
Sep 4, 2024 13:01:15.912513971 CEST	443	49711	172.67.74.152	192.168.2.5
Sep 4, 2024 13:01:15.984430075 CEST	443	49711	172.67.74.152	192.168.2.5
Sep 4, 2024 13:01:15.984509945 CEST	443	49711	172.67.74.152	192.168.2.5
Sep 4, 2024 13:01:15.984575033 CEST	49711	443	192.168.2.5	172.67.74.152
Sep 4, 2024 13:01:15.987541914 CEST	49711	443	192.168.2.5	172.67.74.152
Sep 4, 2024 13:01:16.463738918 CEST	49712	587	192.168.2.5	208.91.198.143
Sep 4, 2024 13:01:16.470772028 CEST	587	49712	208.91.198.143	192.168.2.5
Sep 4, 2024 13:01:16.470853090 CEST	49712	587	192.168.2.5	208.91.198.143
Sep 4, 2024 13:01:17.041685104 CEST	587	49712	208.91.198.143	192.168.2.5
Sep 4, 2024 13:01:17.042040110 CEST	49712	587	192.168.2.5	208.91.198.143
Sep 4, 2024 13:01:17.047007084 CEST	587	49712	208.91.198.143	192.168.2.5
Sep 4, 2024 13:01:17.207070112 CEST	587	49712	208.91.198.143	192.168.2.5
Sep 4, 2024 13:01:17.207653999 CEST	49712	587	192.168.2.5	208.91.198.143
Sep 4, 2024 13:01:17.212526083 CEST	587	49712	208.91.198.143	192.168.2.5
Sep 4, 2024 13:01:17.365940094 CEST	587	49712	208.91.198.143	192.168.2.5
Sep 4, 2024 13:01:17.366447926 CEST	49712	587	192.168.2.5	208.91.198.143
Sep 4, 2024 13:01:17.371309996 CEST	587	49712	208.91.198.143	192.168.2.5
Sep 4, 2024 13:01:17.524765968 CEST	587	49712	208.91.198.143	192.168.2.5
Sep 4, 2024 13:01:17.524785995 CEST	587	49712	208.91.198.143	192.168.2.5
Sep 4, 2024 13:01:17.524796963 CEST	587	49712	208.91.198.143	192.168.2.5
Sep 4, 2024 13:01:17.524802923 CEST	587	49712	208.91.198.143	192.168.2.5
Sep 4, 2024 13:01:17.524888039 CEST	49712	587	192.168.2.5	208.91.198.143
Sep 4, 2024 13:01:17.614980936 CEST	587	49712	208.91.198.143	192.168.2.5
Sep 4, 2024 13:01:17.616796970 CEST	49712	587	192.168.2.5	208.91.198.143
Sep 4, 2024 13:01:17.621646881 CEST	587	49712	208.91.198.143	192.168.2.5
Sep 4, 2024 13:01:17.778609991 CEST	587	49712	208.91.198.143	192.168.2.5
Sep 4, 2024 13:01:17.784312010 CEST	49712	587	192.168.2.5	208.91.198.143
Sep 4, 2024 13:01:17.789155960 CEST	587	49712	208.91.198.143	192.168.2.5
Sep 4, 2024 13:01:17.942346096 CEST	587	49712	208.91.198.143	192.168.2.5
Sep 4, 2024 13:01:17.943403006 CEST	49712	587	192.168.2.5	208.91.198.143
Sep 4, 2024 13:01:17.949112892 CEST	587	49712	208.91.198.143	192.168.2.5
Sep 4, 2024 13:01:18.105381012 CEST	587	49712	208.91.198.143	192.168.2.5
Sep 4, 2024 13:01:18.105734110 CEST	49712	587	192.168.2.5	208.91.198.143
Sep 4, 2024 13:01:18.111085892 CEST	587	49712	208.91.198.143	192.168.2.5
Sep 4, 2024 13:01:18.269253969 CEST	587	49712	208.91.198.143	192.168.2.5
Sep 4, 2024 13:01:18.269546986 CEST	49712	587	192.168.2.5	208.91.198.143
Sep 4, 2024 13:01:18.274435043 CEST	587	49712	208.91.198.143	192.168.2.5
Sep 4, 2024 13:01:18.429495096 CEST	587	49712	208.91.198.143	192.168.2.5
Sep 4, 2024 13:01:18.430489063 CEST	49712	587	192.168.2.5	208.91.198.143
Sep 4, 2024 13:01:18.435305119 CEST	587	49712	208.91.198.143	192.168.2.5
Sep 4, 2024 13:01:18.615150928 CEST	587	49712	208.91.198.143	192.168.2.5
Sep 4, 2024 13:01:18.615389109 CEST	49712	587	192.168.2.5	208.91.198.143
Sep 4, 2024 13:01:18.620199919 CEST	587	49712	208.91.198.143	192.168.2.5
Sep 4, 2024 13:01:18.774732113 CEST	587	49712	208.91.198.143	192.168.2.5
Sep 4, 2024 13:01:18.775521994 CEST	49712	587	192.168.2.5	208.91.198.143
Sep 4, 2024 13:01:18.775582075 CEST	49712	587	192.168.2.5	208.91.198.143
Sep 4, 2024 13:01:18.775608063 CEST	49712	587	192.168.2.5	208.91.198.143
Sep 4, 2024 13:01:18.775623083 CEST	49712	587	192.168.2.5	208.91.198.143
Sep 4, 2024 13:01:18.780911922 CEST	587	49712	208.91.198.143	192.168.2.5
Sep 4, 2024 13:01:18.780951023 CEST	587	49712	208.91.198.143	192.168.2.5
Sep 4, 2024 13:01:18.780992985 CEST	587	49712	208.91.198.143	192.168.2.5
Sep 4, 2024 13:01:19.446417093 CEST	587	49712	208.91.198.143	192.168.2.5
Sep 4, 2024 13:01:19.446888924 CEST	587	49712	208.91.198.143	192.168.2.5
Sep 4, 2024 13:01:19.446968079 CEST	49712	587	192.168.2.5	208.91.198.143
Sep 4, 2024 13:01:23.696661949 CEST	49720	443	192.168.2.5	172.67.74.152
Sep 4, 2024 13:01:23.696705103 CEST	443	49720	172.67.74.152	192.168.2.5
Sep 4, 2024 13:01:23.696799040 CEST	49720	443	192.168.2.5	172.67.74.152
Sep 4, 2024 13:01:23.699881077 CEST	49720	443	192.168.2.5	172.67.74.152
Sep 4, 2024 13:01:23.699898958 CEST	443	49720	172.67.74.152	192.168.2.5
Sep 4, 2024 13:01:24.169136047 CEST	443	49720	172.67.74.152	192.168.2.5
Sep 4, 2024 13:01:24.169215918 CEST	49720	443	192.168.2.5	172.67.74.152
Sep 4, 2024 13:01:24.174036026 CEST	49720	443	192.168.2.5	172.67.74.152
Sep 4, 2024 13:01:24.174046993 CEST	443	49720	172.67.74.152	192.168.2.5
Sep 4, 2024 13:01:24.174283028 CEST	443	49720	172.67.74.152	192.168.2.5
Sep 4, 2024 13:01:24.226583004 CEST	49720	443	192.168.2.5	172.67.74.152
Sep 4, 2024 13:01:24.237968922 CEST	49720	443	192.168.2.5	172.67.74.152
Sep 4, 2024 13:01:24.284492016 CEST	443	49720	172.67.74.152	192.168.2.5
Sep 4, 2024 13:01:24.350796938 CEST	443	49720	172.67.74.152	192.168.2.5
Sep 4, 2024 13:01:24.350857973 CEST	443	49720	172.67.74.152	192.168.2.5
Sep 4, 2024 13:01:24.350970984 CEST	49720	443	192.168.2.5	172.67.74.152
Sep 4, 2024 13:01:24.353688955 CEST	49720	443	192.168.2.5	172.67.74.152
Sep 4, 2024 13:01:24.844070911 CEST	49721	587	192.168.2.5	208.91.198.143
Sep 4, 2024 13:01:24.848958969 CEST	587	49721	208.91.198.143	192.168.2.5
Sep 4, 2024 13:01:24.849076986 CEST	49721	587	192.168.2.5	208.91.198.143
Sep 4, 2024 13:01:25.429033041 CEST	587	49721	208.91.198.143	192.168.2.5
Sep 4, 2024 13:01:25.429244041 CEST	49721	587	192.168.2.5	208.91.198.143
Sep 4, 2024 13:01:25.434931993 CEST	587	49721	208.91.198.143	192.168.2.5
Sep 4, 2024 13:01:25.588136911 CEST	587	49721	208.91.198.143	192.168.2.5
Sep 4, 2024 13:01:25.600202084 CEST	49721	587	192.168.2.5	208.91.198.143
Sep 4, 2024 13:01:25.605156898 CEST	587	49721	208.91.198.143	192.168.2.5
Sep 4, 2024 13:01:25.760747910 CEST	587	49721	208.91.198.143	192.168.2.5
Sep 4, 2024 13:01:25.762156010 CEST	49721	587	192.168.2.5	208.91.198.143
Sep 4, 2024 13:01:25.767033100 CEST	587	49721	208.91.198.143	192.168.2.5
Sep 4, 2024 13:01:25.920514107 CEST	587	49721	208.91.198.143	192.168.2.5
Sep 4, 2024 13:01:25.920531034 CEST	587	49721	208.91.198.143	192.168.2.5
Sep 4, 2024 13:01:25.920542955 CEST	587	49721	208.91.198.143	192.168.2.5
Sep 4, 2024 13:01:25.920588017 CEST	587	49721	208.91.198.143	192.168.2.5
Sep 4, 2024 13:01:25.920598984 CEST	49721	587	192.168.2.5	208.91.198.143
Sep 4, 2024 13:01:25.920627117 CEST	49721	587	192.168.2.5	208.91.198.143
Sep 4, 2024 13:01:26.011149883 CEST	587	49721	208.91.198.143	192.168.2.5
Sep 4, 2024 13:01:26.014522076 CEST	49721	587	192.168.2.5	208.91.198.143
Sep 4, 2024 13:01:26.019391060 CEST	587	49721	208.91.198.143	192.168.2.5
Sep 4, 2024 13:01:26.172900915 CEST	587	49721	208.91.198.143	192.168.2.5
Sep 4, 2024 13:01:26.178714991 CEST	49721	587	192.168.2.5	208.91.198.143
Sep 4, 2024 13:01:26.183499098 CEST	587	49721	208.91.198.143	192.168.2.5
Sep 4, 2024 13:01:26.336738110 CEST	587	49721	208.91.198.143	192.168.2.5
Sep 4, 2024 13:01:26.337084055 CEST	49721	587	192.168.2.5	208.91.198.143
Sep 4, 2024 13:01:26.341897011 CEST	587	49721	208.91.198.143	192.168.2.5
Sep 4, 2024 13:01:26.497797012 CEST	587	49721	208.91.198.143	192.168.2.5
Sep 4, 2024 13:01:26.498157978 CEST	49721	587	192.168.2.5	208.91.198.143
Sep 4, 2024 13:01:26.503031015 CEST	587	49721	208.91.198.143	192.168.2.5
Sep 4, 2024 13:01:26.661727905 CEST	587	49721	208.91.198.143	192.168.2.5
Sep 4, 2024 13:01:26.662071943 CEST	49721	587	192.168.2.5	208.91.198.143
Sep 4, 2024 13:01:26.666827917 CEST	587	49721	208.91.198.143	192.168.2.5
Sep 4, 2024 13:01:26.823132992 CEST	587	49721	208.91.198.143	192.168.2.5
Sep 4, 2024 13:01:26.823395967 CEST	49721	587	192.168.2.5	208.91.198.143
Sep 4, 2024 13:01:26.828284979 CEST	587	49721	208.91.198.143	192.168.2.5
Sep 4, 2024 13:01:27.008934975 CEST	587	49721	208.91.198.143	192.168.2.5
Sep 4, 2024 13:01:27.009561062 CEST	49721	587	192.168.2.5	208.91.198.143
Sep 4, 2024 13:01:27.014341116 CEST	587	49721	208.91.198.143	192.168.2.5
Sep 4, 2024 13:01:27.169615030 CEST	587	49721	208.91.198.143	192.168.2.5
Sep 4, 2024 13:01:27.170461893 CEST	49721	587	192.168.2.5	208.91.198.143
Sep 4, 2024 13:01:27.170572042 CEST	49721	587	192.168.2.5	208.91.198.143
Sep 4, 2024 13:01:27.170593977 CEST	49721	587	192.168.2.5	208.91.198.143
Sep 4, 2024 13:01:27.170620918 CEST	49721	587	192.168.2.5	208.91.198.143
Sep 4, 2024 13:01:27.175638914 CEST	587	49721	208.91.198.143	192.168.2.5
Sep 4, 2024 13:01:27.175652981 CEST	587	49721	208.91.198.143	192.168.2.5
Sep 4, 2024 13:01:27.175661087 CEST	587	49721	208.91.198.143	192.168.2.5
Sep 4, 2024 13:01:27.175674915 CEST	587	49721	208.91.198.143	192.168.2.5
Sep 4, 2024 13:01:27.565984964 CEST	587	49721	208.91.198.143	192.168.2.5
Sep 4, 2024 13:01:27.617245913 CEST	49721	587	192.168.2.5	208.91.198.143
Sep 4, 2024 13:01:28.649229050 CEST	587	49721	208.91.198.143	192.168.2.5
Sep 4, 2024 13:01:28.649363995 CEST	49721	587	192.168.2.5	208.91.198.143
Sep 4, 2024 13:01:28.649702072 CEST	587	49721	208.91.198.143	192.168.2.5
Sep 4, 2024 13:01:28.649858952 CEST	49721	587	192.168.2.5	208.91.198.143
Sep 4, 2024 13:01:28.650144100 CEST	587	49721	208.91.198.143	192.168.2.5
Sep 4, 2024 13:01:28.650191069 CEST	49721	587	192.168.2.5	208.91.198.143
Sep 4, 2024 13:02:43.898881912 CEST	49708	587	192.168.2.5	208.91.198.143
Sep 4, 2024 13:02:43.908960104 CEST	587	49708	208.91.198.143	192.168.2.5
Sep 4, 2024 13:02:44.064609051 CEST	587	49708	208.91.198.143	192.168.2.5
Sep 4, 2024 13:02:44.065393925 CEST	49708	587	192.168.2.5	208.91.198.143
Sep 4, 2024 13:02:44.065677881 CEST	587	49708	208.91.198.143	192.168.2.5
Sep 4, 2024 13:02:44.065689087 CEST	587	49708	208.91.198.143	192.168.2.5
Sep 4, 2024 13:02:44.065741062 CEST	49708	587	192.168.2.5	208.91.198.143
Sep 4, 2024 13:02:44.065758944 CEST	49708	587	192.168.2.5	208.91.198.143
Sep 4, 2024 13:02:44.070509911 CEST	587	49708	208.91.198.143	192.168.2.5
Sep 4, 2024 13:02:44.070558071 CEST	49708	587	192.168.2.5	208.91.198.143
Sep 4, 2024 13:02:56.492770910 CEST	49712	587	192.168.2.5	208.91.198.143
Sep 4, 2024 13:02:56.497579098 CEST	587	49712	208.91.198.143	192.168.2.5
Sep 4, 2024 13:02:56.650942087 CEST	587	49712	208.91.198.143	192.168.2.5
Sep 4, 2024 13:02:56.651382923 CEST	587	49712	208.91.198.143	192.168.2.5
Sep 4, 2024 13:02:56.651428938 CEST	587	49712	208.91.198.143	192.168.2.5
Sep 4, 2024 13:02:56.651439905 CEST	49712	587	192.168.2.5	208.91.198.143
Sep 4, 2024 13:02:56.651480913 CEST	49712	587	192.168.2.5	208.91.198.143
Sep 4, 2024 13:02:56.651480913 CEST	49712	587	192.168.2.5	208.91.198.143
Sep 4, 2024 13:03:04.867424965 CEST	49721	587	192.168.2.5	208.91.198.143
Sep 4, 2024 13:03:04.872298956 CEST	587	49721	208.91.198.143	192.168.2.5
Sep 4, 2024 13:03:05.029479027 CEST	587	49721	208.91.198.143	192.168.2.5
Sep 4, 2024 13:03:05.030008078 CEST	49721	587	192.168.2.5	208.91.198.143
Sep 4, 2024 13:03:05.030483961 CEST	587	49721	208.91.198.143	192.168.2.5
Sep 4, 2024 13:03:05.030546904 CEST	49721	587	192.168.2.5	208.91.198.143
Sep 4, 2024 13:03:05.030587912 CEST	587	49721	208.91.198.143	192.168.2.5
Sep 4, 2024 13:03:05.030627966 CEST	49721	587	192.168.2.5	208.91.198.143
Sep 4, 2024 13:03:05.034869909 CEST	587	49721	208.91.198.143	192.168.2.5
Sep 4, 2024 13:03:05.034909964 CEST	49721	587	192.168.2.5	208.91.198.143

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 4, 2024 13:01:02.432848930 CEST	64287	53	192.168.2.5	1.1.1.1
Sep 4, 2024 13:01:02.439883947 CEST	53	64287	1.1.1.1	192.168.2.5
Sep 4, 2024 13:01:03.874705076 CEST	50980	53	192.168.2.5	1.1.1.1
Sep 4, 2024 13:01:03.884618044 CEST	53	50980	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Sep 4, 2024 13:01:02.432848930 CEST	192.168.2.5	1.1.1.1	0x8146	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Sep 4, 2024 13:01:03.874705076 CEST	192.168.2.5	1.1.1.1	0x9877	Standard query (0)	us2.smtp.mailhostbox.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Sep 4, 2024 13:01:02.439883947 CEST	1.1.1.1	192.168.2.5	0x8146	No error (0)	api.ipify.org	172.67.74.152	A (IP address)	IN (0x0001)	false
Sep 4, 2024 13:01:02.439883947 CEST	1.1.1.1	192.168.2.5	0x8146	No error (0)	api.ipify.org	104.26.12.205	A (IP address)	IN (0x0001)	false
Sep 4, 2024 13:01:02.439883947 CEST	1.1.1.1	192.168.2.5	0x8146	No error (0)	api.ipify.org	104.26.13.205	A (IP address)	IN (0x0001)	false
Sep 4, 2024 13:01:03.884618044 CEST	1.1.1.1	192.168.2.5	0x9877	No error (0)	us2.smtp.mailhostbox.com	208.91.198.143	A (IP address)	IN (0x0001)	false
Sep 4, 2024 13:01:03.884618044 CEST	1.1.1.1	192.168.2.5	0x9877	No error (0)	us2.smtp.mailhostbox.com	208.91.199.223	A (IP address)	IN (0x0001)	false
Sep 4, 2024 13:01:03.884618044 CEST	1.1.1.1	192.168.2.5	0x9877	No error (0)	us2.smtp.mailhostbox.com	208.91.199.224	A (IP address)	IN (0x0001)	false
Sep 4, 2024 13:01:03.884618044 CEST	1.1.1.1	192.168.2.5	0x9877	No error (0)	us2.smtp.mailhostbox.com	208.91.199.225	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.ipify.org

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49706	172.67.74.152	443	5752	C:\Users\user\Desktop\z17invoice.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-04 11:01:03 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-09-04 11:01:03 UTC	211	IN	HTTP/1.1 200 OK Date: Wed, 04 Sep 2024 11:01:03 GMT Content-Type: text/plain Content-Length: 11 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 8bdd7ab67b2c4392-EWR
2024-09-04 11:01:03 UTC	11	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33 Data Ascii: 8.46.123.33

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49711	172.67.74.152	443	1864	C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-04 11:01:15 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-09-04 11:01:15 UTC	211	IN	HTTP/1.1 200 OK Date: Wed, 04 Sep 2024 11:01:15 GMT Content-Type: text/plain Content-Length: 11 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 8bdd7b0679e9c411-EWR
2024-09-04 11:01:15 UTC	11	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33 Data Ascii: 8.46.123.33

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49720	172.67.74.152	443	4120	C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-04 11:01:24 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-09-04 11:01:24 UTC	211	IN	HTTP/1.1 200 OK Date: Wed, 04 Sep 2024 11:01:24 GMT Content-Type: text/plain Content-Length: 11 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 8bdd7b3aca2c0f99-EWR
2024-09-04 11:01:24 UTC	11	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33 Data Ascii: 8.46.123.33

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Sep 4, 2024 13:01:04.705415964 CEST	587	49708	208.91.198.143	192.168.2.5	220 us2.outbound.mailhostbox.com ESMTP Postfix
Sep 4, 2024 13:01:04.709815979 CEST	49708	587	192.168.2.5	208.91.198.143	EHLO 841618
Sep 4, 2024 13:01:04.870009899 CEST	587	49708	208.91.198.143	192.168.2.5	250-us2.outbound.mailhostbox.com 250-PIPELINING 250-SIZE 41648128 250-VRFY 250-ETRN 250-STARTTLS 250-AUTH PLAIN LOGIN 250-AUTH=PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250-DSN 250 CHUNKING
Sep 4, 2024 13:01:04.873251915 CEST	49708	587	192.168.2.5	208.91.198.143	STARTTLS
Sep 4, 2024 13:01:05.101020098 CEST	587	49708	208.91.198.143	192.168.2.5	220 2.0.0 Ready to start TLS
Sep 4, 2024 13:01:17.041685104 CEST	587	49712	208.91.198.143	192.168.2.5	220 us2.outbound.mailhostbox.com ESMTP Postfix
Sep 4, 2024 13:01:17.042040110 CEST	49712	587	192.168.2.5	208.91.198.143	EHLO 841618
Sep 4, 2024 13:01:17.207070112 CEST	587	49712	208.91.198.143	192.168.2.5	250-us2.outbound.mailhostbox.com 250-PIPELINING 250-SIZE 41648128 250-VRFY 250-ETRN 250-STARTTLS 250-AUTH PLAIN LOGIN 250-AUTH=PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250-DSN 250 CHUNKING
Sep 4, 2024 13:01:17.207653999 CEST	49712	587	192.168.2.5	208.91.198.143	STARTTLS
Sep 4, 2024 13:01:17.365940094 CEST	587	49712	208.91.198.143	192.168.2.5	220 2.0.0 Ready to start TLS
Sep 4, 2024 13:01:25.429033041 CEST	587	49721	208.91.198.143	192.168.2.5	220 us2.outbound.mailhostbox.com ESMTP Postfix
Sep 4, 2024 13:01:25.429244041 CEST	49721	587	192.168.2.5	208.91.198.143	EHLO 841618
Sep 4, 2024 13:01:25.588136911 CEST	587	49721	208.91.198.143	192.168.2.5	250-us2.outbound.mailhostbox.com 250-PIPELINING 250-SIZE 41648128 250-VRFY 250-ETRN 250-STARTTLS 250-AUTH PLAIN LOGIN 250-AUTH=PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250-DSN 250 CHUNKING
Sep 4, 2024 13:01:25.600202084 CEST	49721	587	192.168.2.5	208.91.198.143	STARTTLS
Sep 4, 2024 13:01:25.760747910 CEST	587	49721	208.91.198.143	192.168.2.5	220 2.0.0 Ready to start TLS

Target ID:	0
Start time:	07:00:58
Start date:	04/09/2024
Path:	C:\Users\user\Desktop\z17invoice.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\z17invoice.exe"
Imagebase:	0x260000
File size:	688'128 bytes
MD5 hash:	C418187A5268D408094B89AA79E3A5A2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2049081796.00000000036F0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2049081796.00000000036F0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	07:00:59
Start date:	04/09/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z17invoice.exe"
Imagebase:	0xb40000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	07:00:59
Start date:	04/09/2024
Path:	C:\Users\user\Desktop\z17invoice.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\z17invoice.exe"
Imagebase:	0xfa0000
File size:	688'128 bytes
MD5 hash:	C418187A5268D408094B89AA79E3A5A2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.3283273481.00000000033D1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.3283273481.00000000033D1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.3283273481.0000000003404000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.3283273481.00000000033FC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	07:00:59
Start date:	04/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	07:01:02
Start date:	04/09/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff6ef0c0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	07:01:12
Start date:	04/09/2024
Path:	C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe"
Imagebase:	0x2c0000
File size:	688'128 bytes
MD5 hash:	C418187A5268D408094B89AA79E3A5A2
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.2187583552.000000000377B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.2187583552.000000000377B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.2187583552.0000000003702000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.2187583552.0000000003702000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 66%, ReversingLabs Detection: 61%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	07:01:13
Start date:	04/09/2024
Path:	C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe"
Imagebase:	0xd90000
File size:	688'128 bytes
MD5 hash:	C418187A5268D408094B89AA79E3A5A2
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.3281780432.000000000312C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.3281780432.0000000003134000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.3281780432.0000000003101000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.3281780432.0000000003101000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.3278015316.0000000000429000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	10
Start time:	07:01:20
Start date:	04/09/2024
Path:	C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe"
Imagebase:	0x220000
File size:	688'128 bytes
MD5 hash:	C418187A5268D408094B89AA79E3A5A2
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.2281400349.0000000003730000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000A.00000002.2281400349.0000000003730000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	07:01:22
Start date:	04/09/2024
Path:	C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe"
Imagebase:	0x10000
File size:	688'128 bytes
MD5 hash:	C418187A5268D408094B89AA79E3A5A2
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	07:01:22
Start date:	04/09/2024
Path:	C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe"
Imagebase:	0xf10000
File size:	688'128 bytes
MD5 hash:	C418187A5268D408094B89AA79E3A5A2
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000C.00000002.3282236236.000000000339C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000C.00000002.3282236236.00000000033A4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000C.00000002.3282236236.0000000003371000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000C.00000002.3282236236.0000000003371000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	93
Total number of Limit Nodes:	4

Executed Functions

Function 0B8803D2 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2058936624.000000000B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b880000_z17invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd50ec31963cb128999988c2ead6b44e9f101c97b60047fa3f5a43ee27bd62d3
Instruction ID: c5fdbd9f1b7a22b28e9cd50cccc922ca3a6cdcf8e582350fa5346e27a64fea8b
Opcode Fuzzy Hash: dd50ec31963cb128999988c2ead6b44e9f101c97b60047fa3f5a43ee27bd62d3
Instruction Fuzzy Hash: 77E08C75D4910CCFDB00EF40E4000F8F7B8E74EB19F0020A2D51DE7221C3305A99CA18

Function 0B880323 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2058936624.000000000B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b880000_z17invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 355a3b0362be2f51a37b017f0a11c2d7ae1fac45d81b6d51333d021e30ebfe23
Instruction ID: 1e35d609668b66e0de10413b8b40091a13ce842fe0cb61987244a70da9b36e2b
Opcode Fuzzy Hash: 355a3b0362be2f51a37b017f0a11c2d7ae1fac45d81b6d51333d021e30ebfe23
Instruction Fuzzy Hash: 4BB09226ECE40CD389002C8474000F9E73ED28BA2EE153063C22EE71328110822E41AD

Function 0263ADA8 Relevance: 1.7, APIs: 1, Instructions: 210
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0263AFFE

Memory Dump Source

Source File: 00000000.00000002.2048423460.0000000002630000.00000040.00000800.00020000.00000000.sdmp, Offset: 02630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2630000_z17invoice.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 93116a969f928107ad8edc4ff5a8a75f1afe08feea017e25a68f586921654a64
Instruction ID: 3bafca473130823cb4681a4061ccb5a393ce791c9013da74c9b1ac2585e45de3
Opcode Fuzzy Hash: 93116a969f928107ad8edc4ff5a8a75f1afe08feea017e25a68f586921654a64
Instruction Fuzzy Hash: 4A813270A00B458FD725DFA9D4447AABBF1FF88708F00892ED08A97B50D775E84ADB90

Function 02635914 Relevance: 1.6, APIs: 1, Instructions: 99
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 026359D1

Memory Dump Source

Source File: 00000000.00000002.2048423460.0000000002630000.00000040.00000800.00020000.00000000.sdmp, Offset: 02630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2630000_z17invoice.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 620417714eab17398327fcf90776f39810c5c3df1904247f5439219cb41b791c
Instruction ID: 67191faf4b5ac32015ff84b98d70c70742ae07e2424572ab9fba78f6c59b646b
Opcode Fuzzy Hash: 620417714eab17398327fcf90776f39810c5c3df1904247f5439219cb41b791c
Instruction Fuzzy Hash: 4B4102B0C00719CBDB25DFA9C844BCEBBF5BF48304F60806AD409AB264DB75694ACF91

Function 026344C4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 026359D1

Memory Dump Source

Source File: 00000000.00000002.2048423460.0000000002630000.00000040.00000800.00020000.00000000.sdmp, Offset: 02630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2630000_z17invoice.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: b8fa39ad175d8a681706f3f9e3fcf3f42e4e017d3390ceb657d9fd82c639cd6b
Instruction ID: 4727e74c65c682c63632f3f75cc5683872b72d3c54a087068ebf5e52df8fc9b7
Opcode Fuzzy Hash: b8fa39ad175d8a681706f3f9e3fcf3f42e4e017d3390ceb657d9fd82c639cd6b
Instruction Fuzzy Hash: CC41EFB0C00719CBDB25DFA9C844B9EBBB5FF48304F60806AD409AB260DB75694ACF91

Function 04B94040 Relevance: 1.6, APIs: 1, Instructions: 93
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 04B94101

Memory Dump Source

Source File: 00000000.00000002.2053920309.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b90000_z17invoice.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: e41cc556b8e3f60ffecdbba5ff769d96177789c00edd1b69a9e5d1584eef4b68
Instruction ID: 662d14bca15844eac9fa475188ee089b50bb236a44d027e987f70b303ddc7f99
Opcode Fuzzy Hash: e41cc556b8e3f60ffecdbba5ff769d96177789c00edd1b69a9e5d1584eef4b68
Instruction Fuzzy Hash: 654115B5A003199FDB14CF99C848AAABBF5FF89314F24C499D519AB321D375A841CFA0

Function 0263D27C Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0263D656,?,?,?,?,?), ref: 0263D717

Memory Dump Source

Source File: 00000000.00000002.2048423460.0000000002630000.00000040.00000800.00020000.00000000.sdmp, Offset: 02630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2630000_z17invoice.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 2d571f19ce879bea5b7f174293615c9b570024e013320c9ac7ed38fe4dd0b0fc
Instruction ID: 9269cd86c85aea92c74bf16f50813b749e16ca9ec9f9d51fff0daed1bcdd36dd
Opcode Fuzzy Hash: 2d571f19ce879bea5b7f174293615c9b570024e013320c9ac7ed38fe4dd0b0fc
Instruction Fuzzy Hash: 7621E4B59003489FDB10CF9AD584AEEBBF9FB48314F14845AE918A3350D378A950CFA5

Function 0263D689 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0263D656,?,?,?,?,?), ref: 0263D717

Memory Dump Source

Source File: 00000000.00000002.2048423460.0000000002630000.00000040.00000800.00020000.00000000.sdmp, Offset: 02630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2630000_z17invoice.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 83b7d69b06b83164b207910cde306de44dc32de35e8dce0f32436de859bb72be
Instruction ID: 52c14506d776d89ee855e60675aea99e8a6449b25def0ace4bf38acf12e90c9f
Opcode Fuzzy Hash: 83b7d69b06b83164b207910cde306de44dc32de35e8dce0f32436de859bb72be
Instruction Fuzzy Hash: 0721E4B59003489FDB10CF9AD584ADEBBF9FB48314F14841AE918A3350C378A940CFA5

Function 0263A130 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0263B079,00000800,00000000,00000000), ref: 0263B28A

Memory Dump Source

Source File: 00000000.00000002.2048423460.0000000002630000.00000040.00000800.00020000.00000000.sdmp, Offset: 02630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2630000_z17invoice.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 30cf0f680fa467580ee75f9d11345759befdff5009e74bf59506c3d485f476a3
Instruction ID: 2e73cf5b656584bbe340f5001d619091ccf08d2fe5359ac7ae8eca4ec56f0fca
Opcode Fuzzy Hash: 30cf0f680fa467580ee75f9d11345759befdff5009e74bf59506c3d485f476a3
Instruction Fuzzy Hash: 031103B69003099FDB10DF9AC484AAEFBF5FB48314F10852AD519A7210C379A545CFA5

Function 0263B219 Relevance: 1.6, APIs: 1, Instructions: 54
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0263B079,00000800,00000000,00000000), ref: 0263B28A

Memory Dump Source

Source File: 00000000.00000002.2048423460.0000000002630000.00000040.00000800.00020000.00000000.sdmp, Offset: 02630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2630000_z17invoice.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 0aa7ac29356c3b8b6e90782c33d8fe9787cfc59db136271111fd357fb013a42b
Instruction ID: 1934c214338ab3af28107317d2a6e09fe2f3dd84ac33e3f59f007a4562872ad5
Opcode Fuzzy Hash: 0aa7ac29356c3b8b6e90782c33d8fe9787cfc59db136271111fd357fb013a42b
Instruction Fuzzy Hash: B11112B69003498FDB10DF9AC584AEEFBF4BB48314F14856AD819A7310C379A545CFA5

Function 0B881160 Relevance: 1.5, APIs: 1, Instructions: 49
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostMessageW.USER32(?,?,?,?), ref: 0B8811C5

Memory Dump Source

Source File: 00000000.00000002.2058936624.000000000B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b880000_z17invoice.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: d8c570e3619ed2ec61ef7880bcbe3f5ec940f4869a29d202d8383f42537344dd
Instruction ID: fa4904523f2206c9df3cfe67dc0a7a741bd2f3264cc48ecc134383dbdae26301
Opcode Fuzzy Hash: d8c570e3619ed2ec61ef7880bcbe3f5ec940f4869a29d202d8383f42537344dd
Instruction Fuzzy Hash: EF1136B58003489FCB10EF99D888BDEBFF8EB48310F108409D518A3610C379A545CFA1

Function 0263AF98 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0263AFFE

Memory Dump Source

Source File: 00000000.00000002.2048423460.0000000002630000.00000040.00000800.00020000.00000000.sdmp, Offset: 02630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2630000_z17invoice.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 09454e2cd2590e258f2ec4fb5ba4dbf0aa20c6c16417a180d59f8fb445b6a191
Instruction ID: f4a5d42fb30d69e46495a28d5094e1e4d7ab7073610ea2253d691e39fb89ebd9
Opcode Fuzzy Hash: 09454e2cd2590e258f2ec4fb5ba4dbf0aa20c6c16417a180d59f8fb445b6a191
Instruction Fuzzy Hash: 6E11DFB6C007498FCB10DF9AC544A9EFBF5AB88318F14845AD529A7210D379A545CFA1

Function 0B881168 Relevance: 1.5, APIs: 1, Instructions: 44
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostMessageW.USER32(?,?,?,?), ref: 0B8811C5

Memory Dump Source

Source File: 00000000.00000002.2058936624.000000000B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b880000_z17invoice.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 33cfaca6474e892170bd7b3a169731701c736d2c7d60b2da20c9bb8fc55e2fd3
Instruction ID: a39d83d4fc9a417d9aa617f4a2eb891c0aa13c7d3c6777725d22e9f20692f2d7
Opcode Fuzzy Hash: 33cfaca6474e892170bd7b3a169731701c736d2c7d60b2da20c9bb8fc55e2fd3
Instruction Fuzzy Hash: 2311D3B58003499FDB10DF9AD849BDEBBF8EB49310F108459D518A7650C379A944CFA5

Function 00BCD3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2047803960.0000000000BCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bcd000_z17invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32940edb165f93e9ba834a6ccc2ccec40d37639ae28f7fcabb664d410463f5ac
Instruction ID: 289593aad8b5509d39a991092ecac15dcbb3502d5ec52d63201a31a61f5f9a46
Opcode Fuzzy Hash: 32940edb165f93e9ba834a6ccc2ccec40d37639ae28f7fcabb664d410463f5ac
Instruction Fuzzy Hash: B721E279500204DFDB09DF14D9C0F26BFA5FB98314F20C5BDDA094A356C33AE856D6A2

Function 00BDD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2047866449.0000000000BDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bdd000_z17invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a35d0dd9c58e9cd3483473355e019b107697d9d3204e6a299940ad1dee0b0735
Instruction ID: 5f80942277ab22a1f92c84248a37dc78a3c41e93c11d253de46fd335a1d16017
Opcode Fuzzy Hash: a35d0dd9c58e9cd3483473355e019b107697d9d3204e6a299940ad1dee0b0735
Instruction Fuzzy Hash: F521D075604204DFCB14DF24D9D4B26FBA5EB88314F24C5AAD98A4B396D33AD806CAA1

Function 00BDD1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2047866449.0000000000BDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bdd000_z17invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d85c85e61bea8837c7cb383a964477d0ea89d72fd8db7893f995d0f400d3a6aa
Instruction ID: 8d76053d66dbfdc95ab9bac49d1964a19456aaefb87836daf7f0a1310e0a38da
Opcode Fuzzy Hash: d85c85e61bea8837c7cb383a964477d0ea89d72fd8db7893f995d0f400d3a6aa
Instruction Fuzzy Hash: F121F271644204EFDB05DF64D9C0F26FBA5FB88314F20C5AEE9894B396D33AD806CA61

Function 00BDD005 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2047866449.0000000000BDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bdd000_z17invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 873562e31c2691b2300e8d77cb04283a1e40d1765e2069ce503dcb35544c0fba
Instruction ID: 7214868f65f6704246760ec64be48bec322cb585042679d934a83100a7006d89
Opcode Fuzzy Hash: 873562e31c2691b2300e8d77cb04283a1e40d1765e2069ce503dcb35544c0fba
Instruction Fuzzy Hash: B52195755093808FCB12CF24D594715FF71EB45314F28C5DBD8898B697C33A980ACB62

Function 00BCD3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2047803960.0000000000BCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bcd000_z17invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction ID: 2a227553d9826aa419a041b8bb8937b8a3664c1c285dfde75e91062577adbb4c
Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction Fuzzy Hash: 3E11DF76504240DFCB06CF00D9C4B16BFB1FB94324F24C6ADD9090B256C33AE85ACBA2

Function 00BDD1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2047866449.0000000000BDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bdd000_z17invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction ID: f1faea125bc83c7d3b5be50582310029e7aec22980982cb534ac42f409409a6d
Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction Fuzzy Hash: B1118B75504280DFDB16CF14D5C4B15FBB1FB84314F24C6AAD8894B796D33AD84ACB62

Function 00BCD745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2047803960.0000000000BCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bcd000_z17invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbdf610b67e0bfe2b494ffc354ae6d458fa9216368de890707c0b2e85eae7c7a
Instruction ID: 56d21d0c69a159de2c48349741f7082e784c725606e445c0e4c90efed69a50b6
Opcode Fuzzy Hash: cbdf610b67e0bfe2b494ffc354ae6d458fa9216368de890707c0b2e85eae7c7a
Instruction Fuzzy Hash: EF01DF351043449AE7209A29CDC4F66BFD8EF86320F18C5BFED080A286D2799C01CAB1

Function 00BCD744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2047803960.0000000000BCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bcd000_z17invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14c9b38793f7bb9370f654d7e7bf9ac3e6394509d3e0f783e46c6cbe5db213f3
Instruction ID: 64126178430f074abd9d75e35411b38ab6ed93956b909bdb1857a4ae04c0e656
Opcode Fuzzy Hash: 14c9b38793f7bb9370f654d7e7bf9ac3e6394509d3e0f783e46c6cbe5db213f3
Instruction Fuzzy Hash: 8DF0C275004344AEE7108F1AC888B62FFD8EF95734F18C46AED080A286C3799C40CBB0

Non-executed Functions

Function 0B882468 Relevance: .4, Instructions: 350COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2058936624.000000000B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b880000_z17invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0339232ea279a416265740a4719353fb8472791cbf96b39c7b30a89ce56a50a
Instruction ID: 3f8d254b85ee2b03e5f54f7447522073e0685dc5a2ff26f8ebc0abfbb3710779
Opcode Fuzzy Hash: d0339232ea279a416265740a4719353fb8472791cbf96b39c7b30a89ce56a50a
Instruction Fuzzy Hash: DFD18A747016048FDB2AEF79C8607AAB7FBAF89700F14446DD186DB2A1DB34E902CB51

Function 04B90040 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2053920309.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b90000_z17invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 087eb0f75f4b1f7f6f494a4064232cb6c5b1313f3c043eb30998268a9a2c27a8
Instruction ID: 7e627da70df75281f950520be1d99016231b59a22574a7915f8ac5d92d10ae02
Opcode Fuzzy Hash: 087eb0f75f4b1f7f6f494a4064232cb6c5b1313f3c043eb30998268a9a2c27a8
Instruction Fuzzy Hash: 751295B2C81766CAD710CF25E84C18D7BB1BB41328FD06B09D2621B2E1DBB415EACF49

Function 0263D5BC Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2048423460.0000000002630000.00000040.00000800.00020000.00000000.sdmp, Offset: 02630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2630000_z17invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 414724bfd2ab59750ba01dc84207953d88d3b3e529b9dd1859d866cbb6da6015
Instruction ID: 42ab0d588b314ac4cf114d3183567190ee2b7f43d6f5ea84c5000d40a026debf
Opcode Fuzzy Hash: 414724bfd2ab59750ba01dc84207953d88d3b3e529b9dd1859d866cbb6da6015
Instruction Fuzzy Hash: F2A17D32E002158FCF0ADFB4D94099EB7B2FF85304F25856AE805AB665DB71E955CF80

Function 04B90006 Relevance: .2, Instructions: 234COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2053920309.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b90000_z17invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd1694c279df25eebc0889d6dec50f7c476389b156f19c0e8f91bd3d62044adf
Instruction ID: 403a9eb277c39f4c1715f5f223ff0815323a5c5c621f81148826cf7fe5413b3d
Opcode Fuzzy Hash: cd1694c279df25eebc0889d6dec50f7c476389b156f19c0e8f91bd3d62044adf
Instruction Fuzzy Hash: 87C11AB2C80765CBD711DF25E84C19D7BB1BB81318F906B09D1626B2E1DBB414EACF49

Analysis Process: z17invoice.exePID: 5752, Parent PID: 6332COMMON

Execution Graph

Execution Coverage:	11.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	91
Total number of Limit Nodes:	9

Executed Functions

Function 07173488 Relevance: 8.0, Strings: 6, Instructions: 545
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 07173BD4
$]q, xrefs: 07173BBC
$]q, xrefs: 07173B87
$]q, xrefs: 07173BE0
$]q, xrefs: 07173B93
$]q, xrefs: 07173BB0

Memory Dump Source

Source File: 00000004.00000002.3303206784.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7170000_z17invoice.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-3723351465
Opcode ID: 40d9831a911c755a6f412aeb0f038f93a6869538d3f0eb04efd8ca96fabada73
Instruction ID: 10c1a38606d96ef2378c603e6e3888970b649253fb62f40865a412193fb86a03
Opcode Fuzzy Hash: 40d9831a911c755a6f412aeb0f038f93a6869538d3f0eb04efd8ca96fabada73
Instruction Fuzzy Hash: EE324E70E1065ACFCB15DF75D89459DB7B6FF89300F2086AAD419AB264EB30AD85CB80

Function 07177D68 Relevance: 3.0, Strings: 2, Instructions: 479
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 0717830F
$]q, xrefs: 07178303

Memory Dump Source

Source File: 00000004.00000002.3303206784.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7170000_z17invoice.jbxd

Similarity

API ID:
String ID: $]q$$]q
API String ID: 0-127220927
Opcode ID: 533f9d6f9f14523711236814602df93c38f8bd167f7f03db078c63243878ac0a
Instruction ID: 8e7911d8a08b7cb6baa633f76e2ecda8668729357c5f41e7e10183f691e27530
Opcode Fuzzy Hash: 533f9d6f9f14523711236814602df93c38f8bd167f7f03db078c63243878ac0a
Instruction Fuzzy Hash: 1B029B70B002069FCB29DF69D894AAEB7F6FF84314F248529D4099B394DB35EC46CB91

Function 07175CD7 Relevance: 2.9, Strings: 2, Instructions: 427
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

XPbq, xrefs: 07175E1D
\Obq, xrefs: 07175E4D

Memory Dump Source

Source File: 00000004.00000002.3303206784.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7170000_z17invoice.jbxd

Similarity

API ID:
String ID: XPbq$\Obq
API String ID: 0-409418754
Opcode ID: 58a951c24c7e2210e6823b7a42e8b71383fbd1c7266188041ef9fe3d8e473625
Instruction ID: d85c83524a5ee81bb19545e6640234a08b08cda494d4c4d1c5442b987b6a03b9
Opcode Fuzzy Hash: 58a951c24c7e2210e6823b7a42e8b71383fbd1c7266188041ef9fe3d8e473625
Instruction Fuzzy Hash: 54E1F271B001158FDB25DB68C894AAEBBF6FF89310F25846AE40ADB392CB71DC51C791

Function 071765E0 Relevance: .8, Instructions: 817COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3303206784.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7170000_z17invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef729a1dbe59508189075a0e0630bf39618c6c0f7b0ed75810cb69c8d6c164b9
Instruction ID: 75e76333be8386b0102155610b2938a190107c5fe603337964d9b8c182009bd1
Opcode Fuzzy Hash: ef729a1dbe59508189075a0e0630bf39618c6c0f7b0ed75810cb69c8d6c164b9
Instruction Fuzzy Hash: AC62DF74B006069FCB25DB68D594AADB7F2FF88314F108469E40AEB394DB35EC46CB91

Function 0717C568 Relevance: .6, Instructions: 648COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3303206784.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7170000_z17invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5043d4c9ece5dd48fb087a95c22ae704a6deb8a1d34305755fff75be57c152a7
Instruction ID: 703268ff2a8747b30a2ac7261c043f6741be35469d0d9cb45c7a2bb8b4d45431
Opcode Fuzzy Hash: 5043d4c9ece5dd48fb087a95c22ae704a6deb8a1d34305755fff75be57c152a7
Instruction Fuzzy Hash: 5E324274B0020A9FDF15DF68D590AADB7BAFB88310F108529E405EB395DB35EC46CBA1

Function 071755C8 Relevance: .6, Instructions: 597COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3303206784.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7170000_z17invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4073a23a9d809e18ca8e6a360bd7453da2e5b185f093b67eb08627f6d0c9d7db
Instruction ID: f83ae2f9662626bce56d6071dc1be54844549e3a579d9ba11e59a1bde36ddde7
Opcode Fuzzy Hash: 4073a23a9d809e18ca8e6a360bd7453da2e5b185f093b67eb08627f6d0c9d7db
Instruction Fuzzy Hash: 4512E3B1F002069BDB25CF65C8806AEB7B7FB84314F248869D84A9B3C5DB34DD56CB91

Function 0717B212 Relevance: .6, Instructions: 572COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3303206784.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7170000_z17invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e92f59fb9f6f2d1bda378b5a75d709475ab5d2f45e357065facb05f003920dab
Instruction ID: 5275aaebd3a7bdcffe53d70f547002b01be145215339a1a06641e9454fc3f58b
Opcode Fuzzy Hash: e92f59fb9f6f2d1bda378b5a75d709475ab5d2f45e357065facb05f003920dab
Instruction Fuzzy Hash: 9E225DF0A0420A8FDF35CA69D4907ADB7B6EB49310F24882AE459DB3D5DB38DC85CB51

Function 0717ACB8 Relevance: 10.4, Strings: 8, Instructions: 389
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 0717AE84
$]q, xrefs: 0717AE38
$]q, xrefs: 0717AE2C
$]q, xrefs: 0717AE67
$]q, xrefs: 0717ADE5
$]q, xrefs: 0717AE5B
$]q, xrefs: 0717ADD9
$]q, xrefs: 0717AE90

Memory Dump Source

Source File: 00000004.00000002.3303206784.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7170000_z17invoice.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-1273862796
Opcode ID: 365310862f6c69552cd0ad9ef4eca1e52dc307bb7cefa9dbd9f8ab7228ea180e
Instruction ID: 7d07cdf07af0b0a847ad6be79fb39c68ab6f2c2dc3f409ebe1b4d972d573ea22
Opcode Fuzzy Hash: 365310862f6c69552cd0ad9ef4eca1e52dc307bb7cefa9dbd9f8ab7228ea180e
Instruction Fuzzy Hash: BDE14170A1020A8FDF29DF69D4906AEB7B7FF89304F208529D409AB395DB35DC46CB91

Function 07113A0A Relevance: 6.1, APIs: 4, Instructions: 136
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 07113A96
GetCurrentThread.KERNEL32 ref: 07113AD3
GetCurrentProcess.KERNEL32 ref: 07113B10
GetCurrentThreadId.KERNEL32 ref: 07113B69

Memory Dump Source

Source File: 00000004.00000002.3302069421.0000000007110000.00000040.00000800.00020000.00000000.sdmp, Offset: 07110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7110000_z17invoice.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 3a75e42138304eadaf683b9c6782bd06cfd2afdf601ee31fb98f53ebbb78141b
Instruction ID: 1a1c39fc2dd327c2b6d56275905e6d98b0e07689c494d1c14beb2ef6dfa6b4eb
Opcode Fuzzy Hash: 3a75e42138304eadaf683b9c6782bd06cfd2afdf601ee31fb98f53ebbb78141b
Instruction Fuzzy Hash: 715168B09003099FDB14DFA9D548BAEBBF5FF48314F208469E419AB3A0D7386985CB65

Function 07113A18 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 07113A96
GetCurrentThread.KERNEL32 ref: 07113AD3
GetCurrentProcess.KERNEL32 ref: 07113B10
GetCurrentThreadId.KERNEL32 ref: 07113B69

Memory Dump Source

Source File: 00000004.00000002.3302069421.0000000007110000.00000040.00000800.00020000.00000000.sdmp, Offset: 07110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7110000_z17invoice.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: cb164b582e3b8cc439555cfa18bae9709005bf261ed23c54eec8f79f316e811d
Instruction ID: 590896de5b6248d560ae31c0e3cc58989bc7c0ed4770e05d77e7cb785701e1f9
Opcode Fuzzy Hash: cb164b582e3b8cc439555cfa18bae9709005bf261ed23c54eec8f79f316e811d
Instruction Fuzzy Hash: AB5137B09003099FDB14DFA9D548BAEBBF5FF48314F208469D419AB3A0D738A985CB65

Function 07179140 Relevance: 5.2, Strings: 4, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 07179193
$]q, xrefs: 071791CE
$]q, xrefs: 071791C2
$]q, xrefs: 07179187

Memory Dump Source

Source File: 00000004.00000002.3303206784.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7170000_z17invoice.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q
API String ID: 0-858218434
Opcode ID: 0ebacdb6342739cab45836868cffe0d246a917c03e83137c04d41ef1c4c261db
Instruction ID: c3cc6a8c42232d7b10db7cb6f79829ba952f6fd077c3b910b56d89822dc5c172
Opcode Fuzzy Hash: 0ebacdb6342739cab45836868cffe0d246a917c03e83137c04d41ef1c4c261db
Instruction Fuzzy Hash: 41915170B0020A8FDB59DB65D950BAEB3F6FF89340F108469C419EB384EB34AD46CB91

Function 07174B90 Relevance: 3.9, Strings: 3, Instructions: 186
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

XPbq, xrefs: 07174CBD
\Obq, xrefs: 07174D47
fbq, xrefs: 0717529D

Memory Dump Source

Source File: 00000004.00000002.3303206784.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7170000_z17invoice.jbxd

Similarity

API ID:
String ID: fbq$XPbq$\Obq
API String ID: 0-4057264190
Opcode ID: ff2aff8d3d5a609129794d7c313bd34d6a46cf7e989ac47255b1f9ef1a423dd4
Instruction ID: 772fc2532cd2247183658c99b355c400fcd800a6b5e36ec8e8b9874453e91063
Opcode Fuzzy Hash: ff2aff8d3d5a609129794d7c313bd34d6a46cf7e989ac47255b1f9ef1a423dd4
Instruction Fuzzy Hash: 65618170B002099FEB559FA5C8547AEBBF7FB88310F20842AD50AEB395DB748C41CB51

Function 07179130 Relevance: 2.7, Strings: 2, Instructions: 161
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 071791C2
$]q, xrefs: 07179187

Memory Dump Source

Source File: 00000004.00000002.3303206784.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7170000_z17invoice.jbxd

Similarity

API ID:
String ID: $]q$$]q
API String ID: 0-127220927
Opcode ID: 531cb6fe1fec8e064956c7249bc06f213151d2abea75d544ad6c62ab9ee1928a
Instruction ID: a9e345d1170190d73dfeafc73091b8fbfb4120f6585f75cbd19810c16eaf8cf9
Opcode Fuzzy Hash: 531cb6fe1fec8e064956c7249bc06f213151d2abea75d544ad6c62ab9ee1928a
Instruction Fuzzy Hash: CA515F70B011069FDB59DB79D850BAEB3F6FB88750F108469C419DB384EB35AC46CB91

Function 0711BE38 Relevance: 1.7, APIs: 1, Instructions: 218
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0711C09E

Memory Dump Source

Source File: 00000004.00000002.3302069421.0000000007110000.00000040.00000800.00020000.00000000.sdmp, Offset: 07110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7110000_z17invoice.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 60ba74769b4b824f077f71ff3add6f729841674065c9afdee8c4ccab87997da7
Instruction ID: 21ffe8d62c33776a499acbfe5f07f0a8f6f6e6e938b7dcb97589de798838e6e4
Opcode Fuzzy Hash: 60ba74769b4b824f077f71ff3add6f729841674065c9afdee8c4ccab87997da7
Instruction Fuzzy Hash: 328156B0A04B068FD725DF29D4447AABBF5FF88300F00892ED48ADBA91D735E945CB91

Function 0711E424 Relevance: 1.6, APIs: 1, Instructions: 119COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0711E542

Memory Dump Source

Source File: 00000004.00000002.3302069421.0000000007110000.00000040.00000800.00020000.00000000.sdmp, Offset: 07110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7110000_z17invoice.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 37cdfc896caf0796d3a9e7d4ea0fe1ed1a4c80e892249c0ab6b7c76e1546959d
Instruction ID: 6f42b411caf1870dc32e40d01f841938553cea74bc475788d120da6e9ce48c34
Opcode Fuzzy Hash: 37cdfc896caf0796d3a9e7d4ea0fe1ed1a4c80e892249c0ab6b7c76e1546959d
Instruction Fuzzy Hash: 7751C1B5D10309DFDB14CF9AD884ADEBBB5FF48310F24812AE819AB250D7749985CF91

Function 0711E430 Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0711E542

Memory Dump Source

Source File: 00000004.00000002.3302069421.0000000007110000.00000040.00000800.00020000.00000000.sdmp, Offset: 07110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7110000_z17invoice.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 53e5109424a31390c22be0363b0057fc238e32956542a08636efadf10b760dcc
Instruction ID: c76b06b10e3a42f74ba430aecd2190faa87e6474dd513a917cc63281940ebae2
Opcode Fuzzy Hash: 53e5109424a31390c22be0363b0057fc238e32956542a08636efadf10b760dcc
Instruction Fuzzy Hash: 8141C0B1D10309DFDB14CF9AC884ADEBBB5FF48310F24812AE819AB250D774A885CF91

Function 07113C58 Relevance: 1.6, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 07113CE7

Memory Dump Source

Source File: 00000004.00000002.3302069421.0000000007110000.00000040.00000800.00020000.00000000.sdmp, Offset: 07110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7110000_z17invoice.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 8accab1bf4fdb922ef832c2b7294757fe0bed5419496ad2df7aa5da692518b4c
Instruction ID: c7cfcee6e4d7f61788996d680624c3e1e649ebfee151c73bfbeba0c37425ce3e
Opcode Fuzzy Hash: 8accab1bf4fdb922ef832c2b7294757fe0bed5419496ad2df7aa5da692518b4c
Instruction Fuzzy Hash: 2221E5B5D00259AFDB10CF9AD584ADEFFF8FB48320F14841AE914A7250D379A950CFA5

Function 01798668 Relevance: 1.6, APIs: 1, Instructions: 65fileCOMMON

Download Yara Rule

APIs

MoveFileA.KERNEL32(?,00000000,?,?), ref: 01798700

Memory Dump Source

Source File: 00000004.00000002.3279751475.0000000001790000.00000040.00000800.00020000.00000000.sdmp, Offset: 01790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1790000_z17invoice.jbxd

Similarity

API ID: FileMove
String ID:
API String ID: 3562171763-0
Opcode ID: 35172697383fb910fa561cc9eb1ca22c55aac2093cf5175ff94860c80f1319b4
Instruction ID: 5e32f4d5ec288b51135cd9458a060b6f5a3330860066c8b5f9f25dbfe5fbd0f8
Opcode Fuzzy Hash: 35172697383fb910fa561cc9eb1ca22c55aac2093cf5175ff94860c80f1319b4
Instruction Fuzzy Hash: E62107B6C012099FDB10CF99E884ADEFFF5FB89310F14845AE918AB205D7755944CBA1

Function 01797838 Relevance: 1.6, APIs: 1, Instructions: 65fileCOMMON

Download Yara Rule

APIs

MoveFileA.KERNEL32(?,00000000,?,?), ref: 01798700

Memory Dump Source

Source File: 00000004.00000002.3279751475.0000000001790000.00000040.00000800.00020000.00000000.sdmp, Offset: 01790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1790000_z17invoice.jbxd

