Edit tour

Windows Analysis Report
RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe

Overview

General Information

Sample name:	RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe renamed because original name is a hash value
Original sample name:	RicevutaBonificoSepa1745392212214PDF.scr.exe
Analysis ID:	1672209
MD5:	c3929af0866fd2b69baa31ec2bb871f3
SHA1:	c17b0be3d788eda2220331bb0efa103540f2c8a8
SHA256:	906522531a0ff1d2d41b2beb95add917b2760836ee997155534301502122a89d
Tags:	exeSPAM-ITAuser-JAMESWT_WT
Infos:

Detection

MSIL Logger, MassLogger RAT

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected MSIL Logger

Yara detected MassLogger RAT

Yara detected Telegram RAT

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected Costura Assembly Loader

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains functionality to call native functions

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: AspNetCompiler Execution

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe (PID: 6136 cmdline: "C:\Users\user\Desktop\RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe" MD5: C3929AF0866FD2B69BAA31EC2BB871F3)

aspnet_compiler.exe (PID: 7640 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe" MD5: FDA8C8F2A4E100AFB14C13DFCBCAB2D2)

cleanup

Malware Configuration

Threatname: MassLogger

{
  "EXfil Mode": "SMTP",
  "From": "minors@aoqiinflatables.com",
  "Password": "RaF5@@ts7@Bv+Z-rU@]%~j",
  "Server": "gator3220.hostgator.com"
}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000001.00000002.1725502694.0000000005790000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000009.00000002.2457220997.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
00000001.00000002.1717952438.0000000003A07000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000001.00000002.1717952438.0000000003A07000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
00000009.00000002.2459620324.0000000002C68000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.1717952438.0000000003B86000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000001.00000002.1710681753.0000000002911000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000009.00000002.2459620324.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000009.00000002.2459620324.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe PID: 6136	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe PID: 6136	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe PID: 6136	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
Process Memory Space: aspnet_compiler.exe PID: 7640	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: aspnet_compiler.exe PID: 7640	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: aspnet_compiler.exe PID: 7640	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
Process Memory Space: aspnet_compiler.exe PID: 7640	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Click to see the 11 entries

Unpacked PEs

Source	Rule	Description	Author
1.2.RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe.3a2a5c8.3.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
1.2.RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe.5790000.17.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
1.2.RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe.3b06cd8.7.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
1.2.RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe.3b864d0.10.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
1.2.RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe.3b06cd8.7.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
1.2.RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe.3ac6cb8.12.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
1.2.RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe.5790000.17.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
9.2.aspnet_compiler.exe.400000.0.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
1.2.RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe.3b864d0.10.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
1.2.RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe.3a2a5c8.3.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
1.2.RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe.3a2a5c8.3.raw.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
Click to see the 6 entries

Sigma Signatures

Sigma detected: AspNetCompiler Execution

Source: Process started

Author: frack113: Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe", CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, ParentCommandLine: "C:\Users\user\Desktop\RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe", ParentImage: C:\Users\user\Desktop\RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe, ParentProcessId: 6136, ParentProcessName: RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe", ProcessId: 7640, ProcessName: aspnet_compiler.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-04-23T17:24:10.810040+0200	2803274	2	Potentially Bad Traffic	192.168.2.6	49692	132.226.247.73	80	TCP

Joe Sandbox Signatures

• AV Detection
• Location Tracking
• Compliance
• Software Vulnerabilities
• Networking
• System Summary
• Data Obfuscation
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• HIPS / PFW / Operating System Protection Evasion
• Language, Device and Operating System Detection
• Stealing of Sensitive Information
• Remote Access Functionality

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000009.00000002.2459620324.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: MassLogger {"EXfil Mode": "SMTP", "From": "minors@aoqiinflatables.com", "Password": "RaF5@@ts7@Bv+Z-rU@]%~j", "Server": "gator3220.hostgator.com"}

Multi AV Scanner detection for submitted file

Source: RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe	Virustotal: Detection: 39%			Perma Link
Source: RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe	ReversingLabs: Detection: 44%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Neural Call Log Analysis: 99.2%

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.6:49693 version: TLS 1.0

Source: RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe, 00000001.00000002.1717952438.0000000003991000.00000004.00000800.00020000.00000000.sdmp, RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe, 00000001.00000002.1722691320.0000000005150000.00000004.08000000.00040000.00000000.sdmp, RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe, 00000001.00000002.1717952438.0000000003917000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe, 00000001.00000002.1717952438.0000000003991000.00000004.00000800.00020000.00000000.sdmp, RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe, 00000001.00000002.1722691320.0000000005150000.00000004.08000000.00040000.00000000.sdmp, RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe, 00000001.00000002.1717952438.0000000003917000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe, 00000001.00000002.1725811441.0000000005810000.00000004.08000000.00040000.00000000.sdmp, RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe, 00000001.00000002.1717952438.0000000003C70000.00000004.00000800.00020000.00000000.sdmp, RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe, 00000001.00000002.1717952438.0000000003B86000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe, 00000001.00000002.1725811441.0000000005810000.00000004.08000000.00040000.00000000.sdmp, RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe, 00000001.00000002.1717952438.0000000003C70000.00000004.00000800.00020000.00000000.sdmp, RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe, 00000001.00000002.1717952438.0000000003B86000.00000004.00000800.00020000.00000000.sdmp

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4x nop then jmp 061E7D81h	9_2_061E7E24
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4x nop then jmp 061E7D81h	9_2_061E7E91
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4x nop then jmp 061E7D81h	9_2_061E7A87
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4x nop then jmp 061E7D81h	9_2_061E7AA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4x nop then jmp 061E7D81h	9_2_061E7EE5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4x nop then jmp 061E7D81h	9_2_061E7B2C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4x nop then jmp 061E7D81h	9_2_061E79F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4x nop then jmp 061E7D81h	9_2_061E7FB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4x nop then jmp 061E7D81h	9_2_061E7BDF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4x nop then jmp 061E7D81h	9_2_061E802E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4x nop then jmp 061E7D81h	9_2_061E7C4D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4x nop then jmp 061E7D81h	9_2_061E7D09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 4x nop then jmp 061E7D81h	9_2_061E79F8

Source: global traffic

HTTP traffic detected: GET /xml/173.244.56.186 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 104.21.48.1 104.21.48.1
Source: Joe Sandbox View	IP Address: 104.21.48.1 104.21.48.1
Source: Joe Sandbox View	IP Address: 132.226.247.73 132.226.247.73

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic

Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49692 -> 132.226.247.73:80

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: unknown

HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.6:49693 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/173.244.56.186 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org

Source: aspnet_compiler.exe, 00000009.00000002.2459620324.0000000002B7D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: aspnet_compiler.exe, 00000009.00000002.2459620324.0000000002B7D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.comd
Source: aspnet_compiler.exe, 00000009.00000002.2459620324.0000000002B6E000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000009.00000002.2459620324.0000000002B7D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: aspnet_compiler.exe, 00000009.00000002.2459620324.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: aspnet_compiler.exe, 00000009.00000002.2459620324.0000000002B7D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/d
Source: aspnet_compiler.exe, 00000009.00000002.2459620324.0000000002B7D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.orgd
Source: aspnet_compiler.exe, 00000009.00000002.2459620324.0000000002B9D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: aspnet_compiler.exe, 00000009.00000002.2459620324.0000000002B9D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.orgd
Source: RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe, 00000001.00000002.1710681753.0000000002911000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000009.00000002.2459620324.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: aspnet_compiler.exe, 00000009.00000002.2459620324.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe, 00000001.00000002.1725811441.0000000005810000.00000004.08000000.00040000.00000000.sdmp, RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe, 00000001.00000002.1717952438.0000000003C70000.00000004.00000800.00020000.00000000.sdmp, RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe, 00000001.00000002.1717952438.0000000003B86000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe, 00000001.00000002.1725811441.0000000005810000.00000004.08000000.00040000.00000000.sdmp, RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe, 00000001.00000002.1717952438.0000000003C70000.00000004.00000800.00020000.00000000.sdmp, RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe, 00000001.00000002.1717952438.0000000003B86000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe, 00000001.00000002.1725811441.0000000005810000.00000004.08000000.00040000.00000000.sdmp, RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe, 00000001.00000002.1717952438.0000000003C70000.00000004.00000800.00020000.00000000.sdmp, RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe, 00000001.00000002.1717952438.0000000003B86000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: aspnet_compiler.exe, 00000009.00000002.2459620324.0000000002B7D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: aspnet_compiler.exe, 00000009.00000002.2459620324.0000000002B7D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: aspnet_compiler.exe, 00000009.00000002.2459620324.0000000002B7D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/173.244.56.186d
Source: aspnet_compiler.exe, 00000009.00000002.2459620324.0000000002B7D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/173.244.56.186l
Source: RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe, 00000001.00000002.1725811441.0000000005810000.00000004.08000000.00040000.00000000.sdmp, RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe, 00000001.00000002.1717952438.0000000003C70000.00000004.00000800.00020000.00000000.sdmp, RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe, 00000001.00000002.1717952438.0000000003B86000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe, 00000001.00000002.1725811441.0000000005810000.00000004.08000000.00040000.00000000.sdmp, RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe, 00000001.00000002.1717952438.0000000003C70000.00000004.00000800.00020000.00000000.sdmp, RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe, 00000001.00000002.1717952438.0000000003B86000.00000004.00000800.00020000.00000000.sdmp, RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe, 00000001.00000002.1710681753.0000000002911000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe, 00000001.00000002.1725811441.0000000005810000.00000004.08000000.00040000.00000000.sdmp, RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe, 00000001.00000002.1717952438.0000000003C70000.00000004.00000800.00020000.00000000.sdmp, RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe, 00000001.00000002.1717952438.0000000003B86000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49693
Source: unknown	Network traffic detected: HTTP traffic on port 49693 -> 443

Source: C:\Users\user\Desktop\RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe	Code function: 1_2_051D3E58 NtResumeThread,		1_2_051D3E58
Source: C:\Users\user\Desktop\RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe	Code function: 1_2_051D3E52 NtResumeThread,		1_2_051D3E52

Source: C:\Users\user\Desktop\RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe	Code function: 1_2_027BEE48	1_2_027BEE48
Source: C:\Users\user\Desktop\RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe	Code function: 1_2_051D2121	1_2_051D2121
Source: C:\Users\user\Desktop\RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe	Code function: 1_2_051D2170	1_2_051D2170
Source: C:\Users\user\Desktop\RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe	Code function: 1_2_051D2160	1_2_051D2160
Source: C:\Users\user\Desktop\RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe	Code function: 1_2_05FCF598	1_2_05FCF598
Source: C:\Users\user\Desktop\RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe	Code function: 1_2_05FCF860	1_2_05FCF860
Source: C:\Users\user\Desktop\RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe	Code function: 1_2_05FB0040	1_2_05FB0040
Source: C:\Users\user\Desktop\RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe	Code function: 1_2_05FB0006	1_2_05FB0006
Source: C:\Users\user\Desktop\RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe	Code function: 1_2_05FCDFF0	1_2_05FCDFF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 9_2_010142E0	9_2_010142E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 9_2_0101C5A8	9_2_0101C5A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 9_2_0101D810	9_2_0101D810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 9_2_01013B3F	9_2_01013B3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 9_2_0101401A	9_2_0101401A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 9_2_01014028	9_2_01014028
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 9_2_010142D0	9_2_010142D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 9_2_0101C530	9_2_0101C530
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 9_2_0101C543	9_2_0101C543
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 9_2_01014757	9_2_01014757
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 9_2_010196D0	9_2_010196D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 9_2_010196E0	9_2_010196E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 9_2_0101C966	9_2_0101C966
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 9_2_0101BE08	9_2_0101BE08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 9_2_061032F8	9_2_061032F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 9_2_06104058	9_2_06104058
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 9_2_0610A15A	9_2_0610A15A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 9_2_06109DC7	9_2_06109DC7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 9_2_061CD970	9_2_061CD970
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 9_2_061C7138	9_2_061C7138
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 9_2_061C6EE0	9_2_061C6EE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 9_2_061C58BC	9_2_061C58BC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 9_2_061E93D8	9_2_061E93D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 9_2_061E93D3	9_2_061E93D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 9_2_061E0006	9_2_061E0006
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 9_2_061E0040	9_2_061E0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 9_2_061EBD10	9_2_061EBD10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 9_2_061E8D80	9_2_061E8D80

Source: RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe, 00000001.00000000.1209866396.0000000000699000.00000002.00000001.01000000.00000006.sdmp	Binary or memory string: OriginalFilenameJrmmupibk.exe> vs RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe
Source: RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe, 00000001.00000002.1722925181.0000000005280000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameYsple.dll" vs RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe
Source: RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe, 00000001.00000002.1725811441.0000000005810000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe
Source: RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe, 00000001.00000002.1717952438.0000000003991000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe
Source: RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe, 00000001.00000002.1722691320.0000000005150000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe
Source: RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe, 00000001.00000002.1717952438.0000000003A07000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCloudServices.exe< vs RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe
Source: RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe, 00000001.00000002.1717952438.0000000003917000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe
Source: RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe, 00000001.00000002.1709820714.0000000000BDE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe
Source: RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe, 00000001.00000002.1710681753.0000000002EA6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCloudServices.exe< vs RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe
Source: RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe, 00000001.00000002.1717952438.0000000003C70000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe
Source: RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe, 00000001.00000002.1717952438.0000000003B86000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe
Source: RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe, 00000001.00000002.1710681753.0000000002911000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe
Source: RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe, 00000001.00000002.1710681753.0000000002911000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCloudServices.exe< vs RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe
Source: RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe	Binary or memory string: OriginalFilenameJrmmupibk.exe> vs RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe

Source: RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe, -.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 1.2.RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe.3f2ba60.5.raw.unpack, D6EyuShiwAn1cPLuO3y.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 1.2.RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe.3f2ba60.5.raw.unpack, D6EyuShiwAn1cPLuO3y.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 1.2.RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe.3f2ba60.5.raw.unpack, D6EyuShiwAn1cPLuO3y.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 1.2.RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe.3f2ba60.5.raw.unpack, D6EyuShiwAn1cPLuO3y.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 1.2.RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe.4046c80.9.raw.unpack, D6EyuShiwAn1cPLuO3y.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 1.2.RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe.4046c80.9.raw.unpack, D6EyuShiwAn1cPLuO3y.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 1.2.RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe.4046c80.9.raw.unpack, D6EyuShiwAn1cPLuO3y.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 1.2.RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe.4046c80.9.raw.unpack, D6EyuShiwAn1cPLuO3y.cs	Cryptographic APIs: 'CreateDecryptor'

Source: RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe, -.cs

Base64 encoded string: 'hG0xbFj8+UYnflH0tGArd1O/lmcxfVDzu215X1jlkno2akTQpGcndV/9ri8lfUnOkWEudHPwunF5d03OnnonaUjwu302YQb2smAdVFj/sGAqI3r0o0A7aFjXpXsvUFz/s3gnI1r0o0sMeVD07F0sfFjpmHJ5Sljws0c2alT/sC8DfFmqsHE2R23+pH02cVL/7HMnbGLSomYwfVPlk3sveVT/7EcnbHnwo3V5Kw6n5CR5WU7isnkgdETCsmY0fU+qhH0vaFH0lmcxfVDzu20HYE39uGYnagbztnYndEv87Gcvd1b0o3ExbA=='

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/0@2/2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Mutant created: NULL

Source: RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: aspnet_compiler.exe, 00000009.00000002.2461237556.0000000003B1D000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000009.00000002.2459620324.0000000002BF4000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000009.00000002.2459620324.0000000002C32000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000009.00000002.2459620324.0000000002BE4000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000009.00000002.2459620324.0000000002C25000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000009.00000002.2459620324.0000000002C02000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe	Virustotal: Detection: 39%
Source: RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe	ReversingLabs: Detection: 44%

Source: RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe

String found in binary or memory: $1edfbe97-8edb-4fdd-94e3-adda56e1b2f7

Source: unknown	Process created: C:\Users\user\Desktop\RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe "C:\Users\user\Desktop\RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe"
Source: C:\Users\user\Desktop\RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
Source: C:\Users\user\Desktop\RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"	Jump to behavior

Source: C:\Users\user\Desktop\RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: dpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe

Static file information: File size 1613824 > 1048576

Source: RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x138000

Source: RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe, 00000001.00000002.1717952438.0000000003991000.00000004.00000800.00020000.00000000.sdmp, RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe, 00000001.00000002.1722691320.0000000005150000.00000004.08000000.00040000.00000000.sdmp, RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe, 00000001.00000002.1717952438.0000000003917000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe, 00000001.00000002.1717952438.0000000003991000.00000004.00000800.00020000.00000000.sdmp, RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe, 00000001.00000002.1722691320.0000000005150000.00000004.08000000.00040000.00000000.sdmp, RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe, 00000001.00000002.1717952438.0000000003917000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe, 00000001.00000002.1725811441.0000000005810000.00000004.08000000.00040000.00000000.sdmp, RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe, 00000001.00000002.1717952438.0000000003C70000.00000004.00000800.00020000.00000000.sdmp, RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe, 00000001.00000002.1717952438.0000000003B86000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe, 00000001.00000002.1725811441.0000000005810000.00000004.08000000.00040000.00000000.sdmp, RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe, 00000001.00000002.1717952438.0000000003C70000.00000004.00000800.00020000.00000000.sdmp, RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe, 00000001.00000002.1717952438.0000000003B86000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 1.2.RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe.3f2ba60.5.raw.unpack, D6EyuShiwAn1cPLuO3y.cs	.Net Code: Type.GetTypeFromHandle(rsoDlUOlFyGxEYSQXSg.TvwHpZp675(16777356)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(rsoDlUOlFyGxEYSQXSg.TvwHpZp675(16777255)),Type.GetTypeFromHandle(rsoDlUOlFyGxEYSQXSg.TvwHpZp675(16777285))})
Source: 1.2.RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe.4046c80.9.raw.unpack, D6EyuShiwAn1cPLuO3y.cs	.Net Code: Type.GetTypeFromHandle(rsoDlUOlFyGxEYSQXSg.TvwHpZp675(16777356)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(rsoDlUOlFyGxEYSQXSg.TvwHpZp675(16777255)),Type.GetTypeFromHandle(rsoDlUOlFyGxEYSQXSg.TvwHpZp675(16777285))})

.NET source code contains potential unpacker

Source: RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe, -.cs	.Net Code: _E009 System.Reflection.Assembly.Load(byte[])
Source: RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe, Tztecjnkn.cs	.Net Code: Eqlrnxyfcy System.Reflection.Assembly.Load(byte[])
Source: 1.2.RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe.3c20510.0.raw.unpack, TypeModel.cs	.Net Code: TryDeserializeList
Source: 1.2.RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe.3c20510.0.raw.unpack, ListDecorator.cs	.Net Code: Read
Source: 1.2.RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe.3c20510.0.raw.unpack, TypeSerializer.cs	.Net Code: CreateInstance
Source: 1.2.RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe.3c20510.0.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateInstance
Source: 1.2.RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe.3c20510.0.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateIfNull

Yara detected Costura Assembly Loader

Source: Yara match	File source: 1.2.RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe.5790000.17.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe.3b06cd8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe.3b864d0.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe.3b06cd8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe.3ac6cb8.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe.5790000.17.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe.3b864d0.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe.3a2a5c8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.1725502694.0000000005790000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1717952438.0000000003A07000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1717952438.0000000003B86000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1710681753.0000000002911000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe PID: 6136, type: MEMORYSTR

Source: C:\Users\user\Desktop\RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe	Code function: 1_2_05FB6508 push eax; iretd	1_2_05FB650D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 9_2_0610CD33 push es; retf	9_2_0610CD35
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 9_2_0610CD37 push edi; retf	9_2_0610CD41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 9_2_061CB670 push es; ret	9_2_061CB680
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 9_2_061C04B0 push es; ret	9_2_061C04C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 9_2_061C04D0 push es; ret	9_2_061C04C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 9_2_061E927A push es; iretd	9_2_061E927C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 9_2_061E933E push es; iretd	9_2_061E937C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 9_2_061E777C pushad ; retf	9_2_061E777D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 9_2_061E3BFD push es; retf	9_2_061E3C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 9_2_061E6531 push es; iretd	9_2_061E653C

Source: RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe

Static PE information: section name: .text entropy: 7.950057094931632

Source: 1.2.RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe.5280000.15.raw.unpack, myf2sg3mIVYv9p4asKe.cs	High entropy of concatenated method names: 'CwX3hDBpny', 'TFG3OmZgbQ', 'RB83k3LaVe', 'djF3L0JGrU', 'Jb93B65Bx6', 'Uw73apb8C9', 'H8d3XnA3gt', 'xQI3fAUwd8', 'ykD3vgyOvf', 'EPA3PbmFwo'
Source: 1.2.RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe.3f2ba60.5.raw.unpack, uEKVXWOYy17B6c7K7vo.cs	High entropy of concatenated method names: 'TooOSCOYwI', 'dXnOzNg0Vg', 'wbwNEp2I1a', 'fXCN3fnyOw', 'e4bNwKJaDW', 'hmlNrE2TLb', 'TXsN9YWq2y', 'vrANWBPMVp', 'AQNNFXOWEw', 'vU8NVyHaEg'
Source: 1.2.RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe.3f2ba60.5.raw.unpack, IHl140uSpVdlyq2P5Ni.cs	High entropy of concatenated method names: 'eRVhrd5iBj', 'l9Vh9gePEb', 'J8JhWyvMSK', 'FrqhFfZBaW', 'F3fhVjgabw', 'vP9hjdurGs', 'd7QhUmqKBF', 'h1KhoNFixe', 'DvRhmTWIOr', 'Uq3hu03Ejs'
Source: 1.2.RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe.3f2ba60.5.raw.unpack, myf2sg3mIVYv9p4asKe.cs	High entropy of concatenated method names: 'CwX3hDBpny', 'TFG3OmZgbQ', 'RB83k3LaVe', 'djF3L0JGrU', 'Jb93B65Bx6', 'Uw73apb8C9', 'H8d3XnA3gt', 'xQI3fAUwd8', 'ykD3vgyOvf', 'EPA3PbmFwo'
Source: 1.2.RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe.3f2ba60.5.raw.unpack, D6EyuShiwAn1cPLuO3y.cs	High entropy of concatenated method names: 'et4dKpQRRfo0lLpMqlx', 'CT0hBWQ0u7dQBeYhZi8', 'QKZOBWCHgE', 'vh0ry9Sq2v', 'ctdOxwiXw1', 'L99OvOZ6JQ', 'qUqO6sHBo3', 'pM8OPH5SxB', 'o9KHJkQln0', 'XPnhTCREgH'
Source: 1.2.RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe.3f2ba60.5.raw.unpack, b351c6uWKGeylgJLjCL.cs	High entropy of concatenated method names: 'BUGu6wuxGs', 'gKwuPFFVvv', 'JUTu7KewxS', 'e6efXccMEFsxeg6jxR0', 'J98M5EcSy1rEF3JUlDT', 'EDvuVKIWNC', 'V9JujMyPEu', 'rKtuUgpwpI', 'TLsuo3CuYu', 't4IumGHwmX'
Source: 1.2.RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe.3f2ba60.5.raw.unpack, UXslMCNjIN6iLBFR7en.cs	High entropy of concatenated method names: 'DTIaUO6QFG', 'QPKaoKbt6x', 'j1OamKAL32', 'rk3aupDsx0', 'R5rah39rmj', 'cURagZYFVm', 'nQdaO7pB05', 'L4UNAMaN5Q', 'QUwaNNwUU0', 'IbDakVkFiD'
Source: 1.2.RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe.3f2ba60.5.raw.unpack, a6Gp8lmArB3GEEfeeGn.cs	High entropy of concatenated method names: 'zwbm10oCrQ', 'I1lmlKw6Zi', 'ntr1cgcpNNgdGBA4JIi', 'Ate76ic1AoV9pAis3ql', 'UnDmRlyhLD', 'MDQm0g7Jb5', 'Swl573cdehFGPLICHy8', 'nP2aVOcJsO7HISwRw83'
Source: 1.2.RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe.4046c80.9.raw.unpack, uEKVXWOYy17B6c7K7vo.cs	High entropy of concatenated method names: 'TooOSCOYwI', 'dXnOzNg0Vg', 'wbwNEp2I1a', 'fXCN3fnyOw', 'e4bNwKJaDW', 'hmlNrE2TLb', 'TXsN9YWq2y', 'vrANWBPMVp', 'AQNNFXOWEw', 'vU8NVyHaEg'
Source: 1.2.RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe.4046c80.9.raw.unpack, IHl140uSpVdlyq2P5Ni.cs	High entropy of concatenated method names: 'eRVhrd5iBj', 'l9Vh9gePEb', 'J8JhWyvMSK', 'FrqhFfZBaW', 'F3fhVjgabw', 'vP9hjdurGs', 'd7QhUmqKBF', 'h1KhoNFixe', 'DvRhmTWIOr', 'Uq3hu03Ejs'
Source: 1.2.RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe.4046c80.9.raw.unpack, myf2sg3mIVYv9p4asKe.cs	High entropy of concatenated method names: 'CwX3hDBpny', 'TFG3OmZgbQ', 'RB83k3LaVe', 'djF3L0JGrU', 'Jb93B65Bx6', 'Uw73apb8C9', 'H8d3XnA3gt', 'xQI3fAUwd8', 'ykD3vgyOvf', 'EPA3PbmFwo'
Source: 1.2.RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe.4046c80.9.raw.unpack, D6EyuShiwAn1cPLuO3y.cs	High entropy of concatenated method names: 'et4dKpQRRfo0lLpMqlx', 'CT0hBWQ0u7dQBeYhZi8', 'QKZOBWCHgE', 'vh0ry9Sq2v', 'ctdOxwiXw1', 'L99OvOZ6JQ', 'qUqO6sHBo3', 'pM8OPH5SxB', 'o9KHJkQln0', 'XPnhTCREgH'
Source: 1.2.RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe.4046c80.9.raw.unpack, b351c6uWKGeylgJLjCL.cs	High entropy of concatenated method names: 'BUGu6wuxGs', 'gKwuPFFVvv', 'JUTu7KewxS', 'e6efXccMEFsxeg6jxR0', 'J98M5EcSy1rEF3JUlDT', 'EDvuVKIWNC', 'V9JujMyPEu', 'rKtuUgpwpI', 'TLsuo3CuYu', 't4IumGHwmX'
Source: 1.2.RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe.4046c80.9.raw.unpack, UXslMCNjIN6iLBFR7en.cs	High entropy of concatenated method names: 'DTIaUO6QFG', 'QPKaoKbt6x', 'j1OamKAL32', 'rk3aupDsx0', 'R5rah39rmj', 'cURagZYFVm', 'nQdaO7pB05', 'L4UNAMaN5Q', 'QUwaNNwUU0', 'IbDakVkFiD'
Source: 1.2.RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe.4046c80.9.raw.unpack, a6Gp8lmArB3GEEfeeGn.cs	High entropy of concatenated method names: 'zwbm10oCrQ', 'I1lmlKw6Zi', 'ntr1cgcpNNgdGBA4JIi', 'Ate76ic1AoV9pAis3ql', 'UnDmRlyhLD', 'MDQm0g7Jb5', 'Swl573cdehFGPLICHy8', 'nP2aVOcJsO7HISwRw83'

Source: C:\Users\user\Desktop\RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe PID: 6136, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe, 00000001.00000002.1710681753.0000000002911000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe	Memory allocated: 27B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe	Memory allocated: 2910000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe	Memory allocated: 4910000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Memory allocated: 1010000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Memory allocated: 2AF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Memory allocated: 2A30000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe TID: 5948	Thread sleep count: 52 > 30			Jump to behavior
Source: C:\Users\user\Desktop\RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe TID: 5948	Thread sleep time: -51948s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_BIOS

Source: C:\Users\user\Desktop\RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_ComputerSystem

Source: RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe, 00000001.00000002.1710681753.0000000002911000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe, 00000001.00000002.1710681753.0000000002911000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: q 1:en-CH:Microsoft\|VMWare\|Virtual
Source: RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe, 00000001.00000002.1710681753.0000000002911000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware\|VIRTUAL\|A M I\|Xen
Source: RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe, 00000001.00000002.1710681753.0000000002911000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: q 1:en-CH:VMware\|VIRTUAL\|A M I\|Xen
Source: RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe, 00000001.00000002.1710681753.0000000002911000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Microsoft\|VMWare\|Virtual
Source: aspnet_compiler.exe, 00000009.00000002.2457669122.0000000000BE8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll"

Source: C:\Users\user\Desktop\RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\Desktop\RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 44A000	Jump to behavior
Source: C:\Users\user\Desktop\RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 44C000	Jump to behavior
Source: C:\Users\user\Desktop\RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 94E008	Jump to behavior

Source: C:\Users\user\Desktop\RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"

Jump to behavior

Source: C:\Users\user\Desktop\RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe	Queries volume information: C:\Users\user\Desktop\RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected MSIL Logger

Source: Yara match	File source: 1.2.RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe.3a2a5c8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe.3a2a5c8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.2457220997.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1717952438.0000000003A07000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe PID: 6136, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: aspnet_compiler.exe PID: 7640, type: MEMORYSTR

Yara detected MassLogger RAT

Source: Yara match	File source: 00000009.00000002.2459620324.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: aspnet_compiler.exe PID: 7640, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 00000009.00000002.2459620324.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: aspnet_compiler.exe PID: 7640, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: Yara match	File source: 00000009.00000002.2459620324.0000000002C68000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: aspnet_compiler.exe PID: 7640, type: MEMORYSTR

Remote Access Functionality

Yara detected MSIL Logger

Source: Yara match	File source: 1.2.RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe.3a2a5c8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe.3a2a5c8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.2457220997.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1717952438.0000000003A07000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe PID: 6136, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: aspnet_compiler.exe PID: 7640, type: MEMORYSTR

Yara detected MassLogger RAT

Source: Yara match	File source: 00000009.00000002.2459620324.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: aspnet_compiler.exe PID: 7640, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 00000009.00000002.2459620324.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: aspnet_compiler.exe PID: 7640, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Windows Management Instrumentation	1 DLL Side-Loading	211 Process Injection	4 Virtualization/Sandbox Evasion	1 OS Credential Dumping	121 Security Software Discovery	Remote Services	1 Email Collection	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	4 Virtualization/Sandbox Evasion	Remote Desktop Protocol	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	211 Process Injection	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	1 Data from Local System	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	1 System Network Configuration Discovery	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	31 Obfuscated Files or Information	LSA Secrets	33 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	22 Software Packing	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe	39%	Virustotal		Browse
RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe	44%	ReversingLabs	Win32.Trojan.Generic
SAMPLE	100%	Joe Sandbox ML

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	104.21.48.1	true	false	high
checkip.dyndns.com	132.226.247.73	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/	false		high
https://reallyfreegeoip.org/xml/173.244.56.186	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://reallyfreegeoip.org/xml/173.244.56.186l	aspnet_compiler.exe, 00000009.00000002.2459620324.0000000002B7D000.00000004.00000800.00020000.00000000.sdmp	false	high
https://github.com/mgravell/protobuf-neti	RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe, 00000001.00000002.1725811441.0000000005810000.00000004.08000000.00040000.00000000.sdmp, RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe, 00000001.00000002.1717952438.0000000003C70000.00000004.00000800.00020000.00000000.sdmp, RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe, 00000001.00000002.1717952438.0000000003B86000.00000004.00000800.00020000.00000000.sdmp	false	high
https://stackoverflow.com/q/14436606/23354	RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe, 00000001.00000002.1725811441.0000000005810000.00000004.08000000.00040000.00000000.sdmp, RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe, 00000001.00000002.1717952438.0000000003C70000.00000004.00000800.00020000.00000000.sdmp, RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe, 00000001.00000002.1717952438.0000000003B86000.00000004.00000800.00020000.00000000.sdmp, RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe, 00000001.00000002.1710681753.0000000002911000.00000004.00000800.00020000.00000000.sdmp	false	high
https://github.com/mgravell/protobuf-netJ	RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe, 00000001.00000002.1725811441.0000000005810000.00000004.08000000.00040000.00000000.sdmp, RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe, 00000001.00000002.1717952438.0000000003C70000.00000004.00000800.00020000.00000000.sdmp, RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe, 00000001.00000002.1717952438.0000000003B86000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org/bot	aspnet_compiler.exe, 00000009.00000002.2459620324.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.comd	aspnet_compiler.exe, 00000009.00000002.2459620324.0000000002B7D000.00000004.00000800.00020000.00000000.sdmp	false	high
https://stackoverflow.com/q/11564914/23354;	RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe, 00000001.00000002.1725811441.0000000005810000.00000004.08000000.00040000.00000000.sdmp, RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe, 00000001.00000002.1717952438.0000000003C70000.00000004.00000800.00020000.00000000.sdmp, RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe, 00000001.00000002.1717952438.0000000003B86000.00000004.00000800.00020000.00000000.sdmp	false	high
https://stackoverflow.com/q/2152978/23354	RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe, 00000001.00000002.1725811441.0000000005810000.00000004.08000000.00040000.00000000.sdmp, RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe, 00000001.00000002.1717952438.0000000003C70000.00000004.00000800.00020000.00000000.sdmp, RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe, 00000001.00000002.1717952438.0000000003B86000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/173.244.56.186d	aspnet_compiler.exe, 00000009.00000002.2459620324.0000000002B7D000.00000004.00000800.00020000.00000000.sdmp	false	high
http://reallyfreegeoip.orgd	aspnet_compiler.exe, 00000009.00000002.2459620324.0000000002B9D000.00000004.00000800.00020000.00000000.sdmp	false	high
http://reallyfreegeoip.org	aspnet_compiler.exe, 00000009.00000002.2459620324.0000000002B9D000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.orgd	aspnet_compiler.exe, 00000009.00000002.2459620324.0000000002B7D000.00000004.00000800.00020000.00000000.sdmp	false	high
https://github.com/mgravell/protobuf-net	RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe, 00000001.00000002.1725811441.0000000005810000.00000004.08000000.00040000.00000000.sdmp, RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe, 00000001.00000002.1717952438.0000000003C70000.00000004.00000800.00020000.00000000.sdmp, RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe, 00000001.00000002.1717952438.0000000003B86000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org	aspnet_compiler.exe, 00000009.00000002.2459620324.0000000002B7D000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org	aspnet_compiler.exe, 00000009.00000002.2459620324.0000000002B6E000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000009.00000002.2459620324.0000000002B7D000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.com	aspnet_compiler.exe, 00000009.00000002.2459620324.0000000002B7D000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org/d	aspnet_compiler.exe, 00000009.00000002.2459620324.0000000002B7D000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe, 00000001.00000002.1710681753.0000000002911000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000009.00000002.2459620324.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/	aspnet_compiler.exe, 00000009.00000002.2459620324.0000000002B7D000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.48.1	reallyfreegeoip.org	United States		13335	CLOUDFLARENETUS	false
132.226.247.73	checkip.dyndns.com	United States		16989	UTMEMUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1672209
Start date and time:	2025-04-23 17:22:25 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 30s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe renamed because original name is a hash value
Original Sample Name:	RicevutaBonificoSepa1745392212214PDF.scr.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/0@2/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 91% Number of executed functions: 152 Number of non-executed functions: 18
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 184.29.183.29, 20.109.210.53
Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, c.pki.goog, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
11:23:52	API Interceptor	23x Sleep call for process: RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.48.1	Bank Details.exe	Get hash	malicious	FormBook	Browse	www.askvtwv8.top/uztg/
	Quotation.exe	Get hash	malicious	FormBook	Browse	www.coininsight.tech/rhz2/
	Details Of Our PO..exe	Get hash	malicious	FormBook	Browse	www.eczanem.shop/3ujc/
	js (10).js	Get hash	malicious	Unknown	Browse	baredaseco.pro/1.php?s=flibabc11
	NEW RFQ IMMUNOCHE JB#40044.exe	Get hash	malicious	FormBook	Browse	www.ppostealeone.shop/v25g/
	KYL-0242025E.exe	Get hash	malicious	FormBook	Browse	www.6644win.mom/hs6j/
	rMvNfCLq.exe.bin.exe	Get hash	malicious	FormBook	Browse	www.nolae-eu.shop/fgzv/?NL=C/ZTN0ZmEc67T73TXYejzaFfxzsMVB893CCje6nha4rH7EtVcHl81kdLGE91b+66ix1bC8dHSfqorsQFUwI5UDy1LqHAs9Ogp4/HoE/bzWOrp6BQYnBJsbY=&lT=KV6D1Z
	New Bulk Purchase Order.exe	Get hash	malicious	FormBook	Browse	www.eczanem.shop/3ujc/
	SecuriteInfo.com.Win32.DropperX-gen.1559.13899.exe	Get hash	malicious	FormBook	Browse	www.tqzjixmd.biz/1kjg/
	656654564.CMD.cmd	Get hash	malicious	DBatLoader, FormBook	Browse	www.shlomi.app/9rzh/
132.226.247.73	Shipment Document BLINV and packing list.jpg.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	checkip.dyndns.org/
	XGhvEwdmXdK4KG3.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	checkip.dyndns.org/
	SecuriteInfo.com.Win32.MalwareX-gen.31755.29106.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	Output.vbs	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	PO-PGT-25-030095-147_pdf.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	checkip.dyndns.org/
	Statment.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	SecuriteInfo.com.Win32.MalwareX-gen.14849.10684.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	checkip.dyndns.org/
	SecuriteInfo.com.Win32.MalwareX-gen.8624.8947.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	checkip.dyndns.org/
	TT copy of 44775usd.Balance Payments.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	SecuriteInfo.com.Win32.MalwareX-gen.12017.6654.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
checkip.dyndns.com	ORDER 0284725.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	Shipment Document BLINV and packing list.jpg.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	132.226.247.73
	Payment receipt.jpg.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	158.101.44.242
	Product Order.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	193.122.6.168
	P1CLT24008.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	PO3301-241000072.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	193.122.130.0
	ViHSmMuFt9W5KFM.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	193.122.6.168
	XGhvEwdmXdK4KG3.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	132.226.247.73
	25GP0089.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	1C25TMA_00000134.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	193.122.6.168
reallyfreegeoip.org	ORDER 0284725.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.96.1
	Shipment Document BLINV and packing list.jpg.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.16.1
	Payment receipt.jpg.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.16.1
	Product Order.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.64.1
	PO3301-241000072.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.80.1
	ViHSmMuFt9W5KFM.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.112.1
	XGhvEwdmXdK4KG3.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.112.1
	25GP0089.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.80.1
	1C25TMA_00000134.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.112.1
	Ljpovdqwl.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.80.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	https://forms.office.com/e/cKTtUPrCQw	Get hash	malicious	Tycoon2FA	Browse	172.66.0.227
	http://www.usedtelecomworld.com/2025/04/prodia.html	Get hash	malicious	Unknown	Browse	104.21.11.190
	http://heartandsoil.co	Get hash	malicious	Unknown	Browse	104.17.202.53
	swift copy.exe	Get hash	malicious	FormBook	Browse	104.21.65.118
	ORDER 0284725.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.96.1
	Message.eml	Get hash	malicious	Unknown	Browse	104.16.99.29
	https://lean-gander-5e8.notion.site/Magreesource-1de0bcafc256806c850fdb36c2831d0d	Get hash	malicious	Tycoon2FA	Browse	104.18.41.41
	Message.eml	Get hash	malicious	Unknown	Browse	104.16.99.29
	fd4bbca9823b9fe5b006194d60cdfc6d51cde629dc41b0035af899df43fe3b74.html	Get hash	malicious	Unknown	Browse	104.26.11.233
	https://EWHP8woVj8H6llgl9QoR.nvulb.es/jPN5BnTu/	Get hash	malicious	HTMLPhisher, Invisible JS, Tycoon2FA	Browse	104.21.33.142
UTMEMUS	ORDER 0284725.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	Shipment Document BLINV and packing list.jpg.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	132.226.247.73
	XGhvEwdmXdK4KG3.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	132.226.247.73
	2025-04-23T00_36_20-FedEx.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	132.226.8.169
	SecuriteInfo.com.Win32.MalwareX-gen.20415.13206.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	132.226.8.169
	SecuriteInfo.com.Win32.MalwareX-gen.31755.29106.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	Factura Honorarios.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	ORDER-25790-4478.vbs	Get hash	malicious	WSHRat, Snake Keylogger	Browse	132.226.8.169
	Output.vbs	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	Sat#U0131nalma Sipari#U015f Listesi.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	132.226.8.169

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	ORDER 0284725.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.48.1
	Shipment Document BLINV and packing list.jpg.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.48.1
	Payment receipt.jpg.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.48.1
	Product Order.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.48.1
	PO3301-241000072.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.48.1
	ViHSmMuFt9W5KFM.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.48.1
	XGhvEwdmXdK4KG3.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.48.1
	25GP0089.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.48.1
	1C25TMA_00000134.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.48.1
	Ljpovdqwl.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.48.1

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.26726235848486
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe
File size:	1'613'824 bytes
MD5:	c3929af0866fd2b69baa31ec2bb871f3
SHA1:	c17b0be3d788eda2220331bb0efa103540f2c8a8
SHA256:	906522531a0ff1d2d41b2beb95add917b2760836ee997155534301502122a89d
SHA512:	167dbadc4ff0831310d7726c0bca25448ebbe51866ccbdada4bc52e36e0e41aa94d9cb91ad9ef1e190afbd8fa25c61725ec4530ec00da129b68dbbcf744b1f4f
SSDEEP:	24576:I6dkQVNhOo077QzeVmW5GzMXzqWprg9+s+VO96uW3+NmYrJYvc:NVNSQzefaMXpc4s+VO96ua00
TLSH:	6375011537788632DE09D67AD0E25D4092E78F6A6BE1931E55C8B2EC0B323BD8F035D6
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...9..h................................. ........@.. ....................................`................................

File Icon


Icon Hash:	0e3333b0bbb3b035

Static PE Info

General

Entrypoint:	0x539fbe
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6808C439 [Wed Apr 23 10:43:05 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add al, 00h
add eax, dword ptr [eax]
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax+0000000Eh], al
loopne 00007F00010AAE13h
add byte ptr [eax+00000010h], al
adc byte ptr [edx], al
add byte ptr [eax+00000018h], al
inc eax
add al, byte ptr [eax]
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
or eax, 00000100h
add byte ptr [eax+02800000h], ch
add byte ptr [eax], al
add al, al
add byte ptr [eax], al
add byte ptr [ebx], 00000000h
add byte ptr [eax], al
fadd dword ptr [eax]
add byte ptr [eax+00000004h], al
lock add byte ptr [eax], al
add byte ptr [08000000h], 00000001h
add byte ptr [eax+00000006h], al
and byte ptr [ecx], al
add byte ptr [eax+00000007h], al
cmp byte ptr [ecx], al
add byte ptr [eax+00000008h], al
push eax
add dword ptr [eax], eax
or byte ptr [ecx], 00000000h
add byte ptr [eax], al
push 00000001h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x139f68	0x53	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x13a000	0x51c00	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x18c000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x137fc4	0x138000	b53cf54fd7df8d26f86191c814000427	False	0.9540569598858173	data	7.950057094931632	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x13a000	0x51c00	0x51c00	4b7b7f504f2cadcca3b662d561ee7b4e	False	0.07143539755351681	data	2.3525226722030483	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x18c000	0xc	0x200	eb3a7ec3cc7f81c5d3e906ff6144154f	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x13a370	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	0.7601351351351351
RT_ICON	0x13a498	0x368	Device independent bitmap graphic, 16 x 32 x 24, image size 832	0.7155963302752294
RT_ICON	0x13a800	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	0.6826241134751773
RT_ICON	0x13ac68	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	0.5389784946236559
RT_ICON	0x13af50	0xca8	Device independent bitmap graphic, 32 x 64 x 24, image size 3200	0.470679012345679
RT_ICON	0x13bbf8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	0.4378517823639775
RT_ICON	0x13cca0	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1536	0.36402439024390243
RT_ICON	0x13d308	0x1ca8	Device independent bitmap graphic, 48 x 96 x 24, image size 7296	0.33110687022900764
RT_ICON	0x13efb0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	0.30881742738589213
RT_ICON	0x141558	0xa68	Device independent bitmap graphic, 64 x 128 x 4, image size 2560	0.2924174174174174
RT_ICON	0x141fc0	0x3228	Device independent bitmap graphic, 64 x 128 x 24, image size 12800	0.26580996884735203
RT_ICON	0x1451e8	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 0	0.24244213509683515
RT_ICON	0x149410	0x42028	Device independent bitmap graphic, 256 x 512 x 32, image size 0	0.014139568600763382
RT_GROUP_ICON	0x18b438	0xbc	data	0.5797872340425532
RT_VERSION	0x18b4f4	0x3fc	data	0.40784313725490196
RT_MANIFEST	0x18b8f0	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
Comments	AhnLab V3 Lite Main UI Application
CompanyName	AhnLab, Inc.
FileDescription	AhnLab V3 Lite Main UI Application
FileVersion	4.0.0.117
InternalName	Jrmmupibk.exe
LegalCopyright	2018-2019 AhnLab, Inc. All rights reserved.
LegalTrademarks
OriginalFilename	Jrmmupibk.exe
ProductName	AhnLab V3 Lite
ProductVersion	4.0.0.117
Assembly Version	4.0.0.117

Network Behavior

Download Network PCAP: filtered – full

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-04-23T17:24:10.810040+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.6	49692	132.226.247.73	80	TCP

Network Port Distribution

Total Packets: 17
• 443 (HTTPS)
• 80 (HTTP)
• 53 (DNS)

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 23, 2025 17:24:09.805100918 CEST	49692	80	192.168.2.6	132.226.247.73
Apr 23, 2025 17:24:10.122848988 CEST	80	49692	132.226.247.73	192.168.2.6
Apr 23, 2025 17:24:10.122936964 CEST	49692	80	192.168.2.6	132.226.247.73
Apr 23, 2025 17:24:10.123397112 CEST	49692	80	192.168.2.6	132.226.247.73
Apr 23, 2025 17:24:10.440913916 CEST	80	49692	132.226.247.73	192.168.2.6
Apr 23, 2025 17:24:10.442923069 CEST	80	49692	132.226.247.73	192.168.2.6
Apr 23, 2025 17:24:10.448723078 CEST	49692	80	192.168.2.6	132.226.247.73
Apr 23, 2025 17:24:10.767698050 CEST	80	49692	132.226.247.73	192.168.2.6
Apr 23, 2025 17:24:10.810039997 CEST	49692	80	192.168.2.6	132.226.247.73
Apr 23, 2025 17:24:10.955342054 CEST	49693	443	192.168.2.6	104.21.48.1
Apr 23, 2025 17:24:10.955404043 CEST	443	49693	104.21.48.1	192.168.2.6
Apr 23, 2025 17:24:10.955481052 CEST	49693	443	192.168.2.6	104.21.48.1
Apr 23, 2025 17:24:10.963088989 CEST	49693	443	192.168.2.6	104.21.48.1
Apr 23, 2025 17:24:10.963105917 CEST	443	49693	104.21.48.1	192.168.2.6
Apr 23, 2025 17:24:11.352896929 CEST	443	49693	104.21.48.1	192.168.2.6
Apr 23, 2025 17:24:11.353027105 CEST	49693	443	192.168.2.6	104.21.48.1
Apr 23, 2025 17:24:11.358427048 CEST	49693	443	192.168.2.6	104.21.48.1
Apr 23, 2025 17:24:11.358437061 CEST	443	49693	104.21.48.1	192.168.2.6
Apr 23, 2025 17:24:11.358761072 CEST	443	49693	104.21.48.1	192.168.2.6
Apr 23, 2025 17:24:11.403820038 CEST	49693	443	192.168.2.6	104.21.48.1
Apr 23, 2025 17:24:11.408359051 CEST	49693	443	192.168.2.6	104.21.48.1
Apr 23, 2025 17:24:11.456267118 CEST	443	49693	104.21.48.1	192.168.2.6
Apr 23, 2025 17:24:12.034729958 CEST	443	49693	104.21.48.1	192.168.2.6
Apr 23, 2025 17:24:12.034826994 CEST	443	49693	104.21.48.1	192.168.2.6
Apr 23, 2025 17:24:12.034964085 CEST	49693	443	192.168.2.6	104.21.48.1
Apr 23, 2025 17:24:12.084450006 CEST	49693	443	192.168.2.6	104.21.48.1
Apr 23, 2025 17:25:15.785578966 CEST	80	49692	132.226.247.73	192.168.2.6
Apr 23, 2025 17:25:15.785667896 CEST	49692	80	192.168.2.6	132.226.247.73

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 23, 2025 17:24:09.658081055 CEST	49349	53	192.168.2.6	1.1.1.1
Apr 23, 2025 17:24:09.798521996 CEST	53	49349	1.1.1.1	192.168.2.6
Apr 23, 2025 17:24:10.770215988 CEST	54943	53	192.168.2.6	1.1.1.1
Apr 23, 2025 17:24:10.954298019 CEST	53	54943	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 23, 2025 17:24:09.658081055 CEST	192.168.2.6	1.1.1.1	0xb86	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Apr 23, 2025 17:24:10.770215988 CEST	192.168.2.6	1.1.1.1	0x747a	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 23, 2025 17:24:09.798521996 CEST	1.1.1.1	192.168.2.6	0xb86	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Apr 23, 2025 17:24:09.798521996 CEST	1.1.1.1	192.168.2.6	0xb86	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Apr 23, 2025 17:24:09.798521996 CEST	1.1.1.1	192.168.2.6	0xb86	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Apr 23, 2025 17:24:09.798521996 CEST	1.1.1.1	192.168.2.6	0xb86	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Apr 23, 2025 17:24:09.798521996 CEST	1.1.1.1	192.168.2.6	0xb86	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Apr 23, 2025 17:24:09.798521996 CEST	1.1.1.1	192.168.2.6	0xb86	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Apr 23, 2025 17:24:10.954298019 CEST	1.1.1.1	192.168.2.6	0x747a	No error (0)	reallyfreegeoip.org		104.21.48.1	A (IP address)	IN (0x0001)	false
Apr 23, 2025 17:24:10.954298019 CEST	1.1.1.1	192.168.2.6	0x747a	No error (0)	reallyfreegeoip.org		104.21.112.1	A (IP address)	IN (0x0001)	false
Apr 23, 2025 17:24:10.954298019 CEST	1.1.1.1	192.168.2.6	0x747a	No error (0)	reallyfreegeoip.org		104.21.64.1	A (IP address)	IN (0x0001)	false
Apr 23, 2025 17:24:10.954298019 CEST	1.1.1.1	192.168.2.6	0x747a	No error (0)	reallyfreegeoip.org		104.21.32.1	A (IP address)	IN (0x0001)	false
Apr 23, 2025 17:24:10.954298019 CEST	1.1.1.1	192.168.2.6	0x747a	No error (0)	reallyfreegeoip.org		104.21.80.1	A (IP address)	IN (0x0001)	false
Apr 23, 2025 17:24:10.954298019 CEST	1.1.1.1	192.168.2.6	0x747a	No error (0)	reallyfreegeoip.org		104.21.96.1	A (IP address)	IN (0x0001)	false
Apr 23, 2025 17:24:10.954298019 CEST	1.1.1.1	192.168.2.6	0x747a	No error (0)	reallyfreegeoip.org		104.21.16.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49692	132.226.247.73	80	7640	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Apr 23, 2025 17:24:10.123397112 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Apr 23, 2025 17:24:10.442923069 CEST	275	IN	HTTP/1.1 200 OK Date: Wed, 23 Apr 2025 15:24:10 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 34 34 2e 35 36 2e 31 38 36 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.244.56.186</body></html>
Apr 23, 2025 17:24:10.448723078 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Apr 23, 2025 17:24:10.767698050 CEST	275	IN	HTTP/1.1 200 OK Date: Wed, 23 Apr 2025 15:24:10 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 34 34 2e 35 36 2e 31 38 36 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.244.56.186</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49693	104.21.48.1	443	7640	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
2025-04-23 15:24:11 UTC	87	OUT	GET /xml/173.244.56.186 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-04-23 15:24:12 UTC	842	IN	HTTP/1.1 200 OK Date: Wed, 23 Apr 2025 15:24:11 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cf-Ray: 934e5dcceaaf5211-DEN Server: cloudflare Cache-Control: max-age=31536000 Cf-Cache-Status: MISS Last-Modified: Wed, 23 Apr 2025 15:24:11 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vy7M%2FZ8rGeRcfByuMBHFAYrCDHVE0C1RgkEWGQXfBFeLxWRry2EJKqT0ETFK1OhTAU8zOCPDBbELTMyMOIBcHNQjXNj6W5WJBHy3MeX4t2JnYY3UGJRRbdadWOkZmgHpcRMd5L7t"}],"group":"cf-nel","max_age":604800} Nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=188475&min_rtt=188368&rtt_var=39814&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2848&recv_bytes=701&delivery_rate=21429&cwnd=252&unsent_bytes=0&cid=193a81c5f34ef88b&ts=693&x=0"
2025-04-23 15:24:12 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 34 34 2e 35 36 2e 31 38 36 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 41 5a 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 41 72 69 7a 6f 6e 61 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 50 68 6f 65 6e 69 78 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 38 35 30 33 36 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 50 68 6f 65 6e 69 78 3c 2f 54 69 6d 65 5a 6f 6e Data Ascii: <Response><IP>173.244.56.186</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>AZ</RegionCode><RegionName>Arizona</RegionName><City>Phoenix</City><ZipCode>85036</ZipCode><TimeZone>America/Phoenix</TimeZon

Statistics

CPU Usage

• RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe
• aspnet_compiler.exe

Click to jump to process

Memory Usage

• RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe
• aspnet_compiler.exe

Click to jump to process

High Level Behavior Distribution

• File
• Registry
• Network

Click to dive into process behavior distribution

Behavior

• RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe
• aspnet_compiler.exe

Click to jump to process

Target ID:	1
Start time:	11:23:18
Start date:	23/04/2025
Path:	C:\Users\user\Desktop\RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe"
Imagebase:	0x510000
File size:	1'613'824 bytes
MD5 hash:	C3929AF0866FD2B69BAA31EC2BB871F3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000001.00000002.1725502694.0000000005790000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000001.00000002.1717952438.0000000003A07000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MSILLogger, Description: Yara detected MSIL Logger, Source: 00000001.00000002.1717952438.0000000003A07000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000001.00000002.1717952438.0000000003B86000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000001.00000002.1710681753.0000000002911000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	11:24:08
Start date:	23/04/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
Imagebase:	0x7c0000
File size:	56'368 bytes
MD5 hash:	FDA8C8F2A4E100AFB14C13DFCBCAB2D2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MSILLogger, Description: Yara detected MSIL Logger, Source: 00000009.00000002.2457220997.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.2459620324.0000000002C68000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000009.00000002.2459620324.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000009.00000002.2459620324.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage

Dynamic/Packed Code Coverage

Signature Coverage

Execution Coverage:	7.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	15%
Total number of Nodes:	20
Total number of Limit Nodes:	0

Executed Functions

Function 051D3E52 Relevance: 1.6, APIs: 1, Instructions: 83
nativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtResumeThread.NTDLL(?,?), ref: 051D3EE6

Memory Dump Source

Source File: 00000001.00000002.1722893739.00000000051D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_51d0000_RicevutaBonificoSepa1745392212214#U00b7PDF.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: b68cb7bbd719cc53c23fd98fd14d6577c06e538f61378ef6035e6fca6335f999
Instruction ID: 45cf841c09b6641cf4e269cd199bc899b5decdfbe476fd8c816b7e23b3b2e035
Opcode Fuzzy Hash: b68cb7bbd719cc53c23fd98fd14d6577c06e538f61378ef6035e6fca6335f999
Instruction Fuzzy Hash: 4D3189B5D012189FCB10CFA9D984A9EFBF1BB49310F20942AE815B7340D779A946CFA4

Function 051D3E58 Relevance: 1.6, APIs: 1, Instructions: 82
nativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtResumeThread.NTDLL(?,?), ref: 051D3EE6

Memory Dump Source

Source File: 00000001.00000002.1722893739.00000000051D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_51d0000_RicevutaBonificoSepa1745392212214#U00b7PDF.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: bdd07aaf9aecf9bdbd14e8ec7f7918e21c8ccdf810ba48b3a8a161e49b1971ab
Instruction ID: ca0ddcb181a8234a49a96b593649ee8506e430fe3cfa48eee51f2f74c5ea32d5
Opcode Fuzzy Hash: bdd07aaf9aecf9bdbd14e8ec7f7918e21c8ccdf810ba48b3a8a161e49b1971ab
Instruction Fuzzy Hash: 5A31ABB5D012189FCB10CFA9D980A9EFBF5FB49310F10942AE815B7340D779A945CFA4

Function 05FCF860 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1726066522.0000000005FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5fb0000_RicevutaBonificoSepa1745392212214#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fb3371105a08e85d6e03099163da855bfcd36796c3dbcdc68a250dfa32d9650
Instruction ID: 2eb7abd5b557e7730f9105965f0881d7176422e21e8879c84b38c2dc30c23202
Opcode Fuzzy Hash: 6fb3371105a08e85d6e03099163da855bfcd36796c3dbcdc68a250dfa32d9650
Instruction Fuzzy Hash: E7D1DD74E05219CFDB54DFA9D990A9DBBB2FF88300F2081A9D409AB365DB34AD85CF50

Function 051D2170 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1722893739.00000000051D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_51d0000_RicevutaBonificoSepa1745392212214#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32dd185674e62abef71a67fece6ed0c4aa90e6e8ed9382f777dbd0e4086908f1
Instruction ID: 125f0c0ee3eeeb95a8e6e47f6ae1356dc56a9375afb357b070f9bd434cb21a86
Opcode Fuzzy Hash: 32dd185674e62abef71a67fece6ed0c4aa90e6e8ed9382f777dbd0e4086908f1
Instruction Fuzzy Hash: 2AB11578E08218CFDB24CFA9D854BAEFBF2BB49304F508169E429A7345DB745985CF21

Function 051D2121 Relevance: .3, Instructions: 269COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1722893739.00000000051D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_51d0000_RicevutaBonificoSepa1745392212214#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc14453ad35e87f1aa4290ae6ee7a2cb46849275d1e77d05dbad0ce462e183b3
Instruction ID: 3e5e63a50738e2ca33d704c8b5b805020ab46be518b6bf81ccf821714c14c49a
Opcode Fuzzy Hash: cc14453ad35e87f1aa4290ae6ee7a2cb46849275d1e77d05dbad0ce462e183b3
Instruction Fuzzy Hash: 54B10678E09218CFDB24CFA9D854BADFBF2BB49304F1081AAE429A7245D7745985CF21

Function 051D2160 Relevance: .3, Instructions: 262COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1722893739.00000000051D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_51d0000_RicevutaBonificoSepa1745392212214#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30c95b132910958d5bf544717c84c0915dfc84fd9838c3fb65e57db0c835868f
Instruction ID: 3563a45fffcddf932015141afc6f27d1f443e2c408a10919c65c5daa33f44e2d
Opcode Fuzzy Hash: 30c95b132910958d5bf544717c84c0915dfc84fd9838c3fb65e57db0c835868f
Instruction Fuzzy Hash: 70B1F678D08218CFDB24CFA9D854BEEFBF2BB49304F50816AE429A7245D7745985CF21

Function 05FCF598 Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1726066522.0000000005FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5fb0000_RicevutaBonificoSepa1745392212214#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9df80845b388f51bf08bb35d0358ec473fc5e6ecb3451c1a641f0d3e3ac5dcd
Instruction ID: 8b99266f6996fa5a3903fa611b4305c7765051b63ad3dcbc7100ce66b47b7e21
Opcode Fuzzy Hash: d9df80845b388f51bf08bb35d0358ec473fc5e6ecb3451c1a641f0d3e3ac5dcd
Instruction Fuzzy Hash: 225107B5E0410A9BCB04CFA9D5846EEFBF2FF88310F248569D409E7354DB389941CB90

Function 027B541C Relevance: 4.0, Strings: 2, Instructions: 1478
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4, xrefs: 027B53F0
jjjjjj, xrefs: 027B42F3

Memory Dump Source

Source File: 00000001.00000002.1710568037.00000000027B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_27b0000_RicevutaBonificoSepa1745392212214#U00b7PDF.jbxd

Similarity

API ID:
String ID: 4$jjjjjj
API String ID: 0-102010443
Opcode ID: 2e72698515d74c30315a9d15bf28b45f8b6583e68d6c10451e9dd8243053e37e
Instruction ID: d51c7a9b64dc3036c56be557c111c2b8ab615eac3b8625dd3190f567a66a18d5
Opcode Fuzzy Hash: 2e72698515d74c30315a9d15bf28b45f8b6583e68d6c10451e9dd8243053e37e
Instruction Fuzzy Hash: A1E2267A250510EFDB4A9F98D948D55BBB2FF4D32471A81D8E20A9F232C732D861EF50

Function 027B5397 Relevance: 4.0, Strings: 2, Instructions: 1462
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4, xrefs: 027B53F0
jjjjjj, xrefs: 027B42F3

Memory Dump Source

Source File: 00000001.00000002.1710568037.00000000027B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_27b0000_RicevutaBonificoSepa1745392212214#U00b7PDF.jbxd

Similarity

API ID:
String ID: 4$jjjjjj
API String ID: 0-102010443
Opcode ID: 9a9711d192aaa591a5bb0934ee3101859ffd8c845d29f18426fde73b7d392069
Instruction ID: 08272163598d3e0b62c5cd8a660da47b987ef8dfbd8a2fcc45c32f984b001fa5
Opcode Fuzzy Hash: 9a9711d192aaa591a5bb0934ee3101859ffd8c845d29f18426fde73b7d392069
Instruction Fuzzy Hash: C6E2167A250510EFDB4A9F98D948D55BBB2FF4D32471A81D8E20A9F232C732D861EF50

Function 027B545D Relevance: 2.7, Strings: 1, Instructions: 1461
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

jjjjjj, xrefs: 027B42F3

Memory Dump Source

Source File: 00000001.00000002.1710568037.00000000027B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_27b0000_RicevutaBonificoSepa1745392212214#U00b7PDF.jbxd

Similarity

API ID:
String ID: jjjjjj
API String ID: 0-3900813449
Opcode ID: 780e21f8ca714af4232abf70b7d846d4011fefabeb53ca687ba21752523c507b
Instruction ID: c104e12b22b1fff7ffc5c153910a60696e38848b7b7df9ee42446b229cc3cb9e
Opcode Fuzzy Hash: 780e21f8ca714af4232abf70b7d846d4011fefabeb53ca687ba21752523c507b
Instruction Fuzzy Hash: 0AE2167A250510EFDB4A9F98D948D55BBB2FF4D32471A81D8E2099F232C732D861EF50

Function 027B54A8 Relevance: 2.7, Strings: 1, Instructions: 1459
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

jjjjjj, xrefs: 027B42F3

Memory Dump Source

Source File: 00000001.00000002.1710568037.00000000027B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_27b0000_RicevutaBonificoSepa1745392212214#U00b7PDF.jbxd

Similarity

API ID:
String ID: jjjjjj
API String ID: 0-3900813449
Opcode ID: bce365c18330165f7448fe776186618e4bf26e7090f1523d2472182247c79c69
Instruction ID: bb5bb0fdd63c038972efb0c39ff9973796813e3a25f88e74945a02803be00d77
Opcode Fuzzy Hash: bce365c18330165f7448fe776186618e4bf26e7090f1523d2472182247c79c69
Instruction Fuzzy Hash: F8E2167A250510EFDB4A9F98D948D55BBB2FF4D32471A81D8E20A9F232C732D861EF50

Function 051D195C Relevance: 1.8, APIs: 1, Instructions: 264
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 051D1BCF

Memory Dump Source

Source File: 00000001.00000002.1722893739.00000000051D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_51d0000_RicevutaBonificoSepa1745392212214#U00b7PDF.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 998c7bc6fd5decc048ce043c70b5950aa14fdfaf2a4b8df8105f255050f07aa5
Instruction ID: f138b5cce592a94dad6778c020937a245c89d0b808fb5455c26b1ada99b4e148
Opcode Fuzzy Hash: 998c7bc6fd5decc048ce043c70b5950aa14fdfaf2a4b8df8105f255050f07aa5
Instruction Fuzzy Hash: F6A111B1D04258DFDF10CFA9C885BEEFBB2BB49310F109569E859A7240DB788985CF51

Function 051D1968 Relevance: 1.8, APIs: 1, Instructions: 261
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 051D1BCF

Memory Dump Source

Source File: 00000001.00000002.1722893739.00000000051D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_51d0000_RicevutaBonificoSepa1745392212214#U00b7PDF.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 9529957a15c9ba03a47ff01632f6c9692abd16a62e0918a8bc339b6ab81c565b
Instruction ID: c13a8a885980e0a5a9f3fff4359e733b0633eaded825f64055809cd7bb278065
Opcode Fuzzy Hash: 9529957a15c9ba03a47ff01632f6c9692abd16a62e0918a8bc339b6ab81c565b
Instruction Fuzzy Hash: A3A111B0D0425C9FDF10CFA9C885BEEFBB2BB49300F109569E859A7240DB788985CF91

Function 051D37D0 Relevance: 1.6, APIs: 1, Instructions: 118
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNEL32(?,?,?,?,?), ref: 051D38AB

Memory Dump Source

Source File: 00000001.00000002.1722893739.00000000051D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_51d0000_RicevutaBonificoSepa1745392212214#U00b7PDF.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 6bb5dc20b39271c125305f809e804c180182c9d179f3f5596d94d75eb8b5b531
Instruction ID: 384482e822d921e9107b3ae10b2b23c3d65227a50d3ff336ab921b74ad1f3606
Opcode Fuzzy Hash: 6bb5dc20b39271c125305f809e804c180182c9d179f3f5596d94d75eb8b5b531
Instruction Fuzzy Hash: E1419BB5D012589FCF00CFA9D984ADEFBF1BB49310F14942AE429B7250D379AA45CF64

Function 051D37D8 Relevance: 1.6, APIs: 1, Instructions: 116
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNEL32(?,?,?,?,?), ref: 051D38AB

Memory Dump Source

Source File: 00000001.00000002.1722893739.00000000051D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_51d0000_RicevutaBonificoSepa1745392212214#U00b7PDF.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 082d12c019691b6649f537462900961d1eab8e1cfbdb4ec62299510f8a56dd88
Instruction ID: 06a2a231eef96934793f990d48c5132becb3dcf328f93f8a948bbf16c714d2a7
Opcode Fuzzy Hash: 082d12c019691b6649f537462900961d1eab8e1cfbdb4ec62299510f8a56dd88
Instruction Fuzzy Hash: 6E41ACB5D012589FCF00CFA9D984ADEFBF1BB49310F14942AE419B7250D379AA45CF64

Function 051D3500 Relevance: 1.6, APIs: 1, Instructions: 103
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 051D35B2

Memory Dump Source

Source File: 00000001.00000002.1722893739.00000000051D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_51d0000_RicevutaBonificoSepa1745392212214#U00b7PDF.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 24d0fb78decfe6d972ef0ac783d6a7a912de6a079558e57514d20437f7cbc917
Instruction ID: 770f9c29b62e475af8dde7aac352d845492e94201a18d90acf0dc41037dd64e0
Opcode Fuzzy Hash: 24d0fb78decfe6d972ef0ac783d6a7a912de6a079558e57514d20437f7cbc917
Instruction Fuzzy Hash: C631B8B9D042589FCF10CFA9D980ADEFBB1BB49310F10942AE825B7300D735A901CF64

Function 051D3508 Relevance: 1.6, APIs: 1, Instructions: 101
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 051D35B2

Memory Dump Source

Source File: 00000001.00000002.1722893739.00000000051D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_51d0000_RicevutaBonificoSepa1745392212214#U00b7PDF.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 60df169a3795a9d97eaeab687824e218b1cfd9c891d10e15c086dc8acf024c0c
Instruction ID: 313bbda8e505bb1aeef14089a60e5eb17a1f6200a7559dadf638ad5103b4d950
Opcode Fuzzy Hash: 60df169a3795a9d97eaeab687824e218b1cfd9c891d10e15c086dc8acf024c0c
Instruction Fuzzy Hash: 9131A8B8D052589FCF10CFA9D980ADEFBB1BB49310F10A42AE825B7310D735A941CF64

Function 051D2A28 Relevance: 1.6, APIs: 1, Instructions: 94
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 051D2AD7

Memory Dump Source

Source File: 00000001.00000002.1722893739.00000000051D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_51d0000_RicevutaBonificoSepa1745392212214#U00b7PDF.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 575a79897c656074ae7e04da0ab13bba13e81c19c843fccac1eb6ef67dc84128
Instruction ID: 5a4ef8f029750f99fcac29aa15878b2347b349142632eaff1820ffb41eac8dc6
Opcode Fuzzy Hash: 575a79897c656074ae7e04da0ab13bba13e81c19c843fccac1eb6ef67dc84128
Instruction Fuzzy Hash: E931BBB5D012589FCB10CFAAD984AEEFBF1FB49310F24802AE415B7240D778A945CF64

Function 051D2A22 Relevance: 1.6, APIs: 1, Instructions: 94
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 051D2AD7

Memory Dump Source

Source File: 00000001.00000002.1722893739.00000000051D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_51d0000_RicevutaBonificoSepa1745392212214#U00b7PDF.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 9f91c350b9b348234eedd579a171daf0a9b3ce142636b533f15f4a0c6ddf6c91
Instruction ID: 01b460c86740ba3c4664c2a77c61792a6f259971ca4c4d7c64a0ea75b7d9c791
Opcode Fuzzy Hash: 9f91c350b9b348234eedd579a171daf0a9b3ce142636b533f15f4a0c6ddf6c91
Instruction Fuzzy Hash: 8941BBB5D012599FCB14CFAAD984AEEFBF1BF48310F24842AE415B7240D778A945CF64

Function 027B4192 Relevance: 1.3, Strings: 1, Instructions: 9COMMON

Download Yara Rule

Strings

jjjjjj, xrefs: 027B42F3

Memory Dump Source

Source File: 00000001.00000002.1710568037.00000000027B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_27b0000_RicevutaBonificoSepa1745392212214#U00b7PDF.jbxd

Similarity

API ID:
String ID: jjjjjj
API String ID: 0-3900813449
Opcode ID: 5caf8b5e116e1065d82eb436c2bcf759f9be52bd1c271f9e468246a4fc159526
Instruction ID: 10dccc24f32fd01ff6dab4b9ac43d600645ebc6109345448a172f225902858c7
Opcode Fuzzy Hash: 5caf8b5e116e1065d82eb436c2bcf759f9be52bd1c271f9e468246a4fc159526
Instruction Fuzzy Hash: 07C04C1180D286DBCB135A6548F03F56F117D66151715D4E5D4851E507D1648547E221

Function 027B202D Relevance: .5, Instructions: 533COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1710568037.00000000027B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_27b0000_RicevutaBonificoSepa1745392212214#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57dc31d8e7e3512644a72cdf4c8331f485fbd193847c9db34f7f85e8b592744d
Instruction ID: 20c3061b8355293929a50fc0570f5cf0c9f5337f345e70e778dfd61e373ed248
Opcode Fuzzy Hash: 57dc31d8e7e3512644a72cdf4c8331f485fbd193847c9db34f7f85e8b592744d
Instruction Fuzzy Hash: 884212B0A06205CFD712DF18D688B99BBB1BF05314F55C1A9D819AF26BEB76D884CF40

Function 027B0CAB Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1710568037.00000000027B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_27b0000_RicevutaBonificoSepa1745392212214#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f5936a923cca64de3effafac673b2890bf473afba1beaf28b1a65f327ef1e4f
Instruction ID: 772c0049e17d27441516d1da242ffb5440a28ae833cf20ace71d2958b6942f2f
Opcode Fuzzy Hash: 9f5936a923cca64de3effafac673b2890bf473afba1beaf28b1a65f327ef1e4f
Instruction Fuzzy Hash: 1F81E4386182418FDB07DB39D8947EF7BB2EF85314F1484AAD40AEB295DB35E845CB50

Function 027B3D93 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1710568037.00000000027B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_27b0000_RicevutaBonificoSepa1745392212214#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e0897e91437c8971e4fae733088f066eb9273f83aa9657b5f13dcc93cfdb32b
Instruction ID: eaa45c5c44178552d7e4baac97cce1036db6958c90a3a138cba39b79629cbd70
Opcode Fuzzy Hash: 8e0897e91437c8971e4fae733088f066eb9273f83aa9657b5f13dcc93cfdb32b
Instruction Fuzzy Hash: AF613534704204CFD7169B798CA57AA7BA7EF89710F2045EAE406EB3D5DE309C86C7A1

Function 05FCF2C8 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1726066522.0000000005FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5fb0000_RicevutaBonificoSepa1745392212214#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 030c4956264729949e05d30c30a7e6bf62da47bbc16ea603e756d493798ad355
Instruction ID: 21bb86565e633d89b3fca052596a49dee3b5c3b2e9c3d9ba86fb079e04d4870f
Opcode Fuzzy Hash: 030c4956264729949e05d30c30a7e6bf62da47bbc16ea603e756d493798ad355
Instruction Fuzzy Hash: 9F513C74E44209EFDB04EFAAE544AADBBF2FB89305F108069D409BB354DB385945CF50

Function 027B5DF0 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1710568037.00000000027B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_27b0000_RicevutaBonificoSepa1745392212214#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82c60d24ea0803d2919fbb7d46d5d1b3b8449f0c89a09a4ba6dce38e2972845d
Instruction ID: 346e7aeb469c13ff489ec58973632fd8e2382b88de1acc9f256b888c3fa57701
Opcode Fuzzy Hash: 82c60d24ea0803d2919fbb7d46d5d1b3b8449f0c89a09a4ba6dce38e2972845d
Instruction Fuzzy Hash: 2341B135B002449FDB16DF79C498BEDBBE2EF89310FA54469E405EB3A1DA718C05CB90

Function 027B17D0 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1710568037.00000000027B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_27b0000_RicevutaBonificoSepa1745392212214#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56c911064589f4ed4f02de087493252e2da82d8b8810d77add3b78b550659709
Instruction ID: c26d699a6e16efebcfc1bd4bb8cd04ca1813db5d8e471d57ad0dd5baa51f53f6
Opcode Fuzzy Hash: 56c911064589f4ed4f02de087493252e2da82d8b8810d77add3b78b550659709
Instruction Fuzzy Hash: 56419F31B042058FCB4AABA598257AF7BA2FFC5760BA48539D509AB244DF309942CB91

Function 027B6511 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1710568037.00000000027B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_27b0000_RicevutaBonificoSepa1745392212214#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c018fe7ab46c5719e9902bb8879a67b1e4a4e61e35690fb6fd9d76b51dadca6
Instruction ID: cf3d924aa02a48e7c19e18d89500243df13fc3a68b7d754b0e52484f681b1d9d
Opcode Fuzzy Hash: 6c018fe7ab46c5719e9902bb8879a67b1e4a4e61e35690fb6fd9d76b51dadca6
Instruction Fuzzy Hash: FB3139717083514FD7128B3998517AABBE6EF8621471580BFE148DB356EE34DC06C760

Function 027B17C0 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1710568037.00000000027B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_27b0000_RicevutaBonificoSepa1745392212214#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d597dd7c16a501b9363df7c1ab7655777626745e60bb6c9d12e24a55b40077ab
Instruction ID: 5f33bf87f0e4c3ba4e587f4fe707972b1b18736449ade00489ff9b46b0f568df
Opcode Fuzzy Hash: d597dd7c16a501b9363df7c1ab7655777626745e60bb6c9d12e24a55b40077ab
Instruction Fuzzy Hash: 8431C431B082418FDF0BE76498367FA7BB2FF81760B988575D40DAB646DB348942C791

Function 027B1AF3 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1710568037.00000000027B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_27b0000_RicevutaBonificoSepa1745392212214#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52b2ed9ef7c5d18155d481f49ed3e454ba67f34a2049caa3979d25969f040001
Instruction ID: 600a8fdc8bed4ad03a2d5982dec8574dd3738f41c737a56c09fec578b2500442
Opcode Fuzzy Hash: 52b2ed9ef7c5d18155d481f49ed3e454ba67f34a2049caa3979d25969f040001
Instruction Fuzzy Hash: 0121B0313082419EE7238A3D99B87FBBBD5EF40398F94497AE44EC2690F764D885C750

Function 027BECF0 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1710568037.00000000027B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_27b0000_RicevutaBonificoSepa1745392212214#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfcd5ad7dce25165fe90bb005995c65e16bb868846c71882f733e9ef6d4713a0
Instruction ID: e437d461e02a6c55998d487690acd1b26d276f56cd714b23e72f9f3f2d73ff3f
Opcode Fuzzy Hash: dfcd5ad7dce25165fe90bb005995c65e16bb868846c71882f733e9ef6d4713a0
Instruction Fuzzy Hash: 163106B0D04208DFD705DFAAD1487EEBBF2EF49309F5094A9D409A3344EBB45A88CB61

Function 00D7D01C Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1710164968.0000000000D7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d7d000_RicevutaBonificoSepa1745392212214#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a6577e18eb4ccda25490ba78ab573ccb9bacf9f432b076e308feb6d46a727c5
Instruction ID: b3fceb178bdf24c769af5c3d457fe67bb798cdcb649900bf0394c417ac6d2d22
Opcode Fuzzy Hash: 9a6577e18eb4ccda25490ba78ab573ccb9bacf9f432b076e308feb6d46a727c5
Instruction Fuzzy Hash: 9221D072504244DFDB15EF14D984B26BF76EF84314F24C569E9490B242D33AD81ACAB2

Function 027B0BC8 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1710568037.00000000027B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_27b0000_RicevutaBonificoSepa1745392212214#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 889f33fbc98648366a4a9a2d33b41123508f2e61afdbdb8a10f56edb3d99f955
Instruction ID: d452a6051dbe4426e3c89998958608a92aaf25794190b44f16be23c1cd385439
Opcode Fuzzy Hash: 889f33fbc98648366a4a9a2d33b41123508f2e61afdbdb8a10f56edb3d99f955
Instruction Fuzzy Hash: 7821B038A042059FCB01DFB8D8849AEBBB2EFC5301B1085A9D406EB359DB30A906CF61

Function 05FB2563 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1726066522.0000000005FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5fb0000_RicevutaBonificoSepa1745392212214#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e78c1c60130669878f8ea696a40ec6fb5febda1315c8da401bc75d7fe4474c8
Instruction ID: 2cbb0050f06a3beafa3b0770241384873b88660a74bc3c4b02abf118b31ec34a
Opcode Fuzzy Hash: 9e78c1c60130669878f8ea696a40ec6fb5febda1315c8da401bc75d7fe4474c8
Instruction Fuzzy Hash: D2316478A05229CFDBA4DF28C898A99B7B1FB49314F1180D6D81CA7354DB349EC5CF50

Function 00D7D005 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1710164968.0000000000D7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d7d000_RicevutaBonificoSepa1745392212214#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e614a3d76f0a468cdbbb8804f37995b992c48b6257370a8cb1747f9ce8c27675
Instruction ID: 02c29e300a08fc5f05a6518b43116aed62df26791d2797fcf5bd964b35c036d9
Opcode Fuzzy Hash: e614a3d76f0a468cdbbb8804f37995b992c48b6257370a8cb1747f9ce8c27675
Instruction Fuzzy Hash: 0C2160755093808FCB12CF24D994B15BF72AF46314F29C1EAD8498B697C33A981ACB62

Function 027B1A73 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1710568037.00000000027B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_27b0000_RicevutaBonificoSepa1745392212214#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 186a69303c058a722df901e5867c409dd1ad73d46b143e85af41ea7232cbce1c
Instruction ID: fac7932687dd4e4eb462dd74f252c8afdff9191404ccd2d3484b23bd5fb28c23
Opcode Fuzzy Hash: 186a69303c058a722df901e5867c409dd1ad73d46b143e85af41ea7232cbce1c
Instruction Fuzzy Hash: 6611E9302046405FC3129B2CD864794B762FF46310F908755E55DEB7E1DB70BC558BB9

Function 027B0BD8 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1710568037.00000000027B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_27b0000_RicevutaBonificoSepa1745392212214#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fc81647ba86f91d4a12d22618e00859041486feed91a9c7126518e03bc10326
Instruction ID: 1018995495f89506b5cb4c715f373bf22605b30585e126bf4e6696c70c5eca52
Opcode Fuzzy Hash: 7fc81647ba86f91d4a12d22618e00859041486feed91a9c7126518e03bc10326
Instruction Fuzzy Hash: 61118478A042059FCB04DFA8D8459AEBBB2FFC8301F50C568D505EB358DB34AA06CF60

Function 027B63E0 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1710568037.00000000027B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_27b0000_RicevutaBonificoSepa1745392212214#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bedde72732c2dfe498ec3455367cf6c5eb6445cc85d323bf3c6f4baff3dc0433
Instruction ID: e64abe6cfa5dc138f622a185755caff34d45ead63b3d0baefc662d3c313b5c5f
Opcode Fuzzy Hash: bedde72732c2dfe498ec3455367cf6c5eb6445cc85d323bf3c6f4baff3dc0433
Instruction Fuzzy Hash: 1101B9777082441FC7169779A4117DEBBEACFC626472480BFE55DD3341EE21A8068770

Function 027B19CB Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1710568037.00000000027B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_27b0000_RicevutaBonificoSepa1745392212214#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45d8d8f86f060af713ddbe83426c2d648fbc0c92fc331c96fed7bc0b96eab21d
Instruction ID: eb6a0711b4ce150b033b63afab5804fcf5c2c598004cbd406b7e60bab38b23de
Opcode Fuzzy Hash: 45d8d8f86f060af713ddbe83426c2d648fbc0c92fc331c96fed7bc0b96eab21d
Instruction Fuzzy Hash: 5201F93070D1845FC31257699864BAA7BA2EF8B350F5544AAF60EF73A1DA30AC05C775

Function 027B15F1 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1710568037.00000000027B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_27b0000_RicevutaBonificoSepa1745392212214#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01736ead29777edb7bf44eaf32e6ca15185c87235f8b0e07bb9f9108cc65d5a5
Instruction ID: ba41dbb31f5c523fa24073b494a0ccb3f5431713efbed92d3754ae730e222976
Opcode Fuzzy Hash: 01736ead29777edb7bf44eaf32e6ca15185c87235f8b0e07bb9f9108cc65d5a5
Instruction Fuzzy Hash: C2117934A04104CFDB15CFA8E968BED77B1EF48309F6800A5E50AEB390DB349945CB52

Function 027B19D8 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1710568037.00000000027B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_27b0000_RicevutaBonificoSepa1745392212214#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e09a8fa26168916e441cbab655fc6a83f11999df498be7765dd1e236bec5a34
Instruction ID: 6333bb7571d7b0fbded13b2ffdd4f766d35d3d9777b5f81f463a1a497ea0b724
Opcode Fuzzy Hash: 3e09a8fa26168916e441cbab655fc6a83f11999df498be7765dd1e236bec5a34
Instruction Fuzzy Hash: BF0126307081049FC3119B59A824BAAB6D7FF8B350F51446AFA0EF7390DB30AC4087B9

Function 05FB57D6 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1726066522.0000000005FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5fb0000_RicevutaBonificoSepa1745392212214#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 432d5bd7aa78a89379c77c5a6703de7905202130a2a5775e708f88277680a2e8
Instruction ID: 1636d866d26c556dc82e17a339b3b371d34bc444b7918e1cd83c6575df5f0ef3
Opcode Fuzzy Hash: 432d5bd7aa78a89379c77c5a6703de7905202130a2a5775e708f88277680a2e8
Instruction Fuzzy Hash: 4C21BF74A0022ACFDB64DF18D898B99B7F5FB48304F1181EAA41DA7348DB349E85CF90

Function 05FB135A Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1726066522.0000000005FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5fb0000_RicevutaBonificoSepa1745392212214#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 273062fb6cbdc4d3a98a4d2e1385391e2fcfb71912978e63e5e02c24b589f063
Instruction ID: 41a95d1910be2c970c47b77fbc0a93050caa7902c2f564b0b1f888d561f7640f
Opcode Fuzzy Hash: 273062fb6cbdc4d3a98a4d2e1385391e2fcfb71912978e63e5e02c24b589f063
Instruction Fuzzy Hash: 5711E474905229CFEB64DF18C889BAAB7B1FB89304F1184E5E409A7346DF345E848F20

Function 05FB434A Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1726066522.0000000005FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5fb0000_RicevutaBonificoSepa1745392212214#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d750471fcba76276d6e9022ba848c31abb1b1818e62534c68a90017c2a7c234
Instruction ID: de523a1c0fa2f74bd2fdfd6d13926422d4981591b8045fd8e81a4ee3376553d5
Opcode Fuzzy Hash: 3d750471fcba76276d6e9022ba848c31abb1b1818e62534c68a90017c2a7c234
Instruction Fuzzy Hash: 51112270904229CFEBA8DF14D898BAAB7B5FB48304F1184E8E119A7244DF785E84CF50

Function 027B09A8 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1710568037.00000000027B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_27b0000_RicevutaBonificoSepa1745392212214#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a7ed2d59b0f2c6913d50ea28caa2183f2182fede51efb23e5e39dd8155bb807
Instruction ID: fa8696547f57c5e60e9c39528a041f514eb31be87e5eadf86d0affca87c0a64e
Opcode Fuzzy Hash: 0a7ed2d59b0f2c6913d50ea28caa2183f2182fede51efb23e5e39dd8155bb807
Instruction Fuzzy Hash: 23F0E235701B104FE70A673878280AE7FA2DBC769030880ADE44BC73B6EFA5194A4776

Function 027B6468 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1710568037.00000000027B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_27b0000_RicevutaBonificoSepa1745392212214#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a30b490bed4de159e5948ebd84d2c55a6528caf9ece08e36157b32eb8ce9b136
Instruction ID: cb2f1e7ac9727d6556d5e94db9be4f6aee24e3c35879ff4fa3f2d8f484d7c3e3
Opcode Fuzzy Hash: a30b490bed4de159e5948ebd84d2c55a6528caf9ece08e36157b32eb8ce9b136
Instruction Fuzzy Hash: 7AF027B2E046196ECB27DABCA5053FEBFF89D86254B14507AC649D2108E33047158BC1

Function 027B0A10 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1710568037.00000000027B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_27b0000_RicevutaBonificoSepa1745392212214#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b3ca5701c6816ad96017fac98cf25f216b92852e0d43b8bac495c7aec815e1b
Instruction ID: 243dd94c405fef624e58cb6aca8a501e09609deae6bc00a0b5ada2b229111259
Opcode Fuzzy Hash: 1b3ca5701c6816ad96017fac98cf25f216b92852e0d43b8bac495c7aec815e1b
Instruction Fuzzy Hash: F7F0E2326092405FC722127C581469BBFAA8FC7614B0944AFE04AD3383DA71EC8583A1

Function 027B0B59 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1710568037.00000000027B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_27b0000_RicevutaBonificoSepa1745392212214#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 671a2565afca7ab9491cf266b5c02fd5c9f51a91abfa6198cd052b8f142c4744
Instruction ID: 2557879c51bdcec18abc9af9f0c0ed0bb53f3710c7f095043ee824b13f51e664
Opcode Fuzzy Hash: 671a2565afca7ab9491cf266b5c02fd5c9f51a91abfa6198cd052b8f142c4744
Instruction Fuzzy Hash: 5EF0B4752082009FC701E76DE844B5ABFB1DBC9700B9001BDE54AEB3A5DA705C498BA4

Function 027B3066 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1710568037.00000000027B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_27b0000_RicevutaBonificoSepa1745392212214#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6c25c654c6bc532bf6a6bffd544f179863ec66acec599a786630c5435bd2592
Instruction ID: bd888a0fbaa8d7113500790144c4b34be94be191894df949e18e3ab9bcad2650
Opcode Fuzzy Hash: f6c25c654c6bc532bf6a6bffd544f179863ec66acec599a786630c5435bd2592
Instruction Fuzzy Hash: 42F05E32E05525CBEB179F08EC947E9F362FF44310B0196BAD81BA7551C731E8D58B85

Function 027B0A68 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1710568037.00000000027B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_27b0000_RicevutaBonificoSepa1745392212214#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d5c8b86220dc5cd389131fdb5630ebbfb34ea02ab3f0feb96c3d5381fdaa352
Instruction ID: 51fd6201539cabc531fc34aebd634c05a34adedceccf5d759dab59e76ec607e7
Opcode Fuzzy Hash: 2d5c8b86220dc5cd389131fdb5630ebbfb34ea02ab3f0feb96c3d5381fdaa352
Instruction Fuzzy Hash: 20F03071E152559FCB519BB868412EF7FF49E4E150B1408BAD48AE3201F6304A16C7D5

Function 027B09B8 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1710568037.00000000027B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_27b0000_RicevutaBonificoSepa1745392212214#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a78672235439efb10da19492aa94c93d3e104e759f058c52546eb62a7f4699fa
Instruction ID: ff5e33fd9fa3c9ac05ac043c030acebed027b9420cc9d6e895e3c0bfb1fd47ba
Opcode Fuzzy Hash: a78672235439efb10da19492aa94c93d3e104e759f058c52546eb62a7f4699fa
Instruction Fuzzy Hash: C2E09230300B108BC7087B79B81802D7A96DBC6A91344442CF50ED73A4EFF51D4547BA

Function 027B0A78 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1710568037.00000000027B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_27b0000_RicevutaBonificoSepa1745392212214#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9b2e6a643faed1b09e490bc9225a54aedde341294e8a2ac3c9426d53eb0dbbc
Instruction ID: f57760ab2826528d17f34e32ae3682109d1a933de9c5250c67dca4e24e82d22a
Opcode Fuzzy Hash: c9b2e6a643faed1b09e490bc9225a54aedde341294e8a2ac3c9426d53eb0dbbc
Instruction Fuzzy Hash: 01E0ED71F142259F4B509BB958042AE7BF8AF49554B00486AD40AE3350FA348E108BE5

Function 027B0AC1 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1710568037.00000000027B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_27b0000_RicevutaBonificoSepa1745392212214#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4c0a970938b0ad18948b7f381f7cfbc82ecad914a42ae0a391fc817ed10d503
Instruction ID: 7f8debfeef081db3a25778ccbfae922ec3d0af86601771d15c27d843dd6ec89b
Opcode Fuzzy Hash: f4c0a970938b0ad18948b7f381f7cfbc82ecad914a42ae0a391fc817ed10d503
Instruction Fuzzy Hash: E3E06DB4D093098FCF45DFB588452EFBFF1AE4E104F2549BED80AE2300E63042428B80

Function 027B0B10 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1710568037.00000000027B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_27b0000_RicevutaBonificoSepa1745392212214#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 170a43e33aed8a2156044ccb517a40e2f0c577b7f17546d593265707c557b00d
Instruction ID: 5b2750cf5008679a0a9ca5996bc157135f3739f2c1ea7eab56c55f7df2c04814
Opcode Fuzzy Hash: 170a43e33aed8a2156044ccb517a40e2f0c577b7f17546d593265707c557b00d
Instruction Fuzzy Hash: 52E092356182409FC7059B74A8189543BA1EB8922072140AEE84AC7361E9215C458B11

Function 05FCB9B8 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1726066522.0000000005FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5fb0000_RicevutaBonificoSepa1745392212214#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25665eb8ed141ee8053003dc11d92b589b7ae5bca2c357f348f7f52e20b8fc9e
Instruction ID: 12aac69cb38e21081cfcc578028064d6172ded2a1c43780024b5ffaad89bf3ce
Opcode Fuzzy Hash: 25665eb8ed141ee8053003dc11d92b589b7ae5bca2c357f348f7f52e20b8fc9e
Instruction Fuzzy Hash: 0AE0AE79E04208AFCB44DFA9D941AACFBF5AB48210F1081AA9819A7750E6359A51DB81

Function 05FC5E90 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1726066522.0000000005FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5fb0000_RicevutaBonificoSepa1745392212214#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25665eb8ed141ee8053003dc11d92b589b7ae5bca2c357f348f7f52e20b8fc9e
Instruction ID: e33708cb6734d1436be5ffc45230ed33fb7513a4f2ddf1447d869e111e867ad7
Opcode Fuzzy Hash: 25665eb8ed141ee8053003dc11d92b589b7ae5bca2c357f348f7f52e20b8fc9e
Instruction Fuzzy Hash: 48E03974D04208EFCB50DFA8C5406ACFBF4EB49300F10C0AD981893300D735AA51DF40

Function 05FCBE58 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1726066522.0000000005FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5fb0000_RicevutaBonificoSepa1745392212214#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25665eb8ed141ee8053003dc11d92b589b7ae5bca2c357f348f7f52e20b8fc9e
Instruction ID: 44a8ed078e7561632c355ab7a1c44252f11b75f7555ad059fc9e4089404bd96a
Opcode Fuzzy Hash: 25665eb8ed141ee8053003dc11d92b589b7ae5bca2c357f348f7f52e20b8fc9e
Instruction Fuzzy Hash: 5DE0AE79E04208EFCB44DFA8D941AADBBF5AB49210F1081AAD819A3350E7359A51DB91

Function 05FCA448 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1726066522.0000000005FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5fb0000_RicevutaBonificoSepa1745392212214#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25665eb8ed141ee8053003dc11d92b589b7ae5bca2c357f348f7f52e20b8fc9e
Instruction ID: f3220c99e43256450fcc3ac61f192e22e97949a6318c5c039c60f313ff0ede8a
Opcode Fuzzy Hash: 25665eb8ed141ee8053003dc11d92b589b7ae5bca2c357f348f7f52e20b8fc9e
Instruction Fuzzy Hash: 22E0AE75E04208AFCB44DFA8D945AACBBF5AB48210F10C1AA9859A3350E636AA51DB81

Function 05FCD3F0 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1726066522.0000000005FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5fb0000_RicevutaBonificoSepa1745392212214#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dda9517c8caa6366ce89bbca1a295f3df8e539cd77a53a953381bb965f13f3ec
Instruction ID: f03060ef728f09d279062e9497bf24bf51dd6a5a1d9b9a878bff0574a7d9be7b
Opcode Fuzzy Hash: dda9517c8caa6366ce89bbca1a295f3df8e539cd77a53a953381bb965f13f3ec
Instruction Fuzzy Hash: 96E0C274E04248AFCB84DFA8D5416ACBBF8AB48200F1081FD8818D7340E635AA42DB41

Function 05FCA158 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1726066522.0000000005FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5fb0000_RicevutaBonificoSepa1745392212214#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dda9517c8caa6366ce89bbca1a295f3df8e539cd77a53a953381bb965f13f3ec
Instruction ID: 89dd05a8a46d660993b821f42467495b3aea26dd81103b0dea3a3230a49e11f5
Opcode Fuzzy Hash: dda9517c8caa6366ce89bbca1a295f3df8e539cd77a53a953381bb965f13f3ec
Instruction Fuzzy Hash: F1E0C274E04208AFCB44DFA8D9416ACBBF4EB48200F1081AE9858D3351E635AA42CF41

Function 05FCF810 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1726066522.0000000005FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5fb0000_RicevutaBonificoSepa1745392212214#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dda9517c8caa6366ce89bbca1a295f3df8e539cd77a53a953381bb965f13f3ec
Instruction ID: e3f8175cb7fb43abdaf9b56ab16de9e9b47dcb1fe6e1ae427fc6f8a83043219a
Opcode Fuzzy Hash: dda9517c8caa6366ce89bbca1a295f3df8e539cd77a53a953381bb965f13f3ec
Instruction Fuzzy Hash: 0AE0C274E04208AFCB84DFA8D5416ADFBF5AB88300F1081AD881893350E735AA46CF81

Function 05FC8A68 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1726066522.0000000005FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5fb0000_RicevutaBonificoSepa1745392212214#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a627d4607211ed4a23600a9e59f40a96eb18ddc9e015b063dba7f27e4b68064
Instruction ID: 91304a2f0ae285e9e1d56e6006eb1fe0e93801f670e7b79b74a485224e29a5df
Opcode Fuzzy Hash: 0a627d4607211ed4a23600a9e59f40a96eb18ddc9e015b063dba7f27e4b68064
Instruction Fuzzy Hash: A9E01235D08208ABCB04DFA8D6416ACFBB9AB89204F1481EE881893341EA359A46DB91

Function 027B64C8 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1710568037.00000000027B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_27b0000_RicevutaBonificoSepa1745392212214#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4a395c44673332f0b2bfc25cd397600b20f28375975f3b0fe30373a60488ca8
Instruction ID: f4301d6acffeeb9e9d2fb62a91c9f0b078c00666015a9f76a7e553dc73e9c7bc
Opcode Fuzzy Hash: a4a395c44673332f0b2bfc25cd397600b20f28375975f3b0fe30373a60488ca8
Instruction Fuzzy Hash: 1FE0DF31A09205DFCB01CB78A9505AC7BB1DB40300B1080AAD40CEB361E6301E059B71

Function 05FCDFB0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1726066522.0000000005FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5fb0000_RicevutaBonificoSepa1745392212214#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46323664a54cf19f15b21af4c140773b955c86b4bd480c839458f1519a92ad54
Instruction ID: 9076acd2ac7e1853f16e85fd5d6fe1fa0563c540ca82be347d9892c3f23df19a
Opcode Fuzzy Hash: 46323664a54cf19f15b21af4c140773b955c86b4bd480c839458f1519a92ad54
Instruction Fuzzy Hash: 76E0C234908208DBC704EF94E9416ACFBB8FB85300F1081FCC80853340D7316E52CB91

Function 05FCB350 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1726066522.0000000005FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5fb0000_RicevutaBonificoSepa1745392212214#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2998434bf1d4d0c2188060b6433942c7519fe83fcc79bd1cc7de53f74fb4a0e
Instruction ID: a6e02d61940ba93fbc26d80d8b953fda7d8af358c895b2782de4d5e32f024e50
Opcode Fuzzy Hash: a2998434bf1d4d0c2188060b6433942c7519fe83fcc79bd1cc7de53f74fb4a0e
Instruction Fuzzy Hash: 7BE01272941209EBD700FFB4890969E77F8FF49214F9005A9940997220FE354A149BA6

Function 027B0B20 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1710568037.00000000027B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_27b0000_RicevutaBonificoSepa1745392212214#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7079ecfdfa02d5851366452299e4ec36f95478477e7dd0a81bd51b959ce8771e
Instruction ID: 2394b9a48f4ec99863a9d23e4dea4e44e8e9989bb856da19d2ed5497067d6651
Opcode Fuzzy Hash: 7079ecfdfa02d5851366452299e4ec36f95478477e7dd0a81bd51b959ce8771e
Instruction Fuzzy Hash: 77E012393145149FC344AB69E8589153BE6EB8C62172044A5E949C7364EE31AC418765

Function 027B6478 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1710568037.00000000027B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_27b0000_RicevutaBonificoSepa1745392212214#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cca9df804e2ba0ac46b5e67e8440c7b6e48cca0298fff3476198efcb5b10e880
Instruction ID: b2eb96cf118468f25fc5b802923de165b9f1e3e3fda2d330febf5d74e00a9d42
Opcode Fuzzy Hash: cca9df804e2ba0ac46b5e67e8440c7b6e48cca0298fff3476198efcb5b10e880
Instruction Fuzzy Hash: 83D017B1E0022A9F8B90EBBC99012EEBBF8AE48250B404476D519E7204E6308B108BD1

Function 027B64D8 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1710568037.00000000027B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_27b0000_RicevutaBonificoSepa1745392212214#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e690a2b59e4e71cd626245d96b7e6488c628e626af244f5e3f3a7358850dfce2
Instruction ID: ce977a4619f20de439ea8979bd7290613b1123a6db8bc650481e62de87e7dc3a
Opcode Fuzzy Hash: e690a2b59e4e71cd626245d96b7e6488c628e626af244f5e3f3a7358850dfce2
Instruction Fuzzy Hash: 4CD01730A00208EF8B00EFB8E94569DBBB9EB44210F1081AAE40CE7310EB316F009BA5

Function 027B0AF4 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1710568037.00000000027B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_27b0000_RicevutaBonificoSepa1745392212214#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ccfd8619dc778cade907f317c75da85280db1c423568f1be515c0eebd1f2d82
Instruction ID: 1f6de0cf29dabfe881d530f164be5137d694fa3bae501565709b0cbcd999038e
Opcode Fuzzy Hash: 2ccfd8619dc778cade907f317c75da85280db1c423568f1be515c0eebd1f2d82
Instruction Fuzzy Hash: F8C0123090424D8BCB51CBA478463BF7BA4EB4521AF1005999D0DD5700FA2100A0C5E1

Function 027B0850 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1710568037.00000000027B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_27b0000_RicevutaBonificoSepa1745392212214#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58b3977d4313ad06cd1fdba750a131749c1c6a10ba4a2cd9f56ccecd7ec6fc50
Instruction ID: 71b223086ccbee9fc3cf6b563c59b9a670c7b1f3ccd37c1377ce6b1d3acccc6e
Opcode Fuzzy Hash: 58b3977d4313ad06cd1fdba750a131749c1c6a10ba4a2cd9f56ccecd7ec6fc50
Instruction Fuzzy Hash: B2900231085B0C8B454227A5790D566775C95845157804155A60D816126B5664504AA5

Non-executed Functions

Function 05FCDFF0 Relevance: .2, Instructions: 196COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1726066522.0000000005FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5fb0000_RicevutaBonificoSepa1745392212214#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 844a66a920823bee6b04a31223cd9587ed49aa373756db0393f3194ac633f589
Instruction ID: b8b1b87891c2da6e034848a558155de6c6c691e855d1fdd3dd809017c3cbab03
Opcode Fuzzy Hash: 844a66a920823bee6b04a31223cd9587ed49aa373756db0393f3194ac633f589
Instruction Fuzzy Hash: 76812570E45219CFDB25DFA9C944BADBFBABF89300F5080B9C109AB241DB785985CF41

Function 027BEE48 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1710568037.00000000027B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_27b0000_RicevutaBonificoSepa1745392212214#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24bbb93e617d7d501015067644f9ca8dd5b9751cf22d812f170522878ddaccd4
Instruction ID: 9a66475abc3449bbac191d34134314f970cd68bda1220a8b0830edf023d0b537
Opcode Fuzzy Hash: 24bbb93e617d7d501015067644f9ca8dd5b9751cf22d812f170522878ddaccd4
Instruction Fuzzy Hash: 8171C770A096498FD708EF6BE851699BBF7EF88304F14C12AD408EB369EB741945CF61

Function 05FB0006 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1726066522.0000000005FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5fb0000_RicevutaBonificoSepa1745392212214#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 897d207567569a8b39668ab1e16b01ca7fd351a1a0e3f537a72dbc0057443b99
Instruction ID: 20dd39750d8d5a282941d3793f964445f22353021ec70ebf8407b7121ddb95a8
Opcode Fuzzy Hash: 897d207567569a8b39668ab1e16b01ca7fd351a1a0e3f537a72dbc0057443b99
Instruction Fuzzy Hash: B6310B71D047598BE729CF2BC84579ABBF7EF85300F05C0FA84189A256EB744A869F11

Function 05FB0040 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1726066522.0000000005FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5fb0000_RicevutaBonificoSepa1745392212214#U00b7PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 385a70e3bca70a0716bfc678ef4e827de766cd9b7b9b420f627f4f4102a386cf
Instruction ID: 12ba663096f34a1cab2d9f03bd8b2e09951df3ccb0b9234190aec73d8a178c89
Opcode Fuzzy Hash: 385a70e3bca70a0716bfc678ef4e827de766cd9b7b9b420f627f4f4102a386cf
Instruction Fuzzy Hash: 9521A971D04619CBEB28CF1B99587DAFAFBABC8200F04C0FAD51CA6255EB740A859E51

Analysis Process: aspnet_compiler.exePID: 7640, Parent PID: 6136COMMON

Execution Graph

Execution Coverage

Dynamic/Packed Code Coverage

Signature Coverage

Execution Coverage:	9.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	213
Total number of Limit Nodes:	21

Executed Functions

Function 0101D810 Relevance: 4.1, Strings: 3, Instructions: 308
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Ljo, xrefs: 0101DA6E
0oo, xrefs: 0101D8A6
Ljo, xrefs: 0101DA84

Memory Dump Source

Source File: 00000009.00000002.2459274493.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1010000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: 0oo$Ljo$Ljo
API String ID: 0-2199809179
Opcode ID: f191b01211d41a8348f6ac87b8ecad8898f8f4aa1dcf77aba18f31299e52ef84
Instruction ID: d499fc157a4e8a07bbbc369312eb1c5739bee00e3e55816f62510b58709dcb46
Opcode Fuzzy Hash: f191b01211d41a8348f6ac87b8ecad8898f8f4aa1dcf77aba18f31299e52ef84
Instruction Fuzzy Hash: 3EE1E474E05218CFDB54DFA9C988B9DBBF2FF49300F5080AAD449AB259DB789985CF01

Function 01013B3F Relevance: 2.6, Strings: 2, Instructions: 101
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

sD9p, xrefs: 01013C95
glT, xrefs: 01013B47

Memory Dump Source

Source File: 00000009.00000002.2459274493.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1010000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: glT$sD9p
API String ID: 0-1924688135
Opcode ID: 53598ff66ff37d376ffb4b67bccbab4f75e9c2392f3bc1cf3bcbda6b57f118c9
Instruction ID: 8e3274d6b1d3269724406522306b795da8804eaf308c048ad5318577660a55b5
Opcode Fuzzy Hash: 53598ff66ff37d376ffb4b67bccbab4f75e9c2392f3bc1cf3bcbda6b57f118c9
Instruction Fuzzy Hash: 5651A778E00258CFCB54DFA8D999AADBBB1FB48301F5085AAD80AE7365DB345945DF00

Function 06104058 Relevance: 1.0, Instructions: 1000COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2462912802.0000000006100000.00000040.00000800.00020000.00000000.sdmp, Offset: 06100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6100000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2ff8c82c6c841b76458fc138b9963170436d7c107e5c22371aeb7741e3d2dfd
Instruction ID: f85337d7c1641e5f9491f78380686bfde4ab918d77a923fea9542ea0d6f2b338
Opcode Fuzzy Hash: c2ff8c82c6c841b76458fc138b9963170436d7c107e5c22371aeb7741e3d2dfd
Instruction Fuzzy Hash: E8922634A00209DFEF54CF68D984AAEBBF2FF88310F158559E605AB2A1D774ED41CB94

Function 061032F8 Relevance: .9, Instructions: 905COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2462912802.0000000006100000.00000040.00000800.00020000.00000000.sdmp, Offset: 06100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6100000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8bfc861b6e7bf63a96bff50616ea4fcd572566a6ae85b76d099614a7a21dc97
Instruction ID: ca29a89caebbabe42c5f74d407b33c93cd19922223e15a58a8f048cedf9740c4
Opcode Fuzzy Hash: d8bfc861b6e7bf63a96bff50616ea4fcd572566a6ae85b76d099614a7a21dc97
Instruction Fuzzy Hash: 77727E70A0011A9FEF54CF69C884AAEBBB2FF89304F158569E415EB3A1DB74DD41CB90

Function 010142E0 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2459274493.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1010000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: deb912d4835660572a89e8b9586276441800b33490c24b5f040e59ad4975ab34
Instruction ID: cc953b05b4c25bec5d5135182a25f8a5b6831ae0e4283baecd5c87c2aedfa01f
Opcode Fuzzy Hash: deb912d4835660572a89e8b9586276441800b33490c24b5f040e59ad4975ab34
Instruction Fuzzy Hash: A9D1A174E00219CFDB54DFA9D990A9DBBB2FF89300F2081A9D509AB365DB35AD81CF50

Function 010142D0 Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2459274493.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1010000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 578a6462267fbd52220e46736e2b41b3ae459f2fcf7ae9b6b890a2626d6b844c
Instruction ID: 14ffc9d15fda3330dc448bbd055e66ff953d48d3527af673588cc8bb8387fec4
Opcode Fuzzy Hash: 578a6462267fbd52220e46736e2b41b3ae459f2fcf7ae9b6b890a2626d6b844c
Instruction Fuzzy Hash: 42A1B1B4A01219CFDB54DFA9D994A9DBBF2FF89300F1081A9D409AB365DB34AD85CF10

Function 0101C543 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2459274493.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1010000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 234fe63e0a29eb3b2a80e18346350cb631863bbe5c8699675c135937ce45c51c
Instruction ID: db4a6994e447a8807c0a87352f6184a04d88dbee03fb2a1ef3473acd40e1e40c
Opcode Fuzzy Hash: 234fe63e0a29eb3b2a80e18346350cb631863bbe5c8699675c135937ce45c51c
Instruction Fuzzy Hash: 2E516CB0D40258CFEB55CF6AD950B9DBBF2FF89304F1480AAD448AB265DB389885CF10

Function 0101C966 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2459274493.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1010000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c367cca7d0f20b1cf85fcfecebfca6565fea4e734fd7aae7be4adcacc0ae73ae
Instruction ID: 23b77d4900881cd79fb7896d7344d5e2383228c1775a2cc342b6382bb97085ce
Opcode Fuzzy Hash: c367cca7d0f20b1cf85fcfecebfca6565fea4e734fd7aae7be4adcacc0ae73ae
Instruction Fuzzy Hash: 9461F674A40219CFDB64DFA8D990BADB7F2FB49304F5485A9D449AB394DB34AD81CF00

Function 0101C530 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2459274493.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1010000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c43821ec9f3edab2c6470b027786ecc6fd06a7239934dc4fb70aafba06a42147
Instruction ID: 94db0c0010d6085d756f3406712909340eb2f3bdcbc66bed615db1cdb3ea66be
Opcode Fuzzy Hash: c43821ec9f3edab2c6470b027786ecc6fd06a7239934dc4fb70aafba06a42147
Instruction Fuzzy Hash: 67512970D40218CFEB58DFAAD950B9DB7F2FF89304F1481AAD449AB265DB389985CF10

Function 0101C5A8 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2459274493.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1010000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ad4ecb24adb8d65ee3b427ee44e26ee3a8d923150a0c21ec8c64aa2379e41f8
Instruction ID: 09e59c65b64f52f8b62a692f29cb0d9a490734cebf870ced19d09d3ed36666b4
Opcode Fuzzy Hash: 9ad4ecb24adb8d65ee3b427ee44e26ee3a8d923150a0c21ec8c64aa2379e41f8
Instruction Fuzzy Hash: 29510670E40218CFEB58DFAAD950B9DB7F2FF89304F1484AAD449AB265DB349985CF10

Function 061E439A Relevance: 2.8, Strings: 2, Instructions: 268
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

, xrefs: 061E4721
!, xrefs: 061E47F0

Memory Dump Source

Source File: 00000009.00000002.2463025561.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_61e0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: $!
API String ID: 0-2056089098
Opcode ID: ece8ec6cf71a4ac1fc31e3c78c69ec947b293ae12cc3fafade1c3a771442c6e4
Instruction ID: 475f15faf427bbb603aebc189b5c5aed92bc49550635af59dc6c60285b76fec6
Opcode Fuzzy Hash: ece8ec6cf71a4ac1fc31e3c78c69ec947b293ae12cc3fafade1c3a771442c6e4
Instruction Fuzzy Hash: 4EC104B8D45698CFEBA4CFA8C488BADBBF1FF49304F219559D009AB284C7748985DF41

Function 061E4489 Relevance: 2.8, Strings: 2, Instructions: 259
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

, xrefs: 061E4721
", xrefs: 061E4563

Memory Dump Source

Source File: 00000009.00000002.2463025561.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_61e0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: $"
API String ID: 0-3817095088
Opcode ID: 4c48b1d7ac0983a850059bd69af622ffa9e61ebeb0a535436f824ffcd1175fe9
Instruction ID: 9ad7c28423fb8f82496e3f36a6b964c8e452d5afb7895609190f6cc797589e3e
Opcode Fuzzy Hash: 4c48b1d7ac0983a850059bd69af622ffa9e61ebeb0a535436f824ffcd1175fe9
Instruction Fuzzy Hash: 77C114B8D45658CFEBA4CFA8C488BADBBF1FF49304F21955AD009AB284C7748985DF41

Function 01010C63 Relevance: 2.5, Strings: 2, Instructions: 25
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

K, xrefs: 01010CCC
<, xrefs: 01010C9F

Memory Dump Source

Source File: 00000009.00000002.2459274493.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1010000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: <$K
API String ID: 0-3268852824
Opcode ID: c9b1c67bd4e575f101597d3327cceb013367df3f8a02a19fb402af36e14cec30
Instruction ID: d7beaf71aecc7787e17edfdc60af69798172423737e2318ad2499e09f3a32b31
Opcode Fuzzy Hash: c9b1c67bd4e575f101597d3327cceb013367df3f8a02a19fb402af36e14cec30
Instruction Fuzzy Hash: 03F0E27090421CCBDB60DF59D894B9DB7B2EB45300F108099E089A3249CB385B88DF50

Function 06105120 Relevance: 2.1, Strings: 1, Instructions: 805
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

M, xrefs: 06105BD8

Memory Dump Source

Source File: 00000009.00000002.2462912802.0000000006100000.00000040.00000800.00020000.00000000.sdmp, Offset: 06100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6100000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: 692c5a18c2a076d2890a23e32decce8856d49ee07ea94c196cd246eb6b45b8ec
Instruction ID: f5640f3a73378c0d22eec7307171151b0efbc5d133375c3dc87fdce105722c2c
Opcode Fuzzy Hash: 692c5a18c2a076d2890a23e32decce8856d49ee07ea94c196cd246eb6b45b8ec
Instruction Fuzzy Hash: 51622E34A00219DFEB55DBA4CC60B9EBFB7FB84300F1080A9E14AAB3A5CE355D459F65

Function 061C6808 Relevance: 1.7, APIs: 1, Instructions: 199
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000009.00000002.2462971027.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_61c0000_aspnet_compiler.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 9625e00a04179e7e6a92895275773f4411b464997c74e7708a0db73e0f070dee
Instruction ID: c442bd1b8dfc7cb2f3fe064d38ef11686732357c8eb9c9b5fc0a0b22722c8bd5
Opcode Fuzzy Hash: 9625e00a04179e7e6a92895275773f4411b464997c74e7708a0db73e0f070dee
Instruction Fuzzy Hash: 7A713270A00B059FDBA4DF2AD440B6ABBF1FF88314F10892ED48AD7A50DB35E945CB91

Function 061C8990 Relevance: 1.6, APIs: 1, Instructions: 148
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 061C8B02

Memory Dump Source

Source File: 00000009.00000002.2462971027.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_61c0000_aspnet_compiler.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 12bfdef00580fef24ef03a9cc742f189391c643d4bd3a7c472ead932f730d803
Instruction ID: 59791ed8e4f666fe83d4c2b659fe6fca022f0cc04135aef3e3f19bfe16d7959a
Opcode Fuzzy Hash: 12bfdef00580fef24ef03a9cc742f189391c643d4bd3a7c472ead932f730d803
Instruction Fuzzy Hash: 325113B1C00249EFDF51CF99C980ADEBFB5BF49310F24815AE808AB221D7719995CF91

Function 061C5B8C Relevance: 1.6, APIs: 1, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 061C8B02

Memory Dump Source

Source File: 00000009.00000002.2462971027.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_61c0000_aspnet_compiler.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 0339e18dd7ac74bd75f9b05bdd49cf4efd1f249fc7f513145a26292112cc3324
Instruction ID: 470c89031537b90e0001ae39dfd3ed99107b78f4846dc406e12ad7fc43ab4e8d
Opcode Fuzzy Hash: 0339e18dd7ac74bd75f9b05bdd49cf4efd1f249fc7f513145a26292112cc3324
Instruction Fuzzy Hash: C151C0B1D003099FDB54CF99C884ADEBFB5BF88310F64812EE819AB210D775A945CF90

Function 061C5C7C Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 061CB1F1

Memory Dump Source

Source File: 00000009.00000002.2462971027.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_61c0000_aspnet_compiler.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 2adff154ebd5e2f8e5b59776a18253636cb65f545c0c3a42c76e77f5246228b8
Instruction ID: 577b6a9d113f45c5d79b5dfecc3f42f7901a2f9f8eb94b7818545125fb5dfebb
Opcode Fuzzy Hash: 2adff154ebd5e2f8e5b59776a18253636cb65f545c0c3a42c76e77f5246228b8
Instruction Fuzzy Hash: 4B4129B89002058FDB54CF99D849AAEFBF5FB98314F24C45DE519AB321D774A841CFA0

Function 061C59D0 Relevance: 1.6, APIs: 1, Instructions: 50
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,061C6824), ref: 061C6A5E

Memory Dump Source

Source File: 00000009.00000002.2462971027.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_61c0000_aspnet_compiler.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 2f05f644ca3382b6308a600b2c71819745f49478eddff122e27dff2d564f3bad
Instruction ID: 7a8d9849a660b65de0d7a2f8dc016a983f34f870dd7e712eb8e8cd528b140f02
Opcode Fuzzy Hash: 2f05f644ca3382b6308a600b2c71819745f49478eddff122e27dff2d564f3bad
Instruction Fuzzy Hash: 561102B6C006598FDB50CF9AC544A9EFBF4EB88324F10842ED469B7310D375A545CFA5

Function 061CC8B0 Relevance: 1.5, APIs: 1, Instructions: 46
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleInitialize.OLE32(00000000), ref: 061CD7AD

Memory Dump Source

Source File: 00000009.00000002.2462971027.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_61c0000_aspnet_compiler.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 4cbbc5f534123cec2bf5a40c142d417992ff5602730cdbea2ed0f89b4225e6c9
Instruction ID: 348a2282b78ead1fa2832d277a71929c8d33f7a3c392a9e43b251546e9e2bb9c
Opcode Fuzzy Hash: 4cbbc5f534123cec2bf5a40c142d417992ff5602730cdbea2ed0f89b4225e6c9
Instruction Fuzzy Hash: 1D11F2B5D003488FDB50DF9AD588B9EBBF4EB48224F208459E559B7300D379A944CBA5

Function 061CD750 Relevance: 1.5, APIs: 1, Instructions: 45
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleInitialize.OLE32(00000000), ref: 061CD7AD

Memory Dump Source

Source File: 00000009.00000002.2462971027.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_61c0000_aspnet_compiler.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: e4d42a21bdaafdf49c8a15d806543b0a3f186b5607f3eeeacf2420346efb12ae
Instruction ID: 5117dec9d8cab397139bc63006e39b51ad1d45c64b6fd22bc35425907cd2bbde
Opcode Fuzzy Hash: e4d42a21bdaafdf49c8a15d806543b0a3f186b5607f3eeeacf2420346efb12ae
Instruction Fuzzy Hash: E111F2B5D002498FDB20DF9AD544B9EFBF8AB48324F208419E559B3710D379A944CFA5

Function 061E2A55 Relevance: 1.4, Strings: 1, Instructions: 137
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

H, xrefs: 061E0198

Memory Dump Source

Source File: 00000009.00000002.2463025561.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_61e0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: H
API String ID: 0-2852464175
Opcode ID: 19313440373476f406a928b7863b22c3a553c27b872db0d1be6281622258bd77
Instruction ID: d10f38efb189d81ccfa0d84b8fb613fd506e5ff68f4671271efd5e9910a77439
Opcode Fuzzy Hash: 19313440373476f406a928b7863b22c3a553c27b872db0d1be6281622258bd77
Instruction Fuzzy Hash: 3A61F771D10A19CEDB60EF68C844BA9B7B1FF99300F1096DAE04D67150EB719AE4CF90

Function 0101A750 Relevance: 1.3, Strings: 1, Instructions: 95
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

P8T, xrefs: 0101A812

Memory Dump Source

Source File: 00000009.00000002.2459274493.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1010000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: P8T
API String ID: 0-474032189
Opcode ID: 36ec4c4772ed7e0d2fc1918c10f00705dd38572a493a7391829c0d115b43367a
Instruction ID: 147889f04d6f63db5335675fdd50a72b5cdf894434ee5243e530cbd842c86169
Opcode Fuzzy Hash: 36ec4c4772ed7e0d2fc1918c10f00705dd38572a493a7391829c0d115b43367a
Instruction Fuzzy Hash: 59411574D01209EFDB05DFA9E894ADDBBF1FF49300F14806AE416A7265EB385A46CF10

Function 0101A760 Relevance: 1.3, Strings: 1, Instructions: 89COMMON

Download Yara Rule

Strings

P8T, xrefs: 0101A812

Memory Dump Source

Source File: 00000009.00000002.2459274493.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1010000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: P8T
API String ID: 0-474032189
Opcode ID: f6483f4abbfd535d9c4e9463bc093de0c29254649e70a190bddc3064245c02d5
Instruction ID: 1d37f2b41e37ae09b5e2c9712150da66fd97be875359c579d33a9e4da2ab5773
Opcode Fuzzy Hash: f6483f4abbfd535d9c4e9463bc093de0c29254649e70a190bddc3064245c02d5
Instruction Fuzzy Hash: 2C31E574E01209DFDB05DFA9E894ADDBBF1FF49310F148069D416A7264EB385A45CF50

Function 01015B98 Relevance: 1.3, Strings: 1, Instructions: 41COMMON

Download Yara Rule

Strings

~, xrefs: 010161B5

Memory Dump Source

Source File: 00000009.00000002.2459274493.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1010000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: ~
API String ID: 0-1707062198
Opcode ID: 4b9eb28c782249e84beb34b0883d6d59ba702e1aec8a90a8b7876605be976544
Instruction ID: 674b9ca5f3dccc5909349464c3577f319d43bb3bc986706d630ba3ed0868eeb7
Opcode Fuzzy Hash: 4b9eb28c782249e84beb34b0883d6d59ba702e1aec8a90a8b7876605be976544
Instruction Fuzzy Hash: 9011E974904228DFDF609F64ED88B9CBBB1FF49315F1086D9E459A32A4CB781A88DF00

Function 061E8CB7 Relevance: 1.3, Strings: 1, Instructions: 27COMMON

Download Yara Rule

Strings

', xrefs: 061E8D21

Memory Dump Source

Source File: 00000009.00000002.2463025561.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_61e0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: '
API String ID: 0-1997036262
Opcode ID: 27598218b13cf00ebd6894c72c01d9f854c48c2143a4173f35351fb92ff40c04
Instruction ID: c57c57b9e869cbc9d97e569ecbb42e7f77cced93e420298bf0890dad45bce969
Opcode Fuzzy Hash: 27598218b13cf00ebd6894c72c01d9f854c48c2143a4173f35351fb92ff40c04
Instruction Fuzzy Hash: 55018074904618CFDBA4CF69CA88BD8BBF2EF09300F6051EAD509A7250CB309E82CF50

Function 0101AA78 Relevance: .5, Instructions: 477COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2459274493.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1010000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b5dd3cac9b6996e1847c0c69fa432fe3f8574b4b7959858e46b15efb787784c
Instruction ID: 07cdb10454ba58c79b12f21939d823488da6c2c5df91098cd3a4263549e3faaa
Opcode Fuzzy Hash: 8b5dd3cac9b6996e1847c0c69fa432fe3f8574b4b7959858e46b15efb787784c
Instruction Fuzzy Hash: 0AF17DB2D05360CFC7E28F28C445296B7F6BB25324F9584ADD48697215F7379D028FA2

Function 06105E60 Relevance: .4, Instructions: 409COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2462912802.0000000006100000.00000040.00000800.00020000.00000000.sdmp, Offset: 06100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6100000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65702568357a5cc06861c2f4c23e6632966dd0f43320bf883ac3809593bdce50
Instruction ID: cef93fe7d351cd493cbf98c4e58d2d4f840e8057380d0de93d6b207d75fddc54
Opcode Fuzzy Hash: 65702568357a5cc06861c2f4c23e6632966dd0f43320bf883ac3809593bdce50
Instruction Fuzzy Hash: CFF12D71E002158FDB44DFA8C984AADBBF6FF88310B168059E415EB3A1CB75EC51CB94

Function 06102A18 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2462912802.0000000006100000.00000040.00000800.00020000.00000000.sdmp, Offset: 06100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6100000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64dd28e9ea13ebe1799865ffef43fa73d51917ef9ab648474dc6002095743cc6
Instruction ID: fe3123a6915602c571c2db557ca3e147e6ead33ff8696a00c5caeeffb7e4df47
Opcode Fuzzy Hash: 64dd28e9ea13ebe1799865ffef43fa73d51917ef9ab648474dc6002095743cc6
Instruction Fuzzy Hash: AAC1F4307042118FEF599F64C898A6E7BE2EF89300F154469E546DB395CF78DD01DB91

Function 061EFA20 Relevance: .3, Instructions: 326COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2463025561.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_61e0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eedac675f037c08bc9ddf34c06c22d2c4be63ed0c5ebe19e3e1cbc9dfc8bcd57
Instruction ID: bd3475c6a8e24b21fe5f689715b7880f02306aaf6e58cc604384df5decf4184a
Opcode Fuzzy Hash: eedac675f037c08bc9ddf34c06c22d2c4be63ed0c5ebe19e3e1cbc9dfc8bcd57
Instruction Fuzzy Hash: 47D12A34E10619DFDB98DFA9D844A9DBBB2FF88314F118169E811AB3A1DB35DC42CB50

Function 06102ED8 Relevance: .2, Instructions: 233COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2462912802.0000000006100000.00000040.00000800.00020000.00000000.sdmp, Offset: 06100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6100000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 362dc05c5285f1f102332ff2032734f142394652a144aa807fc495fa7150809f
Instruction ID: 38a6442a4fd7327b60a5caea06e82624cab857341c6560dc19524c139bb14e66
Opcode Fuzzy Hash: 362dc05c5285f1f102332ff2032734f142394652a144aa807fc495fa7150809f
Instruction Fuzzy Hash: 8F81A434B04106CFEF94CFA9C88896ABBB6FF89340B158169E415D73E5D7B1D841CB91

Function 061EA1E0 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2463025561.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_61e0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff5bedc5b311352e283fc541191b2544905a58297f3b797a18169b29563915c3
Instruction ID: 07097a6aaf914928de3d86c1ad57986bc0c13feb7f44b453fdfe0986eb4960e3
Opcode Fuzzy Hash: ff5bedc5b311352e283fc541191b2544905a58297f3b797a18169b29563915c3
Instruction Fuzzy Hash: 5771B231F002589BDB55DFB9C85069EBBB2AFC8740F148429E505BB380DF34AD46CB95

Function 06104DD0 Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2462912802.0000000006100000.00000040.00000800.00020000.00000000.sdmp, Offset: 06100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6100000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4d22922f2b190c21d89b11399ef04085043556cf9bcd5abb55c339baab5a476
Instruction ID: f666796647a9c5a6aef643b6ebf14cfe28bd2d2b521c290755e49cf4d260b827
Opcode Fuzzy Hash: e4d22922f2b190c21d89b11399ef04085043556cf9bcd5abb55c339baab5a476
Instruction Fuzzy Hash: C351C231714111CFEB58DF3EC8D496A7BE9EF4924030644B9E616CB2A1DBB4DC01CBA0

Function 061E9827 Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2463025561.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_61e0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e3df5ef1a0f46619544cf10c9e362a32b592deb86b5400e5935082250fe1ad7
Instruction ID: a6d3ed36d116bc489ea11ef7ab092a38dab5800e6389116c1b36f56b4bf26b13
Opcode Fuzzy Hash: 6e3df5ef1a0f46619544cf10c9e362a32b592deb86b5400e5935082250fe1ad7
Instruction Fuzzy Hash: FB81E370D45619CFEBA8CFAAC844BADBBF1FF49300F1089A9D019AB264D7349985CF44

Function 0101FD08 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2459274493.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1010000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22a6ce863ed302ec78202ccfe49f7c54734a692122e7951aec521eddfe08a079
Instruction ID: 149622747a316ddd83fe7d91ec6fce21c03762ccfe1d4a259d1f42fc54385a41
Opcode Fuzzy Hash: 22a6ce863ed302ec78202ccfe49f7c54734a692122e7951aec521eddfe08a079
Instruction Fuzzy Hash: D051D370E04745CFE701EF69E8947AA7FE6EB4A344F048099D1808B289C67D9D09CBE1

Function 0101C62C Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2459274493.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1010000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c11be87f55fa42e2c5ad193aed576d14c63c1525df9d23afdb6fe7d714c1e991
Instruction ID: 736bb2bbb2e6744b6b0d64a1b2e6a2073a365940e8f7faf4847b2b2f77de0e55
Opcode Fuzzy Hash: c11be87f55fa42e2c5ad193aed576d14c63c1525df9d23afdb6fe7d714c1e991
Instruction Fuzzy Hash: 96510374E40218CFEB54DFA9D990BADB7F2FB49304F1494A9E449A7355DB38A981CF00

Function 061EA1DB Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2463025561.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_61e0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a5daa24c81a88023894258e1eab086867fdacb4cb577d672b2cb3447c4481b9
Instruction ID: ad7e75b3ffb553b78c1b337f16cb22aba55b82236990d413fd3ffca44646f0ef
Opcode Fuzzy Hash: 2a5daa24c81a88023894258e1eab086867fdacb4cb577d672b2cb3447c4481b9
Instruction Fuzzy Hash: 77412C35E006199BDB54DFA5C890ADEBBF6BF88710F248529E411B7240EB70ED45CBA0

Function 0101BCC0 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2459274493.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1010000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa9bb6f82777760088d24fdf6cf4c6848dbce7d9c38e4333af2870556fb41eb9
Instruction ID: ec848209adddd816f4bbb60a1a6ee0a9c9501c41421dafc226118319920b440f
Opcode Fuzzy Hash: fa9bb6f82777760088d24fdf6cf4c6848dbce7d9c38e4333af2870556fb41eb9
Instruction Fuzzy Hash: 8031F5317042288BDF5C667E499427E7AF6EFC4310F584079D946D3399EF7CC84586A2

Function 06103F48 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2462912802.0000000006100000.00000040.00000800.00020000.00000000.sdmp, Offset: 06100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6100000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9728b4471de1828354d4923afbc262fcdfb1c5a14d357b5397f8193e4112e28
Instruction ID: f5fb6d53617f28c4d4f73e32571d3f94f3edb5bb50596201474015655a92eb67
Opcode Fuzzy Hash: b9728b4471de1828354d4923afbc262fcdfb1c5a14d357b5397f8193e4112e28
Instruction Fuzzy Hash: B731B0326045119FDB058F68C898A55BBB8EF4A720B0542A2F879CF3E1C771EC51CBA2

Function 06102140 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2462912802.0000000006100000.00000040.00000800.00020000.00000000.sdmp, Offset: 06100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6100000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 570e1511ce3ab19418e1eea9165affb8d9a183b7e66e83d8a1769f5edd1b3241
Instruction ID: e7eb16912e63185be6646c6800a412d50c99d37536cfe7d27ce1818a3c7c3b9d
Opcode Fuzzy Hash: 570e1511ce3ab19418e1eea9165affb8d9a183b7e66e83d8a1769f5edd1b3241
Instruction Fuzzy Hash: 9831B531B44109AFDF45AFA4D858AAE7BA2FF88300F004019F90597295CB79CE61EBD0

Function 0101DF21 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2459274493.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1010000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80bb06388292286135756c853b2d8a6ea3227d0a091141d9c9ff8b46932dcba0
Instruction ID: c06e2870272e27bf44e8d0caf16c1bc21d1fa38be4e69284c110e339043f9447
Opcode Fuzzy Hash: 80bb06388292286135756c853b2d8a6ea3227d0a091141d9c9ff8b46932dcba0
Instruction Fuzzy Hash: B831F3B0C06649DFDB00DFA8D59CBAEBFF0FB0A705F209499D449A3A55E7789684CB01

Function 0101DF30 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2459274493.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1010000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8610270572428b0910d932b200a36ea1707d411ad0f98243a6a81a5aa90ce7d
Instruction ID: 834874864101d8a1001479394b482f5c6b2af8c0238c3369e80f9a94a4c3e867
Opcode Fuzzy Hash: d8610270572428b0910d932b200a36ea1707d411ad0f98243a6a81a5aa90ce7d
Instruction Fuzzy Hash: 6431D4B0C0660DDFDB40DFA8D58C7AEBBF0FB0A705F209499D449A3A54EB789684CB01

Function 06105E4F Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2462912802.0000000006100000.00000040.00000800.00020000.00000000.sdmp, Offset: 06100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6100000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e11c7616028da3bfc30c98c0e520df48e1e85079b782cf4fdfef8900f2aa7682
Instruction ID: 54963c6e4456a85c8592e2d7d9c3f7caf99f0e1a745ce99aa3a7707fd8e64ef6
Opcode Fuzzy Hash: e11c7616028da3bfc30c98c0e520df48e1e85079b782cf4fdfef8900f2aa7682
Instruction Fuzzy Hash: F7315C35E001058FCB04CF69C9849AEBBBBFF89354B258155E529973E1CB78AC41CFA0

Function 0101C81F Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2459274493.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1010000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e86d31f4c826d683c8374c405089bca97772bb483f5c2468348c72f4cdb49918
Instruction ID: f3e2bb5a5f4b7046d01141b61e5e8c5fd74de01e3bf9912ff92c4d09b3289ff3
Opcode Fuzzy Hash: e86d31f4c826d683c8374c405089bca97772bb483f5c2468348c72f4cdb49918
Instruction Fuzzy Hash: 51412874A40218CFEB54DFA8D994B9DB7F1FF49304F1454AAE449AB395DB34A981CF00

Function 0101CB1B Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2459274493.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1010000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49b0a05d5148e052c2a0a939ce91fdfde1f6a4db0eace6e7c69fc406848a4624
Instruction ID: 598a2bd9bfab3a2bf238029019810fe6181ff738d185c437eb56a55c354476c4
Opcode Fuzzy Hash: 49b0a05d5148e052c2a0a939ce91fdfde1f6a4db0eace6e7c69fc406848a4624
Instruction Fuzzy Hash: 30413974940218CFEB54DFA8DA94B9DB7F1FF4A304F1494AAD449AB295DB38A885CF00

Function 06104F18 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2462912802.0000000006100000.00000040.00000800.00020000.00000000.sdmp, Offset: 06100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6100000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ad63b47e076192469ae3304e35d55ef695213ca73c2e17f3ebd416ce8fcd789
Instruction ID: 24d7bafbc3478250edd4290df00123f98316bdfe566d25d95c58c80cf6df70d3
Opcode Fuzzy Hash: 9ad63b47e076192469ae3304e35d55ef695213ca73c2e17f3ebd416ce8fcd789
Instruction Fuzzy Hash: 2521A030704195DFFF58DE6D88C0ABB7BEEEB99240B054826F651CB284DBB0C801C7A0

Function 0101A8E2 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2459274493.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1010000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4303868d2c8daf9dd34874b0ee3a4f97ca09405d570e9af5f37b03900ae8a11
Instruction ID: 594320eb750737b9a9185b96f2e987c9fe67816764e80f93dd22fab188b16108
Opcode Fuzzy Hash: b4303868d2c8daf9dd34874b0ee3a4f97ca09405d570e9af5f37b03900ae8a11
Instruction Fuzzy Hash: 0221E139A01255DFCF11DBB8C4409EE37B1EF89220B21C599D84A9B254DA34EA42CBD1

Function 0101C85D Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2459274493.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1010000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f6b3d4988d0c236859c0e38a5d81132f757569fb1b1d8f3a7fa10db792329c1
Instruction ID: 2917621e91042bf3ea626b252c2e5dcb4841434b4657bb4f5873a8667f5be5ef
Opcode Fuzzy Hash: 6f6b3d4988d0c236859c0e38a5d81132f757569fb1b1d8f3a7fa10db792329c1
Instruction Fuzzy Hash: 47416A74940219CFEB54DFA8D990B9DB7F1FF4A304F1480AAD449AB395DB38A881CF00

Function 00FCD005 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2459051468.0000000000FCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fcd000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80d6ea91a89c722395d6d3b1e9255e6c57bb36e95fd2a2aca690208c16ffda16
Instruction ID: badb3b7f64e7a4de163eb4e17093eb67868d0f4881f74a892f5e9dbb5f473b6b
Opcode Fuzzy Hash: 80d6ea91a89c722395d6d3b1e9255e6c57bb36e95fd2a2aca690208c16ffda16
Instruction Fuzzy Hash: A2316F7154D3C49FC713CB24C990B15BF71AB46214F29C5EBD8898F2A7C23A980ACB62

Function 00FBD4F0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2458973265.0000000000FBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fbd000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b02566b85f4f9ce44af6ef2beb066fe8014087609c2918e7845ab035577fa160
Instruction ID: 3ebb344bb824d63fb1631f33c70e340d7999d0a81e46848b93c90c78a8899b4f
Opcode Fuzzy Hash: b02566b85f4f9ce44af6ef2beb066fe8014087609c2918e7845ab035577fa160
Instruction Fuzzy Hash: 7C214572904204DFDB25DF15D8C0F66BF65FB98328F288568E8090B256D336D816EFA3

Function 06102130 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2462912802.0000000006100000.00000040.00000800.00020000.00000000.sdmp, Offset: 06100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6100000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08040779da5528e21c9380a554c1a4e0676c464cb9b017e3c6b6d4342b24f558
Instruction ID: 5abee287b8b56882391568f8303c890374f7eeb27073a822366a5787b59d5e45
Opcode Fuzzy Hash: 08040779da5528e21c9380a554c1a4e0676c464cb9b017e3c6b6d4342b24f558
Instruction Fuzzy Hash: 75212930A482059FDF55AFA4D858B6B7BB6EF48310F004069F5058B396CB79CE55DBE0

Function 00FCD030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2459051468.0000000000FCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fcd000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5784650f938fc42d0d72f20004ee25f5b3cd082651b5913b9857818bc7ba51a4
Instruction ID: 0e71b515280d10c4e10243afb009c677dcc35db2d483486a13f82474c547861d
Opcode Fuzzy Hash: 5784650f938fc42d0d72f20004ee25f5b3cd082651b5913b9857818bc7ba51a4
Instruction Fuzzy Hash: 5F213771544205EFDB14DF18DAC1F2ABB65FB84324F24C57DE84A4B29AC33AD807DA62

Function 061EA3C0 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2463025561.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_61e0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cd48ef2061af30609618e33a10c759528facdc898029ae83e86e34c7d2f9114
Instruction ID: 394268e23e0d34b0e5132e97443509373afbe1d56390baedb0a1748afcf47d95
Opcode Fuzzy Hash: 8cd48ef2061af30609618e33a10c759528facdc898029ae83e86e34c7d2f9114
Instruction Fuzzy Hash: D411E935B0C2905FDB4A6FB8881055E7FA3DFC9250714445BE545DB382DE244D0697D6

Function 00FBD4EB Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2458973265.0000000000FBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fbd000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6aefa39c72e49aac85116d5fe2c4f933ecd2cd860edb7137c11890580317dc46
Instruction ID: 41b56cc58332fcaef9a63ab2f42ff7cfd5a38b8946b9ffbb7c35f7da886db226
Opcode Fuzzy Hash: 6aefa39c72e49aac85116d5fe2c4f933ecd2cd860edb7137c11890580317dc46
Instruction Fuzzy Hash: 28110376804240CFCB16CF00D5C0B56BF72FB84324F28C5A9D8090B656C33AD85ADFA2

Function 0101C8A7 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2459274493.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1010000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e92dc2272cb78d7ca8a52633e9f99f54304a0c81cf742b8f4b3bc993f902fbbf
Instruction ID: 0d6cbf23223d1d54b5951503a850739dc034cf54bfb6bcc6b872f610088dd97a
Opcode Fuzzy Hash: e92dc2272cb78d7ca8a52633e9f99f54304a0c81cf742b8f4b3bc993f902fbbf
Instruction Fuzzy Hash: AE111274E81249CFEB14CFA9CA88AADBBF2BF49310F149469C045AB259D778C945CF00

Function 061EA668 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2463025561.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_61e0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba070076dcf4e1402367e0239823c1e1646a784677222dd6faddf913570dd5c3
Instruction ID: ae809606c3b5a5cc27dd31436cceadf643176d5e0bf8d007dedb95f22c57d854
Opcode Fuzzy Hash: ba070076dcf4e1402367e0239823c1e1646a784677222dd6faddf913570dd5c3
Instruction Fuzzy Hash: CB1167768002499FDB10CF99C945BDEBFF8EF48320F108419E558B7250C339AA90DFA5

Function 061E9F30 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2463025561.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_61e0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14640fbdb2cda8e495fd6ac900313a39ebb05a1fa7de30e956c141240303c700
Instruction ID: 0cb37df5361b122a891afa2cff200443d80c6bbf229ee7179f3f00e411724156
Opcode Fuzzy Hash: 14640fbdb2cda8e495fd6ac900313a39ebb05a1fa7de30e956c141240303c700
Instruction Fuzzy Hash: 011156768002499FDB10CF99C944BEEBFF4EF48320F108419E618B7210D339A950DFA5

Function 06102978 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2462912802.0000000006100000.00000040.00000800.00020000.00000000.sdmp, Offset: 06100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6100000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a7e8c6a3a4f4f245f361b738d93ba19cfa7781ce7de4012991813458f13ded7
Instruction ID: 3ad9a42fd7fb628979a192ffda9eaf6bf41952060bc0a2d072a445f0ca160372
Opcode Fuzzy Hash: 4a7e8c6a3a4f4f245f361b738d93ba19cfa7781ce7de4012991813458f13ded7
Instruction Fuzzy Hash: 3F017B32A041443FDB169F559C01AEB3FEADF8A350B148016F584C3181CA71C911D7E0

Function 0101E790 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2459274493.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1010000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe57cfee0dbdf6081fb60991d2d116bcfd0a219f361143a0ff25291e86bea5fa
Instruction ID: e6d8d0356e540f67fe0cf846c96dc61fae50468d5f45fc6ca65a1a756188ecda
Opcode Fuzzy Hash: fe57cfee0dbdf6081fb60991d2d116bcfd0a219f361143a0ff25291e86bea5fa
Instruction Fuzzy Hash: 4E01D132B002158BE765ABBAD84866E76EBAFC45643604479EE05C7314FE74DC0086A1

Function 0101E792 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2459274493.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1010000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71a675418a154bacc47669b551512dbd6cde91ed9526d8421bc27115dece683e
Instruction ID: 92be28ac2bdb2cf18de7ca3bdfead0e1b62d33a79d059d5fdbf28068b50dcfb6
Opcode Fuzzy Hash: 71a675418a154bacc47669b551512dbd6cde91ed9526d8421bc27115dece683e
Instruction Fuzzy Hash: 6E018136B002158FE765ABB9984867E76EBAFC46643604479ED05C7314FE74DC0186A1

Function 06102988 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2462912802.0000000006100000.00000040.00000800.00020000.00000000.sdmp, Offset: 06100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6100000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d541941bff026b8efccd72093258a9a185e7d00a42105670c5d7f638e957355
Instruction ID: 7ed7f519b99e1d487dec97be36585a69c7710dac2d3f812192cf1a451f5dd6b6
Opcode Fuzzy Hash: 7d541941bff026b8efccd72093258a9a185e7d00a42105670c5d7f638e957355
Instruction Fuzzy Hash: 71012632F400146F9F45AE559C04AAF3BDBDFC8790B14802AF505D3280CBB18D119BE0

Function 01013810 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2459274493.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1010000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdcca5d0fecd24bc691f8ab7c1b3d1fdd7a0ae904c79d231412525bccdadd063
Instruction ID: cb43b05d8b9c0b214613ae93752995cd5142deae0cafa7dba9dbc3f735b3fb39
Opcode Fuzzy Hash: cdcca5d0fecd24bc691f8ab7c1b3d1fdd7a0ae904c79d231412525bccdadd063
Instruction Fuzzy Hash: 3B115A74A0021ACFCF58DFA8D940BAEB7B2FB85300F0089A5E445EB258D7799A41CF54

Function 0610F698 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2462912802.0000000006100000.00000040.00000800.00020000.00000000.sdmp, Offset: 06100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6100000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8aec873e56a5389433f20c530237b09b6c27f4fc7669386e637f85623f0fea97
Instruction ID: 42de37bd33586cca644ef07984181fbba9c97aad8665e2928ca925b141bef60f
Opcode Fuzzy Hash: 8aec873e56a5389433f20c530237b09b6c27f4fc7669386e637f85623f0fea97
Instruction Fuzzy Hash: E4F01D30B041089BCB08EBB8955AB6D7AE6EF84300F2084789509AB795DE789E46DB95

Function 061E9570 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2463025561.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_61e0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63249fe4ad8cbc64a63f9856bf35991ecdcc504ac0607dcf3abae885ec91143b
Instruction ID: ffdc6b192bcff08efe48dea89a7541412fe7ac5be475b950600b833c413de5af
Opcode Fuzzy Hash: 63249fe4ad8cbc64a63f9856bf35991ecdcc504ac0607dcf3abae885ec91143b
Instruction Fuzzy Hash: 5601E474E05618CFEB68CF29C940BA9B7F2AF49301F0598E6D50DA3242E3308A81CF51

Function 061EA430 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2463025561.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_61e0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b5ad3a847dcf4e42aaf946ab488fe6aae5124d45f426117bccc672f29b2016b
Instruction ID: ba36e6ad9970ddbb3793e6f177f4591da5c7796a5ef951031ac1cd600ba6925d
Opcode Fuzzy Hash: 8b5ad3a847dcf4e42aaf946ab488fe6aae5124d45f426117bccc672f29b2016b
Instruction Fuzzy Hash: D0F0E9727041287B9B099E98DC408AF7FABEBC8250B00442AFA09D3340DA359C11A7A9

Function 061E39E3 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2463025561.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_61e0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c519242db9f09fb5badc5453b296a1badf075825d691021bd5bb111055dc08b
Instruction ID: 7efbab1cd434b98b42bb0a73ad59c422c98d6860b051772549f69323b64c0442
Opcode Fuzzy Hash: 6c519242db9f09fb5badc5453b296a1badf075825d691021bd5bb111055dc08b
Instruction Fuzzy Hash: EB017270A44569CFDBA8DA19C8547ACB6F6FB84304F11C5E4909AA7260DF349EC2DF90

Function 061E9794 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2463025561.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_61e0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bb61f9ba4608b14b58a3914c2b2e996ca07c6ee4780576e9503c790d3a46900
Instruction ID: 8da207caa8af1c78a17f8b5948c2e9c4c99b7d59869065feddaa119e6f0b041c
Opcode Fuzzy Hash: 5bb61f9ba4608b14b58a3914c2b2e996ca07c6ee4780576e9503c790d3a46900
Instruction Fuzzy Hash: AB01D6B0D44228CFDBA4DB68C895BEDB7B1AB59300F1085A9D089A7290CBB46EC4CF44

Function 061E8C1F Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2463025561.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_61e0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ea34d1ba5de96512b88578b42bb505586a79336656d89c071f948a38a630734
Instruction ID: 5f1ccacb6ad3d137f1a466f89ffa5b96ff4652988505e090258373be60299ff8
Opcode Fuzzy Hash: 1ea34d1ba5de96512b88578b42bb505586a79336656d89c071f948a38a630734
Instruction Fuzzy Hash: 130160B4901618CFDBA4CF68C994B9DB7B2EF09305F2045E9D509A7360DB359E81CF40

Function 061E8680 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2463025561.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_61e0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e87ed1456069ff50c87d2aa6261e649af5b4f334f5820e5e4114e1a08589ffa6
Instruction ID: f27f3ebce34d485f4ea97bfde7075bbc5b7c41321ccc21f996ddfd7c70bbf275
Opcode Fuzzy Hash: e87ed1456069ff50c87d2aa6261e649af5b4f334f5820e5e4114e1a08589ffa6
Instruction Fuzzy Hash: 5201AF74A01218CFDBA4CF69C994BE9B7F2FF09304F6001A9D04AAB291DB359E91CF01

Function 01010890 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2459274493.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1010000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e7e94218b0cba0418dbd957d58e30b7e1fab001ccc1f6280fa574ba6ce8fa41
Instruction ID: 61418db9bb2a12cd0594593b9bf6699f712f079217c2f6bee9031453ec77437b
Opcode Fuzzy Hash: 0e7e94218b0cba0418dbd957d58e30b7e1fab001ccc1f6280fa574ba6ce8fa41
Instruction Fuzzy Hash: 46E09B7044C3C98FD712C7B4A8656D97FB16B03600B1541DBE4E99705BD6B94186C752

Function 01013521 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2459274493.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1010000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a02a560110ec4bb9a9f349979dff8d4daf2fb7e68c7f6d2becc6269a611e6437
Instruction ID: 0a40af665942f9a318f411b3013997d91663b0dcd0c5212817f8b958890fe828
Opcode Fuzzy Hash: a02a560110ec4bb9a9f349979dff8d4daf2fb7e68c7f6d2becc6269a611e6437
Instruction Fuzzy Hash: 70F05E3050021BCFCF24DFA8E840BAE7B70FB42315F000A54E045BB294D7B99A458F54

Function 01013F17 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2459274493.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1010000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12852b23e6c904d4824b7071eb445babf1bfc4bda9fac5592ab0b4eec6f278f4
Instruction ID: a34747f7253dae28d843d7eb3ec340f38089cf243c1673b00fc97f6f00220b08
Opcode Fuzzy Hash: 12852b23e6c904d4824b7071eb445babf1bfc4bda9fac5592ab0b4eec6f278f4
Instruction Fuzzy Hash: BFE0E5B280125CAFE754DF74EA067D97BB4EB02208F00019DC18457190EB751904D740

Function 061E876D Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2463025561.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_61e0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61d20a9b25307447c45d78947f92d2bea7e3c10ba34a3d175f6a08810949704f
Instruction ID: 2d4d9f2cb0d319a2fd82864a199b6537b49da8bbdd37c381a261ed5c7d064542
Opcode Fuzzy Hash: 61d20a9b25307447c45d78947f92d2bea7e3c10ba34a3d175f6a08810949704f
Instruction Fuzzy Hash: 5FF01275A54228CFEB24DF10D886BECB7B2FB44301F1081A9E049A7294CB384E84EF90

Function 0101A8A1 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2459274493.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1010000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f616cab87596a66cc41bd273d78b0ef5c60e61b3ad8fca0dc8465f32cfb33bd
Instruction ID: b3de92660389dda7a213a5438a23be02e4e4dab65803132bae0c2af0efa68c65
Opcode Fuzzy Hash: 2f616cab87596a66cc41bd273d78b0ef5c60e61b3ad8fca0dc8465f32cfb33bd
Instruction Fuzzy Hash: 73E02631C203A78BCB02ABF0AC080EEBF34EFC2210B4482ABC16437001EB30161AC3A1

Function 01013F28 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2459274493.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1010000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98c90d789d319c52e2fc5fcff23f4e0944ed845ded88e3c0c9107e6cab7a31b5
Instruction ID: eb4163cd775deddabc19f60cdafed0589b16b78f5660ed90363acba4b72334ed
Opcode Fuzzy Hash: 98c90d789d319c52e2fc5fcff23f4e0944ed845ded88e3c0c9107e6cab7a31b5
Instruction Fuzzy Hash: CEE02670C043ACEFE750DB78EA06BAA7BF4FB02318F44029CD08897291D7752A04E791

Function 061E88E4 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2463025561.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_61e0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38a90791127886480d5db37e4d176fc503ddb1ab8ee52099c79209da1eb59fcd
Instruction ID: a6f8334219f78ceb4f2e5e3c721f8301ea202856691d1f9a2b66dd3cb4df77d1
Opcode Fuzzy Hash: 38a90791127886480d5db37e4d176fc503ddb1ab8ee52099c79209da1eb59fcd
Instruction Fuzzy Hash: 26F0B274900619CFEFA0DF69C984BEDB3B2EF06300F6082AAD549A3241CB319E848F50

Function 06103179 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2462912802.0000000006100000.00000040.00000800.00020000.00000000.sdmp, Offset: 06100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6100000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d19eb5b1a763ba7fee21e177e361f17bf5bd9e6b3a232c18382fc7d8244f452
Instruction ID: b62bec21e1a0eab71139eed660667014a6e9192d89f0ea865911837a327eea6e
Opcode Fuzzy Hash: 6d19eb5b1a763ba7fee21e177e361f17bf5bd9e6b3a232c18382fc7d8244f452
Instruction Fuzzy Hash: 30D02B384443440EDB02BBB8BC959D53F6FEB84301F048561F1846A6DBDDB8594296B7

Function 06105D55 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2462912802.0000000006100000.00000040.00000800.00020000.00000000.sdmp, Offset: 06100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6100000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0d5f8d348edb1e583018d4153f15377444006f31997b58b6365301406b8e280
Instruction ID: d86f0df5ce3be4d824e5d7a8996a4e23278be095175c6f68dd961aa0ad557673
Opcode Fuzzy Hash: f0d5f8d348edb1e583018d4153f15377444006f31997b58b6365301406b8e280
Instruction Fuzzy Hash: 12D0673AB40048DFCB049F9CE8409DDBBB6FB9C221B148116EA15A7265C631A921DB50

Function 06103188 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2462912802.0000000006100000.00000040.00000800.00020000.00000000.sdmp, Offset: 06100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6100000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcffadacc6215864b7aef2f04f125a00f4ae555f30fa4b89cb0ae927db4a5276
Instruction ID: 27e8ee4da95add12d3329370d48ebcffe2b003816730ffd8026ff06593e38984
Opcode Fuzzy Hash: dcffadacc6215864b7aef2f04f125a00f4ae555f30fa4b89cb0ae927db4a5276
Instruction Fuzzy Hash: 0EC012345402084ACB05FBB9F895555776EF6C0202F409510B2497669ADEBC1A065AA5

Function 0101E360 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2459274493.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1010000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09c4a1169ae35dc08e5a172368296ca84898205fac58b35b5fe385183a744f9f
Instruction ID: a45e9175eebc6ad61c489f0be7c276605375b9f3bd03779bfb5430d251e0c570
Opcode Fuzzy Hash: 09c4a1169ae35dc08e5a172368296ca84898205fac58b35b5fe385183a744f9f
Instruction Fuzzy Hash: 31C092EEC2EAC59FEF034330B9D60D17FB2E50330931644EBD08286093A508441B9B01

Function 01013872 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2459274493.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1010000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7cda86493a18775ac06df674b1e19d04910a96c54b2afcd06fb277809c08c87
Instruction ID: f63ecc960fc9480fff196ee9f406a1d27f46fc067cdd401ce0aee98f417092c9
Opcode Fuzzy Hash: c7cda86493a18775ac06df674b1e19d04910a96c54b2afcd06fb277809c08c87
Instruction Fuzzy Hash: 26D092349102998BDB18EF24C8547AF7A73BB41604F0004A8A08A77298CB345A80CE82

Function 0101CAD1 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2459274493.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1010000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f3124d48c6ffa5bbbac4eaae95f4b349b74d0dbf5223713abeff9b52dfa3195
Instruction ID: 772dc976c484c5d52ab2f1080033738f9e0bf350aef6210633e2b0474c07dd83
Opcode Fuzzy Hash: 2f3124d48c6ffa5bbbac4eaae95f4b349b74d0dbf5223713abeff9b52dfa3195
Instruction Fuzzy Hash: 6FD06774902219CFEB51CF65DD48F8CB7B1BB48301F205295D40DA3250CB345A888F14

Function 010108A0 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2459274493.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1010000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cefd56f7cf994129caf79a4144c7a94489c639cc3b4786bd235a2c195e290d1b
Instruction ID: 5e24bd64625aece56ac6afa2e4ffece401299bb041b56583e862eefd81563f3a
Opcode Fuzzy Hash: cefd56f7cf994129caf79a4144c7a94489c639cc3b4786bd235a2c195e290d1b
Instruction Fuzzy Hash: B8B09B31044B1D47F5145794790AB7477EC7701605FC00154A69D0246557A46094D5D5

Non-executed Functions

Function 061E7EE5 Relevance: 1.3, Strings: 1, Instructions: 89COMMON

Download Yara Rule

Strings

gw=, xrefs: 061E7C6F

Memory Dump Source

Source File: 00000009.00000002.2463025561.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_61e0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: gw=
API String ID: 0-3191234272
Opcode ID: 2869fdc2c13348f5ae33ce97713cc55df4fe7592f1445e18c621cd07b088a249
Instruction ID: 9df622e67c1b04890583dafb453f4e7326289e14ff3b161abf1e088927166ca4
Opcode Fuzzy Hash: 2869fdc2c13348f5ae33ce97713cc55df4fe7592f1445e18c621cd07b088a249
Instruction Fuzzy Hash: 0A41AF74904218CFEBA4CF68C994BECBBF1FB49304F1481AAD549AB2A0C7749A84CF40

Function 061E7C4D Relevance: 1.3, Strings: 1, Instructions: 77COMMON

Download Yara Rule

Strings

gw=, xrefs: 061E7C6F

Memory Dump Source

Source File: 00000009.00000002.2463025561.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_61e0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: gw=
API String ID: 0-3191234272
Opcode ID: 2873a127a3b534fa4cb71a1c1dc647a88061eea29ed70ed45e817a36ed1b4559
Instruction ID: 77f55995ba42a4b4c95691fa35ee7feaf278534167a0d9cb817502eb78c69756
Opcode Fuzzy Hash: 2873a127a3b534fa4cb71a1c1dc647a88061eea29ed70ed45e817a36ed1b4559
Instruction Fuzzy Hash: FD31A174904218CFEBA4DF64C995BEDBBF1FB49300F1081AAD549A7290CB749E81CF40

Function 061E79F8 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2463025561.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_61e0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f14de2eb43b5e5017a3b646095a8c7402a6b8b9d8314c736dac72c0fdc453cf
Instruction ID: a28589ab10791e76c3fe0f242b8bbcd8e5dba35e20c6d3ec7127037d222659b4
Opcode Fuzzy Hash: 5f14de2eb43b5e5017a3b646095a8c7402a6b8b9d8314c736dac72c0fdc453cf
Instruction Fuzzy Hash: 5841F574D44718CFEB54CFA5C944BEDBBF2BB89300F1480AAD508A72A4DB349A85CF40

Function 061E7E24 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2463025561.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_61e0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed1984dc8e6fed9953785d52660c6e143a5e5727b5e0723ff2b532d6f81d9261
Instruction ID: 1aa39f2255f052673c581f9f71392e8bd9abbc6044ae0a05c9b627b5a89eb0ff
Opcode Fuzzy Hash: ed1984dc8e6fed9953785d52660c6e143a5e5727b5e0723ff2b532d6f81d9261
Instruction Fuzzy Hash: F031CC749016288FEBA4CFA8D994BECB7F2FB48300F1041AAD049A7290CB349E85DF40

Function 061E7AA8 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2463025561.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_61e0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 950bc0069791d7c74c4ee8d0396a15a5353f1b87f52e2714e711081abf426504
Instruction ID: 857615ad5446a1ef2f355718c07cab1eceed38614c2f45bd265c220cb4adf392
Opcode Fuzzy Hash: 950bc0069791d7c74c4ee8d0396a15a5353f1b87f52e2714e711081abf426504
Instruction Fuzzy Hash: A031D178D4031ACFEBA4CFA4C984BADB7F1FB48300F1080A9D509AB290DB748A85DF40

Function 061E802E Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2463025561.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_61e0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5ffabdebb18e4ec302410f441efcd437114b183e6de9c365f7270312b22f749
Instruction ID: 109502582347e67b052576651bf11a44c8fd79d17ee12f0f0ec2f2d45383bfdc
Opcode Fuzzy Hash: a5ffabdebb18e4ec302410f441efcd437114b183e6de9c365f7270312b22f749
Instruction Fuzzy Hash: C631E274D04728CFEB64DF64D998BACBBB2FB49305F1041A9D009AB2A0CB759E85DF40

Function 061E7BDF Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2463025561.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_61e0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01b697fd66fa43313ff9d0968212da882bdfcfec607fc35af9ae7573e10af9c3
Instruction ID: 1186574d5e4e5286946b5c4abb296220934b1fb0294442d471874241703e92b4
Opcode Fuzzy Hash: 01b697fd66fa43313ff9d0968212da882bdfcfec607fc35af9ae7573e10af9c3
Instruction Fuzzy Hash: 0021D574D40718CFEB64DF54C989BACBBB2FB48301F2481A9D509A72A5C7349E85DF40

Function 061E7FB1 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2463025561.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_61e0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28f19fbff9e8aa73db31f16a96ab10cac6530213589eb2867c2f5cc8501d495e
Instruction ID: c6b8b588efb77cd71da165d5a94f7fcbb3e98985355065b3aa004096733bfe72
Opcode Fuzzy Hash: 28f19fbff9e8aa73db31f16a96ab10cac6530213589eb2867c2f5cc8501d495e
Instruction Fuzzy Hash: B2213674E00719CFEB60CFA4C944BADB7B2FB85304F5441A9D148AB290C7748E84CF41

Function 061E7E91 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2463025561.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_61e0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b31e7379659215a9693baf6a216ba564c8a2de50f2efc6fa3ba0a1cd22586b4
Instruction ID: 1b694a3b9c838ad16469c6b95eac0547a124dc86498206ee5624d154dc321ae3
Opcode Fuzzy Hash: 0b31e7379659215a9693baf6a216ba564c8a2de50f2efc6fa3ba0a1cd22586b4
Instruction Fuzzy Hash: FA11CD75D44719CFEB64CF94D988BACBBF2FB48305F1481AAD009A72A4C7798A85DF40

Function 061E7D09 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2463025561.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_61e0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 140aabe195d693558771cac9ffac09fe5f1394ec367726b337cc62efd98f970b
Instruction ID: 8345bd04a7581a560736e97f563de99df20f919a1dcee1652e52da5b8edf4f07
Opcode Fuzzy Hash: 140aabe195d693558771cac9ffac09fe5f1394ec367726b337cc62efd98f970b
Instruction Fuzzy Hash: 32110275D45718CFEB54CF94D988BACBBF2FB44305F1480AAD008A72A0DB788A84DF50

Function 061E7B2C Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2463025561.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_61e0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 143d4ba3e484f086e940f5d3b885f9716923b5eb37e4ba5b2cd80b8846ba8f69
Instruction ID: 0102159ac025ed99950eb0d3be3a8c2ca7620a24ad5beedc0bf4f0a02eafeff9
Opcode Fuzzy Hash: 143d4ba3e484f086e940f5d3b885f9716923b5eb37e4ba5b2cd80b8846ba8f69
Instruction Fuzzy Hash: 82110274E44718CFEB60DF94D888BACB7B2BB89301F5445AAD109AB290CB749E84DF40

Function 061E7A87 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2463025561.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_61e0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b89c184aebcdeb65a5077c3575161339e3b2c54154441f415124e9e4fe06ca8
Instruction ID: e9d77a65ca538bfddce3d7cacca91a2d2ce6b54950fff143d961b09f65f3a059
Opcode Fuzzy Hash: 9b89c184aebcdeb65a5077c3575161339e3b2c54154441f415124e9e4fe06ca8
Instruction Fuzzy Hash: EB010474E44729CFEB50CF94D995BACB7B2FB44305F1481AAD109A7294CB748E85DF40

Function 061E1AB5 Relevance: 5.1, Strings: 4, Instructions: 67COMMON

Download Yara Rule

Strings

=, xrefs: 061E08DB
D, xrefs: 061E090B
G, xrefs: 061E08E2
H, xrefs: 061E0198

Memory Dump Source

Source File: 00000009.00000002.2463025561.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_61e0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: =$D$G$H
API String ID: 0-3069978989
Opcode ID: 2b4f32f46e57a244577c31de0125a4e570673b56fe48160fc403b44e0e062ea6
Instruction ID: a6230d4bce3b0851fb4c140a6b120a019e618d28c505f8bcc330193684dfc3a8
Opcode Fuzzy Hash: 2b4f32f46e57a244577c31de0125a4e570673b56fe48160fc403b44e0e062ea6
Instruction Fuzzy Hash: 492119B0905518CFEB94CF98C884B99B7F0FB49306F1051E6C14DA7150C7B4CA99CF64

Function 01011A5E Relevance: 5.0, Strings: 4, Instructions: 23COMMON

Download Yara Rule

Strings

NE*, xrefs: 01011A7D
r, xrefs: 01011AB7
B, xrefs: 01011A8A
o, xrefs: 01011A72

Memory Dump Source

Source File: 00000009.00000002.2459274493.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1010000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: B$NE*$r$o
API String ID: 0-1509964745
Opcode ID: 055153da0426aea384a84bd0f71e6808889a7af2e2a1aa227b106eb76e4edb63
Instruction ID: 130455a9cf301022ab8f4049177a9d0eec45b2a275a93da7dffbe4c7a116302a
Opcode Fuzzy Hash: 055153da0426aea384a84bd0f71e6808889a7af2e2a1aa227b106eb76e4edb63
Instruction Fuzzy Hash: DBF0DAB4E0421C9FDB54CF5AD45579AB7B2FB89300F50C0E9E48997249CB389B859F44

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: MassLogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

Windows Analysis Report
RicevutaBonificoSepa1745392212214#U00b7PDF.scr.exe

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre