Edit tour

Windows Analysis Report
Invoice.exe

Overview

General Information

Sample Name:	Invoice.exe
Analysis ID:	863303
MD5:	5ccc83a775f796de3dd319752d32a509
SHA1:	f564530c7f2e11f3320fac2a57e8abd33bd67126
SHA256:	8a6bebf08f6c223ed9821ee3b80e420060c66770402687f5c98555f9b0cd02a3
Tags:	exe
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Yara detected AgentTesla

Tries to steal Mail credentials (via file / registry access)

Initial sample is a PE file and has a suspicious name

Contains functionality to capture screen (.Net source)

Tries to harvest and steal ftp login credentials

.NET source code references suspicious native API functions

Machine Learning detection for sample

.NET source code contains potential unpacker

Yara detected Generic Downloader

Sample has a suspicious name (potential lure to open the executable)

Tries to harvest and steal browser information (history, passwords, etc)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

May sleep (evasive loops) to hinder dynamic analysis

Detected potential crypto function

Yara detected Credential Stealer

Contains long sleeps (>= 3 min)

Enables debug privileges

Creates a DirectInput object (often for capturing keystrokes)

Found inlined nop instructions (likely shell or obfuscated code)

Sample file is different than original file name gathered from version info

Tries to load missing DLLs

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

Invoice.exe (PID: 7148 cmdline: C:\Users\user\Desktop\Invoice.exe MD5: 5CCC83A775F796DE3DD319752D32A509)

RegAsm.exe (PID: 2380 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe MD5: 6FD7592411112729BF6B1F2F6C34899F)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based keylogger and RAT readily available to actors. Logs keystrokes and the host's clipboard and beacons this information back to the C2.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://www.secureworks.com/research/threat-profiles/gold-galleon https://asec.ahnlab.com/ko/29133/ https://blog.apnic.net/2022/03/31/how-to-detect-and-prevent-common-data-exfiltration-attacks/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000002.512262420.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.512262420.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xd3aa:$a1: get_encryptedPassword 0xd73f:$a2: get_encryptedUsername 0xd154:$a3: get_timePasswordChanged 0xd25a:$a4: get_passwordField 0xd3c0:$a5: set_encryptedPassword 0xef90:$a7: get_logins 0xec5e:$a8: GetOutlookPasswords 0xe9a6:$a9: StartKeylogger 0xeec7:$a10: KeyLoggerEventArgs 0xe9b5:$a11: KeyLoggerEventArgsEventHandler
00000000.00000002.256900468.0000000002E91000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.256900468.0000000002E91000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x105792:$a1: get_encryptedPassword 0x1197ae:$a1: get_encryptedPassword 0x1ef3f2:$a1: get_encryptedPassword 0x105b27:$a2: get_encryptedUsername 0x119b43:$a2: get_encryptedUsername 0x1ef787:$a2: get_encryptedUsername 0x10553c:$a3: get_timePasswordChanged 0x119558:$a3: get_timePasswordChanged 0x1ef19c:$a3: get_timePasswordChanged 0x105642:$a4: get_passwordField 0x11965e:$a4: get_passwordField 0x1ef2a2:$a4: get_passwordField 0x1057a8:$a5: set_encryptedPassword 0x1197c4:$a5: set_encryptedPassword 0x1ef408:$a5: set_encryptedPassword 0x107378:$a7: get_logins 0x11b394:$a7: get_logins 0x1f0fd8:$a7: get_logins 0x107046:$a8: GetOutlookPasswords 0x11b062:$a8: GetOutlookPasswords 0x1f0ca6:$a8: GetOutlookPasswords
Process Memory Space: Invoice.exe PID: 7148	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Invoice.exe PID: 7148	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x22e6f:$a1: get_encryptedPassword 0x23198:$a2: get_encryptedUsername 0x22c2d:$a3: get_timePasswordChanged 0x22d33:$a4: get_passwordField 0x22e85:$a5: set_encryptedPassword 0x246a0:$a7: get_logins 0x243c5:$a8: GetOutlookPasswords 0x2416f:$a9: StartKeylogger 0x245d7:$a10: KeyLoggerEventArgs 0x2417e:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: RegAsm.exe PID: 2380	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: RegAsm.exe PID: 2380	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 2380	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x151b7:$a1: get_encryptedPassword 0x1553d:$a2: get_encryptedUsername 0x14f75:$a3: get_timePasswordChanged 0x1507b:$a4: get_passwordField 0x151cd:$a5: set_encryptedPassword 0x16d44:$a7: get_logins 0x16a12:$a8: GetOutlookPasswords 0x1675a:$a9: StartKeylogger 0x16c7b:$a10: KeyLoggerEventArgs 0x16769:$a11: KeyLoggerEventArgsEventHandler
Click to see the 4 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.Invoice.exe.2f891e8.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Invoice.exe.2f891e8.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0xc4d4:$s1: UnHook 0xc4db:$s2: SetHook 0xc4e3:$s3: CallNextHook 0xc4f0:$s4: _hook
0.2.Invoice.exe.2f891e8.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xb7aa:$a1: get_encryptedPassword 0xbb3f:$a2: get_encryptedUsername 0xb554:$a3: get_timePasswordChanged 0xb65a:$a4: get_passwordField 0xb7c0:$a5: set_encryptedPassword 0xd390:$a7: get_logins 0xd05e:$a8: GetOutlookPasswords 0xcda6:$a9: StartKeylogger 0xd2c7:$a10: KeyLoggerEventArgs 0xcdb5:$a11: KeyLoggerEventArgsEventHandler
1.2.RegAsm.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
1.2.RegAsm.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.RegAsm.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0xe2d4:$s1: UnHook 0xe2db:$s2: SetHook 0xe2e3:$s3: CallNextHook 0xe2f0:$s4: _hook
1.2.RegAsm.exe.400000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xd5aa:$a1: get_encryptedPassword 0xd93f:$a2: get_encryptedUsername 0xd354:$a3: get_timePasswordChanged 0xd45a:$a4: get_passwordField 0xd5c0:$a5: set_encryptedPassword 0xf190:$a7: get_logins 0xee5e:$a8: GetOutlookPasswords 0xeba6:$a9: StartKeylogger 0xf0c7:$a10: KeyLoggerEventArgs 0xebb5:$a11: KeyLoggerEventArgsEventHandler
0.2.Invoice.exe.2f891e8.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.Invoice.exe.2f891e8.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Invoice.exe.2f891e8.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0xe2d4:$s1: UnHook 0x222f0:$s1: UnHook 0xf7f34:$s1: UnHook 0xe2db:$s2: SetHook 0x222f7:$s2: SetHook 0xf7f3b:$s2: SetHook 0xe2e3:$s3: CallNextHook 0x222ff:$s3: CallNextHook 0xf7f43:$s3: CallNextHook 0xe2f0:$s4: _hook 0x2230c:$s4: _hook 0xf7f50:$s4: _hook
0.2.Invoice.exe.2f891e8.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xd5aa:$a1: get_encryptedPassword 0x215c6:$a1: get_encryptedPassword 0xf720a:$a1: get_encryptedPassword 0xd93f:$a2: get_encryptedUsername 0x2195b:$a2: get_encryptedUsername 0xf759f:$a2: get_encryptedUsername 0xd354:$a3: get_timePasswordChanged 0x21370:$a3: get_timePasswordChanged 0xf6fb4:$a3: get_timePasswordChanged 0xd45a:$a4: get_passwordField 0x21476:$a4: get_passwordField 0xf70ba:$a4: get_passwordField 0xd5c0:$a5: set_encryptedPassword 0x215dc:$a5: set_encryptedPassword 0xf7220:$a5: set_encryptedPassword 0xf190:$a7: get_logins 0x231ac:$a7: get_logins 0xf8df0:$a7: get_logins 0xee5e:$a8: GetOutlookPasswords 0x22e7a:$a8: GetOutlookPasswords 0xf8abe:$a8: GetOutlookPasswords
0.2.Invoice.exe.2eabbb0.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.Invoice.exe.2eabbb0.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Invoice.exe.2eabbb0.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0xeb90c:$s1: UnHook 0xff928:$s1: UnHook 0x1d556c:$s1: UnHook 0xeb913:$s2: SetHook 0xff92f:$s2: SetHook 0x1d5573:$s2: SetHook 0xeb91b:$s3: CallNextHook 0xff937:$s3: CallNextHook 0x1d557b:$s3: CallNextHook 0xeb928:$s4: _hook 0xff944:$s4: _hook 0x1d5588:$s4: _hook
0.2.Invoice.exe.2eabbb0.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xeabe2:$a1: get_encryptedPassword 0xfebfe:$a1: get_encryptedPassword 0x1d4842:$a1: get_encryptedPassword 0xeaf77:$a2: get_encryptedUsername 0xfef93:$a2: get_encryptedUsername 0x1d4bd7:$a2: get_encryptedUsername 0xea98c:$a3: get_timePasswordChanged 0xfe9a8:$a3: get_timePasswordChanged 0x1d45ec:$a3: get_timePasswordChanged 0xeaa92:$a4: get_passwordField 0xfeaae:$a4: get_passwordField 0x1d46f2:$a4: get_passwordField 0xeabf8:$a5: set_encryptedPassword 0xfec14:$a5: set_encryptedPassword 0x1d4858:$a5: set_encryptedPassword 0xec7c8:$a7: get_logins 0x1007e4:$a7: get_logins 0x1d6428:$a7: get_logins 0xec496:$a8: GetOutlookPasswords 0x1004b2:$a8: GetOutlookPasswords 0x1d60f6:$a8: GetOutlookPasswords
0.2.Invoice.exe.2ea857c.0.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.Invoice.exe.2ea857c.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Invoice.exe.2ea857c.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0xeef40:$s1: UnHook 0x102f5c:$s1: UnHook 0x1d8ba0:$s1: UnHook 0xeef47:$s2: SetHook 0x102f63:$s2: SetHook 0x1d8ba7:$s2: SetHook 0xeef4f:$s3: CallNextHook 0x102f6b:$s3: CallNextHook 0x1d8baf:$s3: CallNextHook 0xeef5c:$s4: _hook 0x102f78:$s4: _hook 0x1d8bbc:$s4: _hook
0.2.Invoice.exe.2ea857c.0.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xee216:$a1: get_encryptedPassword 0x102232:$a1: get_encryptedPassword 0x1d7e76:$a1: get_encryptedPassword 0xee5ab:$a2: get_encryptedUsername 0x1025c7:$a2: get_encryptedUsername 0x1d820b:$a2: get_encryptedUsername 0xedfc0:$a3: get_timePasswordChanged 0x101fdc:$a3: get_timePasswordChanged 0x1d7c20:$a3: get_timePasswordChanged 0xee0c6:$a4: get_passwordField 0x1020e2:$a4: get_passwordField 0x1d7d26:$a4: get_passwordField 0xee22c:$a5: set_encryptedPassword 0x102248:$a5: set_encryptedPassword 0x1d7e8c:$a5: set_encryptedPassword 0xefdfc:$a7: get_logins 0x103e18:$a7: get_logins 0x1d9a5c:$a7: get_logins 0xefaca:$a8: GetOutlookPasswords 0x103ae6:$a8: GetOutlookPasswords 0x1d972a:$a8: GetOutlookPasswords
Click to see the 14 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: Invoice.exe	ReversingLabs: Detection: 21%
Source: Invoice.exe	Virustotal: Detection: 20%			Perma Link

Machine Learning detection for sample

Source: Invoice.exe

Joe Sandbox ML: detected

Source: Invoice.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Invoice.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Binary string: F:\Desktop V500\important\CSharp-RunPE-master\RunPE\obj\Debug\SeaCyanPul.pdb source: Invoice.exe, 00000000.00000002.256900468.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, Invoice.exe, 00000000.00000002.259381177.00000000054E0000.00000004.08000000.00040000.00000000.sdmp

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp 03034610h	1_2_030341F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp 03033825h	1_2_03032D38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp 03033EC9h	1_2_03033C08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp 0303E5E9h	1_2_0303E330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp 0303EE99h	1_2_0303EBE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	1_2_03032258
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	1_2_03032A6D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp 03034610h	1_2_030341E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp 0303F2F1h	1_2_0303F038
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	1_2_0303288B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp 0303FBA1h	1_2_0303F8E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp 0303EA41h	1_2_0303E787
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp 03034610h	1_2_0303453E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp 0303F749h	1_2_0303F48F

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Invoice.exe.2f891e8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Invoice.exe.2eabbb0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Invoice.exe.2ea857c.0.raw.unpack, type: UNPACKEDPE

Source: Invoice.exe, 00000000.00000002.256900468.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.512262420.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: Invoice.exe	String found in binary or memory: http://edstarcoordinator.com/api.asmx/GetSystems
Source: Invoice.exe, 00000000.00000002.256900468.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.512262420.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to capture screen (.Net source)

Source: 1.2.RegAsm.exe.400000.0.unpack, KrakenStub/KrakenSteak.cs

.Net Code: TakeScreenshot

Source: Invoice.exe, 00000000.00000002.256149307.00000000011DA000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.Invoice.exe.2f891e8.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Invoice.exe.2f891e8.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Invoice.exe.2f891e8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Invoice.exe.2f891e8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Invoice.exe.2eabbb0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Invoice.exe.2eabbb0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Invoice.exe.2ea857c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Invoice.exe.2ea857c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000001.00000002.512262420.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.256900468.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: Invoice.exe PID: 7148, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: RegAsm.exe PID: 2380, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: Invoice.exe

Sample has a suspicious name (potential lure to open the executable)

Source: Invoice.exe

Static file information: Suspicious name

Source: Invoice.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.Invoice.exe.2f891e8.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Invoice.exe.2f891e8.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Invoice.exe.2f891e8.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Invoice.exe.2f891e8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Invoice.exe.2eabbb0.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Invoice.exe.2eabbb0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Invoice.exe.2ea857c.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Invoice.exe.2ea857c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000001.00000002.512262420.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.256900468.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: Invoice.exe PID: 7148, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: RegAsm.exe PID: 2380, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: C:\Users\user\Desktop\Invoice.exe	Code function: 0_2_013550D0	0_2_013550D0
Source: C:\Users\user\Desktop\Invoice.exe	Code function: 0_2_0135F9B0	0_2_0135F9B0
Source: C:\Users\user\Desktop\Invoice.exe	Code function: 0_2_0135E5E8	0_2_0135E5E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_0303B2A9	1_2_0303B2A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_0303A9C8	1_2_0303A9C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_030366B8	1_2_030366B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_03032D38	1_2_03032D38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_03033C08	1_2_03033C08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_0303E330	1_2_0303E330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_0303EBE0	1_2_0303EBE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_0303ABE8	1_2_0303ABE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_03032230	1_2_03032230
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_0303A230	1_2_0303A230
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_0303A240	1_2_0303A240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_03032258	1_2_03032258
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_0303F038	1_2_0303F038
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_0303F8E8	1_2_0303F8E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_0303E787	1_2_0303E787
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_0303F48F	1_2_0303F48F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_057E5260	1_2_057E5260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_057EE248	1_2_057EE248
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_057E7F60	1_2_057E7F60

Source: Invoice.exe, 00000000.00000002.256900468.0000000002E91000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSeaCyanPul.dll" vs Invoice.exe
Source: Invoice.exe, 00000000.00000002.256900468.0000000002E91000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameKrakenStub.exe6 vs Invoice.exe
Source: Invoice.exe, 00000000.00000003.246609960.000000000124D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameDataBasePracticalJob.dllJ vs Invoice.exe
Source: Invoice.exe, 00000000.00000002.259381177.00000000054E0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameSeaCyanPul.dll" vs Invoice.exe
Source: Invoice.exe, 00000000.00000002.259017463.0000000005420000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameDataBasePracticalJob.dllJ vs Invoice.exe
Source: Invoice.exe, 00000000.00000000.245827312.0000000000ABE000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameRareCommodityHelper.exeH vs Invoice.exe
Source: Invoice.exe, 00000000.00000002.258459348.0000000003EC4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameDataBasePracticalJob.dllJ vs Invoice.exe
Source: Invoice.exe	Binary or memory string: OriginalFilenameRareCommodityHelper.exeH vs Invoice.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Section loaded: sfc.dll

Jump to behavior

Source: Invoice.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Invoice.exe	ReversingLabs: Detection: 21%
Source: Invoice.exe	Virustotal: Detection: 20%

Source: Invoice.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Invoice.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Invoice.exe C:\Users\user\Desktop\Invoice.exe
Source: C:\Users\user\Desktop\Invoice.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: C:\Users\user\Desktop\Invoice.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Jump to behavior

Source: C:\Users\user\Desktop\Invoice.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Invoice.exe.log

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/1@0/0

Source: Invoice.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\Invoice.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior

Source: Invoice.exe, RareCommodityHelper/MainForm.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 1.2.RegAsm.exe.400000.0.unpack, KrakenStub/KrakenDumpedList.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 1.2.RegAsm.exe.400000.0.unpack, KrakenStub/KrakenSteak.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'

Source: C:\Users\user\Desktop\Invoice.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: Invoice.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Invoice.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Data Obfuscation

.NET source code contains potential unpacker

Source: Invoice.exe, PathNode.cs

.Net Code: ANTR3ND0 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: initial sample

Static PE information: section name: .text entropy: 7.692787601373311

Source: C:\Users\user\Desktop\Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\Invoice.exe TID: 2888

Thread sleep time: -922337203685477s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\Invoice.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Invoice.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 1_2_0303A9C8 LdrInitializeThunk,

1_2_0303A9C8

Source: C:\Users\user\Desktop\Invoice.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: 1.2.RegAsm.exe.400000.0.unpack, KrakenStub/KrakenSteak.cs	Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll')
Source: 1.2.RegAsm.exe.400000.0.unpack, KrakenStub/FFDecryptor.cs	Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')

Source: C:\Users\user\Desktop\Invoice.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Jump to behavior

Source: C:\Users\user\Desktop\Invoice.exe	Queries volume information: C:\Users\user\Desktop\Invoice.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Invoice.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match

File source: Process Memory Space: RegAsm.exe PID: 2380, type: MEMORYSTR

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Jump to behavior

Source: Yara match	File source: 0.2.Invoice.exe.2f891e8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Invoice.exe.2f891e8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Invoice.exe.2eabbb0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Invoice.exe.2ea857c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.512262420.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.256900468.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Invoice.exe PID: 7148, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 2380, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match

File source: Process Memory Space: RegAsm.exe PID: 2380, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Native API	1 DLL Side-Loading	11 Process Injection	1 Masquerading	2 OS Credential Dumping	1 Process Discovery	Remote Services	1 Screen Capture	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	1 Input Capture	21 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Email Collection	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	21 Virtualization/Sandbox Evasion	Security Account Manager	13 System Information Discovery	SMB/Windows Admin Shares	1 Input Capture	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	11 Process Injection	NTDS	System Network Configuration Discovery	Distributed Component Object Model	11 Archive Collected Data	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	Remote System Discovery	SSH	2 Data from Local System	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	2 Obfuscated Files or Information	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	12 Software Packing	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Invoice.exe	22%	ReversingLabs	Win32.Trojan.Pwsx
Invoice.exe	20%	Virustotal		Browse
Invoice.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
http://checkip.dyndns.org/q	0%	URL Reputation	safe
http://edstarcoordinator.com/api.asmx/GetSystems	0%	Avira URL Cloud	safe

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.telegram.org/bot	Invoice.exe, 00000000.00000002.256900468.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.512262420.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		high
http://checkip.dyndns.org/q	Invoice.exe, 00000000.00000002.256900468.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.512262420.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://edstarcoordinator.com/api.asmx/GetSystems	Invoice.exe	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	37.1.0 Beryl
Analysis ID:	863303
Start date and time:	2023-05-10 20:49:15 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 0s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	Invoice.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/1@0/0
EGA Information:	Successful, ratio: 50%
HDC Information:	Failed
HCA Information:	Successful, ratio: 99% Number of executed functions: 110 Number of non-executed functions: 10
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com
Execution Graph export aborted for target Invoice.exe, PID 7148 because it is empty
Not all processes where analyzed, report is missing behavior information

Process:	C:\Users\user\Desktop\Invoice.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	886
Entropy (8bit):	5.325593152230861
Encrypted:	false
SSDEEP:	24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhgLE4qE4j:MgvjHK5HKXE1qHiYHKhQnogLHqHj
MD5:	AC2CBF71E733CA2B84323E871BD62FDD
SHA1:	6B351F2F58892315B9D344A58451C6390DD108DE
SHA-256:	7439A0D64BAF07FC16F8F3026113B49A1F095C1398837AFD89EF8F21BF3CCBC8
SHA-512:	7D4633EFECEFCA05CB911FAD832C249A80F7C72A5041943D6D4B409DDB3DEE93CD3A9791D44092711FFF305A54A70AF4B2045B7515774A06E6B86EE49F67287F
Malicious:	true
Reputation:	low
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..2,"Microsoft.CSharp, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Dynamic, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.666683658861415
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	Invoice.exe
File size:	240640
MD5:	5ccc83a775f796de3dd319752d32a509
SHA1:	f564530c7f2e11f3320fac2a57e8abd33bd67126
SHA256:	8a6bebf08f6c223ed9821ee3b80e420060c66770402687f5c98555f9b0cd02a3
SHA512:	8c44dc190c9201edaae3075ece5625b23035c0313b5c6715b2620f1d59f721b3b02402dfa22515e949b7f174496c66b2b7060291f5cb8d01ad9339a51dbaf089
SSDEEP:	6144:T1XQakQ0JFxbIBMPYVmmF2qHyodW5hdn3dXmjMAajj13mauq:ZXQaQbO8d33dcMAA
TLSH:	C634D00533FC4441F6FA5F7F68B091E00B727E0B5A75E68E4D8A64CD28E27124993B27
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...2.Zd..............0.................. ........@.. ....................... ............`................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General

Entrypoint:	0x43c1ae
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x645AD232 [Tue May 9 23:07:30 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3c160	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x3e000	0x5f6	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x40000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x3a1b4	0x3a200	False	0.7659442204301076	data	7.692787601373311	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x3e000	0x5f6	0x600	False	0.423828125	data	4.196950651817995	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x40000	0xc	0x200	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x3e0a0	0x36c	data
RT_MANIFEST	0x3e40c	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

• Invoice.exe
• RegAsm.exe

Click to jump to process

Click to jump to process

High Level Behavior Distribution

• File
• Registry

Click to dive into process behavior distribution

Behavior

• Invoice.exe
• RegAsm.exe

Click to jump to process

Target ID:	0
Start time:	20:50:14
Start date:	10/05/2023
Path:	C:\Users\user\Desktop\Invoice.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\Invoice.exe
Imagebase:	0xa80000
File size:	240640 bytes
MD5 hash:	5CCC83A775F796DE3DD319752D32A509
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.256900468.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.256900468.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low

Show Windows behavior

Target ID:	1
Start time:	20:50:18
Start date:	10/05/2023
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Imagebase:	0xf40000
File size:	64616 bytes
MD5 hash:	6FD7592411112729BF6B1F2F6C34899F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.512262420.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000001.00000002.512262420.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
Reputation:	high

Show Windows behavior

Function 0135F9B0 Relevance: .4, Instructions: 401COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.256602050.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1350000_Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f8840cb89007693344bf8ffd3476a804e61d280e17893b364e55a508e17e587
Instruction ID: 9442942c5e011359a2f3fca066a12c0c2c0534e2a7ea03f47e3c388f574b18b9
Opcode Fuzzy Hash: 1f8840cb89007693344bf8ffd3476a804e61d280e17893b364e55a508e17e587
Instruction Fuzzy Hash: 6DF16D30A002499FDB48DFA8C494AAEBBF6FF88304F148569E81AAB355DB31DC45CB51

Uniqueness

Uniqueness Score: -1.00%

Function 013550D0 Relevance: .3, Instructions: 260COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.256602050.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1350000_Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44eaa2a8d6def172e8f647e5882626984780a0011c80c3161bdad4b78e724af8
Instruction ID: 1bbd3e1e4a4516323677fb99b4dbc21651f2ad41d808428069d27a1f6b2ed469
Opcode Fuzzy Hash: 44eaa2a8d6def172e8f647e5882626984780a0011c80c3161bdad4b78e724af8
Instruction Fuzzy Hash: 58819630B082189FCB5CAB74946467E7BB7BFC8700F14881EE446E7389DE3998068B91

Uniqueness

Uniqueness Score: -1.00%

Function 0135BA58 Relevance: 1.4, Strings: 1, Instructions: 173COMMON

Download Yara Rule

Strings

d, xrefs: 0135BBA4

Memory Dump Source

Source File: 00000000.00000002.256602050.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1350000_Invoice.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 2ab33c721775b3d5f6e05e38d36c06ea402086303f73628cdd2facc917e21c39
Instruction ID: 27db4f5895dfea6048a289a6298846bc3780c63ca2345279410c2811c9e65999
Opcode Fuzzy Hash: 2ab33c721775b3d5f6e05e38d36c06ea402086303f73628cdd2facc917e21c39
Instruction Fuzzy Hash: A7616A34A00A0A8FCB15CF59C4C08AAFBB6FF88314714856AD9199B62ADB30F951CF90

Uniqueness

Uniqueness Score: -1.00%

Function 01357868 Relevance: 1.4, Instructions: 1385COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.256602050.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1350000_Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d64bc97ba7216cf879c92c776a259aedcd11c77d5f62af4b58e4744573405c5
Instruction ID: faceda6322a3a260c634d5284a92d1a8007b05f3ec3b4e4ac481745869e7ea0d
Opcode Fuzzy Hash: 5d64bc97ba7216cf879c92c776a259aedcd11c77d5f62af4b58e4744573405c5
Instruction Fuzzy Hash: 60E23934A4021D9FDB25AF60D860BEDBB36FF89341F40459AEA0A2B385DB315D85DF90

Uniqueness

Uniqueness Score: -1.00%

Function 0135C263 Relevance: 1.3, Strings: 1, Instructions: 54COMMON

Download Yara Rule

Strings

#, xrefs: 0135C27B

Memory Dump Source

Source File: 00000000.00000002.256602050.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1350000_Invoice.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 272dda2f7728387f1228dfc323edcfe2eecd0c8322057edd17e4d35eabfeaa07
Instruction ID: ea45e15920792f4daab408d05c8b0708600e4b55110c9ebaf96c0579c1f80d81
Opcode Fuzzy Hash: 272dda2f7728387f1228dfc323edcfe2eecd0c8322057edd17e4d35eabfeaa07
Instruction Fuzzy Hash: 7F1162330083C14FC7468FA8A8A25C17F71EE53A6930909E7CA89CB113C328881FDB96

Uniqueness

Uniqueness Score: -1.00%

Function 0135C2C0 Relevance: .4, Instructions: 445COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.256602050.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1350000_Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1779147767b31ef92865615fb74e9b944ca65aa34d41e99b530a260b57bfdbba
Instruction ID: ce783b342673f02ca6808e9263c3432b3efef949197168e304f6eece911c4d01
Opcode Fuzzy Hash: 1779147767b31ef92865615fb74e9b944ca65aa34d41e99b530a260b57bfdbba
Instruction Fuzzy Hash: C9E12530B04309CFDBA68BAD8450D6A3BEAEF85A1C715506ADD0BEB352DE28CC01C761

Uniqueness

Uniqueness Score: -1.00%

Function 0135D2C8 Relevance: .4, Instructions: 430COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.256602050.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1350000_Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cfa7552837f8b41749a6cb9c490a27f9532cdf1e53c8b7d652b7b0e00598849
Instruction ID: d169f4fd2c00f9e16e45249a100e0f9fba95cfd18dc922345019d9b3f77e39d7
Opcode Fuzzy Hash: 8cfa7552837f8b41749a6cb9c490a27f9532cdf1e53c8b7d652b7b0e00598849
Instruction Fuzzy Hash: 38F19D70B00346CFDB64CFA9C484AAABBF5EF48708F148929E946DB751DB34E845CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0135CBE8 Relevance: .3, Instructions: 289COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.256602050.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1350000_Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbacd672bb40797cacd0b21930bc8a154f21441f48920581be45221ab52073ef
Instruction ID: 3c562cd2845c367bab2f8e2b0186e6060f053739c8cfcf8fd81ce764ea09e412
Opcode Fuzzy Hash: cbacd672bb40797cacd0b21930bc8a154f21441f48920581be45221ab52073ef
Instruction Fuzzy Hash: 3DA13471A003058FC704AB78D4B99EC7FBAFF91254745996AE90AEF251EF309C0987D0

Uniqueness

Uniqueness Score: -1.00%

Function 0135CBF8 Relevance: .3, Instructions: 285COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.256602050.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1350000_Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8e3760f65ea8fa331fe37b3ef00173749670cb4aef0b95b62b9521cc1bcfbe5
Instruction ID: 90ef767d8628eca1cee5263f226406cb37e4dbcf29154c504b8f4af151c628b2
Opcode Fuzzy Hash: e8e3760f65ea8fa331fe37b3ef00173749670cb4aef0b95b62b9521cc1bcfbe5
Instruction Fuzzy Hash: EAA11271A003058FC704AB78D4B99EDBFBAFF91254745996AE90AEF251EF30AC0587D0

Uniqueness

Uniqueness Score: -1.00%

Function 0135DEA8 Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.256602050.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1350000_Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17293d5176f0336e75d736d7396e83c01dbd323349a05a4e43d7ea70882f27cc
Instruction ID: ee822c253fc5a6921233c9449830d988393f564a96a8d2c8f7ea27a94620b9a8
Opcode Fuzzy Hash: 17293d5176f0336e75d736d7396e83c01dbd323349a05a4e43d7ea70882f27cc
Instruction Fuzzy Hash: 3D9186307102154BFB581A7E8854BFAFAAAAFD5B49B14403EED06CB392DF35CA41C761

Uniqueness

Uniqueness Score: -1.00%

Function 0135A7EB Relevance: .3, Instructions: 256COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.256602050.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1350000_Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8f707a3d2beba2ba1f4ddbd1337f9d84ad88cbecad9d3f03273242ed531a198
Instruction ID: eae09c1e79c7bc2a4efe4a143dd6e9755cca6fa34b53e15fd87b4a28bb550102
Opcode Fuzzy Hash: a8f707a3d2beba2ba1f4ddbd1337f9d84ad88cbecad9d3f03273242ed531a198
Instruction Fuzzy Hash: 1181A234B00209CFEBA69B7D8150D397FE6AF85A08B1542AADD06DB361EE34CC41EB51

Uniqueness

Uniqueness Score: -1.00%

Function 01357511 Relevance: .2, Instructions: 234COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.256602050.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1350000_Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27568a65b50519807856d06625719426cd81a41d71a353c95e7fb3d0007ae8de
Instruction ID: feb3ed44bd89fb83925bb5885a47b76f3ec60f252d066c6cb291500c49c809b4
Opcode Fuzzy Hash: 27568a65b50519807856d06625719426cd81a41d71a353c95e7fb3d0007ae8de
Instruction Fuzzy Hash: 51A13C346007469FC704DF28C4A4999BBB2FF993107518EA9E44A8B772DB30FC4ACB90

Uniqueness

Uniqueness Score: -1.00%

Function 01357520 Relevance: .2, Instructions: 230COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.256602050.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1350000_Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba2abbc08e549c3d2c3ca12879c5ad352210bd4955e05e43978efac59bf4bd84
Instruction ID: 002ea4ac562c6e6fc1d0c114815f7e418485b67d2646d0b6ee60c8b9291bbda6
Opcode Fuzzy Hash: ba2abbc08e549c3d2c3ca12879c5ad352210bd4955e05e43978efac59bf4bd84
Instruction Fuzzy Hash: 74A12C346007469FC744DF28C4A499ABBB2FF993107558E69E54A8B772DB30FC4ACB90

Uniqueness

Uniqueness Score: -1.00%

Function 01359900 Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.256602050.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1350000_Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25d6c4efacf9f78a12506ffae11e4eb90463872eb9066bd8dac9120551b8d33f
Instruction ID: 7a0f00da3e964eb533115e58ee2555c94a7710982b9981af9ef5cc342127bc2f
Opcode Fuzzy Hash: 25d6c4efacf9f78a12506ffae11e4eb90463872eb9066bd8dac9120551b8d33f
Instruction Fuzzy Hash: D5619C3560024A8FCB04DF58C4949AEFBB6FF85314B14CA69D9499B212DB31FC46CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 01354E22 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.256602050.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1350000_Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0be59e9a50506ab21558f116a162dc59ac2973b06367719849326ecd6be091de
Instruction ID: ac7facb719c6b0c9e97a79034ff221393dbb027c171fa74f2d57ea37a1304ed2
Opcode Fuzzy Hash: 0be59e9a50506ab21558f116a162dc59ac2973b06367719849326ecd6be091de
Instruction Fuzzy Hash: 10717E74E002188FCB44DFA9D99499DBBF2FF89310F20916AE919AB365DB31AC45CF50

Uniqueness

Uniqueness Score: -1.00%

Function 01354E30 Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.256602050.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1350000_Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85fe43568da345104674e44532de89b1d20230b3088b33379d08df7a25268303
Instruction ID: 0fa8a42a94d7ef33f524165e11fc8b1f4ee660c0ad7d33701ad53d8f8fee4ca6
Opcode Fuzzy Hash: 85fe43568da345104674e44532de89b1d20230b3088b33379d08df7a25268303
Instruction Fuzzy Hash: 1B717F74E002188FCB44DFA9D99499DBBF2FF89310F208169E919AB365DB31AC45CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0135B3A7 Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.256602050.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1350000_Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0baba7a3ed84fbea83eed64e9cb8491aeb57939541db139cdbc22d77d62dd05
Instruction ID: a54473caef2e32ee7c5d5aa904af412ad228515ce32003682686d0bb3a746b19
Opcode Fuzzy Hash: f0baba7a3ed84fbea83eed64e9cb8491aeb57939541db139cdbc22d77d62dd05
Instruction Fuzzy Hash: D051C2352103029FD714EB34C4A56AABBB7FF943007548E2AE54A8B656DF70EC0ACBD0

Uniqueness

Uniqueness Score: -1.00%

Function 01355B48 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.256602050.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1350000_Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ab0fb9f794ff3d19eddd688956718e8598c898843ed739d31107a6ed0126fb4
Instruction ID: a7406d191a4df3f8e9815a137b5361bafebbdac805ca1b213198633b72e7a0c4
Opcode Fuzzy Hash: 1ab0fb9f794ff3d19eddd688956718e8598c898843ed739d31107a6ed0126fb4
Instruction Fuzzy Hash: 0C51B574E10218DFCB09DFA9D8959DDBBB6FF89300F10812AE805AB364DB356942CF44

Uniqueness

Uniqueness Score: -1.00%

Function 01359FA8 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.256602050.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1350000_Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37eb632002f41b6b0be06ceccc1765f6efd2c5268892f447c13e481b7ff4ad9d
Instruction ID: 545799af732b4218dffcc4f5c37f61c4f116863acef0d2cee1a645c55708b452
Opcode Fuzzy Hash: 37eb632002f41b6b0be06ceccc1765f6efd2c5268892f447c13e481b7ff4ad9d
Instruction Fuzzy Hash: 814182702007415FE355EF78C4B5A99BBB2AF91310B84CE69D18A8F552DB70A84D8BD1

Uniqueness

Uniqueness Score: -1.00%

Function 0135D2B8 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.256602050.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1350000_Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61c8ab7943e368ff5f798f80b80aa4dda748ff697f7688c51d1d361fc1033f29
Instruction ID: 7ef8b6897603391c05f382f6f442b25470c3840582708f97038f360efdf97301
Opcode Fuzzy Hash: 61c8ab7943e368ff5f798f80b80aa4dda748ff697f7688c51d1d361fc1033f29
Instruction Fuzzy Hash: F2416A70E0021A8FCB44CFA8C9849EEBBB2FF89314F558555D905EB356DB34E942CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0135B3D0 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.256602050.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1350000_Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fa270220c1b5ee0cff81c870f3e6a8a953c4e5a8e205ae1ba6638344ac588ee
Instruction ID: fdf50b71dd48af16b35a8af6b0894a842f8db87c019ce2b29bbc55799e74cb5b
Opcode Fuzzy Hash: 9fa270220c1b5ee0cff81c870f3e6a8a953c4e5a8e205ae1ba6638344ac588ee
Instruction Fuzzy Hash: A04142352103029FD314EB34D4A96AABBB7FBD4300B548E2DE54A8B655DF71EC0A8BD4

Uniqueness

Uniqueness Score: -1.00%

Function 01359FD0 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.256602050.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1350000_Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdf901a4f4b5757cbc3aef2e64803babdcb741d0691a6d588ba4292bed79a639
Instruction ID: 3ce132d9dd2b45b3a4e6e5679c139d54f0613d249f434de514f7ea5400e5353f
Opcode Fuzzy Hash: cdf901a4f4b5757cbc3aef2e64803babdcb741d0691a6d588ba4292bed79a639
Instruction Fuzzy Hash: AF4151302007415FE354EF69C4A4A99BBB6AF91320B94CE6DD18A4F562DB71B8488BD1

Uniqueness

Uniqueness Score: -1.00%

Function 013597F0 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.256602050.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1350000_Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13bddc36534517d64f66a2f826756c4a3d3da1a77643d0bfdfb816b059eebbca
Instruction ID: beaa42263556d5b53d4a0e0ec55b5cd8f78f76098e3820bb9b01ac8e59350405
Opcode Fuzzy Hash: 13bddc36534517d64f66a2f826756c4a3d3da1a77643d0bfdfb816b059eebbca
Instruction Fuzzy Hash: 6E31D632B00620DFC765CB6DC98496ABBE6EF84A5571A8679EC49DB742DB30EC0187D0

Uniqueness

Uniqueness Score: -1.00%

Function 01354CAF Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.256602050.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1350000_Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22d7c8f63811e4411cc105d916ee88bcd16cc8d55c0b48ab2e23c56c8a3dca22
Instruction ID: 1da6e57e08220163c0da32cf91f65812ae4f362ce4075762e7f34b68633e89c3
Opcode Fuzzy Hash: 22d7c8f63811e4411cc105d916ee88bcd16cc8d55c0b48ab2e23c56c8a3dca22
Instruction Fuzzy Hash: 18417274E012099FCB44DFA9D595AEEBBF2FF89300F109169E905A7360DB31A905CF54

Uniqueness

Uniqueness Score: -1.00%

Function 01355539 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.256602050.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1350000_Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca3f7a259e662099e6bd1d94cc76e2de14498b70bae6269b7e2c5fcce3a4e914
Instruction ID: 6c8735a7215b3f2e8b40edccc9b214b5da04d8b61f0787b4f17defff7331137b
Opcode Fuzzy Hash: ca3f7a259e662099e6bd1d94cc76e2de14498b70bae6269b7e2c5fcce3a4e914
Instruction Fuzzy Hash: 3B4191B5E002099FCB44DFA9D594ADEBBF2FF89301F209169E905A7360DB31A905CF54

Uniqueness

Uniqueness Score: -1.00%

Function 013544B8 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.256602050.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1350000_Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cceab914da51ddac79d718fdb189e28e7ee50e20e847eddc5e095c64afed1de3
Instruction ID: 052341500794bcf1572863462b244b269185164c037267df0852c4074842cda3
Opcode Fuzzy Hash: cceab914da51ddac79d718fdb189e28e7ee50e20e847eddc5e095c64afed1de3
Instruction Fuzzy Hash: 532178B0900256CBCB6D9B6DD580D7EBBB5AB41A4CB050D26ED1597A51FB30EC80C390

Uniqueness

Uniqueness Score: -1.00%

Function 01354CC0 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.256602050.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1350000_Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d56899e421182dd284f910c00adfcb93a69cf0b5a40a5d011dd11d062b8118b0
Instruction ID: b06149aaea7e8e530b28b0b95f3b957d940f02b8c16ed4f2c20b0c4acf4a389d
Opcode Fuzzy Hash: d56899e421182dd284f910c00adfcb93a69cf0b5a40a5d011dd11d062b8118b0
Instruction Fuzzy Hash: B0416074E012099FCB48DFA9D5949AEBBF2BF89300F209169E915A7360DB31A905CF54

Uniqueness

Uniqueness Score: -1.00%

Function 01355548 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.256602050.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1350000_Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cae07b2af8454bea98e37b21748cc9727bb8395984b8b8cce4c9d672ead6c2f
Instruction ID: 7d0782474375ab08d61d7addb75a9722a08d80e0233559ebea95ed53ad2ac8da
Opcode Fuzzy Hash: 9cae07b2af8454bea98e37b21748cc9727bb8395984b8b8cce4c9d672ead6c2f
Instruction Fuzzy Hash: AB418F74E002099FCB44DFA9D59499EBBF2FF89200F209169E905AB360DB31A905CF64

Uniqueness

Uniqueness Score: -1.00%

Function 01356117 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.256602050.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1350000_Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fba6bd44bf448dd593c5ff314ccc0eb2de1bb27260784243991c2a11f075e747
Instruction ID: 82126859f4a435e5d736c8fd831a164d6d0a8c0dc080e997cf4260bf5866de78
Opcode Fuzzy Hash: fba6bd44bf448dd593c5ff314ccc0eb2de1bb27260784243991c2a11f075e747
Instruction Fuzzy Hash: 9E218EF26043854FD702DE28D8A6BD93B72EFA6254B44092ED445CB243EA64C50AC791

Uniqueness

Uniqueness Score: -1.00%

Function 0135A570 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.256602050.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1350000_Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bbf85e5654632bc8fa195039bc515953eba9342782def79efb775409ab2158d
Instruction ID: fc19e22d1a0f2b60cc3bfad58e4a3520b5f7d4c14987bb5d8a437d723d0de3ee
Opcode Fuzzy Hash: 5bbf85e5654632bc8fa195039bc515953eba9342782def79efb775409ab2158d
Instruction Fuzzy Hash: 172165343013421FF708AB7598757BE2A67EBE1220F998D39E546CF295DE71AC0A47D0

Uniqueness

Uniqueness Score: -1.00%

Function 013598EF Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.256602050.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1350000_Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83995ea3037c96d097c6e824c37defa67f4ada72bd546dbe0b2909198adf4449
Instruction ID: 35eaf92a6187d61e6af2fcf011ae437726581173079b120282fa1251132f37d4
Opcode Fuzzy Hash: 83995ea3037c96d097c6e824c37defa67f4ada72bd546dbe0b2909198adf4449
Instruction Fuzzy Hash: 9621D1766006269FC711CF6CC9809AAFBB5FF486643158B26E899DBA02D730FC45CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 0135A580 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.256602050.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1350000_Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53d5abbbb0541f2b0c11fdd51925834b89507731ee759573f57e99e2da690c91
Instruction ID: 222374f07be6d74e7ead8803eddcf7cef3435b5c76b6117f380ca309bdfc21cf
Opcode Fuzzy Hash: 53d5abbbb0541f2b0c11fdd51925834b89507731ee759573f57e99e2da690c91
Instruction Fuzzy Hash: 102165343013061BF708AB7598757BE6677FBE0220F898D38EA468F285DE71AC0A47D0

Uniqueness

Uniqueness Score: -1.00%

Function 054D0048 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.259332256.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_54d0000_Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ecfe9c1537215ff397e9826f3e185c63faa2e5e3a0d38fd6a28e4d2b0be6cef
Instruction ID: a86f95fdf3d7b0a78ea2b32887eff45b07865731ca332d579e8ef6ccec63eeb9
Opcode Fuzzy Hash: 3ecfe9c1537215ff397e9826f3e185c63faa2e5e3a0d38fd6a28e4d2b0be6cef
Instruction Fuzzy Hash: 9411D231304205ABCB259A6AA4645BBF797EFC5261F28806FD94EC7350FE36C842C361

Uniqueness

Uniqueness Score: -1.00%

Function 054D0001 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.259332256.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_54d0000_Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c2d0ecef4162f7dc32725cab7e496b83a1511dc69bfbe9d8b082c3be93dfd37
Instruction ID: 353b9dbe405cd92103863e59057dbc6532cce72ca4e1a4ffe95a7c363b43254c
Opcode Fuzzy Hash: 5c2d0ecef4162f7dc32725cab7e496b83a1511dc69bfbe9d8b082c3be93dfd37
Instruction Fuzzy Hash: 3E21BE2610E3C4AFC713463198686A67F72AF83290B1E01C7D889CB2A3F5288D48C772

Uniqueness

Uniqueness Score: -1.00%

Function 01357820 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.256602050.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1350000_Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dec0c90af3b1f46fd465a99373c2a1ee29bcf6883e3736b7de1451723946155b
Instruction ID: cfedcd856b9965d735a130a0dc2196618f25f15ff98269d5881aef25e05d4456
Opcode Fuzzy Hash: dec0c90af3b1f46fd465a99373c2a1ee29bcf6883e3736b7de1451723946155b
Instruction Fuzzy Hash: DA210731704290CFCB07DB1DD8D9A597F62EF92614B4944AACEC58F247CA30D847C796

Uniqueness

Uniqueness Score: -1.00%

Function 013561AF Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.256602050.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1350000_Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 802438e07961670080d8ad35cbba7d3940439a77792020848d210a72faec3d56
Instruction ID: 8d7dde072d3737e18916735537a80d5788b13424c943571f241e788ed9b20389
Opcode Fuzzy Hash: 802438e07961670080d8ad35cbba7d3940439a77792020848d210a72faec3d56
Instruction Fuzzy Hash: C91136B12047854FC3029F68D8B1ADA7BB2EFD5304F44496AD4498F292EE74980A87E1

Uniqueness

Uniqueness Score: -1.00%

Function 0135DA98 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.256602050.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1350000_Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68b60e3a3c0e066dcd4100034708d6e774d4b83db9a86e1768b9c4192725fd67
Instruction ID: 949802f6350e536befc662661d220d97bac6364ff37144be281786c17560ec71
Opcode Fuzzy Hash: 68b60e3a3c0e066dcd4100034708d6e774d4b83db9a86e1768b9c4192725fd67
Instruction Fuzzy Hash: 1611C6323152148BEB185B7EB4446AABFABEFC066A314407BF60ACB341CF35C846C791

Uniqueness

Uniqueness Score: -1.00%

Function 0135F9A0 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.256602050.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1350000_Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f5faebb82e385da850a712c8f9ad5064009ea156538de1d763f7bb30bbdb0bb
Instruction ID: 71a84fe784c48e8079b814129ed29a29926df135038591593284607714db7f3f
Opcode Fuzzy Hash: 6f5faebb82e385da850a712c8f9ad5064009ea156538de1d763f7bb30bbdb0bb
Instruction Fuzzy Hash: 70218031A00248AFDF15CFE4D845F9EBBB9FF48710F04806AE911AB356DA31D855CB40

Uniqueness

Uniqueness Score: -1.00%

Function 01355658 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.256602050.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1350000_Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05095438d531452b3e8e51177fd6c5a1e87743f4b9ca29b20e24459c02da5e52
Instruction ID: 7fe82d4c66d76ae24bd0a39bd8eb2a57a82a847faf22a797a51340eff376daa4
Opcode Fuzzy Hash: 05095438d531452b3e8e51177fd6c5a1e87743f4b9ca29b20e24459c02da5e52
Instruction Fuzzy Hash: 2421F675E00209DFCB08DFA5D945AEEBBB6FB88300F208069D805A7354DB359945DF54

Uniqueness

Uniqueness Score: -1.00%

Function 01355B38 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.256602050.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1350000_Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 059b2fa959d87ecdf2d56f071953c29a84e4fbf086cb4a42c502d7d9afb335c0
Instruction ID: beabc46cc2448ec335f97fc39dfaa83a2a591fc0e84f39d727cdae5ff3ed53ee
Opcode Fuzzy Hash: 059b2fa959d87ecdf2d56f071953c29a84e4fbf086cb4a42c502d7d9afb335c0
Instruction Fuzzy Hash: 7421F838A14218CFDB49DFA9D485AECBBF5FB49314F14816AEC09A7356CB31A806CF40

Uniqueness

Uniqueness Score: -1.00%

Function 0135DC40 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.256602050.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1350000_Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bcd6c3c8ea4f6ab007b2be2b8157cc003982ec2897c3f229e97fabf7795348f
Instruction ID: 42ee80d99996aa9f4ef32b5d893d8086009bc8a3b82472a468988321fb7d0e4d
Opcode Fuzzy Hash: 7bcd6c3c8ea4f6ab007b2be2b8157cc003982ec2897c3f229e97fabf7795348f
Instruction Fuzzy Hash: 7811E2317017009FE7268FAAD480D53BFB6EF85728B1485AAEA4A8B313C731E885C750

Uniqueness

Uniqueness Score: -1.00%

Function 013543F9 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.256602050.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1350000_Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78752a5d95f49bc11f6399b0832ec1ab47205d9085483041dc1c620f5b9e979f
Instruction ID: a0e3ca1d1e7d2c0fd94d52f5de46e8bfc7fb1d55a6c9b8bc11c0acd23d882940
Opcode Fuzzy Hash: 78752a5d95f49bc11f6399b0832ec1ab47205d9085483041dc1c620f5b9e979f
Instruction Fuzzy Hash: AA112532384244BFD3119775EC56F967FA9EB46720F24406AF249DB3D6C969AC02C394

Uniqueness

Uniqueness Score: -1.00%

Function 0135A688 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.256602050.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1350000_Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c46bb6f2e6254e20631ccc7a664c636cb36abf5cbc68fc83f3738fa53e9aef78
Instruction ID: 2c0399901d0fef248699cfa642e4cca38b989cde1cc42ae13516ce5237432eca
Opcode Fuzzy Hash: c46bb6f2e6254e20631ccc7a664c636cb36abf5cbc68fc83f3738fa53e9aef78
Instruction Fuzzy Hash: BC11BB742007028FCB19DF6CD4A492ABBB1FFC4214B008A69D9469B302DB74DD05CB90

Uniqueness

Uniqueness Score: -1.00%

Function 013597C0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.256602050.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1350000_Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90f4b541dae96aa9066af5bbe8005c0c2f38caf93bbe8e5d4fe1beeb385eff64
Instruction ID: c47da4c327d44b2499db9d1498fa9c3e1244073e7d56060c42b412c6255e6b78
Opcode Fuzzy Hash: 90f4b541dae96aa9066af5bbe8005c0c2f38caf93bbe8e5d4fe1beeb385eff64
Instruction Fuzzy Hash: 3D119D31A09250CFC752CB58C994F9ABFF5EF85624B1988AAD8899B213C630EC00CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01355668 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.256602050.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1350000_Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9de535cf6808d08a1e54b062f6e8bb3fa354e277445e6057a4d9267f9d0613b9
Instruction ID: 6cdaeb8ccf387896d58229590b5fcb3c4c6505aad4e02ff74eada7c51662a7f7
Opcode Fuzzy Hash: 9de535cf6808d08a1e54b062f6e8bb3fa354e277445e6057a4d9267f9d0613b9
Instruction Fuzzy Hash: 4121E378E00209CFCB08DFA6D9559EEBBB6FF88300F208068D805A7354DB35A945CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0135BA48 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.256602050.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1350000_Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98e29005bd4461ca787f95e2d6a7e50980a410790fd7a81782b76c463d87c083
Instruction ID: f70b165250bba378b9fc69849db40b5906b40f9b5fded19eeb5b9d0d5eec732c
Opcode Fuzzy Hash: 98e29005bd4461ca787f95e2d6a7e50980a410790fd7a81782b76c463d87c083
Instruction Fuzzy Hash: F1217F31A04605CFCF19DF59C8C48AEFBB6FF843147148566E909DB26ADB70E914CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0135DCF8 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.256602050.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1350000_Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e27d029c7f40bcf0ad2ccf674750d57551de6085b4d47c98685dd90e1d1d0a37
Instruction ID: ead33e842919145e5de9d60221091a50f6b9897089f2f9d2ec3c7071dcbcc2f7
Opcode Fuzzy Hash: e27d029c7f40bcf0ad2ccf674750d57551de6085b4d47c98685dd90e1d1d0a37
Instruction Fuzzy Hash: 3501F5303052155BFB6416AF8444BBBAEEE9FC4B55F44403BAE0AC7781DE65CC81C362

Uniqueness

Uniqueness Score: -1.00%

Function 01356299 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.256602050.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1350000_Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 157a695611c948815e7ac7e6367e146b9f6ae7ceae6ab078fe802fc77cf973b5
Instruction ID: f5de2b12e273d8574b3be4a17bcc039aebb78011bc92433f3c4bd45c71708c5a
Opcode Fuzzy Hash: 157a695611c948815e7ac7e6367e146b9f6ae7ceae6ab078fe802fc77cf973b5
Instruction Fuzzy Hash: 9A110270A04205CBDB25DF78D4296ECBBF2BF88301F288529E882B7259CB365849CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0135A698 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.256602050.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1350000_Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01bec2094ef4e54941816daee99cef61e3b747dffa8061d7b8e158b643c284e5
Instruction ID: 10dc1585ca3c9c1c63319b9c586d760cbf0d85fe42949a2981b1c503ef5304db
Opcode Fuzzy Hash: 01bec2094ef4e54941816daee99cef61e3b747dffa8061d7b8e158b643c284e5
Instruction Fuzzy Hash: 75118C742007168BCB68DB6CD4A0D5EBBB5FFD4624B008A29E9069B301DB75EC018B90

Uniqueness

Uniqueness Score: -1.00%

Function 013561E8 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.256602050.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1350000_Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa79640598909e2056e3e31e27870bb6396fba753e93e9cb7c67a1629581d745
Instruction ID: 60216f225a05c7506cdb241dba42c265aa8bfbabc29689772899a8144f7a5768
Opcode Fuzzy Hash: fa79640598909e2056e3e31e27870bb6396fba753e93e9cb7c67a1629581d745
Instruction Fuzzy Hash: 5A11E9703002094BD714EF6DD861A9E77A7EFC8354F908939E8458B650DE70AC0587E1

Uniqueness

Uniqueness Score: -1.00%

Function 01354408 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.256602050.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1350000_Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7526abbf91772a25a47867f7e675860357da42783675d9860a2533023415b44d
Instruction ID: 5b09b0a7e5f875835273633ecbb2a2e9b04584e9609b6e792240e7e82d91406d
Opcode Fuzzy Hash: 7526abbf91772a25a47867f7e675860357da42783675d9860a2533023415b44d
Instruction Fuzzy Hash: 1E11C031344208AFD310DB2AEC59F567FAAEF85B10F5540A6E209DF3E6CA65AC018794

Uniqueness

Uniqueness Score: -1.00%

Function 01359B08 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.256602050.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1350000_Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ada27348a9e5ad19312cad22e9aefad015b7999086c9aaf6fd649fc1b3d29715
Instruction ID: dd34c01a88f50a4d5f358565b0829f61c7f04c82c98f67eee0e5199615932efa
Opcode Fuzzy Hash: ada27348a9e5ad19312cad22e9aefad015b7999086c9aaf6fd649fc1b3d29715
Instruction Fuzzy Hash: 78115E342007465FC714EB28D46489ABFB6EFD12143148E6ED49A8B262DF71AD0F8BD4

Uniqueness

Uniqueness Score: -1.00%

Function 013562A8 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.256602050.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1350000_Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d26fd84f9339c1414f1bac5e00252523c57395fa064ab8f7daef34e35ac3050f
Instruction ID: 397b7adce7304d8e81fc0d750c4dafe6ac19774b6785a18be306e4e02e0f5e40
Opcode Fuzzy Hash: d26fd84f9339c1414f1bac5e00252523c57395fa064ab8f7daef34e35ac3050f
Instruction Fuzzy Hash: 5711EF70A04209CBDB24DF69D459AEDBBF2BF88700F24C129E842B7259DF324849CF90

Uniqueness

Uniqueness Score: -1.00%

Function 01354A90 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.256602050.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1350000_Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d8fb56290b754a5091506d6174358f0f0b4cadf00b600acd07f276730d2f102
Instruction ID: 66d35aa0a2415b9c83cb1d75c8750f9587040e3a99d896ef47149657e4b4e2ed
Opcode Fuzzy Hash: 2d8fb56290b754a5091506d6174358f0f0b4cadf00b600acd07f276730d2f102
Instruction Fuzzy Hash: 8E21513491124ADFCB48EFA9E555AEE7FB1FB48300F008A66E50193359DB342A46CFD0

Uniqueness

Uniqueness Score: -1.00%

Function 01359B18 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.256602050.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1350000_Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b9448c435ca0803daa6abe278f5561373c2d8701701f8d62fbc582cd37424c1
Instruction ID: 98eda39e6c276d0ea53fda705568b707d9d7748b732edd181db3a25bfadbea51
Opcode Fuzzy Hash: 3b9448c435ca0803daa6abe278f5561373c2d8701701f8d62fbc582cd37424c1
Instruction Fuzzy Hash: BE115E302007469BC714DF28D4A489ABBB6FFD13143148E2DD55A8B661DF72AC0B8BD4

Uniqueness

Uniqueness Score: -1.00%

Function 0135CF60 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.256602050.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1350000_Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09e581cd6796e82e3548f1ad7362f4c0a11bd677308c79879ff818a8c3720e7f
Instruction ID: 142b18976bdcee87e683b4ea5dcef1e06359015570059bb7227a7b4cdedd3aa4
Opcode Fuzzy Hash: 09e581cd6796e82e3548f1ad7362f4c0a11bd677308c79879ff818a8c3720e7f
Instruction Fuzzy Hash: 9401A2B47003146FD3189A7E9454B56BAEEEFC9660B50812EFA0DCB381EE71DC46C3A4

Uniqueness

Uniqueness Score: -1.00%

Function 01354AA0 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.256602050.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1350000_Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2114f511383b96ba767ce05fc56bdf4417d52ecd0edb084b1fb35f47f17f14b8
Instruction ID: 5fd10f92e5138c573e873c495445456c386184ba8ad02220ca406033c6d71e70
Opcode Fuzzy Hash: 2114f511383b96ba767ce05fc56bdf4417d52ecd0edb084b1fb35f47f17f14b8
Instruction Fuzzy Hash: B511123491125EDFCB48EF6AE4559AEBBB1FB88300F008A26E50593359DF306A46CFD0

Uniqueness

Uniqueness Score: -1.00%

Function 01355D51 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.256602050.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1350000_Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f0ca92e3b79d3af802a7584849b207fcd9a83fb986a0785c9f2b5d4820dbcae
Instruction ID: fd1f08ea6e068ad1f6c70bc60adf6bec3a6c0279ebb17cb26da655af662717cf
Opcode Fuzzy Hash: 8f0ca92e3b79d3af802a7584849b207fcd9a83fb986a0785c9f2b5d4820dbcae
Instruction Fuzzy Hash: CDF02877B093522BF712055A4C50EBF7FABDFC5660F0A8066FE4587182CA26CC12E3A1

Uniqueness

Uniqueness Score: -1.00%

Function 01355D60 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.256602050.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1350000_Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2eb292b63d1b3275683b13a7bc33d855c292c3537f238bd3ecd6c1d92c77d85b
Instruction ID: 9f2054126f285a051c6b0f2ae8286f9c33ce23b65a84ad6864dc9bfca52feb48
Opcode Fuzzy Hash: 2eb292b63d1b3275683b13a7bc33d855c292c3537f238bd3ecd6c1d92c77d85b
Instruction Fuzzy Hash: E2F0E977B0022667F715044B9C54FBF6EABDBC4AA1F0A4036FF0583240CA36DD51A3A0

Uniqueness

Uniqueness Score: -1.00%

Function 01354368 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.256602050.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1350000_Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8123377beed462e6961661804facbf7253ff77a4f37dd01311f62fdf20d6cf68
Instruction ID: a462269e752df95ff25e14b3a796066df2bc04b914b254561b7d72a71730ed32
Opcode Fuzzy Hash: 8123377beed462e6961661804facbf7253ff77a4f37dd01311f62fdf20d6cf68
Instruction Fuzzy Hash: C901817490014EEFCF40FF79E5A098E7BB5FB84304F204A6AD40597219EA306E459B90

Uniqueness

Uniqueness Score: -1.00%

Function 0135DC30 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.256602050.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1350000_Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea8bdeea92618ff35e8626fc9ccf2daeecd8911a43252594dfa7a6ed97f66d87
Instruction ID: d1c0e52077e8c20f143e5539235d78edd33f3f2c5581b5c25bf7bd8bc68d62a3
Opcode Fuzzy Hash: ea8bdeea92618ff35e8626fc9ccf2daeecd8911a43252594dfa7a6ed97f66d87
Instruction Fuzzy Hash: 51F0A7B3600200AFF7264A6AED44E83BFFAEF85765759406AE908C7312DB21D845C721

Uniqueness

Uniqueness Score: -1.00%

Function 01354378 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.256602050.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1350000_Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 655838134978bb62001248aca21b856ddb5fb7cbb1a13cc269d54c94b98b2983
Instruction ID: 72ebe3747cafb581794a934cbf8efea8602a558af5db938fbb27803927725a58
Opcode Fuzzy Hash: 655838134978bb62001248aca21b856ddb5fb7cbb1a13cc269d54c94b98b2983
Instruction Fuzzy Hash: 5EF01274A0011EEFCF44FF79E56089E7BB5FB88604B204E6AD40597218EB306E55DBD0

Uniqueness

Uniqueness Score: -1.00%

Function 013504D8 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.256602050.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1350000_Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bda00eb9ebdad612861d95fe10f60a1c43d5e5455b8c7c463ea41c6b2a1f566
Instruction ID: 800577deb217c69c73a633ea5bad258b9296ca52c0c4bb66cfd683c82c6f5d02
Opcode Fuzzy Hash: 6bda00eb9ebdad612861d95fe10f60a1c43d5e5455b8c7c463ea41c6b2a1f566
Instruction Fuzzy Hash: F0F0E2396041658FCB46EB68E0609E97BF1EF8E600B1485AFE0068B667CA209C01CF90

Uniqueness

Uniqueness Score: -1.00%

Function 01354210 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.256602050.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1350000_Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 070b5289a75ab31b98e42357ef367146435533ea9e3336265017f06e2854821f
Instruction ID: f2b7c1e6afce5832e733b21107ef93f44ec637ecb5de532f130a9e819931f57e
Opcode Fuzzy Hash: 070b5289a75ab31b98e42357ef367146435533ea9e3336265017f06e2854821f
Instruction Fuzzy Hash: 02F05470D0014DBFCB40EFBDD59568D7FB4FB85200F505AAED409AB310DA315E458791

Uniqueness

Uniqueness Score: -1.00%

Function 01355449 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.256602050.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1350000_Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fa86908a9123404306bfe30078d286325c0683e13e154442af66f7a0f650bed
Instruction ID: 7646248ddf9da046df8c7c636fda303c487285676c1a30b8ab2b0692a12f8d37
Opcode Fuzzy Hash: 2fa86908a9123404306bfe30078d286325c0683e13e154442af66f7a0f650bed
Instruction Fuzzy Hash: ECF03A70961209EFCB48EF68E455BDD7FB0EB48301F104A66EA0497315EA305A45CF84

Uniqueness

Uniqueness Score: -1.00%

Function 0135DE60 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.256602050.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1350000_Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4adf9cc3da5bd06eefa615cb99b270777a2eead674376b06e31501207b1f036b
Instruction ID: c2fa42bf798f156e624736ea8edd89dc690d0b028c1cca30ad5954a2e4ceda63
Opcode Fuzzy Hash: 4adf9cc3da5bd06eefa615cb99b270777a2eead674376b06e31501207b1f036b
Instruction Fuzzy Hash: AFE04F363101145BC7249A4EE404D9ABBAEDFD9771B148037FA0CC7320CE71DC5296E4

Uniqueness

Uniqueness Score: -1.00%

Function 01354220 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.256602050.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1350000_Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd154165c7edc3f4c65fbd2b19fe85a41903b8459263f7bda0bd8b7aa09a3e7b
Instruction ID: 7338620245eff6d30fa0fc20bde35f65f18749ffee0ff8ea80a4788a09a938a9
Opcode Fuzzy Hash: dd154165c7edc3f4c65fbd2b19fe85a41903b8459263f7bda0bd8b7aa09a3e7b
Instruction Fuzzy Hash: 5EF03070D0010EEFCB40EFBDD56559CBBB5FB84200F605AAAC409AB210EA302F448B80

Uniqueness

Uniqueness Score: -1.00%

Function 013545C9 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.256602050.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1350000_Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 133d2a255ee559be199958572b6884d6deadf2c41e7b84cdb75c3a662e90b65b
Instruction ID: 6f4d83b2092168b5a852e15d68ddde8a1fde8b9e48459759a8e1fd17ac5db441
Opcode Fuzzy Hash: 133d2a255ee559be199958572b6884d6deadf2c41e7b84cdb75c3a662e90b65b
Instruction Fuzzy Hash: FDE06D34425345CFD7499F70A56E2BA7F70DB07302B006989E44993101DE340150CA18

Uniqueness

Uniqueness Score: -1.00%

Function 01355458 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.256602050.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1350000_Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fa487bd24134a3b8e1897138df82b63545bf1cb9253e7f1e96a2c368f6be3cc
Instruction ID: 9b15d4f6a1c690b4a72f2fa91ed8a1677c0b927e46cfbd6cbb54d26905e020dc
Opcode Fuzzy Hash: 3fa487bd24134a3b8e1897138df82b63545bf1cb9253e7f1e96a2c368f6be3cc
Instruction Fuzzy Hash: 50F0FE7096121DEFCB48EF79E455A9D7FB0EB44305F104A66E90493215EA306A45CB94

Uniqueness

Uniqueness Score: -1.00%

Function 01350457 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.256602050.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1350000_Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bd40e4486d71530bf4ab4bdefa27341dc72c732a2446843527de50ab52a4b46
Instruction ID: 4920f0e3b97dce6ebe35ce5906627f45955e470e18cff26a25236cd961c7adc9
Opcode Fuzzy Hash: 5bd40e4486d71530bf4ab4bdefa27341dc72c732a2446843527de50ab52a4b46
Instruction Fuzzy Hash: 09E092308443089FCB41EFA4E8150EA7BB4EF493107008AABCC45D7216D63A1E028B80

Uniqueness

Uniqueness Score: -1.00%

Function 013504E8 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.256602050.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1350000_Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5dbaae8d267af20822659efffd3bfe9b94169a49e6257babffeb380928519fbd
Instruction ID: b028b4d629b7cfc678107dacca50adf3e37f78a7687471febf73dcbffe28f1fe
Opcode Fuzzy Hash: 5dbaae8d267af20822659efffd3bfe9b94169a49e6257babffeb380928519fbd
Instruction Fuzzy Hash: 73E092396004158FCB45FBAAF050999B3E9EB48604B10852AE50A8B755CA31AC408F94

Uniqueness

Uniqueness Score: -1.00%

Function 0135A771 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.256602050.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1350000_Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15ed514f50da6a034585dc0e83fb4aa407bf89d44aabf14af3ef72f9b28c224b
Instruction ID: 910ade209b66eb5323ae553968bd4521bcde4155c7cd7f412a4229a2234a9f78
Opcode Fuzzy Hash: 15ed514f50da6a034585dc0e83fb4aa407bf89d44aabf14af3ef72f9b28c224b
Instruction Fuzzy Hash: EFF01C30D09349EFCB05DFA8D45909CBFB1AF46304F0045EAE445E7251DB344A08CF41

Uniqueness

Uniqueness Score: -1.00%

Function 013545D8 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.256602050.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1350000_Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 012b5a3d377fd0bec23c6c29033d6b6f2ba37204a4c61ab5bdf6241224d3ae28
Instruction ID: 3d3fdacace64be02d2d04976b3d9e0630cdd79edbc79e20e46bb38b66c6b5698
Opcode Fuzzy Hash: 012b5a3d377fd0bec23c6c29033d6b6f2ba37204a4c61ab5bdf6241224d3ae28
Instruction Fuzzy Hash: EFE0EC70872309DBD748AF75E45E6AABFB8EB0B306F01AD55F90993500DF3145408A59

Uniqueness

Uniqueness Score: -1.00%

Function 01350499 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.256602050.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1350000_Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ebb84d82bda738d8732281c4308bca761194818f340cd9bff80fbe32fb962ce
Instruction ID: 0563fc7b46647505d4a1115bba6235decda010e11e8054e19bd51ad2f56cd0c2
Opcode Fuzzy Hash: 3ebb84d82bda738d8732281c4308bca761194818f340cd9bff80fbe32fb962ce
Instruction Fuzzy Hash: 52E0DF396442918FCB02AB3994548683FB2BF8A320310439BD845CB327CA319C428B81

Uniqueness

Uniqueness Score: -1.00%

Function 01354278 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.256602050.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1350000_Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1b6a7762856e7c458cb875e40bd471a3695b70d542ca4b10c367c25850cdbc7
Instruction ID: efcb3814a354baa4eb3440b28d9cd266f34d3b00c8c6ae2f4bfa8f709df9acba
Opcode Fuzzy Hash: a1b6a7762856e7c458cb875e40bd471a3695b70d542ca4b10c367c25850cdbc7
Instruction Fuzzy Hash: 78E0C2366201108FD3086B14E84ABD97BAAFF88720F084166F50AC7351CF69DC01C744

Uniqueness

Uniqueness Score: -1.00%

Function 01354330 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.256602050.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1350000_Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f84806da96d9197494d26e465feaed34e8bccefa6b5ef5660499a7274e3f6b63
Instruction ID: 92fb9de411a772a8bfa7843f1e56d8926254927790f2b21dbecc1658552df166
Opcode Fuzzy Hash: f84806da96d9197494d26e465feaed34e8bccefa6b5ef5660499a7274e3f6b63
Instruction Fuzzy Hash: D1E02E3A7002109FC720AF18E841B9A7BE8FF0CB00F040166FA46C3360DB65EC01CB84

Uniqueness

Uniqueness Score: -1.00%

Function 0135A780 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.256602050.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1350000_Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fae8ce2c9f0981ec92cf96cab6d9bd6602bfa9f75b1003301614d252f6cc0a6a
Instruction ID: f89bfc2a2122581f4fc0934629da79d165c46643b2949596741eee298344033e
Opcode Fuzzy Hash: fae8ce2c9f0981ec92cf96cab6d9bd6602bfa9f75b1003301614d252f6cc0a6a
Instruction Fuzzy Hash: 69E09A74E04208AFCB44DFA8D45559DBBB5AB48304F0085A9E449E7340EA345A04CF95

Uniqueness

Uniqueness Score: -1.00%

Function 0135C7B0 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.256602050.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1350000_Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f8feacdd3a3ac68c192fa2f5aeba067ff31913e57a2502aaafe20aa2d8433f7
Instruction ID: 1bbbdf48c20d57d65ad2701c46c6732a52a8e59c102e935a7d1515bf34ceea8e
Opcode Fuzzy Hash: 4f8feacdd3a3ac68c192fa2f5aeba067ff31913e57a2502aaafe20aa2d8433f7
Instruction Fuzzy Hash: 63D012315456849FD3064A248C553857FB09F17311B990097C552CA257C66C494ACB65

Uniqueness

Uniqueness Score: -1.00%

Function 0135465E Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.256602050.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1350000_Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 049d485c59ea899ab6640a48e2973431b02457cec9ba410ee492956c534435c6
Instruction ID: ad7747b1ffd7b6572461b14dfadad16b3c69c9d029e595f888dbdaf7272ce982
Opcode Fuzzy Hash: 049d485c59ea899ab6640a48e2973431b02457cec9ba410ee492956c534435c6
Instruction Fuzzy Hash: 0DD0A932955308C28A048BA0A42D074BFB1DA8320D304A88AEC5E92A00DA2282108608

Uniqueness

Uniqueness Score: -1.00%

Function 01354340 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.256602050.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1350000_Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70b601fae09ee9e974e4468ccf724cf3c47d920e1994dd7891570a128a9b0cfc
Instruction ID: 3e92cefda23b1f06e5c4302dab89f9e0e67e06273be76854af8f224cdd72814a
Opcode Fuzzy Hash: 70b601fae09ee9e974e4468ccf724cf3c47d920e1994dd7891570a128a9b0cfc
Instruction Fuzzy Hash: 97D0A734300514DFC7109B19E804E597BE9FF4D710F100156F546C7364CB61AC008B84

Uniqueness

Uniqueness Score: -1.00%

Function 01354288 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.256602050.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1350000_Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53b2123baffb589232999dfe09199d36dba96d4d139e5f17ec8dbabaa5226fb3
Instruction ID: ba38a8305d6bf2163a6e52871fc0e2f21e2eaf2f6398cd092582fe0774c4770c
Opcode Fuzzy Hash: 53b2123baffb589232999dfe09199d36dba96d4d139e5f17ec8dbabaa5226fb3
Instruction Fuzzy Hash: 87D05E383202108FC708AB29E5498997BAAFF8862170441A6F90A87351CF719C00CB84

Uniqueness

Uniqueness Score: -1.00%

Function 01350468 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.256602050.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1350000_Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be3c811e291ad9f583588ca5c9c2926927cad15c62d8bcd77c5282a04a50066f
Instruction ID: ae7ad0366e0d5984f8244eb3b4e86223eaada0ca9849f88e369bc80784a8a3c7
Opcode Fuzzy Hash: be3c811e291ad9f583588ca5c9c2926927cad15c62d8bcd77c5282a04a50066f
Instruction Fuzzy Hash: A8D01770D0020DEFCB40EFA9E91545EBBB9EB483007108AA6D80993208EA366E008F90

Uniqueness

Uniqueness Score: -1.00%

Function 013504A8 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.256602050.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1350000_Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e71575e49e568920ca94ce5fecff0a64fabd9cd916599c139aeb8bdbb5a7cb34
Instruction ID: e76bd19775e2c09d65167991083ff53870c1fe0d1b8fa09db6d1a9844ad877aa
Opcode Fuzzy Hash: e71575e49e568920ca94ce5fecff0a64fabd9cd916599c139aeb8bdbb5a7cb34
Instruction Fuzzy Hash: 55D0C7797506148FD744EB79E44491537B7BB8C7243504256E90DC732ADE31EC818B55

Uniqueness

Uniqueness Score: -1.00%

Function 0135A748 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.256602050.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1350000_Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab08d30cc267f7ec255b51a5561f9d9232e4771b71cfd8f136cba4f974352e0f
Instruction ID: 6321ca236aaf956f46bb82e62d10ef844f517f0bc6d10d9537cf9e551ae8a624
Opcode Fuzzy Hash: ab08d30cc267f7ec255b51a5561f9d9232e4771b71cfd8f136cba4f974352e0f
Instruction Fuzzy Hash: 65D02272E4E3C88FC3038E548E431243B20EA03202B0602C7DC84DB366D5258E1187A2

Uniqueness

Uniqueness Score: -1.00%

Function 0135BC40 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.256602050.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1350000_Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa35753772269768b635d5265c8cff900785077ec6263ca6832f91fed03c7114
Instruction ID: b77d1c3fd343f31ce5911ebdfbab4797fc70b8c4a93b8f98e0f5b7c755a94f1e
Opcode Fuzzy Hash: fa35753772269768b635d5265c8cff900785077ec6263ca6832f91fed03c7114
Instruction Fuzzy Hash: 25D0C93205E3808FC3460B20F85A0407B35AE02631B1446D3A86ACF197DA56889ECF91

Uniqueness

Uniqueness Score: -1.00%

Function 013564AB Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.256602050.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1350000_Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d13244164822d19fc030560cd51636f1298811fa07da3e76185ce6f3b928008
Instruction ID: c8076bb8ebb99fb6b9797df26390576548e1e4bedc706227c86d5b0e40ff13b3
Opcode Fuzzy Hash: 8d13244164822d19fc030560cd51636f1298811fa07da3e76185ce6f3b928008
Instruction Fuzzy Hash: B8C012315045758BC2586B58A0204DD3BB5BFDE6103054D99E04E4B15ACF624C0643D5

Uniqueness

Uniqueness Score: -1.00%

Function 01350442 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.256602050.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1350000_Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f57640a3eb3fed86a1d953cd0c3cea4e2aeab62fcd727cd396e342953a8f929
Instruction ID: ca9b62348f155cd3fa11d347c13e4d3160a47ce228ec8a3d2f51d75117d4967c
Opcode Fuzzy Hash: 7f57640a3eb3fed86a1d953cd0c3cea4e2aeab62fcd727cd396e342953a8f929
Instruction Fuzzy Hash: 48C09232A493624FC3030AB08C181E17BE0EE921613AF01E7D090C7661D2AC4A868791

Uniqueness

Uniqueness Score: -1.00%

Function 0135A758 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.256602050.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1350000_Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfed8b1b420a2ff7a697df5475833a7160e02444b6c58aed48c8332f1a703260
Instruction ID: ac8a8cdd6a387cabb28999e7e95688e18285ccd0b8f899d82a786f5a3bc313f1
Opcode Fuzzy Hash: cfed8b1b420a2ff7a697df5475833a7160e02444b6c58aed48c8332f1a703260
Instruction Fuzzy Hash: BBB0927190930CAF8710DE99980192ABBACDA0A214F0006DAF90897310E936A91056E6

Uniqueness

Uniqueness Score: -1.00%

Function 0135C298 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.256602050.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1350000_Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5aa3ea83cf2b86232d28e80f3f5b68ba0c10dbb13f94743943666aaa1eb0427f
Instruction ID: a71e820ea6719d892dc954b0c11eb15bf12dfa72c9fd5873c6a13a8c1368350c
Opcode Fuzzy Hash: 5aa3ea83cf2b86232d28e80f3f5b68ba0c10dbb13f94743943666aaa1eb0427f
Instruction Fuzzy Hash: 4EB0123202030F4BCA807B5DF8158587B6D96C02083408D30F10E4551B5E6074018AC8

Uniqueness

Uniqueness Score: -1.00%

Function 0135BC50 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.256602050.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1350000_Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e3eec13af112bca44cddcba26d3c2d659d20a497ddb56ae4ef1d333000f3579
Instruction ID: 5eef39d546df1ee82c0c7c914fc5c56911aef76f6dcdbdb29608f330827bf68b
Opcode Fuzzy Hash: 9e3eec13af112bca44cddcba26d3c2d659d20a497ddb56ae4ef1d333000f3579
Instruction Fuzzy Hash: B0B012320183088783405758FC06415739C6A406347348364B07D8A2D9CE17B8578B44

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0135E5E8 Relevance: 1.3, Instructions: 1268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.256602050.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1350000_Invoice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1fc3a99ec8ab15a16afc849af8d8fb7fb186ea91fa6930313216e4e35258939
Instruction ID: 71abdb06a40c81d910dd464a55353016d9f1ff56a4d086ed4fc87aaacf1784d2
Opcode Fuzzy Hash: b1fc3a99ec8ab15a16afc849af8d8fb7fb186ea91fa6930313216e4e35258939
Instruction Fuzzy Hash: D3C22634A00219CFDB69DF68C894BADBBB2FF49305F1084A9E949A7251CB35DE81CF50

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: RegAsm.exePID: 2380, Parent PID: 7148COMMON

Execution Graph

Execution Coverage

Dynamic/Packed Code Coverage

Signature Coverage

Execution Coverage:	8.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	7.1%
Total number of Nodes:	42
Total number of Limit Nodes:	1

Executed Functions

Function 03032D38 Relevance: 2.2, APIs: 1, Instructions: 689
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 03032E8D

Memory Dump Source

Source File: 00000001.00000002.513312156.0000000003030000.00000040.00000800.00020000.00000000.sdmp, Offset: 03030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3030000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 0ec4d10b9cca7ccd71e69343d99840bbcb3a740ce664afa6a2842ccb57dbe3e8
Instruction ID: 328feed257149f36460dd7c48983c0e0d0d8a8f49ab40cded4db52c2dc4e1773
Opcode Fuzzy Hash: 0ec4d10b9cca7ccd71e69343d99840bbcb3a740ce664afa6a2842ccb57dbe3e8
Instruction Fuzzy Hash: 3872AB74E01269CFDB64DF69C884BDDBBB6BB8A300F1481EAD409A7255DB349E81CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0303A9C8 Relevance: .5, Instructions: 539
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000001.00000002.513312156.0000000003030000.00000040.00000800.00020000.00000000.sdmp, Offset: 03030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3030000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a6ea4f5cd58d35fc25947e6b4a32d8607244e8bfe713f3f7a63ca9d6c6bdf97
Instruction ID: 7619a4391a2e5dded52e0ea11a3d68fd14f1ef67e93b40c295cdec8ce3679ff1
Opcode Fuzzy Hash: 1a6ea4f5cd58d35fc25947e6b4a32d8607244e8bfe713f3f7a63ca9d6c6bdf97
Instruction Fuzzy Hash: BC325774E01219CFDB18DFA8C884BADFBB6BF89300F1485A9D449AB355DB349981CF90

Uniqueness

Uniqueness Score: -1.00%

Function 03033C08 Relevance: .3, Instructions: 280
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000001.00000002.513312156.0000000003030000.00000040.00000800.00020000.00000000.sdmp, Offset: 03030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3030000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1033b4f3f833d55c689b70dd944ba3db5d6a253e5eb212aa585bcaac3283acd8
Instruction ID: 88b2d956a7989b050d85c7f8aca8411021aea7b7f865197abe31dd0bde2f09c7
Opcode Fuzzy Hash: 1033b4f3f833d55c689b70dd944ba3db5d6a253e5eb212aa585bcaac3283acd8
Instruction Fuzzy Hash: 5CD19F74E01218CFDB58DFA9D998B9DBBB2BF89300F1081AAD809AB355DB355D85CF10

Uniqueness

Uniqueness Score: -1.00%

Function 030341E9 Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.513312156.0000000003030000.00000040.00000800.00020000.00000000.sdmp, Offset: 03030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3030000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58941791e7ed585a4b5e03026cedf07628a9a95a5578b1edaeabc5e4eb9520ac
Instruction ID: 68e85a996887c55a74e4f740352585de4a8c9320970e3614ac797d337acb99e5
Opcode Fuzzy Hash: 58941791e7ed585a4b5e03026cedf07628a9a95a5578b1edaeabc5e4eb9520ac
Instruction Fuzzy Hash: EAA1F170E01208CFDB14DFA9C988BDDBBB1FF89304F248269D509AB2A1DB759985CF54

Uniqueness

Uniqueness Score: -1.00%

Function 030341F8 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.513312156.0000000003030000.00000040.00000800.00020000.00000000.sdmp, Offset: 03030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3030000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06a53a88f0fcdf0a064791e1821a747ca7cdfe4f45557213c46da560e12de405
Instruction ID: 0014e43c98122b9ffc42f1692241143dcf79f4cf438b250fa17c22155b21a170
Opcode Fuzzy Hash: 06a53a88f0fcdf0a064791e1821a747ca7cdfe4f45557213c46da560e12de405
Instruction Fuzzy Hash: 8EA10170E01208CFDB14DFA9C988B9DBBB1FF89304F248269D508AB2A1DB759985CF55

Uniqueness

Uniqueness Score: -1.00%

Function 0303453E Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.513312156.0000000003030000.00000040.00000800.00020000.00000000.sdmp, Offset: 03030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3030000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a25a74c9cb4d144b59d779cbfeb493a3c8473642add3c1bf6132aefd8d96ec1
Instruction ID: 7996e317fb191cc09265448d589940b1eb253eb77e7f4b265823135a6929578d
Opcode Fuzzy Hash: 5a25a74c9cb4d144b59d779cbfeb493a3c8473642add3c1bf6132aefd8d96ec1
Instruction Fuzzy Hash: 5C910374E01208CFDB14DFA9C888BDCBBB5FF49310F2482A9E409AB291DB759985CF15

Uniqueness

Uniqueness Score: -1.00%

Function 0303DDA8 Relevance: 1.6, APIs: 1, Instructions: 124
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL(000000FF), ref: 0303DF0A

Memory Dump Source

Source File: 00000001.00000002.513312156.0000000003030000.00000040.00000800.00020000.00000000.sdmp, Offset: 03030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3030000_RegAsm.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 442ab97cd99664a23506b6eaf15fa876a17b0832035332c066afa82493d6bb90
Instruction ID: b9b31246911c97e253197cbc30f478b4b8059e9a82c9bc94a6d1617cbd01d51c
Opcode Fuzzy Hash: 442ab97cd99664a23506b6eaf15fa876a17b0832035332c066afa82493d6bb90
Instruction Fuzzy Hash: 145100B4D02208DFDB18DFAAD8886DDFBB6BF89310F14C529E414AB294DB749945CF10

Uniqueness

Uniqueness Score: -1.00%

Function 0303DF43 Relevance: 1.6, APIs: 1, Instructions: 122
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000001.00000002.513312156.0000000003030000.00000040.00000800.00020000.00000000.sdmp, Offset: 03030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3030000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 709001d959d41919d07da3279a1a69602afdcac13df993a94090e5a770f6f230
Instruction ID: eaa7af7ce8076d5a60dcd4fdbb6e490fff8e82566bb12c521b33b7ead1ad96e1
Opcode Fuzzy Hash: 709001d959d41919d07da3279a1a69602afdcac13df993a94090e5a770f6f230
Instruction Fuzzy Hash: 5151F0B4D06208CFCB14DFA9D4846DCFBBABF4A311F248569E419BB294D7749885CF14

Uniqueness

Uniqueness Score: -1.00%

Function 03031921 Relevance: 1.6, APIs: 1, Instructions: 106
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 0303197E

Memory Dump Source

Source File: 00000001.00000002.513312156.0000000003030000.00000040.00000800.00020000.00000000.sdmp, Offset: 03030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3030000_RegAsm.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: b2e80622c493232b8e32083f2668aced9c22d2ffff1884932547b2adc69ae1a0
Instruction ID: e902414b6f08dc192db4c2f9a625829d2aff2e43e88cfa62a74156a44d9615d0
Opcode Fuzzy Hash: b2e80622c493232b8e32083f2668aced9c22d2ffff1884932547b2adc69ae1a0
Instruction Fuzzy Hash: 3B3184718253069FC719BFB0E5AC2AE7BB4FB0F313B046C55E01AD919ADB3A0585CB61

Uniqueness

Uniqueness Score: -1.00%

Function 03032E1D Relevance: 1.6, APIs: 1, Instructions: 103
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 03032E8D

Memory Dump Source

Source File: 00000001.00000002.513312156.0000000003030000.00000040.00000800.00020000.00000000.sdmp, Offset: 03030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3030000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6fcdcf6ef35d96776c3773b459c85552e80125cc9eb61e53f6a9c1c0bd367161
Instruction ID: 1a4e1c543bff65b61cfb4ccb0d9972d2a24938d50ca15accef70ffd9fa8fb237
Opcode Fuzzy Hash: 6fcdcf6ef35d96776c3773b459c85552e80125cc9eb61e53f6a9c1c0bd367161
Instruction Fuzzy Hash: C9419D74A02228CFCB69DF68D898AD9B7B6FB89301F1045EAD409A7361D7359E81CF50

Uniqueness

Uniqueness Score: -1.00%

Function 03031930 Relevance: 1.6, APIs: 1, Instructions: 98
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 0303197E

Memory Dump Source

Source File: 00000001.00000002.513312156.0000000003030000.00000040.00000800.00020000.00000000.sdmp, Offset: 03030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3030000_RegAsm.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 091e734fae40cee241de8b43f329b6253ba85b4b0cfa423bbf6c0bfc7c9607ae
Instruction ID: b7a538b2c92e11140e8baba1e6b54f08e043704e0b76391758582e469d4d9204
Opcode Fuzzy Hash: 091e734fae40cee241de8b43f329b6253ba85b4b0cfa423bbf6c0bfc7c9607ae
Instruction Fuzzy Hash: FB312071921306DFC718BFB0A5AC2AE7BB5FB0F713B006C55E00A99299DB3A4595CB60

Uniqueness

Uniqueness Score: -1.00%

Function 057E6F34 Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 057EC131

Memory Dump Source

Source File: 00000001.00000002.514617206.00000000057E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_57e0000_RegAsm.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 45ffaead816daa421a7f6a0bc57ef6cafb7dc05a420b7c0e6fbe12248e015e0e
Instruction ID: 7ca19b160fdec363fffb6d110b4ac074e7ecdaca008ebe382387b9f24579f951
Opcode Fuzzy Hash: 45ffaead816daa421a7f6a0bc57ef6cafb7dc05a420b7c0e6fbe12248e015e0e
Instruction Fuzzy Hash: 57414AB8A003058FCB15CF59C888AAABBF9FF9D314F24C559D419A7321D774A841DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 057ED180 Relevance: 1.5, APIs: 1, Instructions: 46
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleInitialize.OLE32(00000000), ref: 057EE085

Memory Dump Source

Source File: 00000001.00000002.514617206.00000000057E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_57e0000_RegAsm.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 5176259ee3a2f4286b4ff88919db7be81f6db6173f6a5f0b918e5710bcad13b1
Instruction ID: 5fb59e7343d8742771f324aa04719b4c10b13ae199623a70ba912c222ba74d1c
Opcode Fuzzy Hash: 5176259ee3a2f4286b4ff88919db7be81f6db6173f6a5f0b918e5710bcad13b1
Instruction Fuzzy Hash: 041106B1D003489FCB20CF9AD484BDEBBF8EB58314F248859D519A7600D379A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 057EE028 Relevance: 1.5, APIs: 1, Instructions: 45
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleInitialize.OLE32(00000000), ref: 057EE085

Memory Dump Source

Source File: 00000001.00000002.514617206.00000000057E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_57e0000_RegAsm.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 2067aaaf09dd2da68008d85dd7c4b575e084cb0bee3be8117c078e1ea4ec7066
Instruction ID: 7b1205f7b133accc5c4ec3fbb281304d28d1966b956d49ca95157e87ea303c47
Opcode Fuzzy Hash: 2067aaaf09dd2da68008d85dd7c4b575e084cb0bee3be8117c078e1ea4ec7066
Instruction Fuzzy Hash: 8D1136B59002488FCB20CFA9C484BDEBFF4EB58324F24885AD859A7300C379A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0168D61C Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.512710786.000000000168D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0168D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_168d000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c7e201dd8238f711053d2de3128182db5f33119667cb979b461a02e8b6eda0
Instruction ID: 0d6e616e26e147eff7e40467daf4505a213a53909df24cac041b345fa4c24834
Opcode Fuzzy Hash: d6c7e201dd8238f711053d2de3128182db5f33119667cb979b461a02e8b6eda0
Instruction Fuzzy Hash: 73210371500248DFDB05EF58DCC0B16BF66FB84328F208669E9090B286C336D896CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 0168D530 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.512710786.000000000168D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0168D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_168d000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c79638a1917a3e4f20c90d8663931129a3590d596905fd4a24b7ea6a4250a80
Instruction ID: e15bea12dc6d79ba2917c59ba7949064c6f4c9633a97d66c57295d8033d0f454
Opcode Fuzzy Hash: 6c79638a1917a3e4f20c90d8663931129a3590d596905fd4a24b7ea6a4250a80
Instruction Fuzzy Hash: D221D671544244DFDB16EF58DDC0B26BF65FB84318F24866AE9090B286C336D856CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 0169D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.512765275.000000000169D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0169D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_169d000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e365a0ceb434cf7df4133901fbed4ad13eb7dbc05904f5f5e83114fc772f7352
Instruction ID: d1cc68437305eb0cb931bd3bd25a966f052d417a647c3d272635c0d7b6ffd91f
Opcode Fuzzy Hash: e365a0ceb434cf7df4133901fbed4ad13eb7dbc05904f5f5e83114fc772f7352
Instruction Fuzzy Hash: BF21CF71604240DFDF15CF68D8C4B26BB69EB84354F20C679D84A4B346C33AD847CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 0169D006 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.512765275.000000000169D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0169D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_169d000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3daf1e82b52eed62646207538e24c76f8fc0a065a9c012f54bb5047698e9a6ef
Instruction ID: 81f5eb253d8e008a0f07e461cdd753c34ec6ead734821fc6b4e972d69f182ca6
Opcode Fuzzy Hash: 3daf1e82b52eed62646207538e24c76f8fc0a065a9c012f54bb5047698e9a6ef
Instruction Fuzzy Hash: 20219F755083809FDB02CF64D994B11BFB5EB46314F24C5EAD8498F2A7C33AD816CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0168D52B Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.512710786.000000000168D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0168D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_168d000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe138b9911e6ea3d89020ae8d569046520ae6eb03e5c7ee4123045da37d9d711
Instruction ID: ff2c4d9d8fece1df6b1d8a240ca17529812a5c7ff660d2e8d6e98f193d883a58
Opcode Fuzzy Hash: fe138b9911e6ea3d89020ae8d569046520ae6eb03e5c7ee4123045da37d9d711
Instruction Fuzzy Hash: 8011BE76904284CFDB12DF54D9C4B16BF62FB84324F24C6AAD8094B257C33AD45ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0168D617 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.512710786.000000000168D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0168D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_168d000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe138b9911e6ea3d89020ae8d569046520ae6eb03e5c7ee4123045da37d9d711
Instruction ID: 47353a92b681569a0dc489bbccacd11188b3442e51add79157b891e1415de3f2
Opcode Fuzzy Hash: fe138b9911e6ea3d89020ae8d569046520ae6eb03e5c7ee4123045da37d9d711
Instruction Fuzzy Hash: CD11EE76504284CFCB02DF04D9C4B16BF72FB84324F24C6A9D8080B257C33AD49ACBA2

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 03032258 Relevance: .6, Instructions: 596COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.513312156.0000000003030000.00000040.00000800.00020000.00000000.sdmp, Offset: 03030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3030000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a0a922aef5a233b4eda53ff0948b88a0a9422a5fb8e970c07f1e64bec96f8c0
Instruction ID: 3d1182d01fc6d2e5c5cddfacc1b02911136b90e74521811dca6b825bb7a6a42c
Opcode Fuzzy Hash: 4a0a922aef5a233b4eda53ff0948b88a0a9422a5fb8e970c07f1e64bec96f8c0
Instruction Fuzzy Hash: 60529C74E01229CFDB68DF69C884B9DBBB6BF89300F1085EAD409A7254DB359E81CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0303F8E8 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.513312156.0000000003030000.00000040.00000800.00020000.00000000.sdmp, Offset: 03030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3030000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0a97784df5a751482688488177546b3343f249c4018ad5a03be189c92c1e413
Instruction ID: defb1f0d4fe4b669e1e5e553c2c0f4ccdf9d39488c4283145c75506fc1d71aaf
Opcode Fuzzy Hash: f0a97784df5a751482688488177546b3343f249c4018ad5a03be189c92c1e413
Instruction Fuzzy Hash: 0AD1D374E01259CFDB14DFA9D994B9DBBB2EF89300F2080AAD809AB355DB355E85CF10

Uniqueness

Uniqueness Score: -1.00%

Function 0303EBE0 Relevance: .3, Instructions: 279COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.513312156.0000000003030000.00000040.00000800.00020000.00000000.sdmp, Offset: 03030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3030000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b16cf3ef3bdff5a1547c28fb69989ddc154783f21fcd205bdf90f9d2e8b464b
Instruction ID: faef8ba8b3f28120e59a5f89afcce9231a8dce07d32cd731303d5569cf5d9799
Opcode Fuzzy Hash: 8b16cf3ef3bdff5a1547c28fb69989ddc154783f21fcd205bdf90f9d2e8b464b
Instruction Fuzzy Hash: B8D1D174E01218CFDB18DFA9D994B9DBBB2EF89300F2081AAD809AB355DB355D85CF10

Uniqueness

Uniqueness Score: -1.00%

Function 0303E330 Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.513312156.0000000003030000.00000040.00000800.00020000.00000000.sdmp, Offset: 03030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3030000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4117e38db02b4cd6aeb8db68b48ec654e14227622b5a27df288c54c160d139b
Instruction ID: e9e920101e05af90106bdb8122c794e1e1c8c2d92019a4be07c60c6ee339d400
Opcode Fuzzy Hash: d4117e38db02b4cd6aeb8db68b48ec654e14227622b5a27df288c54c160d139b
Instruction Fuzzy Hash: 52D1E174E01218CFDB18DFA9D994BADBBB2BF89300F1481AAD809AB355DB345D85CF10

Uniqueness

Uniqueness Score: -1.00%

Function 0303F48F Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.513312156.0000000003030000.00000040.00000800.00020000.00000000.sdmp, Offset: 03030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3030000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9c2aecf92e764cdcafde5cdf347a5c52ab52ef1695a6f1331a927e1717cec83
Instruction ID: 0a5aea831b5907388d1c839aaec2c6f10dfbd59fb961deb4bf4df87407adb169
Opcode Fuzzy Hash: a9c2aecf92e764cdcafde5cdf347a5c52ab52ef1695a6f1331a927e1717cec83
Instruction Fuzzy Hash: 4ED1C274E01218CFDB58DFA9D994B9DBBB2EF89300F1081AAD809AB355DB355D85CF10

Uniqueness

Uniqueness Score: -1.00%

Function 0303E787 Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.513312156.0000000003030000.00000040.00000800.00020000.00000000.sdmp, Offset: 03030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3030000_RegAsm.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: c5b86cf86cce70034a5becbecaa4078a99ae65b7627a9266f99786e89ecbfe96
Instruction ID: a38d4c18e624d6e71814b01537b7c8cc95b76e6a5304f3d85624c6d890d28a4b
Opcode Fuzzy Hash: c5b86cf86cce70034a5becbecaa4078a99ae65b7627a9266f99786e89ecbfe96
Instruction Fuzzy Hash: 3AD1B174E01218CFDB54DFA9D994B9DBBB2EF89300F2081AAD809AB355DB355D85CF10

Uniqueness

Uniqueness Score: -1.00%

Function 0303F038 Relevance: .3, Instructions: 273COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.513312156.0000000003030000.00000040.00000800.00020000.00000000.sdmp, Offset: 03030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3030000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f59101fc54941d228f68eb6352b215591276caa07269ec0c7bb38001deb60038
Instruction ID: 059ee86a4f9f575f2eeee21309609c2100c6cb2189a6b4317864f591d26d2cd7
Opcode Fuzzy Hash: f59101fc54941d228f68eb6352b215591276caa07269ec0c7bb38001deb60038
Instruction Fuzzy Hash: 5DC1B274E01218CFDB58DFA9D994B9DBBB6EF89300F1080AAD809AB355DB355D85CF10

Uniqueness

Uniqueness Score: -1.00%

Function 0303288B Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.513312156.0000000003030000.00000040.00000800.00020000.00000000.sdmp, Offset: 03030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3030000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fe2c01ad6d4e92af9984d0b8b57b85d4b009ccb4e2ff5030d7b25cceb4922ce
Instruction ID: 3f91a77be87e10c039b89366eb41d20e172732f2c426575425be03ef58dbf677
Opcode Fuzzy Hash: 3fe2c01ad6d4e92af9984d0b8b57b85d4b009ccb4e2ff5030d7b25cceb4922ce
Instruction Fuzzy Hash: 23A18C74A01229CFDB68DF64D894B99BBB2BF4A301F1085EAD40AA7354DB319EC1CF51

Uniqueness

Uniqueness Score: -1.00%

Function 03032A6D Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.513312156.0000000003030000.00000040.00000800.00020000.00000000.sdmp, Offset: 03030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3030000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1071b934b536e919063ab0574caa307dad44c941c0a25fe1610e3e4c6b9138c5
Instruction ID: e760775a4636ddf549889f0fafd508c1b8ff748287f14908b66c4719c4a47f81
Opcode Fuzzy Hash: 1071b934b536e919063ab0574caa307dad44c941c0a25fe1610e3e4c6b9138c5
Instruction Fuzzy Hash: 7E519F74A05229CFCB68DF64D894B99B7B2BF4A301F5045EAD40AA7254CB329EC1CF50

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	API monitoring, File monitoring, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Invoice.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Invoice.exe.log

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Windows Analysis Report
Invoice.exe