Similarity

API ID: FileMove
String ID:
API String ID: 3562171763-0
Opcode ID: b44bd3d07732b36569f659565b359efa384b8ae78f6147ba872482018456f254
Instruction ID: 7da52e60bb5bb68ce4a60573be0ddfc2b9f02318ba1fe0a99a73fa82d5c007f2
Opcode Fuzzy Hash: b44bd3d07732b36569f659565b359efa384b8ae78f6147ba872482018456f254
Instruction Fuzzy Hash: 8B2105B6C012099FCF50CF99E884ADEFBF5FB89310F14845AE918AB205D375A944CBA5

Function 07113C60 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 07113CE7

Memory Dump Source

Source File: 00000004.00000002.3302069421.0000000007110000.00000040.00000800.00020000.00000000.sdmp, Offset: 07110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7110000_z17invoice.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: a034e2dd4aa5dc16259b63822c295ae8632f2af4723fb6b7450fb89cdc58e12c
Instruction ID: 99468990193ecdcd26a2e74ea4c2baf2ace6a9e4b4e9a33535a30cf0af4cb7c0
Opcode Fuzzy Hash: a034e2dd4aa5dc16259b63822c295ae8632f2af4723fb6b7450fb89cdc58e12c
Instruction Fuzzy Hash: 2921E4B59002099FDB10CF9AD584ADEBFF8FB48310F14841AE918A7350D379A940CFA1

Function 01798098 Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(00000000), ref: 01798110

Memory Dump Source

Source File: 00000004.00000002.3279751475.0000000001790000.00000040.00000800.00020000.00000000.sdmp, Offset: 01790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1790000_z17invoice.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: d76cef72207eb8ead01d7b1a21fb723862e2311e991fd8f06803cf2d20c8f651
Instruction ID: 5a7cbfaf31badb4ba37079abb10672ae78fe09a1c5992771db5bceabf5cd010b
Opcode Fuzzy Hash: d76cef72207eb8ead01d7b1a21fb723862e2311e991fd8f06803cf2d20c8f651
Instruction Fuzzy Hash: 4D2127B1C006599BCB14CFAAD845ADEFBB4FF48310F14816AD918A7240D778A944CFE6

Function 0179F651 Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE ref: 0179F6BF

Memory Dump Source

Source File: 00000004.00000002.3279751475.0000000001790000.00000040.00000800.00020000.00000000.sdmp, Offset: 01790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1790000_z17invoice.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 8797186d3f8520b1b88a8d39ec30f841c99df238ff275ad4168b627080d71b6d
Instruction ID: 1dbcb35dcf88abede402cd11323ebba4919d1df2a8dd812ccf0b676c15c1c280
Opcode Fuzzy Hash: 8797186d3f8520b1b88a8d39ec30f841c99df238ff275ad4168b627080d71b6d
Instruction Fuzzy Hash: 8B1133B1C002599BCB10CFAAD444ADEFFF8EF48320F10812AE918A3250D778A954CFE5

Function 017980A0 Relevance: 1.6, APIs: 1, Instructions: 56fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(00000000), ref: 01798110

Memory Dump Source

Source File: 00000004.00000002.3279751475.0000000001790000.00000040.00000800.00020000.00000000.sdmp, Offset: 01790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1790000_z17invoice.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: dfbd0c528a891c548139ef91fecbc7f194619c38c5ad104eb2d5b6f9f19de03e
Instruction ID: 98544e6c8728b6c847c37efbb69c96b3de0843f5a62c87f458c2d1d9d017e48c
Opcode Fuzzy Hash: dfbd0c528a891c548139ef91fecbc7f194619c38c5ad104eb2d5b6f9f19de03e
Instruction Fuzzy Hash: B21130B1C0065A9BCB14CF9AD445AAEFBB4FF48320F10812AD918A7240D778A944CFA6

Function 0711B058 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0711C119,00000800,00000000,00000000), ref: 0711C30A

Memory Dump Source

Source File: 00000004.00000002.3302069421.0000000007110000.00000040.00000800.00020000.00000000.sdmp, Offset: 07110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7110000_z17invoice.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 4ad24415b0765d4c43ba5b614600ba9272e6685c3c0f6b35a55fcabe289c5562
Instruction ID: dce525126bfa88be068aa543085f35e63dedc02b6fb655531d840efeb01767a9
Opcode Fuzzy Hash: 4ad24415b0765d4c43ba5b614600ba9272e6685c3c0f6b35a55fcabe289c5562
Instruction Fuzzy Hash: C21123B6C003099FCB10CF9AD444ADEFBF9EB88310F10842AE919BB240C379A544CFA5

Function 0711C299 Relevance: 1.6, APIs: 1, Instructions: 52libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0711C119,00000800,00000000,00000000), ref: 0711C30A

Memory Dump Source

Source File: 00000004.00000002.3302069421.0000000007110000.00000040.00000800.00020000.00000000.sdmp, Offset: 07110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7110000_z17invoice.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: ce3250c765a5b314de67428de6e678e0723ebbfd3b6eeb8a2e6d95095ae750ca
Instruction ID: 221ebf605b971f11c58daedfb74a0d5e115b5f176898db35bdfeb518f08bbc46
Opcode Fuzzy Hash: ce3250c765a5b314de67428de6e678e0723ebbfd3b6eeb8a2e6d95095ae750ca
Instruction Fuzzy Hash: 8F11F0B6C002098FDB10CF9AD944ADEFBF5EB88310F14842AE559BB250C379A545CFA5

Function 0179F658 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE ref: 0179F6BF

Memory Dump Source

Source File: 00000004.00000002.3279751475.0000000001790000.00000040.00000800.00020000.00000000.sdmp, Offset: 01790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1790000_z17invoice.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 9601bb8370d107651f771203e33c615929bbeeb46e6f3ab2643c162e8b7c521a
Instruction ID: 5af24ca564bdeadc533442a9b25b569ece2d47676cee41d3dc2fa7a07dc0a1c5
Opcode Fuzzy Hash: 9601bb8370d107651f771203e33c615929bbeeb46e6f3ab2643c162e8b7c521a
Instruction Fuzzy Hash: 93111FB1C0065A9BCB10DFAAD444A9EFBF8EF48320F10812AD918A7250D378A954CFE5

Function 0711C038 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0711C09E

Memory Dump Source

Source File: 00000004.00000002.3302069421.0000000007110000.00000040.00000800.00020000.00000000.sdmp, Offset: 07110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7110000_z17invoice.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: b6568b126ae1fc396f03b78a5530b3306dcf28b20ef1a1ee63366fe97aa7459a
Instruction ID: 1c1dd4bc82f84e02f2b5773162463343f1c4df1fb24c89dd4d20de83785a285c
Opcode Fuzzy Hash: b6568b126ae1fc396f03b78a5530b3306dcf28b20ef1a1ee63366fe97aa7459a
Instruction Fuzzy Hash: 0711E0B5C002498FCB10DF9AD444BDEFBF8EF88314F10842AD919A7250D379A545CFA1

Function 07174B81 Relevance: 1.4, Strings: 1, Instructions: 133COMMON

Download Yara Rule

Strings

XPbq, xrefs: 07174CBD

Memory Dump Source

Source File: 00000004.00000002.3303206784.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7170000_z17invoice.jbxd

Similarity

API ID:
String ID: XPbq
API String ID: 0-864591470
Opcode ID: 7a3f3c2a16e24e17975ce9996bd17a5247edebba82e7192ade9aa4b7e0ab9a12
Instruction ID: 4c131c647ab3be9aebecdbf3bfe7e3f78f1b04d61d23dbd0fce046bcdd4294e9
Opcode Fuzzy Hash: 7a3f3c2a16e24e17975ce9996bd17a5247edebba82e7192ade9aa4b7e0ab9a12
Instruction Fuzzy Hash: 1D414D71A002099FDB55DFA5C854BAEBBF7FF88710F20852AD106AB395DB749C01CB91

Function 0717DEAB Relevance: 1.4, Strings: 1, Instructions: 121COMMON

Download Yara Rule

Strings

PH]q, xrefs: 0717DFF9

Memory Dump Source

Source File: 00000004.00000002.3303206784.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7170000_z17invoice.jbxd

Similarity

API ID:
String ID: PH]q
API String ID: 0-3168235125
Opcode ID: a86b28d530f4c8be41822da320a83964da4065fef8bfa7fc6b4fcaee4263b1e5
Instruction ID: 68289405180f1f254db1ed51b8f21bc7c9312599c42d4d03fd2c2f9eecd41921
Opcode Fuzzy Hash: a86b28d530f4c8be41822da320a83964da4065fef8bfa7fc6b4fcaee4263b1e5
Instruction Fuzzy Hash: A64182B0B0030A9FDB25DF65D85469EBBB6FF85310F208429E445E7288EF74D946CB91

Function 071725F8 Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

PH]q, xrefs: 07172733

Memory Dump Source

Source File: 00000004.00000002.3303206784.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7170000_z17invoice.jbxd

Similarity

API ID:
String ID: PH]q
API String ID: 0-3168235125
Opcode ID: 25700dea34865962f30b3bcebe69b09bb3bdaec013d2ec84c1cdf4ab7d320113
Instruction ID: fea9933880325c142fe8273f81ff64bc74ef695225c126654062507d2879fd18
Opcode Fuzzy Hash: 25700dea34865962f30b3bcebe69b09bb3bdaec013d2ec84c1cdf4ab7d320113
Instruction Fuzzy Hash: D531BE70B002028FCB199B74D55466E7AF7BF89310F208429E406DB399DF78DD46CB95

Function 071782B8 Relevance: 1.3, Strings: 1, Instructions: 40COMMON

Download Yara Rule

Strings

$]q, xrefs: 07178303

Memory Dump Source

Source File: 00000004.00000002.3303206784.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7170000_z17invoice.jbxd

Similarity

API ID:
String ID: $]q
API String ID: 0-1007455737
Opcode ID: 2a08b64a352903ef02b8f428fbbac7f1035ee1d31eaa99d4cbdce047d2a25eab
Instruction ID: e299bf03349055eefc0290595f795bc65a1cf80cc1433aa6d2a16a7476ba79f0
Opcode Fuzzy Hash: 2a08b64a352903ef02b8f428fbbac7f1035ee1d31eaa99d4cbdce047d2a25eab
Instruction Fuzzy Hash: F2F0C2B1B04206DBCF2D9E8DE99867CB7BAEB44314F14446AC909DB2C1C735DD05C761

Function 07172770 Relevance: 1.0, Instructions: 1019COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3303206784.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7170000_z17invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 976411d7f736649469569b4518a4c24cc6b01ac128695f51405bdf1cf4d96d97
Instruction ID: f0952a711fbba09da760fcb9ab7c2540eb3600568a1c8c9d3204d15a3693d972
Opcode Fuzzy Hash: 976411d7f736649469569b4518a4c24cc6b01ac128695f51405bdf1cf4d96d97
Instruction Fuzzy Hash: 75926674A00205CFDB25CB68C584AADB7F2FF49314F5484A9D45AEB3A5DB35EC86CB80

Function 0717B638 Relevance: .3, Instructions: 274COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3303206784.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7170000_z17invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73b6d27ba2303ba97a2e104fe3a63c7b4cd7d3546619d3bf96e42dbea3da66ca
Instruction ID: 5de1012eb3a7c3dfa5f0dd8d8dde5d4ce93b361e8395f07c0ac3ca30a1604c67
Opcode Fuzzy Hash: 73b6d27ba2303ba97a2e104fe3a63c7b4cd7d3546619d3bf96e42dbea3da66ca
Instruction Fuzzy Hash: C2A149F0E0420A8BDF36CA68D480BADB7B5EB49314F24896AE459DF2D1D734DC86CB51

Function 071761E0 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3303206784.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7170000_z17invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d38a4371221820db5b4142bed27a5fa3fed21d46495b3005f933f9f52e64b5e
Instruction ID: a99d4ea248f2bbd49c479cef584498284e88543d406e8fc6c832995866165490
Opcode Fuzzy Hash: 7d38a4371221820db5b4142bed27a5fa3fed21d46495b3005f933f9f52e64b5e
Instruction Fuzzy Hash: 9561C1B1F005124BDB159A6AC880A5FBAEBAFD4210F254479D80EDB364EF69DD0287D2

Function 071742C0 Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3303206784.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7170000_z17invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d5785bd745fb4712268ac73a249dd6959c078e2b7f1ccd05b151084ed1d6c15
Instruction ID: 95fe19597cf9d9beed9d973aa7f02d21b0b95d121f304214f0ae097ddfbcfb73
Opcode Fuzzy Hash: 2d5785bd745fb4712268ac73a249dd6959c078e2b7f1ccd05b151084ed1d6c15
Instruction Fuzzy Hash: 95814B70B0020A8FDB15DFB5D4546AEB7F7AB89304F208529D80ADB394EB34DC46CB92

Function 071745E0 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3303206784.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7170000_z17invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab1ef179445ce6be608d2472d5633ea8521ef182acd185bea5716296c32df73a
Instruction ID: c2b638c41254fa799b3a7afaf551c34c6a7655790f91349d63a84538d0400bcc
Opcode Fuzzy Hash: ab1ef179445ce6be608d2472d5633ea8521ef182acd185bea5716296c32df73a
Instruction Fuzzy Hash: F5914F70E0065A8FDF21DFA8C890B9DB7B1FF85300F208599D54DAB295DB70AA85CF91

Function 071745F8 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3303206784.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7170000_z17invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d2a390ed7e47ca138413cb76ecf2bbb1240c4baccb976540eb3157443cf5b8e
Instruction ID: 18d01824d475ad8994f94aae4811d0ce672b69299e519b48fb63eab4cce5f12d
Opcode Fuzzy Hash: 4d2a390ed7e47ca138413cb76ecf2bbb1240c4baccb976540eb3157443cf5b8e
Instruction Fuzzy Hash: A9913170E0065A8BDF20DFA4C890B9DB7B1FF85304F208599D54DBB295DB70AA85CF91

Function 0717EEF3 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3303206784.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7170000_z17invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df4173c634175546a3ac46f94bc20ea4501745aa33a91008969561e02c406077
Instruction ID: 82965b9b20590dc1b08ec3de883c60006084d53cb7f2ea4b42e425962c1e7cc4
Opcode Fuzzy Hash: df4173c634175546a3ac46f94bc20ea4501745aa33a91008969561e02c406077
Instruction Fuzzy Hash: 8C711D70A002099FDB15DFA8D994AAEF7FAFF88300F248469D409AB355DB34ED46CB51

Function 0717EEF8 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3303206784.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7170000_z17invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00657bd122c0c81513d161653c0989bc8bc5b37f8af73ddae1f160448dff7560
Instruction ID: 5c68a13ea0f2504092fef016b5ddc7eb78f2c5875614f1d6ecfbbd7031e8f0c3
Opcode Fuzzy Hash: 00657bd122c0c81513d161653c0989bc8bc5b37f8af73ddae1f160448dff7560
Instruction Fuzzy Hash: 12711C70A002099FDB15DFA8D994AAEF7FAFF88300F248469D409AB355DB34ED46CB51

Function 0717FC5B Relevance: .2, Instructions: 177COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3303206784.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7170000_z17invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87e341e182a494470c0e6c1afe5f01393aa0e561b9fa5e33897dea26017ba9bc
Instruction ID: 2190e56030c578dfd1350a749e8e4f51399c9671541144cb65fef853a7bde5b7
Opcode Fuzzy Hash: 87e341e182a494470c0e6c1afe5f01393aa0e561b9fa5e33897dea26017ba9bc
Instruction Fuzzy Hash: D851D5B1A00105DFCB24AB78E4846AEB7BAFF84315F108869E10AD7291DB359947CB91

Function 0717FA13 Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3303206784.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7170000_z17invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d59ca099dfe7065a4e5f04546e4286fb0a3a1d6c6768ed5c1542b2956c3d4a8
Instruction ID: 74308e716f9dd04d73459f56744aec3c1698d65407d9fcdaea467e9bb902e06c
Opcode Fuzzy Hash: 8d59ca099dfe7065a4e5f04546e4286fb0a3a1d6c6768ed5c1542b2956c3d4a8
Instruction Fuzzy Hash: 0451C2F07002069FEF25566CE95473F666EEB89710F20492AE40AD73D5CA2CCC47C3A2

Function 0717FA18 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3303206784.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7170000_z17invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d536fb163072a039b3f68f0cadf3c55366b5ef79e9c3f1c776ccccb69e36cf3
Instruction ID: 8ec68bfc25262a330511a99f370da57bf37e48f12c244e5c955ba148453dde27
Opcode Fuzzy Hash: 7d536fb163072a039b3f68f0cadf3c55366b5ef79e9c3f1c776ccccb69e36cf3
Instruction Fuzzy Hash: 3251A3F07102069FEF25566CE85473F666EEB89750F20492AE40AD73D5CA6CCC47C3A2

Function 0717FA0B Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3303206784.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7170000_z17invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8634b04f1e5b49e3f0ef2601491a1c23b8ddb704ff17c179eb4b70fff02a906
Instruction ID: f0d26e5aa95d01054ab6892bc5d0314be86ae35e95e4231797e11d0249eab495
Opcode Fuzzy Hash: e8634b04f1e5b49e3f0ef2601491a1c23b8ddb704ff17c179eb4b70fff02a906
Instruction Fuzzy Hash: 1E4183F07102069FEF25566CE95473F666EDB89750F20492AE40AD73E5CA6CCC47C3A2

Function 07175439 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3303206784.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7170000_z17invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19f7451c351fb4523c30295d7f98a4cf577cb9b1f989cb53605ce54956d6798a
Instruction ID: 67e51afd45eea1c45e4c5e59768dbc44411c35ed089e33d6606ea17d967d66fb
Opcode Fuzzy Hash: 19f7451c351fb4523c30295d7f98a4cf577cb9b1f989cb53605ce54956d6798a
Instruction Fuzzy Hash: 784160B1A002068FDB21CFA9D8C1AAFBBB3EB85310F50492AE116D7690D730E955CB91

Function 07172418 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3303206784.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7170000_z17invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54684779562b758a9a7a18e9df0a0b907fef58b9a935651cdb46ad4d42f17cd5
Instruction ID: 2e976efde43a73d86e3da791c2a1ffa707cef28594a0d77107cbedfd63bc87af
Opcode Fuzzy Hash: 54684779562b758a9a7a18e9df0a0b907fef58b9a935651cdb46ad4d42f17cd5
Instruction Fuzzy Hash: 1541F271E042568FCB16CF68C8A469ABBB2FF85300F108529E446EB391EB74D847CB91

Function 071755B8 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3303206784.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7170000_z17invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fc94c956ac03c978fd0c65145c55f4104d4e713c8aac58836e4b5188ed458fe
Instruction ID: 2a2e8bfb7c0297d3ae1ead373dee730fcc51d94acb318ed41e3409e680673fa3
Opcode Fuzzy Hash: 1fc94c956ac03c978fd0c65145c55f4104d4e713c8aac58836e4b5188ed458fe
Instruction Fuzzy Hash: D53194B4E002069BDF318E69C48076EFBB3FB85310F64892AE459DB2C1D735D961DB91

Function 0717DD5B Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3303206784.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7170000_z17invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0293f859864fe19cbd5ac4ec5216fd328af9182834817d9051ccaa1a4847ca10
Instruction ID: dd83548a85678c066f2554846bb696f4856cff8e7c1440fcdb494b90a8450631
Opcode Fuzzy Hash: 0293f859864fe19cbd5ac4ec5216fd328af9182834817d9051ccaa1a4847ca10
Instruction Fuzzy Hash: A2319870A0030E9BCF29DF65D580A9EBBB6FF85304F104529D445AB394EB74E946CB91

Function 0717DD60 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3303206784.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7170000_z17invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db9453ff0ac2b7834c13ad74efcff66c86f6e473c169ad314ed4304abb3550ef
Instruction ID: 2f301d567219e98c7e6d9549e741aa3993c4ea730cc2f1a5ceb3bf23127b532a
Opcode Fuzzy Hash: db9453ff0ac2b7834c13ad74efcff66c86f6e473c169ad314ed4304abb3550ef
Instruction Fuzzy Hash: BA319670A0030E8BCF2ADF65D580A9EBBB6FF85304F108529D445AB394EB74E946CB41

Function 07175FE0 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3303206784.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7170000_z17invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51cbb87ec89454629745baef4d4af838b32f718f9a892bd340260143535efc16
Instruction ID: 94c22c0de1138417788a0189713bf378e12a58c8ba639538bb3463468ab3a97a
Opcode Fuzzy Hash: 51cbb87ec89454629745baef4d4af838b32f718f9a892bd340260143535efc16
Instruction Fuzzy Hash: F3318C357100148FCB54DF78D498A9ABBF6FF89720F2180A9E506CB3A5CA71DC058B91

Function 071724B8 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3303206784.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7170000_z17invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7e730f14b325d137dd5d752c94469ac0a0f3ec73f1dabc0bc30c28ec02daada
Instruction ID: 9f963ba0ce7b61b5d6b96896ba765f12c470b4927d553c0cfd5f2b9abf500c30
Opcode Fuzzy Hash: a7e730f14b325d137dd5d752c94469ac0a0f3ec73f1dabc0bc30c28ec02daada
Instruction Fuzzy Hash: 11313A71E0020A9BCB19CF65D8A469EB7B2FF89300F508529E806E7394DB70AC83CB51

Function 07173EC9 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3303206784.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7170000_z17invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5804f64111e72bab0b4435f02bd7b5c3ad3b86cf478c23cdc037c929640c2790
Instruction ID: d035938c7a8a3ab0b2ad7306b372371de254cdbecc8a597ae959bd9dc768b0ff
Opcode Fuzzy Hash: 5804f64111e72bab0b4435f02bd7b5c3ad3b86cf478c23cdc037c929640c2790
Instruction Fuzzy Hash: C2217C76A012569FCB11CF69D881AEEBBF5EB4C310F004066E915EB380D774DD42CBA1

Function 07173ED8 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3303206784.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7170000_z17invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 402923af6f10654d1f944c14d9db46a601af6bd1f2b10809973590e3a45185e2
Instruction ID: 86ce7f44929417cd7e39ebe5ebcf546d06692ed4a27f9d64dde1f6a447b72fde
Opcode Fuzzy Hash: 402923af6f10654d1f944c14d9db46a601af6bd1f2b10809973590e3a45185e2
Instruction Fuzzy Hash: 9C217AB5E012169FDF10CF69D880AAEBBF5EB48710F108069E915EB380E735DD02CB92

Function 0174D044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3279243616.000000000174D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0174D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_174d000_z17invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26832939416c529269fe84e1b5d734bfd6d69a0ee794e1e65b28f620107482b9
Instruction ID: 175f179db5c29df7946ce9ea7e4251dd39fdf9a83ae68ac71ae0348c49c6befd
Opcode Fuzzy Hash: 26832939416c529269fe84e1b5d734bfd6d69a0ee794e1e65b28f620107482b9
Instruction Fuzzy Hash: D9210771504204DFDB25CF68C9C4B26FBA5FB98314F20C5ADE9894B362C77AD446CA61

Function 07173FE8 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3303206784.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7170000_z17invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6dc5467f01ebd14e28aa6fe914b9af427093bf37cf09dd6aa9a2575be81020a5
Instruction ID: fcae7535dcfd18635d6433151426a413065ef557f9136efc528f9416b837b963
Opcode Fuzzy Hash: 6dc5467f01ebd14e28aa6fe914b9af427093bf37cf09dd6aa9a2575be81020a5
Instruction Fuzzy Hash: 4A118235B000294BCB15D678C8146EE73BAEBC8311F014539D90AE7384DF76DC068BE1

Function 07174222 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3303206784.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7170000_z17invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 080f2680c685c576a7d731f2fd9179823892e0ab818e5fc7b643703be2485802
Instruction ID: 405fcb91c5b26475a80c063abfcde1630c773723b239d101a13b79e45810ec7c
Opcode Fuzzy Hash: 080f2680c685c576a7d731f2fd9179823892e0ab818e5fc7b643703be2485802
Instruction Fuzzy Hash: EC01D6717000020FDB5286ADE850B1AB7EBDFC9710F20843AE90AC7391EF25DC128791

Function 07173CA0 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3303206784.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7170000_z17invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43d063fdafd729c7b76b1d8fe0b02d6b45070fbd393fc9b5cfcec3a3d8d01be0
Instruction ID: dba28fdd931131f8b5b3cdfceaba64845af2d416fb13fbe9a7956c898c384473
Opcode Fuzzy Hash: 43d063fdafd729c7b76b1d8fe0b02d6b45070fbd393fc9b5cfcec3a3d8d01be0
Instruction Fuzzy Hash: A821E3B5C01259AFCB10DF9AD884ACEFFB8FB48310F10851AE518A7240D378A550CFA5

Function 0717A2F0 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3303206784.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7170000_z17invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fea7f8fedc102f13eed2152e1d5dafa3222c682825d42f5c12a3b5aa643cddf7
Instruction ID: 4f73d079cc3fee8191d9d0f5871a9cf54333490ee561ee7be48f549fd071b3e1
Opcode Fuzzy Hash: fea7f8fedc102f13eed2152e1d5dafa3222c682825d42f5c12a3b5aa643cddf7
Instruction Fuzzy Hash: 8711C4317412154BD722DB2CE450B6E7BE6EF86214F108429E50ACB391DF25DD45C7A1

Function 07172154 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3303206784.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7170000_z17invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e439f536e882d1f68150c35e3eb292f07f62d2e9fd3e96b578f99b3d835e6524
Instruction ID: 02f1d753594c56c781b4a09ca93b57fc7db593e454a46791f6937759020d3b7c
Opcode Fuzzy Hash: e439f536e882d1f68150c35e3eb292f07f62d2e9fd3e96b578f99b3d835e6524
Instruction Fuzzy Hash: 7721C4B5D01259EFCB00DF9AD984ADEFBB4FB49310F10852AE918A7240D374A954CFE5

Function 0174D03F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3279243616.000000000174D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0174D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_174d000_z17invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction ID: 46067f1de46d8cc3e4f51da34a3c8d8b78af4717b3bebb1efc30e1e81bb62963
Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction Fuzzy Hash: 6D11BB75504284CFDB22CF54C9C4B15FFA2FB88314F24C6ADD8894B262C33AD44ACB62

Function 07173FD7 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3303206784.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7170000_z17invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 098b013355bebbadaa3ab678f5438a619fd171a6cda24e9a7cc5d06237246dca
Instruction ID: a12eac64b32a49b5401b8014454bf455e11d018c2cefac652028493e4fabe5b6
Opcode Fuzzy Hash: 098b013355bebbadaa3ab678f5438a619fd171a6cda24e9a7cc5d06237246dca
Instruction Fuzzy Hash: A401D432B000195BDB258669DC14AEF73BAEBC8701F014035D90AD7380EF65CC068BE2

Function 07174230 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3303206784.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7170000_z17invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 265b87e22fced8ffad35d5f3ce7544cdbc4940ed951ba51485625b84daf1122c
Instruction ID: 8c0677a8d61084d7560bc29c0b642af51e9fa253e81c86716b3da0e152ffbbee
Opcode Fuzzy Hash: 265b87e22fced8ffad35d5f3ce7544cdbc4940ed951ba51485625b84daf1122c
Instruction Fuzzy Hash: AF01D6317000120BDB6595ADE454B2BF6EFDBC9714F20843AE90EC7390DF25DC028395

Function 0717F173 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3303206784.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7170000_z17invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bd1664567ae66257e560351ac44160a933fb0c463f4cf45741eb7ec38e6d728
Instruction ID: de60e17d4a5a907b24202d7f870c854ec2b3be39abf98ff2421a527057fde44f
Opcode Fuzzy Hash: 0bd1664567ae66257e560351ac44160a933fb0c463f4cf45741eb7ec38e6d728
Instruction Fuzzy Hash: 310181317000125BDB26967DD854B2FA7EBEBC9615F24883AE10AC7384DE25DD038395

Function 0717F178 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3303206784.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7170000_z17invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0beedf087f6c73cca84785fdab81ac6e9c9f5c9f8f9871938e29c8061c93f8c4
Instruction ID: 4293d848cf2a792339c7d60c86c051f847da67767e8817d7fa00951223fc7fb5
Opcode Fuzzy Hash: 0beedf087f6c73cca84785fdab81ac6e9c9f5c9f8f9871938e29c8061c93f8c4
Instruction Fuzzy Hash: 680181317000165BDB26966DD854B2FB6EBEBC9625F10883AE50AC7380DE25DD038391

Function 0717A300 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3303206784.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7170000_z17invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08450c2d97518b3bc992c1645605855a57b283e332c7c93b422724b60983bdcf
Instruction ID: d54e5a3a51840a6df6f09d99f70c0c4df9a39e1a3f2fde3b4d0095b41560b43f
Opcode Fuzzy Hash: 08450c2d97518b3bc992c1645605855a57b283e332c7c93b422724b60983bdcf
Instruction Fuzzy Hash: DE0181717001150BDB269B7DD854B2EB7EAEB8A711F108438E20ECB390DE26DC028791

Function 07176460 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3303206784.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7170000_z17invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d2c66b135b4b26ae3b1267565c3031f03e8201278cc2980928c0775cfd59745
Instruction ID: 411e450a4d961fd6e760d8efa114d2bd5e592c5656454f064ead5da67c4a550e
Opcode Fuzzy Hash: 4d2c66b135b4b26ae3b1267565c3031f03e8201278cc2980928c0775cfd59745
Instruction Fuzzy Hash: 15E0D8F1A0560DABDB21CEB4C94679E7BBDE741204F3048A1E409CB181F276DA41C791

Non-executed Functions

Function 07177688 Relevance: 13.0, Strings: 10, Instructions: 468COMMON

Download Yara Rule

Strings

$]q, xrefs: 07177BE0
$]q, xrefs: 071777B5
$]q, xrefs: 07177784
$]q, xrefs: 07177BEA
$]q, xrefs: 07177778
$]q, xrefs: 07177B41
$]q, xrefs: 07177BF6
$]q, xrefs: 07177BD4
$]q, xrefs: 07177B35
$]q, xrefs: 071777A9

Memory Dump Source

Source File: 00000004.00000002.3303206784.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7170000_z17invoice.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-2843079600
Opcode ID: fae5556053bfabdec64d9c9274ee9743fe0235d583927d242b6b9ceec57c978d
Instruction ID: 9a4e159ed8fe6a042b68cadaac478b32f5606d17a1a071a2483f16aadac6160c
Opcode Fuzzy Hash: fae5556053bfabdec64d9c9274ee9743fe0235d583927d242b6b9ceec57c978d
Instruction Fuzzy Hash: 04125E70A0021ACFDB29DF69C994A9DB7F6FF88714F208969D409AB394DB349D45CF80

Function 0717A928 Relevance: 10.2, Strings: 8, Instructions: 229COMMON

Download Yara Rule

Strings

$]q, xrefs: 0717AADA
$]q, xrefs: 0717AA85
$]q, xrefs: 0717AAB0
$]q, xrefs: 0717AA79
$]q, xrefs: 0717AA1E
$]q, xrefs: 0717AA2A
$]q, xrefs: 0717AAA4
$]q, xrefs: 0717AAE6

Memory Dump Source

Source File: 00000004.00000002.3303206784.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7170000_z17invoice.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-1273862796
Opcode ID: 9a3385e7b48004210cde9abde07cfdfc730d666a76d2964d287f74fdaf224600
Instruction ID: ac14ee6b55d25ed7668e5384fd22eef3937d2bb1310806ddb9c64e5e00829d22
Opcode Fuzzy Hash: 9a3385e7b48004210cde9abde07cfdfc730d666a76d2964d287f74fdaf224600
Instruction Fuzzy Hash: 06915FB0A1020ADFDB29DF69DA94B6EB7B6EF84710F10C429E4019B3D4DB789D45CB90

Function 07177088 Relevance: 9.2, Strings: 7, Instructions: 405COMMON

Download Yara Rule

Strings

$]q, xrefs: 0717759C
$]q, xrefs: 0717736A
.5uq, xrefs: 071770E3
$]q, xrefs: 071773C4
$]q, xrefs: 071773D0
$]q, xrefs: 07177590
$]q, xrefs: 07177524

Memory Dump Source

Source File: 00000004.00000002.3303206784.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7170000_z17invoice.jbxd

Similarity

API ID:
String ID: .5uq$$]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-981061697
Opcode ID: 19a335605b5065ad1429c629f5e200867f630eec8d5866d2a106546dc66109ba
Instruction ID: 16236b815bfb97b24e9bdbe99f71b7296473ea28cfeb2a18f4d7ab3bfa937c4d
Opcode Fuzzy Hash: 19a335605b5065ad1429c629f5e200867f630eec8d5866d2a106546dc66109ba
Instruction Fuzzy Hash: B1F14F70A01209DFDB19EF65D594A6EB7BAFF88300F208568D4059B3E8CB35EC46CB91

Function 0717BDE8 Relevance: 7.7, Strings: 6, Instructions: 197COMMON

Download Yara Rule

Strings

$]q, xrefs: 0717BFB5
$]q, xrefs: 0717BFE9
$]q, xrefs: 0717BF8D
$]q, xrefs: 0717BF81
$]q, xrefs: 0717BFF5
$]q, xrefs: 0717BFC1

Memory Dump Source

Source File: 00000004.00000002.3303206784.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7170000_z17invoice.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-3723351465
Opcode ID: 0cc6c89fa93656d07ea045df454ccf191e2de4f21a0f586aedf28914a845f10e
Instruction ID: 470d708dd1a3359440ee5819427264873ea5dcef3afe8e56dc773c3ce52fd7d0
Opcode Fuzzy Hash: 0cc6c89fa93656d07ea045df454ccf191e2de4f21a0f586aedf28914a845f10e
Instruction Fuzzy Hash: 9E71C0B0A0420A8FDB29CFA8D9406ADB7FAFF85700F208429D406EB284DB75DD45CBD1

Function 071783C0 Relevance: 5.3, Strings: 4, Instructions: 282COMMON

Download Yara Rule

Strings

$]q, xrefs: 07178626
$]q, xrefs: 0717861A
$]q, xrefs: 0717867F
$]q, xrefs: 0717868B

Memory Dump Source

Source File: 00000004.00000002.3303206784.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7170000_z17invoice.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q
API String ID: 0-858218434
Opcode ID: fcabfc8303c404267d207b4ce91aad5a7012be96b8df07fd9986a20ea709569e
Instruction ID: 681aba4949759d3633a7d458dd9d9cf6e58ee85c15f0d5850a2431ef37a884e6
Opcode Fuzzy Hash: fcabfc8303c404267d207b4ce91aad5a7012be96b8df07fd9986a20ea709569e
Instruction Fuzzy Hash: 0AB17170A00209CFCB29DFA9D99866EB7B6FF84314F248429D406DB394DB74DC86CB91

Function 071787D8 Relevance: 5.2, Strings: 4, Instructions: 168COMMON

Download Yara Rule

Strings

LR]q, xrefs: 071788CB
$]q, xrefs: 07178857
LR]q, xrefs: 0717891A
$]q, xrefs: 07178863

Memory Dump Source

Source File: 00000004.00000002.3303206784.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7170000_z17invoice.jbxd

Similarity

API ID:
String ID: LR]q$LR]q$$]q$$]q
API String ID: 0-3527005858
Opcode ID: 256514a6b90eea0df5b92c9495570c45199d23ff42cce4e3c17f3b7fe61c1ab5
Instruction ID: e40207c34e12bdd2d6059d56287f608d3dbf6bef40769f1c82e6993a32778d71
Opcode Fuzzy Hash: 256514a6b90eea0df5b92c9495570c45199d23ff42cce4e3c17f3b7fe61c1ab5
Instruction Fuzzy Hash: EA51BE70B002029FCB29DB29D999A6EB7FAFF88304F148569D4069B3E5DB34EC01CB51

Function 0717ACA8 Relevance: 5.2, Strings: 4, Instructions: 165COMMON

Download Yara Rule

Strings

$]q, xrefs: 0717AE84
$]q, xrefs: 0717AE2C
$]q, xrefs: 0717AE5B
$]q, xrefs: 0717ADD9

Memory Dump Source

Source File: 00000004.00000002.3303206784.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7170000_z17invoice.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q
API String ID: 0-858218434
Opcode ID: 84b81b3f2f8ce9326bb42276097d3f4479319a5e971b7d869ea5cceb7deb8a79
Instruction ID: 0d44350ad37c2f0cd5be69520c8bd42a667bd3ae57eb8fe183ac33a140b38cfd
Opcode Fuzzy Hash: 84b81b3f2f8ce9326bb42276097d3f4479319a5e971b7d869ea5cceb7deb8a79
Instruction Fuzzy Hash: A9518370A102069FCF2ADB6CE8806ADB7BAFF89311F14C529D405A7394DB35DC41CB51

Analysis Process: mpTrle.exePID: 5668, Parent PID: 1028COMMON

Execution Graph

Execution Coverage:	8.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	197
Total number of Limit Nodes:	15

Executed Functions

Function 00D3D031 Relevance: 6.1, APIs: 4, Instructions: 132
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00D3D0BE
GetCurrentThread.KERNEL32 ref: 00D3D0FB
GetCurrentProcess.KERNEL32 ref: 00D3D138
GetCurrentThreadId.KERNEL32 ref: 00D3D191

Memory Dump Source

Source File: 00000007.00000002.2185353728.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d30000_mpTrle.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 03ff784a576e65da09ff55476a9e36bfc615f8c55deb2d1f31ae4f998cea439f
Instruction ID: f44e7991a0e1b86690c007f4f530f056fe268d2469e32761b73c6c015501126b
Opcode Fuzzy Hash: 03ff784a576e65da09ff55476a9e36bfc615f8c55deb2d1f31ae4f998cea439f
Instruction Fuzzy Hash: DB5178B09013498FDB14DFA9D948BAEBBF2EF88304F248459E409A73A1C7795984CF65

Function 00D3D040 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00D3D0BE
GetCurrentThread.KERNEL32 ref: 00D3D0FB
GetCurrentProcess.KERNEL32 ref: 00D3D138
GetCurrentThreadId.KERNEL32 ref: 00D3D191

Memory Dump Source

Source File: 00000007.00000002.2185353728.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d30000_mpTrle.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 46ceb8cc717934d56b1c9d64f917b5e3b167e974e9e9383dbea374e98c5c36ce
Instruction ID: 63da5fd85eeb9be28a2a78832b41c4c7846bd106c23a275a84f51f8d54d9dc65
Opcode Fuzzy Hash: 46ceb8cc717934d56b1c9d64f917b5e3b167e974e9e9383dbea374e98c5c36ce
Instruction Fuzzy Hash: 35516AB09013498FDB14DFA9D948BAEBBF2FF48304F248559D409A7350D7785984CF65

Function 06AEE468 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06AEE69E

Memory Dump Source

Source File: 00000007.00000002.2190794068.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6ae0000_mpTrle.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 4e711b3c53f648255e6ca30a20a9a39f2655a4146ba8af3d9a3fe8b798de7bbe
Instruction ID: 94bc8187844e9ecbdd86014db81059554a9885e4e871204395a78faf8a4989c5
Opcode Fuzzy Hash: 4e711b3c53f648255e6ca30a20a9a39f2655a4146ba8af3d9a3fe8b798de7bbe
Instruction Fuzzy Hash: 7E916C71D00219CFDB64DF68C841BEDBBB2FF48314F1485AAE819A7250EB749985CFA1

Function 00D3ADA8 Relevance: 1.7, APIs: 1, Instructions: 199
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00D3AFFE

Memory Dump Source

Source File: 00000007.00000002.2185353728.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d30000_mpTrle.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 6691dee54efcbd5e10a598724c7e80acbaf5521d18a97e58af6e2729e58d87d1
Instruction ID: b5ebb0fe196e669337e4ea67379c5e57c9b45d8cbc050dedc80d31630648625d
Opcode Fuzzy Hash: 6691dee54efcbd5e10a598724c7e80acbaf5521d18a97e58af6e2729e58d87d1
Instruction Fuzzy Hash: 5D714670A00B058FD724DF69D445B5ABBF5FF88700F048A2EE48AD7A50D775E849CBA1

Function 00D344C4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00D359D1

Memory Dump Source

Source File: 00000007.00000002.2185353728.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d30000_mpTrle.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: fe0ef443f4be48d6ce08d3ebe262197740d8e563c36fbed87c9b33fa852bbc0e
Instruction ID: 62eff22d8fe3e75d299b2e75b63f7d9f34440cc1b711b5a0c024e99a63871e3a
Opcode Fuzzy Hash: fe0ef443f4be48d6ce08d3ebe262197740d8e563c36fbed87c9b33fa852bbc0e
Instruction Fuzzy Hash: 3341F0B0C0061DCBDB24DFA9C844B9EBBF5FF48304F20816AD408AB255DB756946CFA1

Function 00D35914 Relevance: 1.6, APIs: 1, Instructions: 95
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00D359D1

Memory Dump Source

Source File: 00000007.00000002.2185353728.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d30000_mpTrle.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 14eeadcd3cab20885d9afe830e28c8026868a82fa2b2896ea3cb0042bc727a70
Instruction ID: ba17d97fe627b140cf9c8ab19ea309cb00104e988b84407dea2ce285b9bf4d53
Opcode Fuzzy Hash: 14eeadcd3cab20885d9afe830e28c8026868a82fa2b2896ea3cb0042bc727a70
Instruction Fuzzy Hash: A04112B0C00619CBDB24DFA9C884BCEBBF6BF48304F24815AD409AB255DB756946CF60

Function 06AEE1E0 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06AEE270

Memory Dump Source

Source File: 00000007.00000002.2190794068.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6ae0000_mpTrle.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 0bf4386e50c5272cdf39f3167c603c1e8d6e3d0d518bb6a62f8fa7ed3e62f92f
Instruction ID: 97217083fcc96ad9f325a4a9ca547d49afec008f4469e5d579663fa73f56385e
Opcode Fuzzy Hash: 0bf4386e50c5272cdf39f3167c603c1e8d6e3d0d518bb6a62f8fa7ed3e62f92f
Instruction Fuzzy Hash: 372124B19003499FCF10DFAAC885BEEBBF5FF48310F50842AE919A7240C7789945CBA0

Function 00D3D689 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00D3D717

Memory Dump Source

Source File: 00000007.00000002.2185353728.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d30000_mpTrle.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 2a0a2d27cb91d022cf3aed939f0c002c066ee745981c9466e35f23276a0c483d
Instruction ID: 6e52b1c99d55b5513b47da4582c198547b9fc3336c085c83172f348537353484
Opcode Fuzzy Hash: 2a0a2d27cb91d022cf3aed939f0c002c066ee745981c9466e35f23276a0c483d
Instruction Fuzzy Hash: E921E5B59002499FDB10CFAAD584ADEBBF5EB48714F14801AE914A7351C378A940CFA1

Function 06AEE2D0 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06AEE350

Memory Dump Source

Source File: 00000007.00000002.2190794068.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6ae0000_mpTrle.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 756c59ec039a01b8c9914579358b6278a1bd8f195e7374e9f767a9f7b7e8779d
Instruction ID: 72dd909677ad10fd6e441560814824b4abf5ba1b7f42ab791d55cb9a2359ef96
Opcode Fuzzy Hash: 756c59ec039a01b8c9914579358b6278a1bd8f195e7374e9f767a9f7b7e8779d
Instruction Fuzzy Hash: 7A2107B1C003599FCB10DFAAC885AEEFBF5FF48310F50842AE519A7250C7799945CBA1

Function 06AEE048 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06AEE0C6

Memory Dump Source

Source File: 00000007.00000002.2190794068.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6ae0000_mpTrle.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 709223ee8458bd40a6df72e1c17110dd9323477aec69fad91a0a5303525bae26
Instruction ID: a2f0db9767b80eca76a2adaa0a89839c87048d8a9a164771339ba077a037c219
Opcode Fuzzy Hash: 709223ee8458bd40a6df72e1c17110dd9323477aec69fad91a0a5303525bae26
Instruction Fuzzy Hash: 7A2134B1D002098FDB10DFAAC485BAEBBF5FF88310F50842AD519A7241CB78A945CFA1

Function 00D3D690 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00D3D717

Memory Dump Source

Source File: 00000007.00000002.2185353728.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d30000_mpTrle.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: d75b9f16b8c23168be3efcfed0f36efe3aaf63fb7bcbbf11fee8c361f07509f6
Instruction ID: 577819806ac14bca7efd0a19110919f0f9df09e27311ca2a3986ed3fc7bf7b6e
Opcode Fuzzy Hash: d75b9f16b8c23168be3efcfed0f36efe3aaf63fb7bcbbf11fee8c361f07509f6
Instruction Fuzzy Hash: FC21E2B59002489FDB10CFAAD984ADEFBF9FF48310F14801AE918A3310C378A940CFA1

Function 00D3A130 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00D3B079,00000800,00000000,00000000), ref: 00D3B28A

Memory Dump Source

Source File: 00000007.00000002.2185353728.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d30000_mpTrle.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: cd15a47f46d2a0d81e4064437505bb3a76c4e816b08e09567768a0d265296192
Instruction ID: c82c6faa7e5429ea10ea1e6375590dbd688aed9abcda293400922b8600585dda
Opcode Fuzzy Hash: cd15a47f46d2a0d81e4064437505bb3a76c4e816b08e09567768a0d265296192
Instruction Fuzzy Hash: B31114B68003099FCB10DF9AC444ADFFBF5EB48720F14852ED919A7210C379A945CFA9

Function 00D3B219 Relevance: 1.6, APIs: 1, Instructions: 54libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00D3B079,00000800,00000000,00000000), ref: 00D3B28A

Memory Dump Source

Source File: 00000007.00000002.2185353728.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d30000_mpTrle.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 37edbd76db72b74f49cb08cf52832027c63c493f9b34295967d6ae6fb58d8dbb
Instruction ID: 993917c6dae96dfc2564b903859dd4e9ac29a0d234327aec0c79c9ae9089137f
Opcode Fuzzy Hash: 37edbd76db72b74f49cb08cf52832027c63c493f9b34295967d6ae6fb58d8dbb
Instruction Fuzzy Hash: F51114B68002498FCB10DFAAC444ADEFBF5EF88720F14852ED519A7200C779A546CFA5

Function 06AEE120 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06AEE18E

Memory Dump Source

Source File: 00000007.00000002.2190794068.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6ae0000_mpTrle.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 60feeed3fd49efd4b2d48431b42f296e9655cc18624539083ba67d5d07c4575b
Instruction ID: 0e77733fa1d3f817769de33f8d5b688175909305b346e67d88e44d2f0b10201e
Opcode Fuzzy Hash: 60feeed3fd49efd4b2d48431b42f296e9655cc18624539083ba67d5d07c4575b
Instruction Fuzzy Hash: 3C1137B18002499FCB10DFAAC844AEEFFF5FF48710F108819E519A7250CB79A940CFA1

Function 08082444 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,08082F21,?,?), ref: 080834D0

Memory Dump Source

Source File: 00000007.00000002.2191096641.0000000008080000.00000040.00000800.00020000.00000000.sdmp, Offset: 08080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_8080000_mpTrle.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 593bd53a4cb0a11fa195e26ff8f9270f269f113546b5b9eddbb4705cffdf0956
Instruction ID: 1081350bcab31e5631c8052d2e6f46beca353b9081b4f0061d23580f29e14948
Opcode Fuzzy Hash: 593bd53a4cb0a11fa195e26ff8f9270f269f113546b5b9eddbb4705cffdf0956
Instruction Fuzzy Hash: 591143B2800208CFCB20EF9AC444BAEBBF5EF48720F108419D558A7341C338A984CFA5

Function 08083074 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,08082F21,?,?), ref: 080834D0

Memory Dump Source

Source File: 00000007.00000002.2191096641.0000000008080000.00000040.00000800.00020000.00000000.sdmp, Offset: 08080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_8080000_mpTrle.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 2affba4e0c25d12b1847d2c454a8d4cd7152cb03ec84a0aa1e6f58e744aaa777
Instruction ID: 54a6c144a181d041e59e8b8aeab1a34ed8d2179a3a414dbcacb83648edcc9c84
Opcode Fuzzy Hash: 2affba4e0c25d12b1847d2c454a8d4cd7152cb03ec84a0aa1e6f58e744aaa777
Instruction Fuzzy Hash: 7C1143B2800209CFCB20EF9AC444BAEBBF5EF88720F108419D558A7341D338A984CFA5

Function 08083090 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,08082F21,?,?), ref: 080834D0

Memory Dump Source

Source File: 00000007.00000002.2191096641.0000000008080000.00000040.00000800.00020000.00000000.sdmp, Offset: 08080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_8080000_mpTrle.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: df4c2d8ad99a7dd635dea38465fc4ff80711bda2c9ce8877258439b245570a5c
Instruction ID: 8f9bd874c6e218ead064c08896e93a1e2f4cf9b954bae7bcd477c167449ab64b
Opcode Fuzzy Hash: df4c2d8ad99a7dd635dea38465fc4ff80711bda2c9ce8877258439b245570a5c
Instruction Fuzzy Hash: FC1146B1800348CFCB20EF99C445BAEBBF5EB48720F108459D558A7340D339A584CFA1

Function 06AEDF98 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 06AEDFFA

Memory Dump Source

Source File: 00000007.00000002.2190794068.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6ae0000_mpTrle.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 035a4ef470e7df0bd0377202a96c41d5515f087229151d985e402520d673ba78
Instruction ID: 9af4f65a2a1b81ded4db15898343d66f9aa5970a6e7ba4ddc193aa2a33d68f29
Opcode Fuzzy Hash: 035a4ef470e7df0bd0377202a96c41d5515f087229151d985e402520d673ba78
Instruction Fuzzy Hash: 6C1128B1D002488BCB20EFAAC4457AEFBF5EF88714F208419D519A7240CB79A545CBA5

Function 00D3AF98 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00D3AFFE

Memory Dump Source

Source File: 00000007.00000002.2185353728.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d30000_mpTrle.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: aef1fee617b85d6b73a1b6c8164c22bfe0dca9b8aee3dee2d2b32cdc545bb332
Instruction ID: 66a0ed5d20db5e4fb0f4540407b6c712fdb03cd0eb24a821dfca5e55adb08cf8
Opcode Fuzzy Hash: aef1fee617b85d6b73a1b6c8164c22bfe0dca9b8aee3dee2d2b32cdc545bb332
Instruction Fuzzy Hash: 271110B5C003498FCB14DF9AC444ADEFBF5EF88724F14841AD528A7210C379A545CFA1

Function 0808347A Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,08082F21,?,?), ref: 080834D0

Memory Dump Source

Source File: 00000007.00000002.2191096641.0000000008080000.00000040.00000800.00020000.00000000.sdmp, Offset: 08080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_8080000_mpTrle.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 5430da49393e7042a52ad1af8c49fc3e2768d23a4537294d2561ef98dd9ee0ad
Instruction ID: c13ed998f4dbdd20dc58d9c025625e937ad08289fd8a15dfc24beb3021634011
Opcode Fuzzy Hash: 5430da49393e7042a52ad1af8c49fc3e2768d23a4537294d2561ef98dd9ee0ad
Instruction Fuzzy Hash: 371103B6800249CFCB20DF99C544BEEBBF5EF88720F10845AD558A7340C739A584CFA5

Function 08081162 Relevance: 1.5, APIs: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 080811C5

Memory Dump Source

Source File: 00000007.00000002.2191096641.0000000008080000.00000040.00000800.00020000.00000000.sdmp, Offset: 08080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_8080000_mpTrle.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 2ca1bf06ee31f42155549faa719857553a66458d9a7b85d69f0579c459117923
Instruction ID: 5960db60e26a885d0742a2ebd96b1dc37416b6e6ad271b8f75e7b79b6ef0c454
Opcode Fuzzy Hash: 2ca1bf06ee31f42155549faa719857553a66458d9a7b85d69f0579c459117923
Instruction Fuzzy Hash: FA11F2B58003499FDB10DF9AC844BDEFBF8EB49710F108419E559A7600C379A584CFA1

Function 08081168 Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 080811C5

Memory Dump Source

Source File: 00000007.00000002.2191096641.0000000008080000.00000040.00000800.00020000.00000000.sdmp, Offset: 08080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_8080000_mpTrle.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 685462dc6a6b440b244107be292eb028ad3dbb5100c8b76eb7279dc4e6238adf
Instruction ID: 303b7d42dd8bfd00275a0d5a4af01033abb0e64ee81306148fc6bce604e632db
Opcode Fuzzy Hash: 685462dc6a6b440b244107be292eb028ad3dbb5100c8b76eb7279dc4e6238adf
Instruction Fuzzy Hash: 1711C2B58003499FDB10DF9AD845BDEBBF8EB49710F108419D558A7600C379A584CFA5

Function 00B2D1FC Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2184840820.0000000000B2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b2d000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fac6b9daaa73e42d563de04c4517884c99e0e34fc192bedbffc3631e4f84d95
Instruction ID: de9e1208a5197c8173b9fe51ec6dc3f5326932ebc202980e9c642aa2e4d9647a
Opcode Fuzzy Hash: 4fac6b9daaa73e42d563de04c4517884c99e0e34fc192bedbffc3631e4f84d95
Instruction Fuzzy Hash: 3221D072504244DFDB05DF54E9C4B2ABFA5FB88310F24C6A9E9090B256C33AD816DBA2

Function 00B2D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2184840820.0000000000B2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b2d000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c982ccb79c349ac1f934d5f2221587b493cded8649e667d1b1b5ecc72ba1840
Instruction ID: 2ea81ee94214fd41fcc019d068e5f582330b259c6d5afb03460e1319bafa01a4
Opcode Fuzzy Hash: 8c982ccb79c349ac1f934d5f2221587b493cded8649e667d1b1b5ecc72ba1840
Instruction Fuzzy Hash: 91210071504240DFDB05DF14E9C0F26BFA5FBA8318F20C5A9E9090B256C37AD856DAA2

Function 00C4D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2185000987.0000000000C4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c4d000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a492212aad7702b3d62fe94cf12db0ee2dea01bad71dc3f9305477df505ad916
Instruction ID: 1e9bbb175b915a3951bc523d1ed6effc6b0eb3c3dbac706e0ecda06babf17d28
Opcode Fuzzy Hash: a492212aad7702b3d62fe94cf12db0ee2dea01bad71dc3f9305477df505ad916
Instruction Fuzzy Hash: 65210771604204DFDB15EF14D5C0F26BBA5FB84314F20C6ADE90A4B356C3BADC46CA61

Function 00C4D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2185000987.0000000000C4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c4d000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cf2bf974e96b60e81e568d959c03dae0e877d5ca76db5dca38b3295072d4dca
Instruction ID: 398ac899c017a30acb466511c6c3a098c96000bda043356d2fe0f93e3d0baa32
Opcode Fuzzy Hash: 1cf2bf974e96b60e81e568d959c03dae0e877d5ca76db5dca38b3295072d4dca
Instruction Fuzzy Hash: 2621F271604204DFCB14EF24D9C4B26BF65FB88314F20C5ADE90A4B396C33AD807CA62

Function 00C4D005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2185000987.0000000000C4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c4d000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d2347db983d0358d218332e93c8b3f4ada9b4d6f30794ebeaffd5d9303e8d92
Instruction ID: d2cf42a773e9eca5b6db2191da05cd10523f1bd35548061617092bad6cbbb160
Opcode Fuzzy Hash: 1d2347db983d0358d218332e93c8b3f4ada9b4d6f30794ebeaffd5d9303e8d92
Instruction Fuzzy Hash: 73218E755093808FCB02DF24D994715BF71FB46314F28C5EAD8898B2A7C33A980ACB62

Function 00B2D1F7 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2184840820.0000000000B2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b2d000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d06fae078f3ccc2112caf8552f6b645ede566e603d6c7b0d9faf10800b04cc1c
Instruction ID: 591b585598dac16c18aa2a22db6c059d62f8d053fe24cd725d37597e3bd311a0
Opcode Fuzzy Hash: d06fae078f3ccc2112caf8552f6b645ede566e603d6c7b0d9faf10800b04cc1c
Instruction Fuzzy Hash: A821B176504240DFDB06CF50D9C4B56BFB2FB88314F24C6A9DD490B656C33AD82ACBA2

Function 00B2D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2184840820.0000000000B2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b2d000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction ID: e9ba30bb55ffb134a12ba0a6c511fb40463a9d2d42f309567a755007f066ab1f
Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction Fuzzy Hash: 02112672504280CFCB02CF10D5C4B16BFB1FBA8314F24C6E9D8490B256C33AD85ACBA2

Function 00C4D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2185000987.0000000000C4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c4d000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction ID: 2c766823859d713cfbfe78261b910b97cd59c9f290d1c0965768f5aec328e173
Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction Fuzzy Hash: E911BB75904280DFCB12DF10C5C4B15BBA1FB84314F24C6A9D84A4B296C37AD84ACB62

Analysis Process: mpTrle.exePID: 1864, Parent PID: 5668COMMON

Execution Graph

Execution Coverage:	10.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	157
Total number of Limit Nodes:	12

Executed Functions

Function 06E23490 Relevance: 8.0, Strings: 6, Instructions: 545
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 06E23B8F
$]q, xrefs: 06E23BB8
$]q, xrefs: 06E23BC4
$]q, xrefs: 06E23BDC
$]q, xrefs: 06E23B9B
$]q, xrefs: 06E23BE8

Memory Dump Source

Source File: 00000008.00000002.3302247920.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6e20000_mpTrle.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-3723351465
Opcode ID: 90269ecf4cd81f055e62d4f006086e8d6030a868e9d84313bf9b3717d6bd4352
Instruction ID: 7d0e181aa492a6f30f1bcf8f63f59d455e83cda7390afb1175329fcd85b67b20
Opcode Fuzzy Hash: 90269ecf4cd81f055e62d4f006086e8d6030a868e9d84313bf9b3717d6bd4352
Instruction Fuzzy Hash: D9323D30E1071A8FCB14EF65C99459DB7B2FF89300F14D6AAD449AB264EB34AD85CB90

Function 06E27D70 Relevance: 3.0, Strings: 2, Instructions: 477
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 06E2830B
$]q, xrefs: 06E28317

Memory Dump Source

Source File: 00000008.00000002.3302247920.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6e20000_mpTrle.jbxd

Similarity

API ID:
String ID: $]q$$]q
API String ID: 0-127220927
Opcode ID: c8c7e076aee97c3412c93456d4157b6484e8112ef1961f606cbfc537d4943528
Instruction ID: 783b83b970483bc6fc5b45e249e524b8123c01bacc26c2aceef22af9f9fba83f
Opcode Fuzzy Hash: c8c7e076aee97c3412c93456d4157b6484e8112ef1961f606cbfc537d4943528
Instruction Fuzzy Hash: 6B02AE30B002269FDB58DF68D594AAEB7E7FF84308F148529D4069B394DB35EC86CB91

Function 06E265E8 Relevance: .8, Instructions: 818COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3302247920.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6e20000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22ef25638b57046c8436f3ff9bdfff5c977800e2afb22abe958c4c8e57bcbbc6
Instruction ID: 6e2912a4420171157f3f74dd3082c681db87b78bde72b5b8ec119a6699058e88
Opcode Fuzzy Hash: 22ef25638b57046c8436f3ff9bdfff5c977800e2afb22abe958c4c8e57bcbbc6
Instruction Fuzzy Hash: 55628C34B002268FDB54DB68D594BADB7B3EF88318F249529D406EB394DB35EC46CB90

Function 06E2C178 Relevance: .6, Instructions: 644COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3302247920.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6e20000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8774d6d2d95eb48c43c7a202de1894d67f26281e4c83ef1e0d8363e95b78847
Instruction ID: 738ae6e2770f837d9e22b6fbadaafeb8797bdf9afa44ab30686d54f107b1fda7
Opcode Fuzzy Hash: e8774d6d2d95eb48c43c7a202de1894d67f26281e4c83ef1e0d8363e95b78847
Instruction Fuzzy Hash: 5B328E34B0021A9FDB94DF68D980AADB7B6FF88714F209925D505E7390DB38EC46CB91

Function 06E255D0 Relevance: .6, Instructions: 588COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3302247920.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6e20000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfe098951117c45b7d84e3ddcbd27567662181dd1781e7f03a2b5335a1bad929
Instruction ID: f3067970d193b94795fac173e9eb830d5ceac63f78b92f8028eaac189ffc21c4
Opcode Fuzzy Hash: dfe098951117c45b7d84e3ddcbd27567662181dd1781e7f03a2b5335a1bad929
Instruction Fuzzy Hash: DF12D335E003269BDB64DF64C9C06AEB7B3EF84318F248439D95A9B380DA34DC46CB91

Function 06E2B220 Relevance: .6, Instructions: 571COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3302247920.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6e20000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 055d78916698bd4f8717150d0ebbaf787883a107e7dab3feab00a587101f1140
Instruction ID: 59b2b43afb17be1b4528407c4b5525208297842a3260ddb9b963edd4e1bcd97e
Opcode Fuzzy Hash: 055d78916698bd4f8717150d0ebbaf787883a107e7dab3feab00a587101f1140
Instruction Fuzzy Hash: E7227C30E1031A8FEF64DB69D9C07ADB7A6EB45318F249826E409DB391DA38DC85CB51

Function 06E2ACC8 Relevance: 10.4, Strings: 8, Instructions: 392
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 06E2AE3C
$]q, xrefs: 06E2AE77
$]q, xrefs: 06E2ADF5
$]q, xrefs: 06E2AE94
$]q, xrefs: 06E2ADE9
$]q, xrefs: 06E2AE48
$]q, xrefs: 06E2AEA0
$]q, xrefs: 06E2AE6B

Memory Dump Source

Source File: 00000008.00000002.3302247920.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6e20000_mpTrle.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-1273862796
Opcode ID: b2d0fe82da9cfef37e6539f1398ef4fbf3bed9c2ef39236ab56102fc0d5d913d
Instruction ID: 784387facac6cde032a308114ff1d9feb61dbd467aafdab02847242b69e17e44
Opcode Fuzzy Hash: b2d0fe82da9cfef37e6539f1398ef4fbf3bed9c2ef39236ab56102fc0d5d913d
Instruction Fuzzy Hash: 90E14C30E1031A8FDB68DF69D5906AEB7B7EF85208F209529D805AB354DB34D886CB91

Function 06E2B648 Relevance: 8.0, Strings: 6, Instructions: 471
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 06E2BBC5
$]q, xrefs: 06E2BB91
$]q, xrefs: 06E2BB9D
$]q, xrefs: 06E2BC05
$]q, xrefs: 06E2BBF9
$]q, xrefs: 06E2BBD1

Memory Dump Source

Source File: 00000008.00000002.3302247920.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6e20000_mpTrle.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-3723351465
Opcode ID: ff3d8b49e00deda59b416a8b0ac249c5ac3aeed7fae40f023abca7597ad5cb5b
Instruction ID: 60e0d00865647e6cbecc489c6cb1fd08591c0d36f5d8872a22d1309a50a08c87
Opcode Fuzzy Hash: ff3d8b49e00deda59b416a8b0ac249c5ac3aeed7fae40f023abca7597ad5cb5b
Instruction Fuzzy Hash: 04029D30E1032A8FDBA4DF69D5806ADB7B2FF45308F24992AD409DB255DB34DC85CB91

Function 06E29148 Relevance: 5.2, Strings: 4, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 06E2918F
$]q, xrefs: 06E2919B
$]q, xrefs: 06E291D6
$]q, xrefs: 06E291CA

Memory Dump Source

Source File: 00000008.00000002.3302247920.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6e20000_mpTrle.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q
API String ID: 0-858218434
Opcode ID: 9b7f17acaf8b92b322ec6ddd5b3b702545f3d6d61477aa32c5bfddfdd0da851e
Instruction ID: 8909ea51e0600c660609a5b44eca4c3c7d04ca46fcc448baf5bdbf1cb92ec953
Opcode Fuzzy Hash: 9b7f17acaf8b92b322ec6ddd5b3b702545f3d6d61477aa32c5bfddfdd0da851e
Instruction Fuzzy Hash: F0917030F0021A8FDB94DF76D9907AEB3F6FF84204F109469C80AEB355EA349D468B91

Function 06E2CF38 Relevance: 4.6, Strings: 3, Instructions: 802
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 06E2D343
$]q, xrefs: 06E2D32F
$]q, xrefs: 06E2D337

Memory Dump Source

Source File: 00000008.00000002.3302247920.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6e20000_mpTrle.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q
API String ID: 0-182748909
Opcode ID: 4066e6cb056de46fca46bbfe2dd2a398b3b003761bb259ed3a34d69d9cf892ef
Instruction ID: 0b730da82ae9536bbaab4b5ed110f344289ebcc1a01a9329cc65b80ca9887403
Opcode Fuzzy Hash: 4066e6cb056de46fca46bbfe2dd2a398b3b003761bb259ed3a34d69d9cf892ef
Instruction Fuzzy Hash: 7A623F3064021A8FCB55EF68D990A9DB7B6FF85304B20C938D1099F359DB79EC46CB81

Function 06E24B98 Relevance: 3.9, Strings: 3, Instructions: 186
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

fbq, xrefs: 06E252A5
XPbq, xrefs: 06E24CC5
\Obq, xrefs: 06E24D4F

Memory Dump Source

Source File: 00000008.00000002.3302247920.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6e20000_mpTrle.jbxd

Similarity

API ID:
String ID: fbq$XPbq$\Obq
API String ID: 0-4057264190
Opcode ID: 32efc572b37e39b7dee74cecbbe58337eb3fd5ac1b08325cff1eea928d36523e
Instruction ID: 8f1dc5d9cc1e41a4bda5f11ae3ab0450327f4aa2678206fed6a307d413edef2f
Opcode Fuzzy Hash: 32efc572b37e39b7dee74cecbbe58337eb3fd5ac1b08325cff1eea928d36523e
Instruction Fuzzy Hash: D1617D70F00219DFEB549FA8C8547AEBAF7FF88304F208429E106AB395DA758C418F91

Function 06E29139 Relevance: 2.7, Strings: 2, Instructions: 158
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 06E2918F
$]q, xrefs: 06E291CA

Memory Dump Source

Source File: 00000008.00000002.3302247920.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6e20000_mpTrle.jbxd

Similarity

API ID:
String ID: $]q$$]q
API String ID: 0-127220927
Opcode ID: 191e715fc57fc47e424f18d88f62ebb6807157169840c67e86c0ae1b7cafea44
Instruction ID: b7809aacbae0c7f8fb9ca24b4d585e7667bed848d0193ea7a957456c1bb02ad3
Opcode Fuzzy Hash: 191e715fc57fc47e424f18d88f62ebb6807157169840c67e86c0ae1b7cafea44
Instruction Fuzzy Hash: CB516330B002169FDB94DF76D950BAE77F6FF88644F109429C80ADB395EA349C46CB91

Function 06E1B720 Relevance: 1.7, APIs: 1, Instructions: 201
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.3302004358.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6e10000_mpTrle.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: d62aa0c613df0d3360585fdc02fb621af3a960ab49816a5888a1b772b35a523a
Instruction ID: 5a18c25bc344441d6fde40dd4930fdcc82062f5cc5e52b5b774cc0e1b914f364
Opcode Fuzzy Hash: d62aa0c613df0d3360585fdc02fb621af3a960ab49816a5888a1b772b35a523a
Instruction Fuzzy Hash: 15815970A00B058FD764DF2AD49076ABBF5FF48304F008A2ED49ADBA50DB74E805CB90

Function 06E1D890 Relevance: 1.7, APIs: 1, Instructions: 152COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06E1DA02

Memory Dump Source

Source File: 00000008.00000002.3302004358.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6e10000_mpTrle.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: de98843c15873f16c05dd5be4537c909c9db76b5fc89ea78a1d55e419c342285
Instruction ID: 44acc9b25550879a56d054a187c25dd120fa572f65742cf1586cd06cce26c4ea
Opcode Fuzzy Hash: de98843c15873f16c05dd5be4537c909c9db76b5fc89ea78a1d55e419c342285
Instruction Fuzzy Hash: 2A5111B1C04349AFCB11CFA9C884ADDBFB6BF49314F14816AE918AB220D3759991CF50

Function 06E1D8F0 Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06E1DA02

Memory Dump Source

Source File: 00000008.00000002.3302004358.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6e10000_mpTrle.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: a79636166ec3072852ff39d81278b86a5f18a32cba577f3c2d6b129b3cf462f3
Instruction ID: 269845f8e110764b9d4cef453061be6011b4e78403edaefacd2c3c5a7f9166c3
Opcode Fuzzy Hash: a79636166ec3072852ff39d81278b86a5f18a32cba577f3c2d6b129b3cf462f3
Instruction Fuzzy Hash: 8E41B0B1D00349DFDB14CF99C894ADEFBB5BF88314F24812AE919AB210D775A985CF90

Function 0308F018 Relevance: 1.6, APIs: 1, Instructions: 77COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE ref: 0308F0BF

Memory Dump Source

Source File: 00000008.00000002.3281602323.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3080000_mpTrle.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: b9c92a3c2f88d1d24e956a237b6fdaa61436cf7fd7ed7676934b45be58428a7b
Instruction ID: ba93bc259154f525236c008142125f452b7e30339a841af4ac1c9371e193c679
Opcode Fuzzy Hash: b9c92a3c2f88d1d24e956a237b6fdaa61436cf7fd7ed7676934b45be58428a7b
Instruction Fuzzy Hash: 822177B1C0025A9FCB24EFAAD4446EEFBF4EF48310F15855AD948A3250D7389945CFA1

Function 06E132D0 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 06E1335F

Memory Dump Source

Source File: 00000008.00000002.3302004358.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6e10000_mpTrle.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: e0ba87268dd0f2bc315419b8e0412c0a2a6fc5544eb9ca5d3bcbe5362c76e0c4
Instruction ID: a27d344af259ca2e6e5c63614a4c189b56e8e9c9fc725b31d07229bc4605fd18
Opcode Fuzzy Hash: e0ba87268dd0f2bc315419b8e0412c0a2a6fc5544eb9ca5d3bcbe5362c76e0c4
Instruction Fuzzy Hash: EB21E2B5D002489FDB10CFAAD984AEEBBF5FB48310F14801AE918A7350D378A941CFA4

Function 06E132D8 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 06E1335F

Memory Dump Source

Source File: 00000008.00000002.3302004358.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6e10000_mpTrle.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 71787085ee66e7b25d145251c95b202bdaf628be9d89f32ebd625aa9451f24a0
Instruction ID: 3cbf1c3e6af3d42f287b083704744fa541a555e015b1787fe7d16e2b1d782ba9
Opcode Fuzzy Hash: 71787085ee66e7b25d145251c95b202bdaf628be9d89f32ebd625aa9451f24a0
Instruction Fuzzy Hash: 6C21C4B5D002489FDB10CFAAD984ADEFBF9FB48310F14841AE918A7350D378A944CFA5

Function 06E1BB73 Relevance: 1.6, APIs: 1, Instructions: 56libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,?,?), ref: 06E1BBE2

Memory Dump Source

Source File: 00000008.00000002.3302004358.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6e10000_mpTrle.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: fb5c3cc077e671e71e9f90cf76238ae28e6aca48d499d46880df784a8d0ad22e
Instruction ID: 97e7504d074c141b1010c67e891b9a9eed87f70168b6de5e4a6a9a5c1df726d8
Opcode Fuzzy Hash: fb5c3cc077e671e71e9f90cf76238ae28e6aca48d499d46880df784a8d0ad22e
Instruction Fuzzy Hash: 491112B6C003498FCB10CFAAC884ADEFBF4EB89310F10842AD519A7604C379A545CFA0

Function 0308F058 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE ref: 0308F0BF

Memory Dump Source

Source File: 00000008.00000002.3281602323.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3080000_mpTrle.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 980d667c7c633947d8c153376e8604f1e85754c13c1519c39c0acd0510e69ff3
Instruction ID: 3243d3c96e684aab0c55cb9d5a52dd9fce9141a67685a67d2ef6768b77e18e34
Opcode Fuzzy Hash: 980d667c7c633947d8c153376e8604f1e85754c13c1519c39c0acd0510e69ff3
Instruction Fuzzy Hash: 2E11EFB1C0065A9FCB10DFAAD544AAEFBF4EF48320F15816AD918A7240D778A944CFA5

Function 06E1BB78 Relevance: 1.6, APIs: 1, Instructions: 52libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,?,?), ref: 06E1BBE2

Memory Dump Source

Source File: 00000008.00000002.3302004358.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6e10000_mpTrle.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: efd2927c4432a19c136d4a805f07825784e18ff7b2bf948f1ef15b195c58451e
Instruction ID: 3de6dc7112260ce9a8f7d3b7841daf2af9180f24b00f93b03caaa9a969806dc1
Opcode Fuzzy Hash: efd2927c4432a19c136d4a805f07825784e18ff7b2bf948f1ef15b195c58451e
Instruction Fuzzy Hash: 0C11F0B6C003498FDB10DF9AC884ADEFBF8EB88310F10842ED519A7614C379A545CFA5

Function 06E1AAD0 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,06E1B73C), ref: 06E1B976

Memory Dump Source

Source File: 00000008.00000002.3302004358.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6e10000_mpTrle.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: e326c51f25347453b2df519af91e4c41ef812791d7bca87a036a85c7aefbc1d1
Instruction ID: fca35235f17be620b8f83c7cc09c48acd294d284bd743d6ba25346579e380e9e
Opcode Fuzzy Hash: e326c51f25347453b2df519af91e4c41ef812791d7bca87a036a85c7aefbc1d1
Instruction Fuzzy Hash: 031102B5C007498FCB10DF9AC484ADEFBF4EB99214F10842AD519BB210C379A545CFA1

Function 06E24B88 Relevance: 1.4, Strings: 1, Instructions: 134COMMON

Download Yara Rule

Strings

XPbq, xrefs: 06E24CC5

Memory Dump Source

Source File: 00000008.00000002.3302247920.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6e20000_mpTrle.jbxd

Similarity

API ID:
String ID: XPbq
API String ID: 0-864591470
Opcode ID: 5354528028d8e1e7aa3243373d8dcb13a6c551460615a9ed6dbd78bf89ce3ed3
Instruction ID: 74757e49c108e7cdd7ec6e8f3d30006dd9e87fb24fdb57072cfd9a17b13652e6
Opcode Fuzzy Hash: 5354528028d8e1e7aa3243373d8dcb13a6c551460615a9ed6dbd78bf89ce3ed3
Instruction Fuzzy Hash: C2416E70B002199FDB54DFA9C854BAEBBF7FF88704F208529E106AB395DA748C058F91

Function 06E2DAAD Relevance: 1.4, Strings: 1, Instructions: 124COMMON

Download Yara Rule

Strings

PH]q, xrefs: 06E2DC09

Memory Dump Source

Source File: 00000008.00000002.3302247920.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6e20000_mpTrle.jbxd

Similarity

API ID:
String ID: PH]q
API String ID: 0-3168235125
Opcode ID: e49ce6b0cffc13493fbd767959f1c70618daa87b01aea169c8cf69be204cfe71
Instruction ID: d890c3f54e48b96e38eb281c970dc82e12840c06c8af97c574be1420e3f00707
Opcode Fuzzy Hash: e49ce6b0cffc13493fbd767959f1c70618daa87b01aea169c8cf69be204cfe71
Instruction Fuzzy Hash: 6941AF70E0031A9FDB64DF64C89069EBBB6FF85304F208929E502EB244EB74D946CB81

Function 06E221E5 Relevance: 1.4, Strings: 1, Instructions: 108COMMON

Download Yara Rule

Strings

PH]q, xrefs: 06E22333

Memory Dump Source

Source File: 00000008.00000002.3302247920.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6e20000_mpTrle.jbxd

Similarity

API ID:
String ID: PH]q
API String ID: 0-3168235125
Opcode ID: 29d373499c755be3b65082ba74813d4e607f600005cb29564940f7a8252e9948
Instruction ID: 77f3dd65d73d221161cf26bb9d5f6c801327fd7c01a41ce4ff13cb4b91e8382a
Opcode Fuzzy Hash: 29d373499c755be3b65082ba74813d4e607f600005cb29564940f7a8252e9948
Instruction Fuzzy Hash: 8D312E30B103128FDB58AB74D5546AE3AA3FF89204F108528E106DB395DE39DE06CBA1

Function 06E221F8 Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

PH]q, xrefs: 06E22333

Memory Dump Source

Source File: 00000008.00000002.3302247920.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6e20000_mpTrle.jbxd

Similarity

API ID:
String ID: PH]q
API String ID: 0-3168235125
Opcode ID: 9762d6d7b22e0c83c550b3bf66068c4ad1ded4e901c4cb7c414b576653f5b2b8
Instruction ID: ea3b2aec7c7b22361deb93cea1edb2d348c2a55287c42a834d36b2614fbf3664
Opcode Fuzzy Hash: 9762d6d7b22e0c83c550b3bf66068c4ad1ded4e901c4cb7c414b576653f5b2b8
Instruction Fuzzy Hash: 3B311030B103128FCB58AB74D55466E3AE7FF89204F108538D106DB395EE39DE02C795

Function 06E282C0 Relevance: 1.3, Strings: 1, Instructions: 40COMMON

Download Yara Rule

Strings

$]q, xrefs: 06E2830B

Memory Dump Source

Source File: 00000008.00000002.3302247920.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6e20000_mpTrle.jbxd

Similarity

API ID:
String ID: $]q
API String ID: 0-1007455737
Opcode ID: 07e841830b3412f08ce79350383ff43ad08abec68954be4c4ce0ef23563a66de
Instruction ID: 2e7c2e5c09cbc948b254c7d82c57388d84526889afd18f6139c9881b64c8fc29
Opcode Fuzzy Hash: 07e841830b3412f08ce79350383ff43ad08abec68954be4c4ce0ef23563a66de
Instruction Fuzzy Hash: DBF0A431B00322CFDFA89F85EA846AE77A6FB40318F145069D906D7250D635ED0AC795

Function 06E261E8 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3302247920.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6e20000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d22e3160345eadc877da6636935b9b98e2bf248c1de48e29dba95b040277fe7b
Instruction ID: 87308a0d856b6e866ae8a642f6626d52c33189ae4352a4c22c3837b90e66c2a6
Opcode Fuzzy Hash: d22e3160345eadc877da6636935b9b98e2bf248c1de48e29dba95b040277fe7b
Instruction Fuzzy Hash: 1461B0B2F001224FDB54AA6EC88065FBADBAFD4214F154479D80EDB364DEB9DD0287D1

Function 06E242C9 Relevance: .2, Instructions: 227COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3302247920.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6e20000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc27be46351f61b9a521d35bfb6b7386b2dd52a42cf97d9b88b4245ab4a48c20
Instruction ID: cbc251ee39b350f42aa1d76cdc28b5e9c9df200a7324402c0d4e40d58eab1957
Opcode Fuzzy Hash: cc27be46351f61b9a521d35bfb6b7386b2dd52a42cf97d9b88b4245ab4a48c20
Instruction Fuzzy Hash: 17813B34B0021A9BDB54DFA9D59479EB7F7EF89304F208528D40AEB394DB34DC468B92

Function 06E245E8 Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3302247920.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6e20000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bc0194fc6c80a666ab4dce67f9b326e7bc64134eb74a80c436f8fbacffd518c
Instruction ID: 48fe7b2b5401ad5771f1bbfe877a5aecdfbb0f55241739945015cdf7fcb7b9af
Opcode Fuzzy Hash: 5bc0194fc6c80a666ab4dce67f9b326e7bc64134eb74a80c436f8fbacffd518c
Instruction Fuzzy Hash: EE913E30E1031A8FDF64DF68C890BDDB7B1FF85304F208599D549AB295DB70AA85CB91

Function 06E24600 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3302247920.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6e20000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af312e439971aa60fa916d0502658990618182f9fc631917b15e7f9304820385
Instruction ID: 49e3e2456c26f6657dc00621414417d6802488ab057c3d454415dd838e2f0a52
Opcode Fuzzy Hash: af312e439971aa60fa916d0502658990618182f9fc631917b15e7f9304820385
Instruction Fuzzy Hash: AB912D30E1021ACBDF64DF68C890B9DB7B2FF85304F208599D549AB295DB70AA85CF91

Function 06E2EF00 Relevance: .2, Instructions: 203COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3302247920.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6e20000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49cdff667a3dc7de2e200319e76d92692c1351fb902d96190278a15c60643538
Instruction ID: e0db554fb0e0413a59378587b6fa2a08e306862df7e66b4d362e09378f693904
Opcode Fuzzy Hash: 49cdff667a3dc7de2e200319e76d92692c1351fb902d96190278a15c60643538
Instruction Fuzzy Hash: E5713A70A0022A9FDB54DFA8D990A9EBBF7FF84304F249429D009EB255DB34EC46CB50

Function 06E2EF10 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3302247920.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6e20000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a00a01be2e52c9da18a6dcdf4167b8a3e7ca1016f0e3e7c37a06fffbc693261
Instruction ID: 3ca4c2023d6f0249c6a8a71f184c9cabf0b3fdc39426b9d1b9b0e48d0e7f5ad0
Opcode Fuzzy Hash: 1a00a01be2e52c9da18a6dcdf4167b8a3e7ca1016f0e3e7c37a06fffbc693261
Instruction Fuzzy Hash: 96711970A0022A9FDB54DFA9D990A9EBBF6FF84304F249429D019AB255DB34EC46CB50

Function 06E2FC70 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3302247920.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6e20000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62df99d6d445a2fd234b5a740293966fcf04032f0aba3bc3d05749f5fb9f9f7d
Instruction ID: b19e03268bfc23991c1f7c5b0cbe460bbc22abc83b5fb5bb16b9f5fa94f4f3a2
Opcode Fuzzy Hash: 62df99d6d445a2fd234b5a740293966fcf04032f0aba3bc3d05749f5fb9f9f7d
Instruction Fuzzy Hash: DC51C131E40216DFDB64EF78E4946ADBBB3FF84319F20886AD106DB251DB359845CB81

Function 06E2FA1F Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3302247920.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6e20000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 034197cf124b041509b3c9cd9f3f6385178867f084db1685cd854f3dfeeb985e
Instruction ID: 1f68e6ef8da96b0098e5270ad49a028bbcd0e6f0ffba3d36e488d57489e28a76
Opcode Fuzzy Hash: 034197cf124b041509b3c9cd9f3f6385178867f084db1685cd854f3dfeeb985e
Instruction Fuzzy Hash: EE51D4B0B503158FEF605A68E8547AF366FDB89314F204836E90AD7395CA2DCC4583D6

Function 06E2FA30 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3302247920.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6e20000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2606e5d130603845539f1c2ac6fff4fec2128033c4e94f5a4103252be95d1d85
Instruction ID: d9474b8124a64de4cf5d2bd23748e3cbf4b7df79fb6ff07c078bedff277303c5
Opcode Fuzzy Hash: 2606e5d130603845539f1c2ac6fff4fec2128033c4e94f5a4103252be95d1d85
Instruction Fuzzy Hash: 8E5108B0B503158FEF605A7CE9547AF266FDB89314F204836E90AD7395CA2DCC4583D6

Function 06E25440 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3302247920.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6e20000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc0cb10040188cbd01cdeb4f195383482fd2b1eef2508ef4efb6c5713b9ca8c6
Instruction ID: ae1ba9a3350e7b130e91be1b5c0952f9a88c948597122e025b0031c408b99497
Opcode Fuzzy Hash: fc0cb10040188cbd01cdeb4f195383482fd2b1eef2508ef4efb6c5713b9ca8c6
Instruction Fuzzy Hash: A4416E31E0071A8FCB60CFA9D980AAEF7F2FF85314F10592AD256D7650D731E8598B91

Function 06E255C1 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3302247920.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6e20000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5951885ccefb30b482c0e3b8244dc4682020b4b89e51c8f4ca84dacd0e00783
Instruction ID: 328c00a1e83c76913a4556dace6db3bf0482c53ddf45d1a913b60c70f199ff54
Opcode Fuzzy Hash: e5951885ccefb30b482c0e3b8244dc4682020b4b89e51c8f4ca84dacd0e00783
Instruction Fuzzy Hash: B231A370E103168BDF748B69CAC077EB7B3FB85328F24992AD459DB281C635D941CB91

Function 06E2D960 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3302247920.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6e20000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88fcafb0abf2eb0d37d166c6562aae897b5b4a26306ed0afe58cf924c8689125
Instruction ID: 03e06cce28dd7aa5dd9232c588a84cfd36ae92fe0991f2391d895c74343d5d52
Opcode Fuzzy Hash: 88fcafb0abf2eb0d37d166c6562aae897b5b4a26306ed0afe58cf924c8689125
Instruction Fuzzy Hash: 9C31C630A1031A9FCF54DF65D890ADEBBBAFF45304F108929E505E7200EBB4E846CB91

Function 06E220A8 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3302247920.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6e20000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5189590c8f9aec787fcc830d9e2953306d9bf97278d8224095ac44b8055a54d
Instruction ID: b7d6c1b85b28e6d557b79939b8a38bed3632be4f07d3f9236b95194f6db9ff29
Opcode Fuzzy Hash: b5189590c8f9aec787fcc830d9e2953306d9bf97278d8224095ac44b8055a54d
Instruction Fuzzy Hash: 3331A530E102169FDB54DF65C854A9EB7B2FF85304F10C529E916E7350DB71AD46CB50

Function 06E220B8 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3302247920.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6e20000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7a9dca62829f071cc8a5df287382554d75a12a770555f50729f27956ee57edf
Instruction ID: ef51f64921b167c4c405e0f712e520a4eacc24ec75a027f32206156840e0244b
Opcode Fuzzy Hash: f7a9dca62829f071cc8a5df287382554d75a12a770555f50729f27956ee57edf
Instruction Fuzzy Hash: 73316F30E102169FDB58CFA5C854A9EB7B2EF89304F10C529EA1AE7350DB71AD86CB50

Function 06E23ED1 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3302247920.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6e20000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56d892ea6e3135e4ac33f390ee38974b13dc61cbbded5740520cb2c1c94aebc7
Instruction ID: 49b25d8d09ca8c9d1cca29cbb2fe8c6e3255ead96ce22c334b25b1caac0c7fdc
Opcode Fuzzy Hash: 56d892ea6e3135e4ac33f390ee38974b13dc61cbbded5740520cb2c1c94aebc7
Instruction Fuzzy Hash: 9931DF35F003169FDB10CF69E980ADEBBF6EB48214F148029E504E7390E738DD428B91

Function 06E23EE0 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3302247920.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6e20000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd8a6adabb1cc42443b94a4cabb022af8618a556101766e531c84c7b29650eeb
Instruction ID: 775f6905d854044ba39d8b3585f47c0d37ac11787a05fa1f53ff868d0be55110
Opcode Fuzzy Hash: cd8a6adabb1cc42443b94a4cabb022af8618a556101766e531c84c7b29650eeb
Instruction Fuzzy Hash: 58216D75F002169FEB50DF69D980AEEB7F6EB48614F208025E905E7350EB38DD428B95

Function 06E23481 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3302247920.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6e20000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f48a73a6b4fe18251ff488472a9c45ae6e909805155e51ca708c22e1d70817b9
Instruction ID: 76d8d026fb053279e7765ec2561a09907674777e6a7187fc268a67dab3927e52
Opcode Fuzzy Hash: f48a73a6b4fe18251ff488472a9c45ae6e909805155e51ca708c22e1d70817b9
Instruction Fuzzy Hash: 5321A170E002299FCBA4DF68D8405EEF7F6EF88314F10996AD14AE7200DA35D941CFA0

Function 014DD044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3279102755.00000000014DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_14dd000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a21d241b3059d49d788b7e5ca0d2743651053ea9970599ecf5b1106eca9c869b
Instruction ID: 52586dcf548819b09710948fa4c98bf998933fbd2972cfcf42297eb3d2f4e7cc
Opcode Fuzzy Hash: a21d241b3059d49d788b7e5ca0d2743651053ea9970599ecf5b1106eca9c869b
Instruction Fuzzy Hash: A6213AB1904204DFCF16CF68C9D4B16BB65FB84318F20C56ED9490B3A2C73AD447CA61

Function 06E26D08 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3302247920.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6e20000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ab8790389809bcc551c14c5f6f0136638846b0e891b431b0e5bb92a73d1ca79
Instruction ID: e18113f00418bcd2e53242e5910e08d49ba65d05037b00b62f0e9cd569cca697
Opcode Fuzzy Hash: 1ab8790389809bcc551c14c5f6f0136638846b0e891b431b0e5bb92a73d1ca79
Instruction Fuzzy Hash: 1D219030B1022A9BDF44EB69E854B9EB7B7EB84314F209139D505E7340EB35EC458B85

Function 06E2A2FB Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3302247920.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6e20000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08a1cc33cbe2fc28326c2479fa165cf472c5f51ca3bb9e61e3d19a2cf0202d0e
Instruction ID: 0116f17f0c9402cece93296e54c8288b6907e5a3f15ea7fa41c666e7f43044fc
Opcode Fuzzy Hash: 08a1cc33cbe2fc28326c2479fa165cf472c5f51ca3bb9e61e3d19a2cf0202d0e
Instruction Fuzzy Hash: 4B112931B003221FCB519A3DEC14B6EB7DAEB87254F048475E50EC7251DA25DD06C791

Function 06E24229 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3302247920.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6e20000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d110b4ae87e64cee1e8391edf8986f68496d551e12914f6cc5995c413cb7dd24
Instruction ID: f6f3a77a8177155d3560a40260b9b24d9278830ee0f867382c290a2c2ff3750a
Opcode Fuzzy Hash: d110b4ae87e64cee1e8391edf8986f68496d551e12914f6cc5995c413cb7dd24
Instruction Fuzzy Hash: 60114532B002258FCB649AAED840B5AB7DBDFC5314F20843AE14AC7390DE20CC0283D1

Function 06E23FF0 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3302247920.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6e20000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b868811759cffdb8dadcd5fbfb339515219ab49312014af4fcfdd806d4ea815
Instruction ID: 90f8154717e6328ca7d5c75c170dcc51a191ede753a82a8ceaf9e60c77eae758
Opcode Fuzzy Hash: 2b868811759cffdb8dadcd5fbfb339515219ab49312014af4fcfdd806d4ea815
Instruction Fuzzy Hash: 8111A136B101258FDB48D678C914AAE73FBEBC8715B008539C50AE7380EE65DC468BD2

Function 06E2F17F Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3302247920.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6e20000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7ae2715cd8dc7d42c59bad491eae3500db44385b261c82ded39f6749e91c7bf
Instruction ID: bbd49024932be0ae63b4855c79b98db1a700eeacb3805678d20b0429538b1282
Opcode Fuzzy Hash: c7ae2715cd8dc7d42c59bad491eae3500db44385b261c82ded39f6749e91c7bf
Instruction Fuzzy Hash: 62012476B002211FCB228A3DE865BAA7BE7DBC6614F11583AE20AC7341DA24CD468791

Function 06E23FDF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3302247920.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6e20000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3e09b93f243b650aae627582724b0d338a758a1ca6c32a37abc00fdfea0c6b1
Instruction ID: 389203dc54e7af671effa8c21ced56f0779ec92ce2c4f0b9c676c472c432cc30
Opcode Fuzzy Hash: a3e09b93f243b650aae627582724b0d338a758a1ca6c32a37abc00fdfea0c6b1
Instruction Fuzzy Hash: 0F019232B102259BDBA49A69CC506EB73EBEFC8714B044439D58AD7280EE659C464792

Function 06E23CA8 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3302247920.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6e20000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec526bfe85947a368ff904ded17c4e28f3805e11fe3c606a8061f8ab83db7227
Instruction ID: 829273f52aa2c67937e99aa4a0f645bdbbb9c3a9273f282a34a9179daba2df2c
Opcode Fuzzy Hash: ec526bfe85947a368ff904ded17c4e28f3805e11fe3c606a8061f8ab83db7227
Instruction Fuzzy Hash: 6021F4B5C00269AFCB00DF9AD884ADEFFB4FF49310F10852AE518A3200C378A944CFA4

Function 014DD03F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3279102755.00000000014DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_14dd000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction ID: 7bc8db20a128330901326ab9b04c2df05db8c76eb4c843418144669b885198c7
Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction Fuzzy Hash: 2211BE75904244CFDB16CF64C5D4B16BFA1FB88318F24C6AAD9494B3A3C33AD44ACB62

Function 06E23CB0 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3302247920.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6e20000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a523de89a1d699bc4e25630f79ec6890d0da0092bae3fb47cc65ee5a12ba78e3
Instruction ID: 1bcac6cc0ecde1887d4f71090fb4d18f2267c6d92f90058a787a444c26278d28
Opcode Fuzzy Hash: a523de89a1d699bc4e25630f79ec6890d0da0092bae3fb47cc65ee5a12ba78e3
Instruction Fuzzy Hash: 5211D3B5D01259AFCB00DF9AD884ADEFFB4FF49310F10852AE518A7200C378A944CFA5

Function 06E24238 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3302247920.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6e20000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c590fc3ad05769e8963c5d29d8fd1100a66be680a6eadc878b2b59302d0b172d
Instruction ID: a89132aa58dca24ab98de02ef7bec03e2f7da5e5a1ccf44b6b27053d5d02ae6f
Opcode Fuzzy Hash: c590fc3ad05769e8963c5d29d8fd1100a66be680a6eadc878b2b59302d0b172d
Instruction Fuzzy Hash: 5601D172B101228BDBA4D6AED454B2BA3DBDBC9718F10843AE60EC7394DD65DC0243D5

Function 06E2F190 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3302247920.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6e20000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab2fd58555ca1a72536867b62592a1753162045df535ff9f389ec418d6265568
Instruction ID: 169d05b47ce24f11ac043d39de6e9ddb000e8621eac7ff423aca33ba9d39e9cb
Opcode Fuzzy Hash: ab2fd58555ca1a72536867b62592a1753162045df535ff9f389ec418d6265568
Instruction Fuzzy Hash: 4301F476B001220BCB65DA6DD854B2FB3EBEBC9718F108839E60BC7340EE25DD464785

Function 06E2A308 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3302247920.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6e20000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33c9ba76e395ffccbb19eff2e3e920c7a275288ed6e2d06a925de3367f3c5fe4
Instruction ID: 040617446579eef2934e7d09624ba1378af2b6395f418bebd66e56ec6f2c9f34
Opcode Fuzzy Hash: 33c9ba76e395ffccbb19eff2e3e920c7a275288ed6e2d06a925de3367f3c5fe4
Instruction Fuzzy Hash: C1018131B002254FCB50EA2DD858B2E73D6FB8A754F148839E50EC7350EA25DC428785

Function 06E2C7D0 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3302247920.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6e20000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98ef8b7eeba50bcbbc09a1df2ab1f3b0ca59c3917bac450126feb60e9a1ca1e6
Instruction ID: de04addb0b9cde5fa1281b84110479c5341684993d8ac34732eff6c27a580d88
Opcode Fuzzy Hash: 98ef8b7eeba50bcbbc09a1df2ab1f3b0ca59c3917bac450126feb60e9a1ca1e6
Instruction Fuzzy Hash: 3A018631E102259BCB589A69E850ADDB766FB85754F108439D505EB340DA75AC048BC4

Function 06E26468 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3302247920.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6e20000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9448f6503935415d73bca83a4f2820d87455bfecb542bae154ae38eb395e0f07
Instruction ID: 6f6956f652fd28b1da6d4c847675bf4a1d2dda0f402ad43dc96c3589c7c22dde
Opcode Fuzzy Hash: 9448f6503935415d73bca83a4f2820d87455bfecb542bae154ae38eb395e0f07
Instruction Fuzzy Hash: 65E0D870E0A3596FDF60DAF08D5576E376EFB42308F2489A6D444CB142E176CE0687D1

Function 06E2FEC3 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3302247920.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6e20000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f754edd0074c258688e7cdcfbf44ec467a66221184b934562245730bfae83073
Instruction ID: 225a4ad1ba60d357df940faf683c096f12bfb8e3e35eae475c9a695a9b7013ee
Opcode Fuzzy Hash: f754edd0074c258688e7cdcfbf44ec467a66221184b934562245730bfae83073
Instruction Fuzzy Hash: 05E0423500E3C09FD7579B3098646A13FB56F03209B5A15DBD4918E1E3D729890AD762

Non-executed Functions

Function 06E27690 Relevance: 13.0, Strings: 10, Instructions: 468COMMON

Download Yara Rule

Strings

$]q, xrefs: 06E2778C
$]q, xrefs: 06E27BFE
$]q, xrefs: 06E27BDC
$]q, xrefs: 06E27B3D
$]q, xrefs: 06E27BE8
$]q, xrefs: 06E27780
$]q, xrefs: 06E277B1
$]q, xrefs: 06E277BD
$]q, xrefs: 06E27B49
$]q, xrefs: 06E27BF2

Memory Dump Source

Source File: 00000008.00000002.3302247920.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6e20000_mpTrle.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-2843079600
Opcode ID: 415d1944fea45b7facf883d03b931b8db7a2abde018e0424b90616e00339f8e0
Instruction ID: 13c13769ecfb7065f47cf0dde0082e138d55670bc151e9d856d0d6ba4cd333a8
Opcode Fuzzy Hash: 415d1944fea45b7facf883d03b931b8db7a2abde018e0424b90616e00339f8e0
Instruction Fuzzy Hash: C2121D30A0032A8FDF64DF69C994A9DB7F6FF88704F209569D409AB254DB349D85CF81

Function 06E2A930 Relevance: 10.2, Strings: 8, Instructions: 229COMMON

Download Yara Rule

Strings

$]q, xrefs: 06E2AAB8
$]q, xrefs: 06E2AAE2
$]q, xrefs: 06E2AA32
$]q, xrefs: 06E2AAAC
$]q, xrefs: 06E2AAEE
$]q, xrefs: 06E2AA26
$]q, xrefs: 06E2AA81
$]q, xrefs: 06E2AA8D

Memory Dump Source

Source File: 00000008.00000002.3302247920.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6e20000_mpTrle.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-1273862796
Opcode ID: 94321e2241c4102f4ba2fd3093fe59a072b407e20e3104c8c7c7c0292c3cd170
Instruction ID: ead3c61eb5a830549bb61e98c8d21df0f312c933b86706c987c2587cbfeeb2e8
Opcode Fuzzy Hash: 94321e2241c4102f4ba2fd3093fe59a072b407e20e3104c8c7c7c0292c3cd170
Instruction Fuzzy Hash: E591AE70A0031A9FDB68EF69DA94BAE77F7EF84704F109839D4419B254DB389C45CB90

Function 06E27090 Relevance: 9.2, Strings: 7, Instructions: 405COMMON

Download Yara Rule

Strings

$]q, xrefs: 06E27598
$]q, xrefs: 06E2752C
$]q, xrefs: 06E273D8
$]q, xrefs: 06E275A4
.5uq, xrefs: 06E270EB
$]q, xrefs: 06E27372
$]q, xrefs: 06E273CC

Memory Dump Source

Source File: 00000008.00000002.3302247920.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6e20000_mpTrle.jbxd

Similarity

API ID:
String ID: .5uq$$]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-981061697
Opcode ID: 780516fcb1da9af14775616ebfcf1b9728d10f576d06f499eba3249e88daaff0
Instruction ID: 38ccf85c35636689cd4fa7c54268a09d57e9b96410891e2333b4bbd124a2ace8
Opcode Fuzzy Hash: 780516fcb1da9af14775616ebfcf1b9728d10f576d06f499eba3249e88daaff0
Instruction Fuzzy Hash: 0FF14A34A01319DFDB58EF69D594A9EB7B7FF84304F248428D4069B364DB389C86CB84

Function 06E283C8 Relevance: 5.3, Strings: 4, Instructions: 282COMMON

Download Yara Rule

Strings

$]q, xrefs: 06E2862E
$]q, xrefs: 06E28687
$]q, xrefs: 06E28622
$]q, xrefs: 06E28693

Memory Dump Source

Source File: 00000008.00000002.3302247920.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6e20000_mpTrle.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q
API String ID: 0-858218434
Opcode ID: 7be5b9fac68cbe84cdede38d387348fe42d3eb8276eafb5285e133a41a592214
Instruction ID: dce94004e8027d15f2671a9fa1c418ac2424dc88679b53283caa835e64efee56
Opcode Fuzzy Hash: 7be5b9fac68cbe84cdede38d387348fe42d3eb8276eafb5285e133a41a592214
Instruction Fuzzy Hash: 1AB12A30B1121A8FDB58EF69D59069EB7A7FF84304F249829D406DB394DB74DC86CB81

Function 06E287E0 Relevance: 5.2, Strings: 4, Instructions: 168COMMON

Download Yara Rule

Strings

$]q, xrefs: 06E2886B
LR]q, xrefs: 06E288D3
$]q, xrefs: 06E2885F
LR]q, xrefs: 06E28922

Memory Dump Source

Source File: 00000008.00000002.3302247920.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6e20000_mpTrle.jbxd

Similarity

API ID:
String ID: LR]q$LR]q$$]q$$]q
API String ID: 0-3527005858
Opcode ID: 4b5668d8d5a3dbef3dea92afc393eee008b81ae9561b041abf486a6808b31966
Instruction ID: 733dc1b476d86aa5663b38904e9b0a09d0b6a6662f4f1b45fb5977ef956d03ce
Opcode Fuzzy Hash: 4b5668d8d5a3dbef3dea92afc393eee008b81ae9561b041abf486a6808b31966
Instruction Fuzzy Hash: DB51D130B003169FDB58EF68D980AAA77F6FF88304F109568E4069B365DA34EC45CB91

Function 06E2ACBB Relevance: 5.2, Strings: 4, Instructions: 163COMMON

Download Yara Rule

Strings

$]q, xrefs: 06E2AE3C
$]q, xrefs: 06E2AE94
$]q, xrefs: 06E2ADE9
$]q, xrefs: 06E2AE6B

Memory Dump Source

Source File: 00000008.00000002.3302247920.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6e20000_mpTrle.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q
API String ID: 0-858218434
Opcode ID: 66b378fdad05b0562d92ac9a10e5d5e15765d9bb3dbe025e990d7c0f258004aa
Instruction ID: 1f0f7d54b36ea87a8bd0f301c930264da2fc87e298b45fbd0bb81c5f7385cc86
Opcode Fuzzy Hash: 66b378fdad05b0562d92ac9a10e5d5e15765d9bb3dbe025e990d7c0f258004aa
Instruction Fuzzy Hash: 5A518D34A113269FDF64EF6CD5806ADB3B7EF84218F209939D8459B254DB34DC86CB90

Analysis Process: mpTrle.exePID: 5036, Parent PID: 1028COMMON

Execution Graph

Execution Coverage:	9.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	135
Total number of Limit Nodes:	9

Executed Functions

Function 00C9D031 Relevance: 6.1, APIs: 4, Instructions: 132
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00C9D0BE
GetCurrentThread.KERNEL32 ref: 00C9D0FB
GetCurrentProcess.KERNEL32 ref: 00C9D138
GetCurrentThreadId.KERNEL32 ref: 00C9D191

Memory Dump Source

Source File: 0000000A.00000002.2273983401.0000000000C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_c90000_mpTrle.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 6471a571f4f94572387c44fbf2341b712c41169aae474b86810fa06b7a6fc2d5
Instruction ID: af8c3f608c4a7f5263cf5dad4390b32fd537cc1f50077bf46d90fef971cfb8d6
Opcode Fuzzy Hash: 6471a571f4f94572387c44fbf2341b712c41169aae474b86810fa06b7a6fc2d5
Instruction Fuzzy Hash: 395188B0901349CFDB14DFA9D948BAEBBF1EF88314F208459E419B7390D779A984CB61

Function 00C9D040 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00C9D0BE
GetCurrentThread.KERNEL32 ref: 00C9D0FB
GetCurrentProcess.KERNEL32 ref: 00C9D138
GetCurrentThreadId.KERNEL32 ref: 00C9D191

Memory Dump Source

Source File: 0000000A.00000002.2273983401.0000000000C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_c90000_mpTrle.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: d0271a88b3892449996b3a09e1cf8b39e28488db7d06f736628dcf2a59f00f4e
Instruction ID: 0ba29ce202ab02f281703430413f6b0731e30ad2a682d8f2811d85031e564f46
Opcode Fuzzy Hash: d0271a88b3892449996b3a09e1cf8b39e28488db7d06f736628dcf2a59f00f4e
Instruction Fuzzy Hash: FB5167B09013498FDB14DFA9D948BAEBBF1EF88314F208459E419B7350D778A984CB65

Function 081AE468 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 081AE69E

Memory Dump Source

Source File: 0000000A.00000002.2284729235.00000000081A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_81a0000_mpTrle.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: a995b961ad63564667967055d0fa41b7d61aaaf424695f42c8783de6a35862fd
Instruction ID: 94e7ae00f7098495d8eac732132d29c3c40b66675c3206fd606c028185b504f9
Opcode Fuzzy Hash: a995b961ad63564667967055d0fa41b7d61aaaf424695f42c8783de6a35862fd
Instruction Fuzzy Hash: FB917BB5D00219CFDF20CFA8C851BEDBBB2BF48315F148569E819A7240EB759985CFA1

Function 00C9ADA8 Relevance: 1.7, APIs: 1, Instructions: 199
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00C9AFFE

Memory Dump Source

Source File: 0000000A.00000002.2273983401.0000000000C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_c90000_mpTrle.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: a36389631b593c0bd23eef5c96c994ce7d891972fbc9900321596928ab25ac2c
Instruction ID: d897372946a18caad62efa56f08f7b1050bef6607193d7f24b1f1502990bff5f
Opcode Fuzzy Hash: a36389631b593c0bd23eef5c96c994ce7d891972fbc9900321596928ab25ac2c
Instruction Fuzzy Hash: DF716670A00B058FDB24DF2AD44979ABBF1FF88300F108A2DE45AD7A50DB75E959CB91

Function 00C944C4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00C959D1

Memory Dump Source

Source File: 0000000A.00000002.2273983401.0000000000C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_c90000_mpTrle.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: ea69ba7c35be29c839aced832157d41ac30d9e567a3848f864b00f47752ef6fa
Instruction ID: 88c3f39f70fd148db3d6c4ac131e4f2f52874999a9b9a786474f2bfde8a4ac44
Opcode Fuzzy Hash: ea69ba7c35be29c839aced832157d41ac30d9e567a3848f864b00f47752ef6fa
Instruction Fuzzy Hash: AE4101B0C0061DCBDB25DFAAC848B9EBBF5FF49304F20816AD408AB255DB756946CF90

Function 00C95914 Relevance: 1.6, APIs: 1, Instructions: 95
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00C959D1

Memory Dump Source

Source File: 0000000A.00000002.2273983401.0000000000C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_c90000_mpTrle.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 457f9d8464c14a5aee8f866998b8af0514a3c65ec4131cd4118fe73dbd069ddd
Instruction ID: 8d0898b591bc54ee923e355ec83a7134c4374829b255d73cfaebbd73e3749894
Opcode Fuzzy Hash: 457f9d8464c14a5aee8f866998b8af0514a3c65ec4131cd4118fe73dbd069ddd
Instruction Fuzzy Hash: 154123B0C00619CBDB25DFA9C888BDEBBF6FF48304F20816AD409AB250DB756946CF50

Function 081AE1E0 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 081AE270

Memory Dump Source

Source File: 0000000A.00000002.2284729235.00000000081A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_81a0000_mpTrle.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 8d919fc3a49f886c8ac4c2c9b5d205f02f8942662d45912851da290f6617ed38
Instruction ID: e3324483ef82535f3099f2f2ec73fb4710e48884c0d05a5245f1152e4ad2f60c
Opcode Fuzzy Hash: 8d919fc3a49f886c8ac4c2c9b5d205f02f8942662d45912851da290f6617ed38
Instruction Fuzzy Hash: 912119B59003499FDB10DFA9C885BEEBBF5FF48310F10842AE919A7250C7789954CBA0

Function 00C9D689 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00C9D717

Memory Dump Source

Source File: 0000000A.00000002.2273983401.0000000000C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_c90000_mpTrle.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 36d4e581277138db563d05b0ca3ae4bdec7f61d5851c95846cb1146acafda67e
Instruction ID: c66139f613dd18852032ab52f848fec4ccbec1061c4e63986f5714ba07c44c59
Opcode Fuzzy Hash: 36d4e581277138db563d05b0ca3ae4bdec7f61d5851c95846cb1146acafda67e
Instruction Fuzzy Hash: 6221E3B59012499FDB10CFAAD585ADEBBF5EB48314F14801AE918B3250C378A951CFA1

Function 081AE048 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 081AE0C6

Memory Dump Source

Source File: 0000000A.00000002.2284729235.00000000081A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_81a0000_mpTrle.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 24da39ce5e3ab9741c15508ea253eb4f4a1e1fdc9c97fc20ea3c757bd8025bae
Instruction ID: ba5e219085144b565e47b2f9f34aad4fb6bbcaa79ffb8de32fac10290e16c2eb
Opcode Fuzzy Hash: 24da39ce5e3ab9741c15508ea253eb4f4a1e1fdc9c97fc20ea3c757bd8025bae
Instruction Fuzzy Hash: 562134B59002098FDB10DFAAC5857AEBBF4EF88310F14842AD419A7240CB78A984CBA0

Function 081AE2D0 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 081AE350

Memory Dump Source

Source File: 0000000A.00000002.2284729235.00000000081A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_81a0000_mpTrle.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: f02f35f1e84ff487232747fa11c8f8472275e896a06d01aeaf7ea6d350256384
Instruction ID: 44c5698e81414b04c69f5dd11620f23fc638b6cc928d1946c02564885eba6d96
Opcode Fuzzy Hash: f02f35f1e84ff487232747fa11c8f8472275e896a06d01aeaf7ea6d350256384
Instruction Fuzzy Hash: 572109B5C003499FCB10DFAAC885AEEFBF5FF48310F548429E519A7250C7799554CBA1

Function 00C9D690 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00C9D717

Memory Dump Source

Source File: 0000000A.00000002.2273983401.0000000000C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_c90000_mpTrle.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 480e5740ebc7ce0a2bd9c05f9bd31d888f849ada1180ac49f668e6667f4b45f2
Instruction ID: 1067915750fc85759654ab34083f5c705ffce0d69f6ba11550b796069093d1dc
Opcode Fuzzy Hash: 480e5740ebc7ce0a2bd9c05f9bd31d888f849ada1180ac49f668e6667f4b45f2
Instruction Fuzzy Hash: 4721E4B59002489FDB10CF9AD584ADEBBF9FB48310F14801AE918B3350C378A950CFA0

Function 00C9A130 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00C9B079,00000800,00000000,00000000), ref: 00C9B28A

Memory Dump Source

Source File: 0000000A.00000002.2273983401.0000000000C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_c90000_mpTrle.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 28c5678f92654b64487d4e85ccb900668d3708d70bbd6bd7ac2bb6db080b4704
Instruction ID: c5b84f7f5f84ab20937a5a163e7ea30903652e2340c87d5481ed7512ee06b7b6
Opcode Fuzzy Hash: 28c5678f92654b64487d4e85ccb900668d3708d70bbd6bd7ac2bb6db080b4704
Instruction Fuzzy Hash: 281126B68007099FCB10DF9AD548BDEFBF5EB48710F10842ED919A7250C379A945CFA5

Function 00C9B219 Relevance: 1.6, APIs: 1, Instructions: 54
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00C9B079,00000800,00000000,00000000), ref: 00C9B28A

Memory Dump Source

Source File: 0000000A.00000002.2273983401.0000000000C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_c90000_mpTrle.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: dd1affe5030cc5ed8592327bdae17c66740c3161de95967d91e58f552fd4799c
Instruction ID: f8e954185eda4697b1e99d2276227b4e42c434eba011a5b46b6c9d3f59b36f58
Opcode Fuzzy Hash: dd1affe5030cc5ed8592327bdae17c66740c3161de95967d91e58f552fd4799c
Instruction Fuzzy Hash: 131126B68006499FCB10CFAAD544BDEFBF4EF88710F14842AD519A7240C779A945CFA4

Function 081AE120 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 081AE18E

Memory Dump Source

Source File: 0000000A.00000002.2284729235.00000000081A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_81a0000_mpTrle.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 2ae75d2ce4c5281496ed9f0dcdd8f4921fb6a32724be0e17bc0ba745d6025174
Instruction ID: 484739d3f9e724ffe2d950e853ab73665b83ab383cb5a725251a18378975674a
Opcode Fuzzy Hash: 2ae75d2ce4c5281496ed9f0dcdd8f4921fb6a32724be0e17bc0ba745d6025174
Instruction Fuzzy Hash: D81137B59002499FCB10DFAAC845BEEBFF5EF88310F248819E519A7250CB79A550CFA1

Function 06C82AA6 Relevance: 1.6, APIs: 1, Instructions: 51COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,06C833E9,?,?), ref: 06C83590

Memory Dump Source

Source File: 0000000A.00000002.2284339737.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6c80000_mpTrle.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: c041c786a2fcefe6e83c096278211a6aeba7956c570fddd371254e901fd48944
Instruction ID: 6b037d441daec896f067bc4103e9ac899c83353b505a63e845859cc2e1ca4926
Opcode Fuzzy Hash: c041c786a2fcefe6e83c096278211a6aeba7956c570fddd371254e901fd48944
Instruction Fuzzy Hash: 431136B1C00349CFCB20EF9AC445BEEBBF4EB58320F208429D958A7240D738A644CFA5

Function 06C82A8C Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,06C833E9,?,?), ref: 06C83590

Memory Dump Source

Source File: 0000000A.00000002.2284339737.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6c80000_mpTrle.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: b0fc3a21da9f3fd6064dc233bda6bd025a6b8ed30b8306b82e1c1fcabe0c554a
Instruction ID: 8b42a2c2dcb7fcb45b07bfd50cf95b75703a53981dbf95162d033f8c7f256618
Opcode Fuzzy Hash: b0fc3a21da9f3fd6064dc233bda6bd025a6b8ed30b8306b82e1c1fcabe0c554a
Instruction Fuzzy Hash: 431136B58007498FDB20DF9AC445BEEFBF4EB48324F148469D958A7340D778AA44CFA5

Function 06C82AA4 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,06C833E9,?,?), ref: 06C83590

Memory Dump Source

Source File: 0000000A.00000002.2284339737.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6c80000_mpTrle.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: f17e3d53bf7e76038ed0bfbd7614b2c1710a8c4e511e8495e8468978fb62d68d
Instruction ID: 8965aa3dc92b9b1a4da87e617240d4317b1e5a2afceabd0d083e9dbbc3b275df
Opcode Fuzzy Hash: f17e3d53bf7e76038ed0bfbd7614b2c1710a8c4e511e8495e8468978fb62d68d
Instruction Fuzzy Hash: 8C1125B58007498FDB60DF9AC445BEEBBF4EB48324F148469D958A7240D738AA44CFA5

Function 06C81220 Relevance: 1.5, APIs: 1, Instructions: 49windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 06C81285

Memory Dump Source

Source File: 0000000A.00000002.2284339737.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6c80000_mpTrle.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 2bfa75687e009e966ee24efa66d59bfd8e7907d071c7a4924b793cfb5e00b18a
Instruction ID: 6b9cfc71b7b0d4ebbb7c5247728aa1d89a85efa2f3dfc6e2c6c77d592b71a774
Opcode Fuzzy Hash: 2bfa75687e009e966ee24efa66d59bfd8e7907d071c7a4924b793cfb5e00b18a
Instruction Fuzzy Hash: 691106B58003499FDB10DF99C849BEEFBF8FB49314F148419E918A7640C379A944CFA1

Function 081ADF98 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 081ADFFA

Memory Dump Source

Source File: 0000000A.00000002.2284729235.00000000081A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_81a0000_mpTrle.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 02030618d39b1de1bdf90285fbd32e909b8f3fc2a8d69deddedddd1697b19107
Instruction ID: 774bbe7b8d2a22a5e6d527272a5d864c7e550ccef6cd3345bc79d2dcbaf6df3f
Opcode Fuzzy Hash: 02030618d39b1de1bdf90285fbd32e909b8f3fc2a8d69deddedddd1697b19107
Instruction Fuzzy Hash: 1B1136B5D003488FCB20DFAAC4457EEFBF5EF88324F248819D519A7240CB79A944CBA4

Function 00C9AF98 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00C9AFFE

Memory Dump Source

Source File: 0000000A.00000002.2273983401.0000000000C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_c90000_mpTrle.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: a37d6e99358a071ee899aa0f47f441732a8645b43deccbe1f36b2e9043706dd8
Instruction ID: 28e009c933c8fdf3271ea243c084c338155ef4ee53a17657bdfe8133b6f84a99
Opcode Fuzzy Hash: a37d6e99358a071ee899aa0f47f441732a8645b43deccbe1f36b2e9043706dd8
Instruction Fuzzy Hash: 8D1113B5C002498FCB10CF9AD444BDEFBF4EF88314F10841AD429A7210C379A545CFA1

Function 06C8353A Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,06C833E9,?,?), ref: 06C83590

Memory Dump Source

Source File: 0000000A.00000002.2284339737.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6c80000_mpTrle.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: da21375bab72fb2087066e4e2cba770146cf50cac9ff7ac9459f3ee886f64a0f
Instruction ID: 6c8f8b05f6478e56dfce37e8aeb993dc5c3149885beafbd3c1aeefcef327776b
Opcode Fuzzy Hash: da21375bab72fb2087066e4e2cba770146cf50cac9ff7ac9459f3ee886f64a0f
Instruction Fuzzy Hash: 4A1115B58007498FCB20DF99D545BEEBBF4EF48320F24842AD958A7240D739A684CFA5

Function 06C81228 Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 06C81285

Memory Dump Source

Source File: 0000000A.00000002.2284339737.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6c80000_mpTrle.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 260b535e0aaf26b408a5329d3b64d4fe905fe8c6d59febead8c555a6bf9ff32b
Instruction ID: d67c4faf9c4b28ade77cbe74ca9c02031d154769f9678bb9d1c0a2632acfbf88
Opcode Fuzzy Hash: 260b535e0aaf26b408a5329d3b64d4fe905fe8c6d59febead8c555a6bf9ff32b
Instruction Fuzzy Hash: 8111E5B58003499FDB10DF9AC849BDEFBF8FB49314F148419E518A7640C379A544CFA1

Function 00BBD1FC Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2273535960.0000000000BBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_bbd000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37c55e59466f6a46398f89f57d054a78dc5f4b587d9125e255a49a9fff2f900b
Instruction ID: d56afb9dfdcf783028cc3e9cfc3796592aa9b8f642e4a16539feede98c7ceaef
Opcode Fuzzy Hash: 37c55e59466f6a46398f89f57d054a78dc5f4b587d9125e255a49a9fff2f900b
Instruction Fuzzy Hash: A021F171504284DFCB05DF54D9C0B6ABFA5FB88310F20C6A9E9090A256D3BAD816DBA1

Function 00BBD4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2273535960.0000000000BBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_bbd000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac39c960527bbb7a52ce8c5b7b6571bf62618d35e4338d17ad9b7763663cc51f
Instruction ID: 9c86093e3ad06bf4b8798a604a8191bdfd81c188e6f755a4cc0eaca39d82b984
Opcode Fuzzy Hash: ac39c960527bbb7a52ce8c5b7b6571bf62618d35e4338d17ad9b7763663cc51f
Instruction Fuzzy Hash: 40213071500200DFCB25DF14C9C0F76BFA5FBA8318F20C5A9E8090B256D37AD806CAA2

Function 00BCD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2273616806.0000000000BCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_bcd000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65b05a219e3de1c52bc5e850b9fcae1fb851a34fea5ff22ec95ada4f172aa9c5
Instruction ID: 8b2df586ad4d014727df865710394651fcef89dacf82f87b616b85a3a017fe70
Opcode Fuzzy Hash: 65b05a219e3de1c52bc5e850b9fcae1fb851a34fea5ff22ec95ada4f172aa9c5
Instruction Fuzzy Hash: 6A21D079604204DFCB14DF28D9D4F26BBA5FB88314F20C5BDD94A4B296C33AD807CA62

Function 00BCD1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2273616806.0000000000BCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_bcd000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2c587855a8f7fb05ea2e38b44b89137cd0a698a5e7da7caf1c03c2c0cd110e0
Instruction ID: 43582a7543320527a79828a9a870b7bd284892e413d302d49aafdda9aedf006b
Opcode Fuzzy Hash: d2c587855a8f7fb05ea2e38b44b89137cd0a698a5e7da7caf1c03c2c0cd110e0
Instruction Fuzzy Hash: 15210479604204EFDB05DF24D9C0F26BBA5FB88314F24C5BDE9494F296C33AD806CA61

Function 00BCD006 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2273616806.0000000000BCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_bcd000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d04e2f578b0a83c40d45c6dd09f6d4b5810907dc0c7e1cbd5e0c975d376ed0f
Instruction ID: f0346c4ed1679d506d7ed937d20db3168cde1d1023057d47f6a4b5be45cb8875
Opcode Fuzzy Hash: 5d04e2f578b0a83c40d45c6dd09f6d4b5810907dc0c7e1cbd5e0c975d376ed0f
Instruction Fuzzy Hash: 3F21A4795093808FCB12CF24D594B15BFB1EB46314F28C5EED8498B697C33A980ACB62

Function 00BBD1F7 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2273535960.0000000000BBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_bbd000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d06fae078f3ccc2112caf8552f6b645ede566e603d6c7b0d9faf10800b04cc1c
Instruction ID: ad34bbac5e4cdeb48f085d40ae832ce12f64a52b2c01471040026bc021607531
Opcode Fuzzy Hash: d06fae078f3ccc2112caf8552f6b645ede566e603d6c7b0d9faf10800b04cc1c
Instruction Fuzzy Hash: 1221B476504280DFDB06CF50D9C4B66BFB1FB84314F24C6A9DD490B656C37AD41ACBA1

Function 00BBD4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2273535960.0000000000BBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_bbd000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction ID: 5761d4e3ce2f07aeefc9c8d889903d84fb4a1b2890b18bad38c97cea66330807
Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction Fuzzy Hash: 7D11E676504280CFCB16CF14D5C4B66BFB1FBA8314F24C6E9D9490B656C33AD85ACBA2

Function 00BCD1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2273616806.0000000000BCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_bcd000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction ID: 32ba1e480b97ea44227a5a6274889de3d816e0ced5d218833cfaa098f8efb2a0
Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction Fuzzy Hash: DC118B7A604280DFDB16CF14D9C4B15BBA1FB84314F24C6AED8494F696C33AD84ACB62

Analysis Process: mpTrle.exePID: 4120, Parent PID: 5036COMMON

Execution Graph

Execution Coverage:	10.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	112
Total number of Limit Nodes:	14

Executed Functions

Function 06E63490 Relevance: 8.0, Strings: 6, Instructions: 545
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 06E63BDC
$]q, xrefs: 06E63BC4
$]q, xrefs: 06E63B9B
$]q, xrefs: 06E63BB8
$]q, xrefs: 06E63B8F
$]q, xrefs: 06E63BE8

Memory Dump Source

Source File: 0000000C.00000002.3303647061.0000000006E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6e60000_mpTrle.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-3723351465
Opcode ID: 96f35e9e13c049669159c42b2eb1d1f0d2bc5723977da790060e99dbced5df4a
Instruction ID: eef0e35f157e2c0379fee43889db55fea3f9ddb366677c2852df4457ef9b3663
Opcode Fuzzy Hash: 96f35e9e13c049669159c42b2eb1d1f0d2bc5723977da790060e99dbced5df4a
Instruction Fuzzy Hash: 7E324F30E1071A8FCB54EF75D89459DB7B6FF89304F50D66AE409AB224EB30AD85CB90

Function 06E67D70 Relevance: 3.0, Strings: 2, Instructions: 476
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 06E68317
$]q, xrefs: 06E6830B

Memory Dump Source

Source File: 0000000C.00000002.3303647061.0000000006E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6e60000_mpTrle.jbxd

Similarity

API ID:
String ID: $]q$$]q
API String ID: 0-127220927
Opcode ID: 0993e151f0a7155e21e79c8c40859220e9077f428565ac17519179eae898cda1
Instruction ID: 93c770b7a74559b7bef9dfca4fda9d243951a7af8c32b81769c6882eacd20415
Opcode Fuzzy Hash: 0993e151f0a7155e21e79c8c40859220e9077f428565ac17519179eae898cda1
Instruction Fuzzy Hash: EA02B030B403058FDBA8DF65D494AAEB7E6FF84358F149928E4059B380DB75EC46CB91

Function 06E665E8 Relevance: .8, Instructions: 818COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3303647061.0000000006E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6e60000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0db8b364ca5edcaec185c7be8dc4dfc9edbb038511a37351601993f35c8373e
Instruction ID: 1a200144b14ad73f3050308086f028f8cc3fb6dbf6636eea4dedd9d1435962c0
Opcode Fuzzy Hash: a0db8b364ca5edcaec185c7be8dc4dfc9edbb038511a37351601993f35c8373e
Instruction Fuzzy Hash: BE62BD34B103048FDB64DB69D550AADB7F6EF88398F109428E806EB394DB35EC46CB91

Function 06E6C178 Relevance: .6, Instructions: 644COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3303647061.0000000006E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6e60000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d22db883b532bca562b03430f12031d0917e32f00600f1542c500accd49208d5
Instruction ID: 9327d6bf18c17ccf0eaaf6dbcab858a417e6bc8ecef54a942fcee5fcdc404fca
Opcode Fuzzy Hash: d22db883b532bca562b03430f12031d0917e32f00600f1542c500accd49208d5
Instruction Fuzzy Hash: B332BD30B403098FDB64DB69D880AADB7B6FF88754F209529E445EB350DB38EC46CB91

Function 06E655D0 Relevance: .6, Instructions: 587COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3303647061.0000000006E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6e60000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 214ff1636f05744e49005465b0585a2b4b4ddca4f19774a3533d2df1f4b65b92
Instruction ID: 0f6015a11844983f648eb996d612a3fefa41e024dc8698e8df294cecc03c0c79
Opcode Fuzzy Hash: 214ff1636f05744e49005465b0585a2b4b4ddca4f19774a3533d2df1f4b65b92
Instruction Fuzzy Hash: 1E12D331F403058BDB64DF65C8906AEB7B2EB85358F24D939E95A9B380DB34DC42CB91

Function 06E6B220 Relevance: .6, Instructions: 569COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3303647061.0000000006E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6e60000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb8b2045809ce41e02caeb63dcdaa3b2ff81489dd44aa751ecedcc05e135f8be
Instruction ID: e24d9919de1eb24115dfa786dd5437ce2db0fb554395e80d59e8b8b754bd0327
Opcode Fuzzy Hash: eb8b2045809ce41e02caeb63dcdaa3b2ff81489dd44aa751ecedcc05e135f8be
Instruction Fuzzy Hash: C1228030E503098FEFA4CB6AD4947ADB7B6EB49358F209829E409DB391DB34DC91CB51

Function 06E6ACC8 Relevance: 10.4, Strings: 8, Instructions: 391
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 06E6ADE9
$]q, xrefs: 06E6AE48
$]q, xrefs: 06E6AE77
$]q, xrefs: 06E6AE94
$]q, xrefs: 06E6ADF5
$]q, xrefs: 06E6AEA0
$]q, xrefs: 06E6AE3C
$]q, xrefs: 06E6AE6B

Memory Dump Source

Source File: 0000000C.00000002.3303647061.0000000006E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6e60000_mpTrle.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-1273862796
Opcode ID: 8f0d7703b80e54887be3a08df8d39e843c0e31b9483c36df7a0a9b66a5cbe7d3
Instruction ID: 35dbc684c2d5b7bc35794a25962d1fb65f7dce1ae1fcf126f85bca3aba91f1b3
Opcode Fuzzy Hash: 8f0d7703b80e54887be3a08df8d39e843c0e31b9483c36df7a0a9b66a5cbe7d3
Instruction Fuzzy Hash: 93E16B30E503098FDB68DF69D8806AEB7B6FF89344F209529E805AB354DB35DC46CB91

Function 06E6B648 Relevance: 8.0, Strings: 6, Instructions: 470
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 06E6BC05
$]q, xrefs: 06E6BB9D
$]q, xrefs: 06E6BBC5
$]q, xrefs: 06E6BBF9
$]q, xrefs: 06E6BB91
$]q, xrefs: 06E6BBD1

Memory Dump Source

Source File: 0000000C.00000002.3303647061.0000000006E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6e60000_mpTrle.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-3723351465
Opcode ID: 16aa250e959a9d927d18c32866f6177cf4ac363a26fdf962e1e0503ab4105bc9
Instruction ID: 11977a9c03a17dd7366f8a398bdb123f3fca9f04f99b8e7d253db04dac74af1b
Opcode Fuzzy Hash: 16aa250e959a9d927d18c32866f6177cf4ac363a26fdf962e1e0503ab4105bc9
Instruction Fuzzy Hash: 0202CC30E5030A8FDBA4CF6AD4806ADB7B6EF85348F10992AE406DB255DB34EC55CB91

Function 06E4308B Relevance: 6.1, APIs: 4, Instructions: 132
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 06E4310E
GetCurrentThread.KERNEL32 ref: 06E4314B
GetCurrentProcess.KERNEL32 ref: 06E43188
GetCurrentThreadId.KERNEL32 ref: 06E431E1

Memory Dump Source

Source File: 0000000C.00000002.3303201299.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6e40000_mpTrle.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: b4b9dfbadefddd9a677ecdbcdab2990b7c30fedbdf5c2a1ac8e990b2c0fad6f7
Instruction ID: 7d61e87d7251805a38c982e431c8b8182eea5a6ea248d757c0b20d1c38b25ff3
Opcode Fuzzy Hash: b4b9dfbadefddd9a677ecdbcdab2990b7c30fedbdf5c2a1ac8e990b2c0fad6f7
Instruction Fuzzy Hash: B25189B0D003098FDB58DFAAD948BAEBBF1EF48304F208459E409A7350D7345848CFA5

Function 06E43090 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 06E4310E
GetCurrentThread.KERNEL32 ref: 06E4314B
GetCurrentProcess.KERNEL32 ref: 06E43188
GetCurrentThreadId.KERNEL32 ref: 06E431E1

Memory Dump Source

Source File: 0000000C.00000002.3303201299.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6e40000_mpTrle.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 51476705a54a542c74138b282ea6d70d6bddb209c69f4158cf851d18a4ac6263
Instruction ID: 387bc3e02925392fcab83e07fcee211aa6a6e3280d846f83dd4738c43baf7af4
Opcode Fuzzy Hash: 51476705a54a542c74138b282ea6d70d6bddb209c69f4158cf851d18a4ac6263
Instruction Fuzzy Hash: D65167B0D003098FDB58DFAAD949BAEBBF2EF48314F208059E419A7350D7385948CF65

Function 06E69148 Relevance: 5.2, Strings: 4, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 06E6919B
$]q, xrefs: 06E691CA
$]q, xrefs: 06E6918F
$]q, xrefs: 06E691D6

Memory Dump Source

Source File: 0000000C.00000002.3303647061.0000000006E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6e60000_mpTrle.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q
API String ID: 0-858218434
Opcode ID: 2a3e7eb6be5a6c91dfd10568a4610c997aed009b550aa718b9bd2c2115938782
Instruction ID: 75963aa6d7bf98a4d8ed73dc3697360068a8e01d34269a4897114853c465db94
Opcode Fuzzy Hash: 2a3e7eb6be5a6c91dfd10568a4610c997aed009b550aa718b9bd2c2115938782
Instruction Fuzzy Hash: 86916031B4021A8FDB58DF65D850BAEB3FAFF88344F108569D409EB345EE349D468B92

Function 06E6CF38 Relevance: 4.6, Strings: 3, Instructions: 801
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 06E6D337
$]q, xrefs: 06E6D343
$]q, xrefs: 06E6D32F

Memory Dump Source

Source File: 0000000C.00000002.3303647061.0000000006E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6e60000_mpTrle.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q
API String ID: 0-182748909
Opcode ID: d758ce86182d6a290a45e8d0796a2ce0a6e4f8d26296546193a746362247f8e5
Instruction ID: c4dd21f81ddd153711cefb446341062b0bfffccc23d57fd7052b0d5190c37b7f
Opcode Fuzzy Hash: d758ce86182d6a290a45e8d0796a2ce0a6e4f8d26296546193a746362247f8e5
Instruction Fuzzy Hash: 16624F3074020A8FCB69DF69DA90A5DB7B6FF84344F609A28D0099F359DB75EC46CB81

Function 06E64B98 Relevance: 3.9, Strings: 3, Instructions: 186
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

XPbq, xrefs: 06E64CC5
fbq, xrefs: 06E652A5
\Obq, xrefs: 06E64D4F

Memory Dump Source

Source File: 0000000C.00000002.3303647061.0000000006E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6e60000_mpTrle.jbxd

Similarity

API ID:
String ID: fbq$XPbq$\Obq
API String ID: 0-4057264190
Opcode ID: 229f8876870cdeba67175436a4d9e535b9bafc790f7eccd6728f9f7e61a0eb82
Instruction ID: 48d89af4ed1549fd0d5ac3f10488599351d0b9f9faffc86ced1ebb05f157bcc2
Opcode Fuzzy Hash: 229f8876870cdeba67175436a4d9e535b9bafc790f7eccd6728f9f7e61a0eb82
Instruction Fuzzy Hash: 48618F30F002199FEB649FA5C8547AEBAF6FB88744F20852AE106AB394DB754C41CF95

Function 06E69139 Relevance: 2.7, Strings: 2, Instructions: 160
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 06E691CA
$]q, xrefs: 06E6918F

Memory Dump Source

Source File: 0000000C.00000002.3303647061.0000000006E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6e60000_mpTrle.jbxd

Similarity

API ID:
String ID: $]q$$]q
API String ID: 0-127220927
Opcode ID: 076364ea188baf4669d0bcd76cbe12c6862d00304a62fa339b00770640d287dc
Instruction ID: 36044c8463e4f95c7f7d6e6808c1502115afd4b67f549057279d2ebcb48cb581
Opcode Fuzzy Hash: 076364ea188baf4669d0bcd76cbe12c6862d00304a62fa339b00770640d287dc
Instruction Fuzzy Hash: 1B516131B402069FDB58DB75D850BAEB3FAFB88744F509429D809DB385EE349D06CB92

Function 06E4B710 Relevance: 1.7, APIs: 1, Instructions: 207COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 06E4B976

Memory Dump Source

Source File: 0000000C.00000002.3303201299.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6e40000_mpTrle.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 6858a2da03cb2c73cc9958b68466d1c27b7aafdcafe99cbb2a87a8c757f5ce22
Instruction ID: d2900cdb7bb3641e8ea7bc2bd299c400fb3e5d4bc6deb93001886f354382be6f
Opcode Fuzzy Hash: 6858a2da03cb2c73cc9958b68466d1c27b7aafdcafe99cbb2a87a8c757f5ce22
Instruction Fuzzy Hash: 3D813570A00B058FD7A4EF3AE44476ABBF5FF88204F008A2DD49AD7A50DB75E845CB91

Function 06E4D890 Relevance: 1.7, APIs: 1, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3303201299.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6e40000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5d083760d707e442a55d99ce246c83c5bc78afa2e49af4389e610e344db5ef6
Instruction ID: 902850f49fb81c39f3148755e4d37c0620636b57243377109828b2b46245f55a
Opcode Fuzzy Hash: c5d083760d707e442a55d99ce246c83c5bc78afa2e49af4389e610e344db5ef6
Instruction Fuzzy Hash: 9D5101B1C04349AFCF11DFA9D884ADDBFB6BF49304F14816AE808AB221D7759885CF91

Function 06E4D8E4 Relevance: 1.6, APIs: 1, Instructions: 120COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06E4DA02

Memory Dump Source

Source File: 0000000C.00000002.3303201299.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6e40000_mpTrle.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 573a68c983f1001f286e0009c6a639084e81005a7292d23bbb79f7aa745b7be2
Instruction ID: 56d4c2ad8835348c51adc71e567bd8e444d31211798f68f9a9585ebdb92a0cb6
Opcode Fuzzy Hash: 573a68c983f1001f286e0009c6a639084e81005a7292d23bbb79f7aa745b7be2
Instruction Fuzzy Hash: 3B51E2B1D00349DFDB14DFAAD884ADEBBB5BF48314F24812AE419AB210D775A985CF90

Function 06E4AC8C Relevance: 1.6, APIs: 1, Instructions: 116COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06E4DA02

Memory Dump Source

Source File: 0000000C.00000002.3303201299.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6e40000_mpTrle.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 1ad49de933250411d4098f461cb6f1acbdeed2ca6e55e3479ce5dc1f64ef210a
Instruction ID: e318f824530d2d8b804fcd2339bc0a7a865c1bc73810e11761ae411f162f67f8
Opcode Fuzzy Hash: 1ad49de933250411d4098f461cb6f1acbdeed2ca6e55e3479ce5dc1f64ef210a
Instruction Fuzzy Hash: B551C2B1D00309DFDB14DFA9D884ADEBBB5FF48314F24912AE419AB210D775A885CF90

Function 0313F018 Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE ref: 0313F0BF

Memory Dump Source

Source File: 0000000C.00000002.3281818489.0000000003130000.00000040.00000800.00020000.00000000.sdmp, Offset: 03130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3130000_mpTrle.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: c2594cbc512fff84ecb73a6896dde342204683ae2763ce64e0c062cff4ce97b0
Instruction ID: 95704ed0180e653276e91693da5bf84d359fdff0c1e20e354b68fb5fcfb87f6a
Opcode Fuzzy Hash: c2594cbc512fff84ecb73a6896dde342204683ae2763ce64e0c062cff4ce97b0
Instruction Fuzzy Hash: F22186B1C002499FCB24DFAAC8047EEFFF4EF48310F15855AD848A7251E738A941CBA1

Function 06E42E54 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,06E4329E,?,?,?,?,?), ref: 06E4335F

Memory Dump Source

Source File: 0000000C.00000002.3303201299.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6e40000_mpTrle.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: acf5bc4a31bee3d40e7dde4dedfd1cc3136945fca3fa71b4d969b2c37420b4a9
Instruction ID: dc8ba00305d2b34460b6a8e3d7010036f6aacc2fc68f20e462146e0b06b4e851
Opcode Fuzzy Hash: acf5bc4a31bee3d40e7dde4dedfd1cc3136945fca3fa71b4d969b2c37420b4a9
Instruction Fuzzy Hash: 2F21E6B5D00348AFDB10DFAAD584AEEBBF8FB48310F14801AE914A3310D378A944CFA5

Function 06E432D0 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,06E4329E,?,?,?,?,?), ref: 06E4335F

Memory Dump Source

Source File: 0000000C.00000002.3303201299.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6e40000_mpTrle.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 38b303d69f765fa371d1733c9d49c508539f5f7dd3f6386e0578d4c4d027eb37
Instruction ID: 714370f30369b01c6bbaccf3bd4f51bba0bd0b0f177a2b5bb9ff9228748c1620
Opcode Fuzzy Hash: 38b303d69f765fa371d1733c9d49c508539f5f7dd3f6386e0578d4c4d027eb37
Instruction Fuzzy Hash: 7721E2B5D002089FDB10DFAAD984AEEBBF5FB48310F14805AE919A3350D378A944CFA1

Function 06E4BB72 Relevance: 1.6, APIs: 1, Instructions: 57libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,06E4B9F1,00000800,00000000,00000000), ref: 06E4BBE2

Memory Dump Source

Source File: 0000000C.00000002.3303201299.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6e40000_mpTrle.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 85c1169229cd98c32facc9a4d7614709b4a9721084cd85443980ca593afe408d
Instruction ID: 5b343926cb0326bdd2e9db4cfcefd88874f443ab340aa41f79b8b8abcef8b8da
Opcode Fuzzy Hash: 85c1169229cd98c32facc9a4d7614709b4a9721084cd85443980ca593afe408d
Instruction Fuzzy Hash: BE1126B6C003499FCB10DFAAD884ADEFBF4FB48310F10841AE519A7204C779A545CFA1

Function 06E4AB18 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,06E4B9F1,00000800,00000000,00000000), ref: 06E4BBE2

Memory Dump Source

Source File: 0000000C.00000002.3303201299.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6e40000_mpTrle.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 7643b954a5bc25568cb1dc5ce091b6c97540c45517d1d7409a382fb0068f6c27
Instruction ID: d2588823a2b064732595f9ad77650b817756579b499b7d309c0d1bd8f5c49b33
Opcode Fuzzy Hash: 7643b954a5bc25568cb1dc5ce091b6c97540c45517d1d7409a382fb0068f6c27
Instruction Fuzzy Hash: 481114B6D003498FDB10DFAAD884AEEFBF4EB48310F10842AE519A7204C379A545CFA1

Function 0313F058 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE ref: 0313F0BF

Memory Dump Source

Source File: 0000000C.00000002.3281818489.0000000003130000.00000040.00000800.00020000.00000000.sdmp, Offset: 03130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3130000_mpTrle.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 49a69dc49eefd4b8ba32e9413cb1c4bb44b13ce3f176d5462da6b123eeeb3397
Instruction ID: 4cc1c1ea69d2e4e71d13cc9cf5181d1d1329a26ba753d2eeeb094cf738a466a0
Opcode Fuzzy Hash: 49a69dc49eefd4b8ba32e9413cb1c4bb44b13ce3f176d5462da6b123eeeb3397
Instruction Fuzzy Hash: 661112B1C006599BCB10DF9AC544BEEFBF4EF49320F14816AD818A7240D378A944CFA1

Function 06E4B910 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 06E4B976

Memory Dump Source

Source File: 0000000C.00000002.3303201299.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6e40000_mpTrle.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: bebe722bc57fa4c93d0f54eb0c95498c9717aafa96aafd4fba153a5a98874fec
Instruction ID: 83e3b94544268024a62a8d0325904a096f98f6b0a2d075f7561fbaf78eac6ccb
Opcode Fuzzy Hash: bebe722bc57fa4c93d0f54eb0c95498c9717aafa96aafd4fba153a5a98874fec
Instruction Fuzzy Hash: 09110FB6C003498FCB10EFAAD444A9EFBF4AB89214F10841AD569A7210C379A545CFA1

Function 06E64B88 Relevance: 1.4, Strings: 1, Instructions: 133COMMON

Download Yara Rule

Strings

XPbq, xrefs: 06E64CC5

Memory Dump Source

Source File: 0000000C.00000002.3303647061.0000000006E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6e60000_mpTrle.jbxd

Similarity

API ID:
String ID: XPbq
API String ID: 0-864591470
Opcode ID: b1d4896c8d5a45a6991c7495299c1602d07e1f2b0d7fcfba37957c84949a833f
Instruction ID: 4c1a9187814bf91435a5aeef3c89e0ba3467fc09dc77a36fac39a2f31ac5283f
Opcode Fuzzy Hash: b1d4896c8d5a45a6991c7495299c1602d07e1f2b0d7fcfba37957c84949a833f
Instruction Fuzzy Hash: 40415E70B002199FEB649FA5C854BAEBAF7FF88740F208529E105AB394DA754C01CB94

Function 06E6DAAD Relevance: 1.4, Strings: 1, Instructions: 123COMMON

Download Yara Rule

Strings

PH]q, xrefs: 06E6DC09

Memory Dump Source

Source File: 0000000C.00000002.3303647061.0000000006E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6e60000_mpTrle.jbxd

Similarity

API ID:
String ID: PH]q
API String ID: 0-3168235125
Opcode ID: 486372b23f2538a84805a060d6204f72781d32151373be3df28aeb2e52900dd9
Instruction ID: 712b84c56541af548354a5485272b7a30958a5ae119fe063f226cc3d8ec99441
Opcode Fuzzy Hash: 486372b23f2538a84805a060d6204f72781d32151373be3df28aeb2e52900dd9
Instruction Fuzzy Hash: EF41A130F4030A9FDB64DF65C9506AEBBB6FF85344F205929E405D7248DB74D946CB81

Function 06E621E5 Relevance: 1.4, Strings: 1, Instructions: 111COMMON

Download Yara Rule

Strings

PH]q, xrefs: 06E62333

Memory Dump Source

Source File: 0000000C.00000002.3303647061.0000000006E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6e60000_mpTrle.jbxd

Similarity

API ID:
String ID: PH]q
API String ID: 0-3168235125
Opcode ID: f46e3e24e989760697ca107bfede52c7fcf9012b805053aad6af40dd884f66e0
Instruction ID: 578f4a6c0d558153baf0e358e796a8044b8221b3cc54d762a9f1d25c72685835
Opcode Fuzzy Hash: f46e3e24e989760697ca107bfede52c7fcf9012b805053aad6af40dd884f66e0
Instruction Fuzzy Hash: FF312230B403028FDB999B75D81466E3BA7AF89684F10A538E006DB390DF35CE06CBA1

Function 06E621F8 Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

PH]q, xrefs: 06E62333

Memory Dump Source

Source File: 0000000C.00000002.3303647061.0000000006E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6e60000_mpTrle.jbxd

Similarity

API ID:
String ID: PH]q
API String ID: 0-3168235125
Opcode ID: bac6d49f233e1392471e494cb8e91267eb56e2ec7fcd1aabed065559cf09dc47
Instruction ID: bccf1dbdd6e333f97d384271decc77dbfc2108701ca68fc87d457cbb60657ab9
Opcode Fuzzy Hash: bac6d49f233e1392471e494cb8e91267eb56e2ec7fcd1aabed065559cf09dc47
Instruction Fuzzy Hash: 9A310F30B403028FDB589B75D91466E7AA7AF89684F10953CE006DB394DF34DE06C7A5

Function 06E682C0 Relevance: 1.3, Strings: 1, Instructions: 40COMMON

Download Yara Rule

Strings

$]q, xrefs: 06E6830B

Memory Dump Source

Source File: 0000000C.00000002.3303647061.0000000006E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6e60000_mpTrle.jbxd

Similarity

API ID:
String ID: $]q
API String ID: 0-1007455737
Opcode ID: ae091678f41f2c1d100a237406dd39735618dd5404521e03d4e00bad44449b02
Instruction ID: 682b6a8d337bd842371c31abe3bba30f5b7b1d19f58b8d19cfa83e02ad104d30
Opcode Fuzzy Hash: ae091678f41f2c1d100a237406dd39735618dd5404521e03d4e00bad44449b02
Instruction Fuzzy Hash: 17F0AF35BC0301CFDF788A86EA986BEB3A9EB54398F147069E905CB241D636DD06C771

Function 06E661E8 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3303647061.0000000006E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6e60000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 026b304eacb16739946b9e6b5b11d4073954ef5a4851f521af3e3b19dfb8efe5
Instruction ID: 68d40f284336653c6c0c4fd2b37857b6ee79372af41d56a5857e543ead492f87
Opcode Fuzzy Hash: 026b304eacb16739946b9e6b5b11d4073954ef5a4851f521af3e3b19dfb8efe5
Instruction Fuzzy Hash: EB61D171F501114FDB649A6EC88066FBADBAFD4214F154479E80EDB320DEB9DD0287D2

Function 06E642C9 Relevance: .2, Instructions: 227COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3303647061.0000000006E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6e60000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 377a62e7fb742e3a8471624efdd53af1d205843fa2f82ea69b05d273c6fc3334
Instruction ID: be6f4665555b30a3a0b06124453883e92fad1d611f2e00276d712455548f6df8
Opcode Fuzzy Hash: 377a62e7fb742e3a8471624efdd53af1d205843fa2f82ea69b05d273c6fc3334
Instruction Fuzzy Hash: 4E815F30B4060A8FDB54DFA5D4547AEB7F6EF88344F109529E40ADB394DB34DC468B52

Function 06E645E8 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3303647061.0000000006E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6e60000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcc07e02897446f724d0c946a5c6756df93e6fd8cb5106f4daa71affed23020a
Instruction ID: 3d7348dee662d90dcc4712c3f7a2eca7fef93144a25e1900fed9f872911d80f3
Opcode Fuzzy Hash: fcc07e02897446f724d0c946a5c6756df93e6fd8cb5106f4daa71affed23020a
Instruction Fuzzy Hash: AD912D30E103198FDF60DF69C890B9DB7B1FF89304F20C599E549AB295DB70AA85CB91

Function 06E64600 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3303647061.0000000006E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6e60000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbe10348840f5c70a7814a94b4774620f1b2f085fd3881150be48d1c32c7dd2b
Instruction ID: 8ebd55c8f28da9b02773670a645647abbc8aee5eb44168c30ed0c56969b11f7c
Opcode Fuzzy Hash: dbe10348840f5c70a7814a94b4774620f1b2f085fd3881150be48d1c32c7dd2b
Instruction Fuzzy Hash: 70912D30E10219CBDF64DF69C890B9DB7B1FF89304F20C599E509AB295DB70AA85CF91

Function 06E6EF00 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3303647061.0000000006E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6e60000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0a5777d804320ee3f058b86a27c4e55f2bd7d8c61fb37f5d443cbe40187075b
Instruction ID: 023cab563099e1932d67a9834caee296d4288f60a0ff90ec7b3c4ae18f84fd88
Opcode Fuzzy Hash: a0a5777d804320ee3f058b86a27c4e55f2bd7d8c61fb37f5d443cbe40187075b
Instruction Fuzzy Hash: EA715E70A002098FDB54DFA9D990AADBBF6FF88344F249429E009EB355DB30EC46CB50

Function 06E6EF10 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3303647061.0000000006E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6e60000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74024863ea0bfbe2981373ca9525ce940cf8b4ea57245277a5715dc660ca3fba
Instruction ID: 83e18c436217f165c22de884999ae143dd7d0bc0b69987b5f445310ac4d5b540
Opcode Fuzzy Hash: 74024863ea0bfbe2981373ca9525ce940cf8b4ea57245277a5715dc660ca3fba
Instruction Fuzzy Hash: FA713C74A002099FDB54DFA9D990A9EBBF6FF88344F249429E009EB355DB30EC46CB50

Function 06E6FC70 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3303647061.0000000006E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6e60000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6db948790a640bcb3de07650b48edb8b28fa22cfcbedfeeebd8c8c2d8fe7668d
Instruction ID: 849c1799f3f20805e1c9bde035f825f947581d5dba32dd2687d8bd46b1b6bb7b
Opcode Fuzzy Hash: 6db948790a640bcb3de07650b48edb8b28fa22cfcbedfeeebd8c8c2d8fe7668d
Instruction Fuzzy Hash: B951D231E00205DFDB24AB79F8546ADBBB3EF84359F10887AE106D7250DB359805CB81

Function 06E6FA1F Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3303647061.0000000006E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6e60000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de9146251bdc90179e81c505020cae37c698e526c69e250ce9037c7e1ad36e4d
Instruction ID: de3b1bf54ac084bcd1788ac5fab3cd3cda8045f5f953f029f794dc0619b3feb1
Opcode Fuzzy Hash: de9146251bdc90179e81c505020cae37c698e526c69e250ce9037c7e1ad36e4d
Instruction Fuzzy Hash: 4451D270B503049FEF60566AF95477E3A9FEB89354F20182AE40AC7396CA2DCC4583A2

Function 06E6FA30 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3303647061.0000000006E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6e60000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3d580fd676581382be7c0b7c335d5845965cbb1c931fdc0819ea19af4e517cd
Instruction ID: 7e7c644634c7dbec0dded7e7caf46d973df0904c0f3f95451524eabccd8fcf32
Opcode Fuzzy Hash: e3d580fd676581382be7c0b7c335d5845965cbb1c931fdc0819ea19af4e517cd
Instruction Fuzzy Hash: 5451D370B503048FEF70566EF95477E369FDB89394F20582AE40AC7395CA2DCC458392

Function 06E65440 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3303647061.0000000006E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6e60000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c49f327540cfdb7d07a5fc8588f4057872b80b091566c99c9732a9b880851e3
Instruction ID: 7131f9904950ae17d57c9747766cd066e8861467129e41a7a7e5508915b8fc24
Opcode Fuzzy Hash: 0c49f327540cfdb7d07a5fc8588f4057872b80b091566c99c9732a9b880851e3
Instruction Fuzzy Hash: 36417B71E407098FCB60CFAAD880AAEBBF2EB85314F10592AE15AD7650D731E8558B91

Function 06E655C1 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3303647061.0000000006E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6e60000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae98a63bdda7cab8038396bf67e4f037ec4634f4166ad95d698d8099ce81d651
Instruction ID: 4359ad8c94b5e8d75681194a0ca8a462108c7b6644af11dd6973be47aeae10cd
Opcode Fuzzy Hash: ae98a63bdda7cab8038396bf67e4f037ec4634f4166ad95d698d8099ce81d651
Instruction Fuzzy Hash: 1C31C670F503068BDF708E6AC88077EBBB1FB45368F20992AE459D7281C635D951CB91

Function 06E6D960 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3303647061.0000000006E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6e60000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 232335fc491eb0412849fa686edb6cfb839a7551f33e6afcf712e9c9008add78
Instruction ID: 36228e8d6ad98291844e20fdf8d16c12109897979b911a4517488f59345a342f
Opcode Fuzzy Hash: 232335fc491eb0412849fa686edb6cfb839a7551f33e6afcf712e9c9008add78
Instruction Fuzzy Hash: 7331C330B1430A8FCB64DF66D890A9EBBB6FF85308F105929E405AB300D770E806CB91

Function 06E620A8 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3303647061.0000000006E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6e60000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04a4a8db1a8e84922c445bccf8a98916f9c0fb9a6b936cca182cb64c8a1cabfd
Instruction ID: 8648d252fab8cd09dc6616fb12b2031aad3b50c7e61d562b7423ecffead9d66f
Opcode Fuzzy Hash: 04a4a8db1a8e84922c445bccf8a98916f9c0fb9a6b936cca182cb64c8a1cabfd
Instruction Fuzzy Hash: F131C130E102099FCB68CFA5C85469EB7B2FF89304F10D529E91AE7340DB31AD46CB90

Function 06E620B8 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3303647061.0000000006E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6e60000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43824673efab160c09139e69217accdf80c9f0b9d33b70c690dcc67406993f3f
Instruction ID: 79f09bb7ce5f4c0774758e23327215a0d5ffa3a0b6a0ce567d868939d8351cbb
Opcode Fuzzy Hash: 43824673efab160c09139e69217accdf80c9f0b9d33b70c690dcc67406993f3f
Instruction Fuzzy Hash: C2318030E142099FCB58CFA5C85469EB7B2FF89304F10D519E91AE7350DB75AD46CB90

Function 06E63ED1 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3303647061.0000000006E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6e60000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4305a947f817792419f99ff59c0bb93a00c5fc192aac207d488621fd7c8da830
Instruction ID: 84c8dfa1f06e0fa1c8e4c8ff8f3300462f18089abd806ea5ca0f55d8a2d53d78
Opcode Fuzzy Hash: 4305a947f817792419f99ff59c0bb93a00c5fc192aac207d488621fd7c8da830
Instruction Fuzzy Hash: CA319831F407059FCB50CF69D841AEEBBBAEB48320F149129F904E7290E735DC028BA1

Function 06E63EE0 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3303647061.0000000006E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6e60000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8959a9bdc7cbe5b6e1d8371a8d2976d3b5105165db6454385142b2438d46886
Instruction ID: dcc0ee177858033368695bb2dc78ccc4d89f2792d6a410eab90cd495c9b913b3
Opcode Fuzzy Hash: d8959a9bdc7cbe5b6e1d8371a8d2976d3b5105165db6454385142b2438d46886
Instruction Fuzzy Hash: B2217775F403059FDB50DF6AD880AEEBBF6EB48314F20A029E909E7290E735DC018B91

Function 0165D044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3279209462.000000000165D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0165D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_165d000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92b6d5837bcfe3120a5e24d565096d513a0aabe32f9b6f2f1556bc54e1af62c5
Instruction ID: 19abe8f7e05a7bcc8214807701d334ddfc275ec23c7611e9a0b90589190c6ac8
Opcode Fuzzy Hash: 92b6d5837bcfe3120a5e24d565096d513a0aabe32f9b6f2f1556bc54e1af62c5
Instruction Fuzzy Hash: 9A210071504204AFCB55DFA8C980B26BB65FB84314F20C569ED490B392C73AD447CA62

Function 06E63481 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3303647061.0000000006E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6e60000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8863900ec00607a75223af2f4b382021e16ceb782124486594ed117d8de441a3
Instruction ID: 0fbcdcec6df0c8f0b18aab88bc189a360f8341f981168123756c09ac2dce46a6
Opcode Fuzzy Hash: 8863900ec00607a75223af2f4b382021e16ceb782124486594ed117d8de441a3
Instruction Fuzzy Hash: 3821A570E002299FCB68DB69D8405EDF7F6EF89354F10A969E44AE7340DA319A41CBA0

Function 06E66D08 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3303647061.0000000006E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6e60000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c93a9e762f44dc0465e5d51f54bd13aafbb5ed567340211c31d4272bb4a2ce23
Instruction ID: 9dd40b9b3bd1a96f299c822cce106131dde974ee6e771452af5768f6cd8074ec
Opcode Fuzzy Hash: c93a9e762f44dc0465e5d51f54bd13aafbb5ed567340211c31d4272bb4a2ce23
Instruction Fuzzy Hash: 7B21D530B102199FDF94EB6AE9507AEB7B6EB84358F20A038E405D7340D735DC458B91

Function 06E6A2FB Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3303647061.0000000006E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6e60000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 916b723921be6204595b5b87eb3e837efa341dfe538516984c0ab408220e8aa8
Instruction ID: fea717288a646e5a818f9170983c12a50d7e2bca46d5b87d3eb3dc2bab152382
Opcode Fuzzy Hash: 916b723921be6204595b5b87eb3e837efa341dfe538516984c0ab408220e8aa8
Instruction Fuzzy Hash: FF114831F803111FCB61A63EEC1476EB7D9EB867A4F104439F109D7240DA25DD06C3A1

Function 06E64229 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3303647061.0000000006E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6e60000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5357c9c83123f04373d89010f10a2228199471792c1e81ceedd72135242b2a93
Instruction ID: 1674ea0b59f8097d76882e16b7998c3502cbaed9329a09bc7169dd9dec3425ab
Opcode Fuzzy Hash: 5357c9c83123f04373d89010f10a2228199471792c1e81ceedd72135242b2a93
Instruction Fuzzy Hash: 6E01D231B002148FDB659AAED850B6ABBDBDBC5758F20843AE449C7395DA21CC068391

Function 06E63FF0 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3303647061.0000000006E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6e60000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8ff1819b0d749a173e7cfd71c9c4c8c20529e3c5ee7a99b43a4ed7290a54eac
Instruction ID: 0a5a9246992772cc876eb509fe21f5de4d7e67acfd918747b9e74b6972e4344e
Opcode Fuzzy Hash: a8ff1819b0d749a173e7cfd71c9c4c8c20529e3c5ee7a99b43a4ed7290a54eac
Instruction Fuzzy Hash: AE11A531B102298FDB98D679DC146AF73EAEBC8754F008539D50AE7380EE25DC028BD2

Function 06E6F17F Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3303647061.0000000006E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6e60000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3311b7e38db1ce9488018721285f69b46ff5a83ba982411212438df8d09c745
Instruction ID: d3d82d766bf59cfac5543f4aac61123ed8d3dac0a0a15c9079cf8718b09e8998
Opcode Fuzzy Hash: f3311b7e38db1ce9488018721285f69b46ff5a83ba982411212438df8d09c745
Instruction Fuzzy Hash: 4301F176B002100FCB728B2AE85476A7BDBDBC6654F10483AF50AC7341DA24CD0687A1

Function 06E63FDF Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3303647061.0000000006E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6e60000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a728c1793e56ff6e280235fae2c8a0749ecd9e6a03515fdab7f90acde51007b
Instruction ID: 01bfbb083b7da349d515ce8b9d3b0370d03cdca726d293416c0f3a38830e93f2
Opcode Fuzzy Hash: 6a728c1793e56ff6e280235fae2c8a0749ecd9e6a03515fdab7f90acde51007b
Instruction Fuzzy Hash: 2A01B532B502258BDBA99A69DC146EB77EAEFC8754F004539D44AE7380EF258C034792

Function 06E63CA8 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3303647061.0000000006E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6e60000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d23e722832d9a5c1b9d44ca9d2ac776a8e9e223e0252d1be2a3b8d8098a98aa5
Instruction ID: c8ac45d1c7d3f6ebb2ba520029cf6264a2beac511e83e4fd9d882258b6570ad4
Opcode Fuzzy Hash: d23e722832d9a5c1b9d44ca9d2ac776a8e9e223e0252d1be2a3b8d8098a98aa5
Instruction Fuzzy Hash: 7421CEB5D01259AFCB10DF9AD984ADEFFB4FF59310F10922AE518A7200C378A954CFA5

Function 0165D03F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3279209462.000000000165D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0165D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_165d000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction ID: 8556d7bceff6d7aac9f8dae5cd83b374f8e3969a5ad1fd5380c86a419194e2cb
Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction Fuzzy Hash: AE11A9755042848FDB12CF54C9C4B15BBA2FB84214F24C6A9DC494B392C33AD44ACB62

Function 06E63CB0 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3303647061.0000000006E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6e60000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfca097b0358ea032ecc842750f0d0b6d8b8c1153e583003660c8f5f209cb01e
Instruction ID: 95fdba09943a0f815158f3c7ccb14044d7954f9271fec8f0cffe564fa95008d3
Opcode Fuzzy Hash: bfca097b0358ea032ecc842750f0d0b6d8b8c1153e583003660c8f5f209cb01e
Instruction Fuzzy Hash: EB11D3B5D01259AFCB00DF9AD884ADEFFB4FF49310F10812AE518A7200C374A944CFA5

Function 06E64238 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3303647061.0000000006E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6e60000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15cff760842ef477e6fafc2433369688614c4aa089921d3390f10732c1d1e374
Instruction ID: 7921deef5238ba4e6f8ce80f5641deb6583050fadff5e4db108ebc683f95cffb
Opcode Fuzzy Hash: 15cff760842ef477e6fafc2433369688614c4aa089921d3390f10732c1d1e374
Instruction Fuzzy Hash: 6801AD31B005148FDBA496AED454B2BA2DAEBC9718F20C43AE50EC7394DE65DC0643A5

Function 06E6F190 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3303647061.0000000006E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6e60000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 105d8d3724fe4a4d5569370018cfe6844304e7a4b870c3c95e67cac1216d0715
Instruction ID: ce4e416c21d6b2644e2baf9baca23b60dd442e5d0dad01c0cf8bce7f32dfd993
Opcode Fuzzy Hash: 105d8d3724fe4a4d5569370018cfe6844304e7a4b870c3c95e67cac1216d0715
Instruction Fuzzy Hash: 0A01DC72B002140FCB759A6EE854B2EB3CBEBC9798F108839F50AC7340DE29DD068795

Function 06E6A308 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3303647061.0000000006E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6e60000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc49162098de0f3d1542b28f0e282de84b5367c348dd7f13680685e72dbfbea9
Instruction ID: df71bdb31c3c16883b5ecb6fd5fa575ec9fa8dd4ad6feaa84269ef07233c340d
Opcode Fuzzy Hash: fc49162098de0f3d1542b28f0e282de84b5367c348dd7f13680685e72dbfbea9
Instruction Fuzzy Hash: 0501D131F402154FCB64AA2ED858B2EB3DAEB89798F108838E10AD7340DA25DC028395

Function 06E6C7D0 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3303647061.0000000006E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6e60000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3255801bc13530ef879442de4044e3358d62b505cb3c6a5308cbf83d64b38710
Instruction ID: 65a367ae62ead56531bd4a9aa408e9f8d488a98a1d899784f946d2ea244c31bb
Opcode Fuzzy Hash: 3255801bc13530ef879442de4044e3358d62b505cb3c6a5308cbf83d64b38710
Instruction Fuzzy Hash: E201A931F103249BCF649A6AE940A9D7779FB49758F10553DE505E7340DB36AC04C7D4

Function 06E66468 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3303647061.0000000006E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6e60000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26e910eca150be3cdd0fcc8a37d9c6f41f360fe9c7b7e0edee0c1acb4d98da00
Instruction ID: 9c7816090b7aa9d5ab245769ad5e31604c6d064f592fddc43708c1f1f64360be
Opcode Fuzzy Hash: 26e910eca150be3cdd0fcc8a37d9c6f41f360fe9c7b7e0edee0c1acb4d98da00
Instruction Fuzzy Hash: 88E09B30E553546FDB60DAB1895575B3F68E701294F204995E408C7101E1B6CD0287D1

Function 06E6FEC3 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3303647061.0000000006E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6e60000_mpTrle.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9652ccd2324cc4f5f3ba64f4eb56a4462d46cfb5984fb21e8dfdacbeb8aaba2
Instruction ID: efa20084f598df66cf55cb22dc2fb65893d67a2c71cbd0d56a53d55781711b12
Opcode Fuzzy Hash: b9652ccd2324cc4f5f3ba64f4eb56a4462d46cfb5984fb21e8dfdacbeb8aaba2
Instruction Fuzzy Hash: E2E0676500E3C08FC767973498686907FB16F03209B5A15DBC491CF1E7D729991AD722

Non-executed Functions

Function 06E67690 Relevance: 13.0, Strings: 10, Instructions: 468COMMON

Download Yara Rule

Strings

$]q, xrefs: 06E67780
$]q, xrefs: 06E67B49
$]q, xrefs: 06E677B1
$]q, xrefs: 06E67BFE
$]q, xrefs: 06E67B3D
$]q, xrefs: 06E6778C
$]q, xrefs: 06E67BF2
$]q, xrefs: 06E677BD
$]q, xrefs: 06E67BE8
$]q, xrefs: 06E67BDC

Memory Dump Source

Source File: 0000000C.00000002.3303647061.0000000006E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6e60000_mpTrle.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-2843079600
Opcode ID: 42eeffb0d1f95fe62d69329f8662e27fa9233724f64d313e16a46671aaf1d590
Instruction ID: 95e3b8c95df260bf16d799fd8d7840ed6210a08262ab857fcf93023c2672bbad
Opcode Fuzzy Hash: 42eeffb0d1f95fe62d69329f8662e27fa9233724f64d313e16a46671aaf1d590
Instruction Fuzzy Hash: 5A124B30A403198FDB68DF69C890A9DB7F6FF89748F209969D40AAB354DB349D45CF80

Function 06E6A930 Relevance: 10.2, Strings: 8, Instructions: 229COMMON

Download Yara Rule

Strings

$]q, xrefs: 06E6AAB8
$]q, xrefs: 06E6AAAC
$]q, xrefs: 06E6AAEE
$]q, xrefs: 06E6AA8D
$]q, xrefs: 06E6AA81
$]q, xrefs: 06E6AA32
$]q, xrefs: 06E6AAE2
$]q, xrefs: 06E6AA26

Memory Dump Source

Source File: 0000000C.00000002.3303647061.0000000006E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6e60000_mpTrle.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-1273862796
Opcode ID: 058b2b3dc823650c9c0726252d740d71591f54ddc34409ea842884ddfb80cb77
Instruction ID: 647a0da16c97786c8eeb1781bd2b633c3566cef994c249fafbfccee57123f76e
Opcode Fuzzy Hash: 058b2b3dc823650c9c0726252d740d71591f54ddc34409ea842884ddfb80cb77
Instruction Fuzzy Hash: 11917130E403099FDB68DF6ADA94BAE77F6EF48344F209539E402AB254DB349C45CB90

Function 06E67090 Relevance: 9.2, Strings: 7, Instructions: 405COMMON

Download Yara Rule

Strings

$]q, xrefs: 06E675A4
$]q, xrefs: 06E673D8
$]q, xrefs: 06E67372
$]q, xrefs: 06E67598
.5uq, xrefs: 06E670EB
$]q, xrefs: 06E6752C
$]q, xrefs: 06E673CC

Memory Dump Source

Source File: 0000000C.00000002.3303647061.0000000006E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6e60000_mpTrle.jbxd

Similarity

API ID:
String ID: .5uq$$]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-981061697
Opcode ID: 0c50ce3bfd70503272c97bc624b4ad16e25eddc6a06c1a301da2a23532ddb4cd
Instruction ID: 7c759b2d1c137fbf4dd959adde23ff073a29cf09ae0e0d3c7c0c2a53502effa9
Opcode Fuzzy Hash: 0c50ce3bfd70503272c97bc624b4ad16e25eddc6a06c1a301da2a23532ddb4cd
Instruction Fuzzy Hash: 1BF14C34A40308CFDB58EF69D594A6EB7B6FF88344F249568E8069B354DB35DC42CB81

Function 06E683C8 Relevance: 5.3, Strings: 4, Instructions: 282COMMON

Download Yara Rule

Strings

$]q, xrefs: 06E68687
$]q, xrefs: 06E68622
$]q, xrefs: 06E68693
$]q, xrefs: 06E6862E

Memory Dump Source

Source File: 0000000C.00000002.3303647061.0000000006E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6e60000_mpTrle.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q
API String ID: 0-858218434
Opcode ID: 1b4328878b1dea5e580d40a4212f94c4591e26fc89b4e47a470834aed58fb748
Instruction ID: 008616a20fbc854c4bb403b0bd98311f271e578897510c8d7607ec9372d8f204
Opcode Fuzzy Hash: 1b4328878b1dea5e580d40a4212f94c4591e26fc89b4e47a470834aed58fb748
Instruction Fuzzy Hash: 03B15D34A503098FDB68EF65C59066EB7B6FF88344F249829E406DB394DB74DC82CB91

Function 06E687E0 Relevance: 5.2, Strings: 4, Instructions: 168COMMON

Download Yara Rule

Strings

LR]q, xrefs: 06E688D3
$]q, xrefs: 06E6885F
LR]q, xrefs: 06E68922
$]q, xrefs: 06E6886B

Memory Dump Source

Source File: 0000000C.00000002.3303647061.0000000006E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6e60000_mpTrle.jbxd

Similarity

API ID:
String ID: LR]q$LR]q$$]q$$]q
API String ID: 0-3527005858
Opcode ID: c053e8d8953a1edebbcdf402d4df13ae2b60275300526bab9d62fa40706de187
Instruction ID: de109837104d230754c9415adc770956a7b65b337b6f3e48f4a712a5dda1729f
Opcode Fuzzy Hash: c053e8d8953a1edebbcdf402d4df13ae2b60275300526bab9d62fa40706de187
Instruction Fuzzy Hash: 3051B130B403018FDB68DB29D950A6BB7EAFF88344F10A56CE4069B365DA34EC41C7A5

Function 06E6ACBB Relevance: 5.2, Strings: 4, Instructions: 162COMMON

Download Yara Rule

Strings

$]q, xrefs: 06E6ADE9
$]q, xrefs: 06E6AE94
$]q, xrefs: 06E6AE3C
$]q, xrefs: 06E6AE6B

Memory Dump Source

Source File: 0000000C.00000002.3303647061.0000000006E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6e60000_mpTrle.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q
API String ID: 0-858218434
Opcode ID: d30f1f536dff3af0cebf8dcb1873bc2941f7ca27889fc3155cfa51468197728b
Instruction ID: fc07070eed68ba0a5a1117d522fb693f8cebaf3880f1634ca3b31ce811f5643b
Opcode Fuzzy Hash: d30f1f536dff3af0cebf8dcb1873bc2941f7ca27889fc3155cfa51468197728b
Instruction Fuzzy Hash: C7518F30E503048FDF68DE69D580AAEB7B6FF89358F10A539E806A7244DB35DC82CB50

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report z17invoice.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\mpTrle.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\z17invoice.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dx4w0m4z.x0n.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jwxsp41i.ffi.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vdwpu5sl.hle.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ydtmjqxy.g4j.psm1

C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe

C:\Users\user\AppData\Roaming\mpTrle\mpTrle.exe:Zone.Identifier

Static File Info

General

File Icon

Static PE Info

Windows Analysis Report
z17invoice.exe

Function 0263ADA8 Relevance: 1.7, APIs: 1, Instructions: 210
COMMON

Function 02635914 Relevance: 1.6, APIs: 1, Instructions: 99
COMMON

Function 026344C4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 04B94040 Relevance: 1.6, APIs: 1, Instructions: 93
COMMON

Function 0263D27C Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Function 0263D689 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre