Edit tour

Windows Analysis Report
rPROFORMAINVOICE-PO_ATS_1036.exe

Overview

General Information

Sample name:	rPROFORMAINVOICE-PO_ATS_1036.exe
Analysis ID:	1518225
MD5:	ccdc6abb91cba9b82fcea9f02aaeffac
SHA1:	8badde3b9cb21b8f6cd0fcf75f8b94a545fa35ea
SHA256:	55ead53e3dff6db18ab2e0a9e353c4f39e6d0ce7ad0dd506dd7ce92d866b7eaa
Tags:	AsyncRATexeuser-Porcupine
Infos:

Detection

XWorm

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected XWorm

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Contains functionality to log keystrokes (.Net Source)

Drops PE files to the user root directory

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Sample uses string decryption to hide its real strings

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality to query locales information (e.g. system language)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected non-DNS traffic on DNS port

Detected potential crypto function

Drops PE files

Drops PE files to the user directory

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain (date check)

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Yara signature match

Classification

Process Tree

System is w10x64

rPROFORMAINVOICE-PO_ATS_1036.exe (PID: 6180 cmdline: "C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe" MD5: CCDC6ABB91CBA9B82FCEA9F02AAEFFAC)

conhost.exe (PID: 6344 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

MSBuild.exe (PID: 3756 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

WerFault.exe (PID: 6604 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3756 -s 1588 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
XWorm	Malware with wide range of capabilities ranging from RAT to ransomware.	No Attribution	https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/ https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/ https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/ https://cert.pl/en/posts/2023/10/deworming-the-xworm/ https://embee-research.ghost.io/infrastructure-analysis-with-dns-pivoting/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: Xworm

{"C2 url": ["67.215.224.133"], "Port": "5454", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V3.1"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.3246247886.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000002.00000002.3246247886.0000000000402000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6e88:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6f25:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x703a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x6b34:$cnc4: POST / HTTP/1.1
00000000.00000002.1693833580.000002544BC00000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000000.00000002.1693833580.000002544BC00000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x319e18:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x319eb5:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x319fca:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x319ac4:$cnc4: POST / HTTP/1.1
00000000.00000002.1694534154.000002544E000000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000000.00000002.1694534154.000002544E000000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x231a70:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x246ff8:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x231b0d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x247095:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x231c22:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x2471aa:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x23171c:$cnc4: POST / HTTP/1.1 0x246ca4:$cnc4: POST / HTTP/1.1
Process Memory Space: rPROFORMAINVOICE-PO_ATS_1036.exe PID: 6180	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: MSBuild.exe PID: 3756	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Click to see the 3 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.rPROFORMAINVOICE-PO_ATS_1036.exe.2544e23ff70.5.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.2.rPROFORMAINVOICE-PO_ATS_1036.exe.2544e22a9e8.4.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.2.rPROFORMAINVOICE-PO_ATS_1036.exe.2544e23ff70.5.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x5288:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x5325:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x543a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x4f34:$cnc4: POST / HTTP/1.1
0.2.rPROFORMAINVOICE-PO_ATS_1036.exe.2544e22a9e8.4.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x5288:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x5325:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x543a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x4f34:$cnc4: POST / HTTP/1.1
0.2.rPROFORMAINVOICE-PO_ATS_1036.exe.2544bf12d90.2.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.2.rPROFORMAINVOICE-PO_ATS_1036.exe.2544bf12d90.2.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x5288:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x5325:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x543a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x4f34:$cnc4: POST / HTTP/1.1
2.2.MSBuild.exe.400000.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
2.2.MSBuild.exe.400000.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x7088:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x7125:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x723a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x6d34:$cnc4: POST / HTTP/1.1
0.2.rPROFORMAINVOICE-PO_ATS_1036.exe.2544bf12d90.2.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.2.rPROFORMAINVOICE-PO_ATS_1036.exe.2544bf12d90.2.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x7088:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x7125:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x723a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x6d34:$cnc4: POST / HTTP/1.1
0.2.rPROFORMAINVOICE-PO_ATS_1036.exe.2544e23ff70.5.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.2.rPROFORMAINVOICE-PO_ATS_1036.exe.2544e23ff70.5.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x7088:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x7125:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x723a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x6d34:$cnc4: POST / HTTP/1.1
0.2.rPROFORMAINVOICE-PO_ATS_1036.exe.2544e22a9e8.4.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.2.rPROFORMAINVOICE-PO_ATS_1036.exe.2544e22a9e8.4.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x7088:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x1c610:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x7125:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x1c6ad:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x723a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x1c7c2:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x6d34:$cnc4: POST / HTTP/1.1 0x1c2bc:$cnc4: POST / HTTP/1.1
Click to see the 9 entries

Suricata Signatures

ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-25T14:26:58.181877+0200	2853193	1	Malware Command and Control Activity Detected	192.168.2.4	58154	67.215.224.133	5454	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000002.00000002.3247456184.0000000002B51000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Xworm {"C2 url": ["67.215.224.133"], "Port": "5454", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V3.1"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\rPROFORMAINVOICE-PO_ATS_1036.exe

ReversingLabs: Detection: 65%

Multi AV Scanner detection for submitted file

Source: rPROFORMAINVOICE-PO_ATS_1036.exe

ReversingLabs: Detection: 65%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Sample uses string decryption to hide its real strings

Source: 0.2.rPROFORMAINVOICE-PO_ATS_1036.exe.2544bf12d90.2.raw.unpack	String decryptor: 67.215.224.133
Source: 0.2.rPROFORMAINVOICE-PO_ATS_1036.exe.2544bf12d90.2.raw.unpack	String decryptor: 5454
Source: 0.2.rPROFORMAINVOICE-PO_ATS_1036.exe.2544bf12d90.2.raw.unpack	String decryptor: <123456789>
Source: 0.2.rPROFORMAINVOICE-PO_ATS_1036.exe.2544bf12d90.2.raw.unpack	String decryptor: <Xwormmm>
Source: 0.2.rPROFORMAINVOICE-PO_ATS_1036.exe.2544bf12d90.2.raw.unpack	String decryptor: USB.exe

Source: rPROFORMAINVOICE-PO_ATS_1036.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: MSBuild.exe, 00000002.00000002.3249101557.000000000540A000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: MSBuild.exe, 00000002.00000002.3246919937.000000000112D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdb source: WER24F5.tmp.dmp.9.dr
Source:	Binary string: \??\C:\Windows\exe\MSBuild.pdb source: MSBuild.exe, 00000002.00000002.3246919937.000000000112D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: MSBuild.exe, 00000002.00000002.3246919937.000000000112D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Accessibility.pdb source: WER24F5.tmp.dmp.9.dr
Source:	Binary string: \??\C:\Windows\mscorlib.pdbCw? source: MSBuild.exe, 00000002.00000002.3246919937.000000000112D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdbRSDS source: WER24F5.tmp.dmp.9.dr
Source:	Binary string: oC:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb$ source: MSBuild.exe, 00000002.00000002.3249101557.000000000540A000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.PDBs source: MSBuild.exe, 00000002.00000002.3246919937.0000000001170000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: n0C:\Windows\mscorlib.pdb source: MSBuild.exe, 00000002.00000002.3249101557.000000000540A000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb( source: MSBuild.exe, 00000002.00000002.3246919937.000000000112D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdb source: WER24F5.tmp.dmp.9.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: MSBuild.exe, 00000002.00000002.3246919937.00000000010E8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\MSBuild.pdb source: MSBuild.exe, 00000002.00000002.3246919937.000000000112D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\MSBuild.pdbpdbild.pdb source: MSBuild.exe, 00000002.00000002.3246919937.000000000112D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS source: WER24F5.tmp.dmp.9.dr
Source:	Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.pdb source: MSBuild.exe, 00000002.00000002.3246919937.0000000001170000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.pdb source: WER24F5.tmp.dmp.9.dr
Source:	Binary string: System.Xml.pdb source: WER24F5.tmp.dmp.9.dr
Source:	Binary string: o.pdb source: MSBuild.exe, 00000002.00000002.3249101557.000000000540A000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.pdb source: WER24F5.tmp.dmp.9.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER24F5.tmp.dmp.9.dr
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdbZE source: MSBuild.exe, 00000002.00000002.3246919937.000000000112D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Microsoft.VisualBasic.pdb source: WER24F5.tmp.dmp.9.dr
Source:	Binary string: System.Core.ni.pdb source: WER24F5.tmp.dmp.9.dr
Source:	Binary string: %%.pdb source: MSBuild.exe, 00000002.00000002.3249101557.000000000540A000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.pdb source: WER24F5.tmp.dmp.9.dr
Source:	Binary string: mscorlib.pdb source: MSBuild.exe, 00000002.00000002.3249101557.000000000540A000.00000004.00000010.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.3246919937.0000000001170000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.3246919937.0000000001163000.00000004.00000020.00020000.00000000.sdmp, WER24F5.tmp.dmp.9.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: MSBuild.exe, 00000002.00000002.3246919937.000000000112D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Management.ni.pdbRSDSJ< source: WER24F5.tmp.dmp.9.dr
Source:	Binary string: System.Drawing.pdb source: WER24F5.tmp.dmp.9.dr
Source:	Binary string: System.pdbH source: WER24F5.tmp.dmp.9.dr
Source:	Binary string: System.Management.pdb source: WER24F5.tmp.dmp.9.dr
Source:	Binary string: \??\C:\Windows\symbols\exe\MSBuild.pdb source: MSBuild.exe, 00000002.00000002.3246919937.000000000112D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WER24F5.tmp.dmp.9.dr
Source:	Binary string: System.Management.ni.pdb source: WER24F5.tmp.dmp.9.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbSx, source: MSBuild.exe, 00000002.00000002.3246919937.000000000112D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: MSBuild.exe, 00000002.00000002.3246919937.000000000112D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: WER24F5.tmp.dmp.9.dr
Source:	Binary string: symbols\dll\mscorlib.pdbLb source: MSBuild.exe, 00000002.00000002.3249101557.000000000540A000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.pdb' source: MSBuild.exe, 00000002.00000002.3246919937.0000000001170000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER24F5.tmp.dmp.9.dr
Source:	Binary string: System.ni.pdb source: WER24F5.tmp.dmp.9.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER24F5.tmp.dmp.9.dr

Source: C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe	Code function: 4x nop then push rbx	0_2_00007FF78BA0CC30
Source: C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe	Code function: 4x nop then push rbx	0_2_00007FF78B9DFAA0
Source: C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe	Code function: 4x nop then sub rsp, 28h	0_2_00007FF78BA37A90
Source: C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe	Code function: 4x nop then sub rsp, 28h	0_2_00007FF78B9DF9C0
Source: C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe	Code function: 4x nop then mov rax, rcx	0_2_00007FF78B9C9FC0
Source: C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe	Code function: 4x nop then push rdi	0_2_00007FF78BA34450
Source: C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe	Code function: 4x nop then push rdi	0_2_00007FF78BA30200

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.4:58148 -> 67.215.224.133:5454
Source: Network traffic	Suricata IDS: 2853193 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.4:58154 -> 67.215.224.133:5454

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 67.215.224.133

Source: global traffic

TCP traffic: 192.168.2.4:49730 -> 67.215.224.133:5454

Source: global traffic

TCP traffic: 192.168.2.4:58130 -> 162.159.36.2:53

Source: Joe Sandbox View

ASN Name: ASN-QUADRANET-GLOBALUS ASN-QUADRANET-GLOBALUS

Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 67.215.224.133
Source: unknown	TCP traffic detected without corresponding DNS query: 67.215.224.133
Source: unknown	TCP traffic detected without corresponding DNS query: 67.215.224.133
Source: unknown	TCP traffic detected without corresponding DNS query: 67.215.224.133
Source: unknown	TCP traffic detected without corresponding DNS query: 67.215.224.133
Source: unknown	TCP traffic detected without corresponding DNS query: 67.215.224.133
Source: unknown	TCP traffic detected without corresponding DNS query: 67.215.224.133
Source: unknown	TCP traffic detected without corresponding DNS query: 67.215.224.133
Source: unknown	TCP traffic detected without corresponding DNS query: 67.215.224.133
Source: unknown	TCP traffic detected without corresponding DNS query: 67.215.224.133
Source: unknown	TCP traffic detected without corresponding DNS query: 67.215.224.133
Source: unknown	TCP traffic detected without corresponding DNS query: 67.215.224.133
Source: unknown	TCP traffic detected without corresponding DNS query: 67.215.224.133
Source: unknown	TCP traffic detected without corresponding DNS query: 67.215.224.133
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.221.240
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.221.240
Source: unknown	TCP traffic detected without corresponding DNS query: 67.215.224.133
Source: unknown	TCP traffic detected without corresponding DNS query: 67.215.224.133
Source: unknown	TCP traffic detected without corresponding DNS query: 67.215.224.133
Source: unknown	TCP traffic detected without corresponding DNS query: 67.215.224.133
Source: unknown	TCP traffic detected without corresponding DNS query: 67.215.224.133
Source: unknown	TCP traffic detected without corresponding DNS query: 67.215.224.133
Source: unknown	TCP traffic detected without corresponding DNS query: 67.215.224.133
Source: unknown	TCP traffic detected without corresponding DNS query: 67.215.224.133
Source: unknown	TCP traffic detected without corresponding DNS query: 67.215.224.133
Source: unknown	TCP traffic detected without corresponding DNS query: 67.215.224.133
Source: unknown	TCP traffic detected without corresponding DNS query: 67.215.224.133
Source: unknown	TCP traffic detected without corresponding DNS query: 67.215.224.133
Source: unknown	TCP traffic detected without corresponding DNS query: 67.215.224.133
Source: unknown	TCP traffic detected without corresponding DNS query: 67.215.224.133
Source: unknown	TCP traffic detected without corresponding DNS query: 67.215.224.133
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 67.215.224.133
Source: unknown	TCP traffic detected without corresponding DNS query: 67.215.224.133
Source: unknown	TCP traffic detected without corresponding DNS query: 67.215.224.133
Source: unknown	TCP traffic detected without corresponding DNS query: 67.215.224.133
Source: unknown	TCP traffic detected without corresponding DNS query: 67.215.224.133
Source: unknown	TCP traffic detected without corresponding DNS query: 67.215.224.133
Source: unknown	TCP traffic detected without corresponding DNS query: 67.215.224.133
Source: unknown	TCP traffic detected without corresponding DNS query: 67.215.224.133
Source: unknown	TCP traffic detected without corresponding DNS query: 67.215.224.133
Source: unknown	TCP traffic detected without corresponding DNS query: 67.215.224.133
Source: unknown	TCP traffic detected without corresponding DNS query: 67.215.224.133
Source: unknown	TCP traffic detected without corresponding DNS query: 67.215.224.133
Source: unknown	TCP traffic detected without corresponding DNS query: 67.215.224.133

Source: global traffic

DNS traffic detected: DNS query: 198.187.3.20.in-addr.arpa

Source: MSBuild.exe, 00000002.00000002.3247456184.0000000002B51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.9.dr	String found in binary or memory: http://upx.sf.net

Source: unknown

Network traffic detected: HTTP traffic on port 49675 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.rPROFORMAINVOICE-PO_ATS_1036.exe.2544bf12d90.2.raw.unpack, XLogger.cs

.Net Code: KeyboardLayout

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.rPROFORMAINVOICE-PO_ATS_1036.exe.2544e23ff70.5.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.rPROFORMAINVOICE-PO_ATS_1036.exe.2544e22a9e8.4.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.rPROFORMAINVOICE-PO_ATS_1036.exe.2544bf12d90.2.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 2.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.rPROFORMAINVOICE-PO_ATS_1036.exe.2544bf12d90.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.rPROFORMAINVOICE-PO_ATS_1036.exe.2544e23ff70.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.rPROFORMAINVOICE-PO_ATS_1036.exe.2544e22a9e8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000002.00000002.3246247886.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.1693833580.000002544BC00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.1694534154.000002544E000000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: rPROFORMAINVOICE-PO_ATS_1036.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe	Code function: 0_2_00007FF78B980C50	0_2_00007FF78B980C50
Source: C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe	Code function: 0_2_00007FF78B97DFD0	0_2_00007FF78B97DFD0
Source: C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe	Code function: 0_2_00007FF78B969340	0_2_00007FF78B969340
Source: C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe	Code function: 0_2_00007FF78B978200	0_2_00007FF78B978200
Source: C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe	Code function: 0_2_00007FF78B976190	0_2_00007FF78B976190
Source: C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe	Code function: 0_2_00007FF78B97D16A	0_2_00007FF78B97D16A
Source: C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe	Code function: 0_2_00007FF78B978830	0_2_00007FF78B978830
Source: C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe	Code function: 0_2_00007FF78B971520	0_2_00007FF78B971520
Source: C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe	Code function: 0_2_00007FF78B974CD9	0_2_00007FF78B974CD9
Source: C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe	Code function: 0_2_00007FF78B985C20	0_2_00007FF78B985C20
Source: C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe	Code function: 0_2_00007FF78B987C79	0_2_00007FF78B987C79
Source: C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe	Code function: 0_2_00007FF78B98BBA0	0_2_00007FF78B98BBA0
Source: C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe	Code function: 0_2_00007FF78BA17BA0	0_2_00007FF78BA17BA0
Source: C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe	Code function: 0_2_00007FF78B97FB40	0_2_00007FF78B97FB40
Source: C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe	Code function: 0_2_00007FF78BA12AC0	0_2_00007FF78BA12AC0
Source: C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe	Code function: 0_2_00007FF78B994A40	0_2_00007FF78B994A40
Source: C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe	Code function: 0_2_00007FF78B966A50	0_2_00007FF78B966A50
Source: C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe	Code function: 0_2_00007FF78B956A50	0_2_00007FF78B956A50
Source: C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe	Code function: 0_2_00007FF78B979A50	0_2_00007FF78B979A50
Source: C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe	Code function: 0_2_00007FF78B9899C3	0_2_00007FF78B9899C3
Source: C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe	Code function: 0_2_00007FF78B961A00	0_2_00007FF78B961A00
Source: C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe	Code function: 0_2_00007FF78B98F960	0_2_00007FF78B98F960
Source: C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe	Code function: 0_2_00007FF78B9680D0	0_2_00007FF78B9680D0
Source: C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe	Code function: 0_2_00007FF78BA200E0	0_2_00007FF78BA200E0
Source: C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe	Code function: 0_2_00007FF78B96EFE0	0_2_00007FF78B96EFE0
Source: C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe	Code function: 0_2_00007FF78B983F60	0_2_00007FF78B983F60
Source: C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe	Code function: 0_2_00007FF78B98BEA0	0_2_00007FF78B98BEA0
Source: C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe	Code function: 0_2_00007FF78B97FDD0	0_2_00007FF78B97FDD0
Source: C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe	Code function: 0_2_00007FF78B972D30	0_2_00007FF78B972D30
Source: C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe	Code function: 0_2_00007FF78B9744D0	0_2_00007FF78B9744D0
Source: C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe	Code function: 0_2_00007FF78B98B4F0	0_2_00007FF78B98B4F0
Source: C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe	Code function: 0_2_00007FF78B97A420	0_2_00007FF78B97A420
Source: C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe	Code function: 0_2_00007FF78B959430	0_2_00007FF78B959430
Source: C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe	Code function: 0_2_00007FF78BA03480	0_2_00007FF78BA03480
Source: C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe	Code function: 0_2_00007FF78B960470	0_2_00007FF78B960470
Source: C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe	Code function: 0_2_00007FF78B981470	0_2_00007FF78B981470
Source: C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe	Code function: 0_2_00007FF78B9583C4	0_2_00007FF78B9583C4
Source: C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe	Code function: 0_2_00007FF78B98D320	0_2_00007FF78B98D320
Source: C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe	Code function: 0_2_00007FF78B984390	0_2_00007FF78B984390
Source: C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe	Code function: 0_2_00007FF78B970360	0_2_00007FF78B970360
Source: C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe	Code function: 0_2_00007FF78B982370	0_2_00007FF78B982370
Source: C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe	Code function: 0_2_00007FF78B9892CE	0_2_00007FF78B9892CE
Source: C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe	Code function: 0_2_00007FF78B9852E0	0_2_00007FF78B9852E0
Source: C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe	Code function: 0_2_00007FF78BA2E240	0_2_00007FF78BA2E240
Source: C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe	Code function: 0_2_00007FF78B958220	0_2_00007FF78B958220
Source: C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe	Code function: 0_2_00007FF78B98F280	0_2_00007FF78B98F280
Source: C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe	Code function: 0_2_00007FF78B9891B0	0_2_00007FF78B9891B0
Source: C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe	Code function: 0_2_00007FF78B991200	0_2_00007FF78B991200
Source: C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe	Code function: 0_2_00007FF78B975200	0_2_00007FF78B975200
Source: C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe	Code function: 0_2_00007FF78B98B180	0_2_00007FF78B98B180
Source: C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe	Code function: 0_2_00007FF78B96E8A0	0_2_00007FF78B96E8A0
Source: C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe	Code function: 0_2_00007FF78B95A8B0	0_2_00007FF78B95A8B0
Source: C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe	Code function: 0_2_00007FF78B9B1910	0_2_00007FF78B9B1910
Source: C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe	Code function: 0_2_00007FF78B9888D9	0_2_00007FF78B9888D9
Source: C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe	Code function: 0_2_00007FF78B97A850	0_2_00007FF78B97A850
Source: C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe	Code function: 0_2_00007FF78B98A7B0	0_2_00007FF78B98A7B0
Source: C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe	Code function: 0_2_00007FF78B98C800	0_2_00007FF78B98C800
Source: C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe	Code function: 0_2_00007FF78B9767F0	0_2_00007FF78B9767F0
Source: C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe	Code function: 0_2_00007FF78B962750	0_2_00007FF78B962750
Source: C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe	Code function: 0_2_00007FF78B97B6B0	0_2_00007FF78B97B6B0
Source: C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe	Code function: 0_2_00007FF78B973640	0_2_00007FF78B973640
Source: C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe	Code function: 0_2_00007FF78B9835C0	0_2_00007FF78B9835C0
Source: C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe	Code function: 0_2_00007FF78B976610	0_2_00007FF78B976610
Source: C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe	Code function: 0_2_00007FF78B98E540	0_2_00007FF78B98E540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_00FFEB98	2_2_00FFEB98

Source: C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe

Code function: String function: 00007FF78B95C1A0 appears 63 times

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3756 -s 1588

Source: rPROFORMAINVOICE-PO_ATS_1036.exe	Binary or memory string: OriginalFilename vs rPROFORMAINVOICE-PO_ATS_1036.exe
Source: rPROFORMAINVOICE-PO_ATS_1036.exe, 00000000.00000002.1694534154.000002544EA00000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSYSWIN32TaskStartPromise.dllR vs rPROFORMAINVOICE-PO_ATS_1036.exe
Source: rPROFORMAINVOICE-PO_ATS_1036.exe, 00000000.00000002.1697528084.00007FF78BADF000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameSYSWIN32TaskStartPromise.dllR vs rPROFORMAINVOICE-PO_ATS_1036.exe
Source: rPROFORMAINVOICE-PO_ATS_1036.exe, 00000000.00000002.1693833580.000002544BC00000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSYSWIN32TaskStartPromise.dllR vs rPROFORMAINVOICE-PO_ATS_1036.exe
Source: rPROFORMAINVOICE-PO_ATS_1036.exe, 00000000.00000002.1693833580.000002544BC00000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameXClient2.exe4 vs rPROFORMAINVOICE-PO_ATS_1036.exe
Source: rPROFORMAINVOICE-PO_ATS_1036.exe, 00000000.00000002.1694534154.000002544E000000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSYSWIN32TaskStartPromise.dllR vs rPROFORMAINVOICE-PO_ATS_1036.exe
Source: rPROFORMAINVOICE-PO_ATS_1036.exe, 00000000.00000002.1694534154.000002544E000000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameXClient2.exe4 vs rPROFORMAINVOICE-PO_ATS_1036.exe
Source: rPROFORMAINVOICE-PO_ATS_1036.exe, 00000000.00000002.1693833580.000002544BF88000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSYSWIN32TaskStartPromise.dllR vs rPROFORMAINVOICE-PO_ATS_1036.exe
Source: rPROFORMAINVOICE-PO_ATS_1036.exe	Binary or memory string: OriginalFilenameSYSWIN32TaskStartPromise.dllR vs rPROFORMAINVOICE-PO_ATS_1036.exe
Source: rPROFORMAINVOICE-PO_ATS_1036.exe.0.dr	Binary or memory string: OriginalFilenameSYSWIN32TaskStartPromise.dllR vs rPROFORMAINVOICE-PO_ATS_1036.exe

Source: 0.2.rPROFORMAINVOICE-PO_ATS_1036.exe.2544e23ff70.5.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.rPROFORMAINVOICE-PO_ATS_1036.exe.2544e22a9e8.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.rPROFORMAINVOICE-PO_ATS_1036.exe.2544bf12d90.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 2.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.rPROFORMAINVOICE-PO_ATS_1036.exe.2544bf12d90.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.rPROFORMAINVOICE-PO_ATS_1036.exe.2544e23ff70.5.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.rPROFORMAINVOICE-PO_ATS_1036.exe.2544e22a9e8.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000002.00000002.3246247886.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.1693833580.000002544BC00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.1694534154.000002544E000000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: 0.2.rPROFORMAINVOICE-PO_ATS_1036.exe.2544bf12d90.2.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.rPROFORMAINVOICE-PO_ATS_1036.exe.2544bf12d90.2.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.rPROFORMAINVOICE-PO_ATS_1036.exe.2544bf12d90.2.raw.unpack, AlgorithmAES.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: MSBuild.exe, 00000002.00000002.3246919937.000000000112D000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb(

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@5/6@1/1

Source: C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe

Code function: 0_2_00007FF78B961830 LookupPrivilegeValueW,GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,GetLastError,CloseHandle,GetLargePageMinimum,VirtualAlloc,GetCurrentProcess,VirtualAllocExNuma,

0_2_00007FF78B961830

Source: C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe

File created: C:\Users\user\rPROFORMAINVOICE-PO_ATS_1036.exe

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6344:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3756
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Mutant created: \Sessions\1\BaseNamedObjects\gZovO7Orbqb3wmDO

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\1a708cb1-4ad5-4c75-a775-0cae34537d3d

Jump to behavior

Source: C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: rPROFORMAINVOICE-PO_ATS_1036.exe

ReversingLabs: Detection: 65%

Source: C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe

File read: C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe "C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe"
Source: C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3756 -s 1588
Source: C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"	Jump to behavior

Source: C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe	Section loaded: icu.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: winmm.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: rPROFORMAINVOICE-PO_ATS_1036.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: rPROFORMAINVOICE-PO_ATS_1036.exe

Static file information: File size 1464832 > 1048576

Source: rPROFORMAINVOICE-PO_ATS_1036.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: rPROFORMAINVOICE-PO_ATS_1036.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: rPROFORMAINVOICE-PO_ATS_1036.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: rPROFORMAINVOICE-PO_ATS_1036.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: rPROFORMAINVOICE-PO_ATS_1036.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: rPROFORMAINVOICE-PO_ATS_1036.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: rPROFORMAINVOICE-PO_ATS_1036.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: rPROFORMAINVOICE-PO_ATS_1036.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: MSBuild.exe, 00000002.00000002.3249101557.000000000540A000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: MSBuild.exe, 00000002.00000002.3246919937.000000000112D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdb source: WER24F5.tmp.dmp.9.dr
Source:	Binary string: \??\C:\Windows\exe\MSBuild.pdb source: MSBuild.exe, 00000002.00000002.3246919937.000000000112D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: MSBuild.exe, 00000002.00000002.3246919937.000000000112D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Accessibility.pdb source: WER24F5.tmp.dmp.9.dr
Source:	Binary string: \??\C:\Windows\mscorlib.pdbCw? source: MSBuild.exe, 00000002.00000002.3246919937.000000000112D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdbRSDS source: WER24F5.tmp.dmp.9.dr
Source:	Binary string: oC:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb$ source: MSBuild.exe, 00000002.00000002.3249101557.000000000540A000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.PDBs source: MSBuild.exe, 00000002.00000002.3246919937.0000000001170000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: n0C:\Windows\mscorlib.pdb source: MSBuild.exe, 00000002.00000002.3249101557.000000000540A000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb( source: MSBuild.exe, 00000002.00000002.3246919937.000000000112D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdb source: WER24F5.tmp.dmp.9.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: MSBuild.exe, 00000002.00000002.3246919937.00000000010E8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\MSBuild.pdb source: MSBuild.exe, 00000002.00000002.3246919937.000000000112D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\MSBuild.pdbpdbild.pdb source: MSBuild.exe, 00000002.00000002.3246919937.000000000112D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS source: WER24F5.tmp.dmp.9.dr
Source:	Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.pdb source: MSBuild.exe, 00000002.00000002.3246919937.0000000001170000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.pdb source: WER24F5.tmp.dmp.9.dr
Source:	Binary string: System.Xml.pdb source: WER24F5.tmp.dmp.9.dr
Source:	Binary string: o.pdb source: MSBuild.exe, 00000002.00000002.3249101557.000000000540A000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.pdb source: WER24F5.tmp.dmp.9.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER24F5.tmp.dmp.9.dr
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdbZE source: MSBuild.exe, 00000002.00000002.3246919937.000000000112D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Microsoft.VisualBasic.pdb source: WER24F5.tmp.dmp.9.dr
Source:	Binary string: System.Core.ni.pdb source: WER24F5.tmp.dmp.9.dr
Source:	Binary string: %%.pdb source: MSBuild.exe, 00000002.00000002.3249101557.000000000540A000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.pdb source: WER24F5.tmp.dmp.9.dr
Source:	Binary string: mscorlib.pdb source: MSBuild.exe, 00000002.00000002.3249101557.000000000540A000.00000004.00000010.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.3246919937.0000000001170000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.3246919937.0000000001163000.00000004.00000020.00020000.00000000.sdmp, WER24F5.tmp.dmp.9.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: MSBuild.exe, 00000002.00000002.3246919937.000000000112D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Management.ni.pdbRSDSJ< source: WER24F5.tmp.dmp.9.dr
Source:	Binary string: System.Drawing.pdb source: WER24F5.tmp.dmp.9.dr
Source:	Binary string: System.pdbH source: WER24F5.tmp.dmp.9.dr
Source:	Binary string: System.Management.pdb source: WER24F5.tmp.dmp.9.dr
Source:	Binary string: \??\C:\Windows\symbols\exe\MSBuild.pdb source: MSBuild.exe, 00000002.00000002.3246919937.000000000112D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WER24F5.tmp.dmp.9.dr
Source:	Binary string: System.Management.ni.pdb source: WER24F5.tmp.dmp.9.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbSx, source: MSBuild.exe, 00000002.00000002.3246919937.000000000112D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: MSBuild.exe, 00000002.00000002.3246919937.000000000112D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: WER24F5.tmp.dmp.9.dr
Source:	Binary string: symbols\dll\mscorlib.pdbLb source: MSBuild.exe, 00000002.00000002.3249101557.000000000540A000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.pdb' source: MSBuild.exe, 00000002.00000002.3246919937.0000000001170000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER24F5.tmp.dmp.9.dr
Source:	Binary string: System.ni.pdb source: WER24F5.tmp.dmp.9.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER24F5.tmp.dmp.9.dr

Source: rPROFORMAINVOICE-PO_ATS_1036.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: rPROFORMAINVOICE-PO_ATS_1036.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: rPROFORMAINVOICE-PO_ATS_1036.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: rPROFORMAINVOICE-PO_ATS_1036.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: rPROFORMAINVOICE-PO_ATS_1036.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 0.2.rPROFORMAINVOICE-PO_ATS_1036.exe.2544bf12d90.2.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.rPROFORMAINVOICE-PO_ATS_1036.exe.2544bf12d90.2.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Helper.SB(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.rPROFORMAINVOICE-PO_ATS_1036.exe.2544bf12d90.2.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)

.NET source code contains potential unpacker

Source: 0.2.rPROFORMAINVOICE-PO_ATS_1036.exe.2544bf12d90.2.raw.unpack, Messages.cs	.Net Code: Plugin System.AppDomain.Load(byte[])
Source: 0.2.rPROFORMAINVOICE-PO_ATS_1036.exe.2544bf12d90.2.raw.unpack, Messages.cs	.Net Code: Memory System.AppDomain.Load(byte[])
Source: 0.2.rPROFORMAINVOICE-PO_ATS_1036.exe.2544bf12d90.2.raw.unpack, Messages.cs	.Net Code: Memory

Source: rPROFORMAINVOICE-PO_ATS_1036.exe	Static PE information: section name: .managed
Source: rPROFORMAINVOICE-PO_ATS_1036.exe	Static PE information: section name: hydrated
Source: rPROFORMAINVOICE-PO_ATS_1036.exe.0.dr	Static PE information: section name: .managed
Source: rPROFORMAINVOICE-PO_ATS_1036.exe.0.dr	Static PE information: section name: hydrated

Source: C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe

File created: C:\Users\user\rPROFORMAINVOICE-PO_ATS_1036.exe

Jump to dropped file

Source: C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe

File created: C:\Users\user\rPROFORMAINVOICE-PO_ATS_1036.exe

Jump to dropped file

Boot Survival

Drops PE files to the user root directory

Source: C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe

File created: C:\Users\user\rPROFORMAINVOICE-PO_ATS_1036.exe

Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe	Memory allocated: 25447A30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: FF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 2B50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 4B50000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Window / User API: threadDelayed 1705			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Window / User API: threadDelayed 8096			Jump to behavior

Source: C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-29135

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1508	Thread sleep time: -23058430092136925s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3916	Thread sleep count: 1705 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3916	Thread sleep count: 8096 > 30	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe

Code function: 0_2_00007FF78B961460 GetSystemInfo,GetNumaHighestNodeNumber,GetCurrentProcess,GetProcessGroupAffinity,GetLastError,GetCurrentProcess,GetProcessAffinityMask,

0_2_00007FF78B961460

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: Amcache.hve.9.dr	Binary or memory string: VMware
Source: Amcache.hve.9.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.9.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.9.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.9.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.9.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.9.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.9.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.9.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.9.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.9.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.9.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: MSBuild.exe, 00000002.00000002.3246919937.000000000112D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.9.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.9.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.9.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.9.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.9.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.9.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.9.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.9.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.9.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.9.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.9.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.9.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.9.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.9.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.9.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.9.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.9.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe

Code function: 0_2_00007FF78B9BB64C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

0_2_00007FF78B9BB64C

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 40A000	Jump to behavior
Source: C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 40C000	Jump to behavior
Source: C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: AEE008	Jump to behavior

Source: C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"

Jump to behavior

Source: MSBuild.exe, 00000002.00000002.3247456184.0000000002BAE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: MSBuild.exe, 00000002.00000002.3247456184.0000000002BAE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Managert-^q
Source: MSBuild.exe, 00000002.00000002.3247456184.0000000002BAE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: @\^q@\^q'PING!<Xwormmm>Program Manager<Xwormmm>0
Source: MSBuild.exe, 00000002.00000002.3247456184.0000000002BAE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: PING!<Xwormmm>Program Manager<Xwormmm>0
Source: MSBuild.exe, 00000002.00000002.3247456184.0000000002BAE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^q'PING!<Xwormmm>Program Manager<Xwormmm>0Te^q

Source: C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe	Code function: GetLocaleInfoEx,		0_2_00007FF78B9E8FB0
Source: C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe	Code function: GetLocaleInfoEx,		0_2_00007FF78B9E9080

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe

Code function: 0_2_00007FF78B960030 GetSystemTimeAsFileTime,

0_2_00007FF78B960030

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.9.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.9.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.9.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: MSBuild.exe, 00000002.00000002.3246919937.0000000001170000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.3246919937.00000000010E8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: Amcache.hve.9.dr	Binary or memory string: MsMpEng.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected XWorm

Source: Yara match	File source: 0.2.rPROFORMAINVOICE-PO_ATS_1036.exe.2544e23ff70.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rPROFORMAINVOICE-PO_ATS_1036.exe.2544e22a9e8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rPROFORMAINVOICE-PO_ATS_1036.exe.2544bf12d90.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rPROFORMAINVOICE-PO_ATS_1036.exe.2544bf12d90.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rPROFORMAINVOICE-PO_ATS_1036.exe.2544e23ff70.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rPROFORMAINVOICE-PO_ATS_1036.exe.2544e22a9e8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.3246247886.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1693833580.000002544BC00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1694534154.000002544E000000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rPROFORMAINVOICE-PO_ATS_1036.exe PID: 6180, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 3756, type: MEMORYSTR

Remote Access Functionality

Yara detected XWorm

Source: Yara match	File source: 0.2.rPROFORMAINVOICE-PO_ATS_1036.exe.2544e23ff70.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rPROFORMAINVOICE-PO_ATS_1036.exe.2544e22a9e8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rPROFORMAINVOICE-PO_ATS_1036.exe.2544bf12d90.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rPROFORMAINVOICE-PO_ATS_1036.exe.2544bf12d90.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rPROFORMAINVOICE-PO_ATS_1036.exe.2544e23ff70.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rPROFORMAINVOICE-PO_ATS_1036.exe.2544e22a9e8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.3246247886.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1693833580.000002544BC00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1694534154.000002544E000000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rPROFORMAINVOICE-PO_ATS_1036.exe PID: 6180, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 3756, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Access Token Manipulation	111 Masquerading	1 Input Capture	1 System Time Discovery	Remote Services	1 Input Capture	12 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	312 Process Injection	1 Disable or Modify Tools	LSASS Memory	121 Security Software Discovery	Remote Desktop Protocol	11 Archive Collected Data	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	31 Virtualization/Sandbox Evasion	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Access Token Manipulation	NTDS	31 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	12 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	312 Process Injection	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	11 Deobfuscate/Decode Files or Information	Cached Domain Credentials	25 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Obfuscated Files or Information	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	2 Software Packing	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 DLL Side-Loading	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
rPROFORMAINVOICE-PO_ATS_1036.exe	66%	ReversingLabs	Win64.Trojan.XWorm

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\rPROFORMAINVOICE-PO_ATS_1036.exe	66%	ReversingLabs	Win64.Trojan.XWorm

Source	Detection	Scanner	Label
http://upx.sf.net	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
67.215.224.133	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
fp2e7a.wpc.phicdn.net	192.229.221.95	true	false		unknown
198.187.3.20.in-addr.arpa	unknown	unknown	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
67.215.224.133	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	Amcache.hve.9.dr	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	MSBuild.exe, 00000002.00000002.3247456184.0000000002B51000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
67.215.224.133	unknown	United States		8100	ASN-QUADRANET-GLOBALUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1518225
Start date and time:	2024-09-25 14:24:28 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 16s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	rPROFORMAINVOICE-PO_ATS_1036.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@5/6@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 4.245.163.56, 2.16.100.168, 88.221.110.91, 52.165.164.15, 192.229.221.95, 40.69.42.241, 20.3.187.198, 4.175.87.197, 20.12.23.50, 20.190.159.0, 40.126.31.67, 20.190.159.75, 20.190.159.68, 20.190.159.2, 20.190.159.4, 20.190.159.64, 20.190.159.71, 20.189.173.22
Excluded domains from analysis (whitelisted): prdv4a.aadg.msidentity.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, www.tm.v4.a.prd.aadg.akadns.net, onedsblobprdwus17.westus.cloudapp.azure.com, ctldl.windowsupdate.com, a767.dspw65.akamai.net, login.msa.msidentity.com, download.windowsupdate.com.edgesuite.net, fe3cr.delivery.mp.microsoft.com, fe3.delivery.mp.microsoft.com, ocsp.digicert.com, login.live.com, glb.cws.prod.dcat.dsp.trafficmanager.net, ocsp.edge.digicert.com, blobcollector.events.data.trafficmanager.net, sls.update.microsoft.com, umwatson.events.data.microsoft.com, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net, www.tm.lg.prod.aadmsa.trafficmanager.net
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.
VT rate limit hit for: rPROFORMAINVOICE-PO_ATS_1036.exe

Simulations

Behavior and APIs

Time	Type	Description
08:25:27	API Interceptor	3247831x Sleep call for process: MSBuild.exe modified
08:27:56	API Interceptor	1x Sleep call for process: WerFault.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fp2e7a.wpc.phicdn.net	9YOOBuBZtj.exe	Get hash	malicious	ScreenConnect Tool	Browse	192.229.221.95
	6Zx9GI028y.exe	Get hash	malicious	ScreenConnect Tool	Browse	192.229.221.95
	y4FSQMICGJ.exe	Get hash	malicious	ScreenConnect Tool	Browse	192.229.221.95
	75kTq6Y4Ck.exe	Get hash	malicious	ScreenConnect Tool	Browse	192.229.221.95
	4ZVhm9dOfO.exe	Get hash	malicious	ScreenConnect Tool	Browse	192.229.221.95
	https://u47138932.ct.sendgrid.net/ls/click?upn=u001.WHU40Igm1lAOGuvv-2FdvXEBICo64I-2Fww-2F4GhUU-2BYAtPpG2Rlg5ZO0npuLCJUQ0th-2Bv7jiqZNwXXutQuRULDJ5gA-3D-3D49di_E3jX7UdwUvWW16GmiaKN7FkCRVuYellJjDDE2zc2thlrACmxCpdiqjVeZzrtBBh53HG3diRIaSJROX1IVISX2iuKwpzfFmWnT0Yv1uEikhvgBfP7OQn0yqcVecNZ3iDwFjYYj57BnYIOhDpPo4MTwnwub6p2B5GRghh6ChqtreR11LT6WpJx-2FcmruvU1xEGNLDsifcIUnQKgQbqTLc4vnXmCfsmjYgCm0e-2BBQgOUn5pv0HzAWJQ2BG0SXnTVfDBoH7QelwM6AwzcQNq8DXMWRJRTblKEKJioXfF0zfGmiftnizJbYIB8-2FjHg4nz-2F3zTP2EmyELP4FGD6jsuXOmnDDCfknw4WJyH33Agg5tAwQOjntCHuuZi6vcl6SPJyVNsvolpRM7Yp8Ri5gQksC1pfj2rC-2F45nF8bhK3EHs4VmIWpDl-2FDZcfZMpI50qinszZEtLmF7m8gZv-2BkUvlKpTvm-2FfTLIu2iSZcVBG0sGFMm-2FoR-2BR6O0SBoX53s7fd6zbqziWuPg2tLfHjJjraKZEwqpZnbaHuJ-2F-2F-2FWqvTwBSaffuKdeB6vfA0b-2FDnJiZ4Bk6qAzG08EbfonMWuWwAbXPPNlz7-2FPhMaRZIj5qYmImFuGJee8m0N-2Bht2q6llhNWiP4ZMXXLYVHteEexUAugvquxsOpI6vqnHcQgc-2FVpUHpOp2BMHZLkW2qrpJH8BCyfTdYFr6iQwd7HzQDsc429SLZFXzK95V1E-2FXG1a3sGhwhN8XAY0nnJSxwwGLn2jP8dTD9xQetC2exPt5-2F-2FqgJQ5bXuDHvFZTrNGco6SJBPNyS9ynWfuYpvIc2j9CNYEYBIXjxGimgN-2BOoaRDXClnNK36cnrLjExHKdCfLb6GbsD03m-2Bb3lMo-3D	Get hash	malicious	Unknown	Browse	192.229.221.95
	https://xv5jxkerkk.nl-ams-1.linodeobjects.com/index.htm?url=dc-systemes.jcrnastercontracting.com&corid=	Get hash	malicious	HtmlDropper	Browse	192.229.221.95
	file.exe	Get hash	malicious	SmokeLoader	Browse	192.229.221.95
	https://auth.securetnet.com/44850b/fb7c75ee-a59f-4721-a974-2d0b2fad0b9b	Get hash	malicious	Unknown	Browse	192.229.221.95
	https://app.pipefy.com/public/phase_redirect/f86fa292-1317-4dc5-8112-3af168025951?origin=email	Get hash	malicious	HTMLPhisher	Browse	192.229.221.95

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ASN-QUADRANET-GLOBALUS	34467890.doc	Get hash	malicious	Unknown	Browse	66.63.187.123
	Swift.doc	Get hash	malicious	AgentTesla	Browse	66.63.187.123
	XjPA2pnUhC.exe	Get hash	malicious	Remcos, DBatLoader	Browse	192.161.184.44
	BANK PAYMENT COPY.doc	Get hash	malicious	XWorm	Browse	66.63.187.123
	https://2836500.vip/	Get hash	malicious	Unknown	Browse	27.0.235.55
	#U0631#U0648#U0632 #U0633#U06cc#U0627#U0647 #U06a9#U0627#U0631#U06af#U0631.exe	Get hash	malicious	Unknown	Browse	45.95.233.246
	#U0631#U0648#U0632 #U0633#U06cc#U0627#U0647 #U06a9#U0627#U0631#U06af#U0631.exe	Get hash	malicious	Unknown	Browse	45.95.233.246
	#U0641#U0631#U0627#U062e#U0648#U0627#U0646 #U0631#U0648#U0632 #U06a9#U0627#U0631#U06af#U0631.exe	Get hash	malicious	Unknown	Browse	45.95.233.246
	Drawing_Products_Materials_and_Samples_IMG.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	64.188.18.75
	11062370MXQRQ353000718_001.doc	Get hash	malicious	Unknown	Browse	66.63.187.123

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_msbuild.exe_c0d52432dfe3ceb750b4c6e7cd4c95a2e207481_11e7f0f4_f83a3f6a-ba45-452e-b37a-b98497531510\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.1701646477935583
Encrypted:	false
SSDEEP:	192:/tzxScO3aXGT0BU/Ka6THyChC/zuiFzZ24IO8G:Zxi3aXxBU/KaWSp/zuiFzY4IO8G
MD5:	66CC108814C483D97B492FE85EFE7336
SHA1:	CA37A90FF23051EF908170041292FAD04D30C5D8
SHA-256:	EC13F2AA645508A955EACF5DC02C1789964B8C8C8AAA2F2C90607C0A09308735
SHA-512:	361F1EB08BECF5D45A49C66E2A532BF4F3DE66ACA14F65C979D6F52B62C9DE285C332434A9D6ACC0F88AC1072CF9DF474722A0EEB9A359755856DA65E6B44291
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.1.7.4.0.8.5.9.0.7.9.3.1.3.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.1.7.4.0.8.6.0.1.5.7.3.9.6.6.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.8.3.a.3.f.6.a.-.b.a.4.5.-.4.5.2.e.-.b.3.7.a.-.b.9.8.4.9.7.5.3.1.5.1.0.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.f.a.c.4.4.8.c.-.0.1.d.a.-.4.0.1.7.-.8.a.c.d.-.8.5.c.a.0.0.8.8.e.e.e.e.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.m.s.b.u.i.l.d...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.M.S.B.u.i.l.d...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.e.a.c.-.0.0.0.1.-.0.0.1.4.-.b.0.c.8.-.e.0.f.c.4.5.0.f.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.e.6.2.5.6.a.0.1.5.9.6.8.8.f.0.5.6.0.b.0.1.5.d.a.4.d.9.6.7.f.4.1.c.b.f.8.c.9.b.d.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER24F5.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Wed Sep 25 12:27:39 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	330460
Entropy (8bit):	3.6666584031052403
Encrypted:	false
SSDEEP:	3072:y3dCx2c0s4uEqkdXW8rfwqtNnY+LTg3NytN4XfUlOl:ytPc0s47wknYsTgdyte
MD5:	90CC49AAC8858896A4098D11817730D6
SHA1:	8FDBE9DFF0FF0DC4EB501706B1C76274399F753F
SHA-256:	5E291D8EF29B861E061965F244C3F6C7AF73B092BD1CDC4874F8591FE993B6F2
SHA-512:	7F5183B38F814ACDFE70DBF19F1E666A84055F39C88F52A9A8BF93A6199BB7396269FD21C0C4A2DB4FC65BD7B3F3DA3A62A36E0304DBA2FCB2309F423544CD87
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... ..........f....................................$...t'.......)..._..........`.......8...........T...........h>..t............'...........)..............................................................................eJ.......*......GenuineIntel............T...........0..f....L........................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER27E4.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	6384
Entropy (8bit):	3.717767588768132
Encrypted:	false
SSDEEP:	192:R6l7wVeJWg6XJ+YZzVapr689boJCsfqupm:R6lXJh6Z+Yn0oJBfTE
MD5:	88931B628AEB489AD8C495AB58063178
SHA1:	53CEFDE1885D76F545B97869A31882932F8C05EF
SHA-256:	F2CA7F0FB8E2E44964FAF4CAEE480B77BA32C53612D48235D2E861343C0E42F2
SHA-512:	62A6EAE5B537BE4CA153ACD53E5F2D8CF71E83F4540B80DFA3DC574DAE1D18182F3BA9B3DD533614FA2BB817B86EBF645960C81DDAA18DBD6A665D4AC40DEFEA
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.7.5.6.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2833.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4729
Entropy (8bit):	4.448828040781326
Encrypted:	false
SSDEEP:	48:cvIwWl8zs5NJg77aI9sfWpW8VYj2Ym8M4JoxFqI+q8vulmLCd:uIjf5nI7OO7VCJUKomLCd
MD5:	9147A3187C8547ABBF9C751D3C16EF3B
SHA1:	92C8D631D03EBFBE85BA4328A86E4D8083C14A3B
SHA-256:	FC05361E079AB959AAE1E0430385FBC124C91F93E86B64C309D5409CF9D2B97B
SHA-512:	442400464F7968263B24CEA00690E7120265DE9742A66A62FB1AD5AE39EC4DCCFBE58DEBC7FE8F9C07CA385BEA051B2B1B91E0C6F6297B31A396153B51AA01F9
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="515730" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\rPROFORMAINVOICE-PO_ATS_1036.exe

Download File

Process:	C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1464832
Entropy (8bit):	6.886828046222246
Encrypted:	false
SSDEEP:	24576:rAonTAWtaG9kwX2t684Bnndby1UuFLan9k5TRM7phylfihgdElWlVjD:rAodtaG9kS2U84B+FLan9k5TRM9zlgVj
MD5:	CCDC6ABB91CBA9B82FCEA9F02AAEFFAC
SHA1:	8BADDE3B9CB21B8F6CD0FCF75F8B94A545FA35EA
SHA-256:	55EAD53E3DFF6DB18AB2E0A9E353C4F39E6D0CE7AD0DD506DD7CE92D866B7EAA
SHA-512:	216E011F71E2783EC85B21AE98A1952D9C0F8FF7325E7001C177B3FFAEBA5407446E42C05393BB33B6DCFD430EB81323343A24C9F6A2597709A6DF26D0CAF7DF
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 66%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......E......E...E...E...D...E...D...E...D/..E..BE...EJ..D...E...E..E...D...E...D...E...E...E...DD..EI..D...EI..D...E................PE..d......f.........."....).n..........,..........@.............................`............`.............................................\...................................P.......Z..T....................]..(....Y..@............................................text............................... ..`.managed(z.......\|.................. ..`hydrated.................................rdata..jl.......n...r..............@..@.data...............................@....pdata..............................@..@.rsrc..............................@..@.reloc.......P.......T..............@..B................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.466344412417991
Encrypted:	false
SSDEEP:	6144:TIXfpi67eLPU9skLmb0b4OWSPKaJG8nAgejZMMhA2gX4WABl0uNddwBCswSb+:EXD94OWlLZMM6YFH7++
MD5:	A2791C4437591F26E21ADBDA86022287
SHA1:	9062DBD6220E38A9B7F80232F3D6A0A59F29B24C
SHA-256:	F918B0A1D009CF60BA2882873F985900109FAE7F909079E80512291A343E4A7C
SHA-512:	DE67D87AAEBF79171DF90A365D90CAB5E7BB63CE157A16C02B40322618EF45582C967766F064DF1BAFBE02F35CCC364F8CCE3A6BA171DF7CBACFD7D2E8DF825B
Malicious:	false
Reputation:	low
Preview:	regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.3=OF...............................................................................................................................................................................................................................................................................................................................................r.*{........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	6.886828046222246
TrID:	Win64 Executable GUI (202006/5) 77.37% InstallShield setup (43055/19) 16.49% Win64 Executable (generic) (12005/4) 4.60% Generic Win/DOS Executable (2004/3) 0.77% DOS Executable Generic (2002/1) 0.77%
File name:	rPROFORMAINVOICE-PO_ATS_1036.exe
File size:	1'464'832 bytes
MD5:	ccdc6abb91cba9b82fcea9f02aaeffac
SHA1:	8badde3b9cb21b8f6cd0fcf75f8b94a545fa35ea
SHA256:	55ead53e3dff6db18ab2e0a9e353c4f39e6d0ce7ad0dd506dd7ce92d866b7eaa
SHA512:	216e011f71e2783ec85b21ae98a1952d9c0f8ff7325e7001c177b3ffaeba5407446e42c05393bb33b6dcfd430eb81323343a24c9f6a2597709a6df26d0caf7df
SSDEEP:	24576:rAonTAWtaG9kwX2t684Bnndby1UuFLan9k5TRM7phylfihgdElWlVjD:rAodtaG9kS2U84B+FLan9k5TRM9zlgVj
TLSH:	B765BE19E3A911FCD52BC634CB51A233E6B174560B21A5CB0B99C7452FB3EE16B7B302
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......E......E...E...E...D...E...D...E...D/..E..BE...EJ..D...E...E...E...D...E...D...E...E...E...DD..EI..D...EI..D...E...............

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x14006ac2c
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x66E5ADB8 [Sat Sep 14 15:37:28 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	22a65106d3d84ea74d966fa0424a5a0c

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007FB9B48ABE6Ch
dec eax
add esp, 28h
jmp 00007FB9B48AB697h
int3
int3
jmp 00007FB9B48AC1E8h
int3
int3
int3
dec eax
sub esp, 28h
call 00007FB9B48AC1E4h
jmp 00007FB9B48AB824h
xor eax, eax
dec eax
add esp, 28h
ret
int3
int3
jmp 00007FB9B48AB80Ch
int3
int3
int3
dec eax
sub esp, 28h
dec ebp
mov eax, dword ptr [ecx+38h]
dec eax
mov ecx, edx
dec ecx
mov edx, ecx
call 00007FB9B48AB832h
mov eax, 00000001h
dec eax
add esp, 28h
ret
int3
int3
int3
inc eax
push ebx
inc ebp
mov ebx, dword ptr [eax]
dec eax
mov ebx, edx
inc ecx
and ebx, FFFFFFF8h
dec esp
mov ecx, ecx
inc ecx
test byte ptr [eax], 00000004h
dec esp
mov edx, ecx
je 00007FB9B48AB835h
inc ecx
mov eax, dword ptr [eax+08h]
dec ebp
arpl word ptr [eax+04h], dx
neg eax
dec esp
add edx, ecx
dec eax
arpl ax, cx
dec esp
and edx, ecx
dec ecx
arpl bx, ax
dec edx
mov edx, dword ptr [eax+edx]
dec eax
mov eax, dword ptr [ebx+10h]
mov ecx, dword ptr [eax+08h]
dec eax
mov eax, dword ptr [ebx+08h]
test byte ptr [ecx+eax+03h], 0000000Fh
je 00007FB9B48AB82Dh
movzx eax, byte ptr [ecx+eax+03h]
and eax, FFFFFFF0h
dec esp
add ecx, eax
dec esp
xor ecx, edx
dec ecx
mov ecx, ecx
pop ebx
jmp 00007FB9B48AB836h
int3
int3
int3
int3
int3
int3
int3
nop word ptr [eax+eax+00000000h]
dec eax
cmp ecx, dword ptr [00000049h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x17f3c0	0x5c	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x17f41c	0xf0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x19c000	0x8cec	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x18f000	0xcdec	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x1a5000	0x5b8	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x165ae0	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x165d00	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x1659a0	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x11a000	0x6a0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6f188	0x6f200	16824105689e93571b28f6d652acf3f1	False	0.45466728768278963	data	6.6338226603175485	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.managed	0x71000	0x77a28	0x77c00	459fe8e4d0429964edfb07e39e66b232	False	0.46850331093423797	data	6.473781869755907	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
hydrated	0xe9000	0x30498	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x11a000	0x66c6a	0x66e00	66005403fd51b790f6bebcfc93bfd20a	False	0.48810088851761846	data	6.702713768992107	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x181000	0xd5a8	0x1800	9d5075bd44b367f703d8e922b003398a	False	0.2294921875	data	3.190641782829915	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x18f000	0xcdec	0xce00	638451eb673a6cdf25f666b19f1b8bb4	False	0.49419751213592233	data	6.064103613023274	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x19c000	0x8cec	0x8e00	44a3fd7e9e9250b96fa62a4cdb150fb0	False	0.9726287411971831	data	7.961008846506978	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x1a5000	0x5b8	0x600	adcf9b9e4d3994d1018ad464f4f1db74	False	0.5826822916666666	data	5.215191968056739	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
BINARY	0x19c130	0x8694	data	1.000609543712992
RT_VERSION	0x1a47c4	0x33c	data	0.3864734299516908
RT_MANIFEST	0x1a4b00	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
ADVAPI32.dll	RegOpenKeyExW, RegQueryValueExW, RegSetValueExW, RegCloseKey, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges, RegEnumValueW
bcrypt.dll	BCryptCloseAlgorithmProvider, BCryptGenerateSymmetricKey, BCryptDestroyKey, BCryptOpenAlgorithmProvider, BCryptGenRandom
KERNEL32.dll	TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, InitializeCriticalSectionAndSpinCount, EncodePointer, GetConsoleWindow, FreeConsole, AllocConsole, SetLastError, GetLastError, LocalFree, CloseHandle, ExitProcess, GetTickCount64, FormatMessageW, K32EnumProcessModulesEx, IsWow64Process, GetExitCodeProcess, OpenProcess, K32EnumProcesses, K32GetModuleInformation, K32GetModuleBaseNameW, K32GetModuleFileNameExW, GetProcessId, DuplicateHandle, GetCurrentProcess, CloseThreadpoolIo, GetCurrentProcessId, MultiByteToWideChar, GetStdHandle, RaiseFailFastException, GetCalendarInfoEx, CompareStringOrdinal, CompareStringEx, FindNLSStringEx, GetLocaleInfoEx, ResolveLocaleName, FindStringOrdinal, GetCurrentThread, Sleep, DeleteCriticalSection, EnterCriticalSection, SleepConditionVariableCS, LeaveCriticalSection, WakeConditionVariable, QueryPerformanceCounter, InitializeCriticalSection, InitializeConditionVariable, WaitForMultipleObjectsEx, QueryPerformanceFrequency, GetFullPathNameW, GetLongPathNameW, WideCharToMultiByte, LocalAlloc, GetConsoleOutputCP, GetProcAddress, LocaleNameToLCID, LCMapStringEx, EnumTimeFormatsEx, EnumCalendarInfoExEx, CreateFileW, CreateThreadpoolIo, StartThreadpoolIo, CancelThreadpoolIo, DeleteFileW, DeviceIoControl, ExpandEnvironmentStringsW, FindClose, FindFirstFileExW, FlushFileBuffers, FreeLibrary, GetFileAttributesExW, GetFileInformationByHandleEx, GetFileType, GetModuleFileNameW, GetOverlappedResult, LoadLibraryExW, ReadFile, SetFileInformationByHandle, SetThreadErrorMode, GetThreadPriority, SetThreadPriority, WriteFile, GetCurrentProcessorNumberEx, SetEvent, CreateEventExW, GetEnvironmentVariableW, FlushProcessWriteBuffers, WaitForSingleObjectEx, RtlVirtualUnwind, RtlCaptureContext, RtlRestoreContext, AddVectoredExceptionHandler, FlsAlloc, FlsGetValue, FlsSetValue, CreateEventW, TerminateProcess, SwitchToThread, CreateThread, GetCurrentThreadId, SuspendThread, ResumeThread, GetThreadContext, SetThreadContext, FlushInstructionCache, VirtualAlloc, VirtualProtect, VirtualFree, QueryInformationJobObject, GetModuleHandleW, GetModuleHandleExW, GetProcessAffinityMask, InitializeContext, GetEnabledXStateFeatures, SetXStateFeaturesMask, InitializeCriticalSectionEx, VirtualQuery, GetSystemTimeAsFileTime, ResetEvent, DebugBreak, WaitForSingleObject, SleepEx, GlobalMemoryStatusEx, GetSystemInfo, GetLogicalProcessorInformation, GetLogicalProcessorInformationEx, GetLargePageMinimum, VirtualUnlock, VirtualAllocExNuma, IsProcessInJob, GetNumaHighestNodeNumber, GetProcessGroupAffinity, K32GetProcessMemoryInfo, RaiseException, RtlPcToFileHeader, RtlUnwindEx, IsProcessorFeaturePresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, IsDebuggerPresent, RtlLookupFunctionEntry, InitializeSListHead
ole32.dll	CoGetApartmentType, CoTaskMemAlloc, CoUninitialize, CoInitializeEx, CoTaskMemFree, CoWaitForMultipleHandles
api-ms-win-crt-heap-l1-1-0.dll	malloc, free, _callnewh, calloc, _set_new_mode
api-ms-win-crt-math-l1-1-0.dll	__setusermatherr
api-ms-win-crt-string-l1-1-0.dll	strcmp, _stricmp, strcpy_s, strncpy_s, wcsncmp
api-ms-win-crt-convert-l1-1-0.dll	strtoull
api-ms-win-crt-runtime-l1-1-0.dll	__p___wargv, _cexit, exit, terminate, _crt_atexit, _register_onexit_function, _initialize_onexit_table, __p___argc, _exit, abort, _initterm_e, _c_exit, _register_thread_local_exe_atexit_callback, _seh_filter_exe, _set_app_type, _initterm, _configure_wide_argv, _initialize_wide_environment, _get_initial_wide_environment
api-ms-win-crt-stdio-l1-1-0.dll	__stdio_common_vsprintf_s, __stdio_common_vfprintf, __p__commode, _set_fmode, __stdio_common_vsscanf, __acrt_iob_func
api-ms-win-crt-locale-l1-1-0.dll	_configthreadlocale

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-09-25T14:26:30.991268+0200	2855924	ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound	1	192.168.2.4	58148	67.215.224.133	5454	TCP
2024-09-25T14:26:58.181877+0200	2853193	ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound	1	192.168.2.4	58154	67.215.224.133	5454	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 25, 2024 14:25:24.065973043 CEST	49675	443	192.168.2.4	173.222.162.32
Sep 25, 2024 14:25:28.083329916 CEST	49730	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:25:28.088262081 CEST	5454	49730	67.215.224.133	192.168.2.4
Sep 25, 2024 14:25:28.088402033 CEST	49730	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:25:28.178103924 CEST	49730	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:25:28.183857918 CEST	5454	49730	67.215.224.133	192.168.2.4
Sep 25, 2024 14:25:29.657665968 CEST	5454	49730	67.215.224.133	192.168.2.4
Sep 25, 2024 14:25:29.657776117 CEST	49730	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:25:31.753740072 CEST	49730	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:25:31.755755901 CEST	49731	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:25:31.758657932 CEST	5454	49730	67.215.224.133	192.168.2.4
Sep 25, 2024 14:25:31.760586977 CEST	5454	49731	67.215.224.133	192.168.2.4
Sep 25, 2024 14:25:31.760701895 CEST	49731	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:25:31.774903059 CEST	49731	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:25:31.779848099 CEST	5454	49731	67.215.224.133	192.168.2.4
Sep 25, 2024 14:25:33.333336115 CEST	5454	49731	67.215.224.133	192.168.2.4
Sep 25, 2024 14:25:33.333420992 CEST	49731	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:25:37.503679991 CEST	49731	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:25:37.504909992 CEST	49733	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:25:37.508531094 CEST	5454	49731	67.215.224.133	192.168.2.4
Sep 25, 2024 14:25:37.509776115 CEST	5454	49733	67.215.224.133	192.168.2.4
Sep 25, 2024 14:25:37.509869099 CEST	49733	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:25:37.528363943 CEST	49733	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:25:37.533220053 CEST	5454	49733	67.215.224.133	192.168.2.4
Sep 25, 2024 14:25:39.080449104 CEST	5454	49733	67.215.224.133	192.168.2.4
Sep 25, 2024 14:25:39.080744028 CEST	49733	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:25:41.449673891 CEST	49723	80	192.168.2.4	93.184.221.240
Sep 25, 2024 14:25:41.454740047 CEST	80	49723	93.184.221.240	192.168.2.4
Sep 25, 2024 14:25:41.455638885 CEST	49723	80	192.168.2.4	93.184.221.240
Sep 25, 2024 14:25:41.941034079 CEST	49733	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:25:41.942063093 CEST	49739	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:25:41.946024895 CEST	5454	49733	67.215.224.133	192.168.2.4
Sep 25, 2024 14:25:41.946892023 CEST	5454	49739	67.215.224.133	192.168.2.4
Sep 25, 2024 14:25:41.946970940 CEST	49739	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:25:41.963135004 CEST	49739	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:25:41.969373941 CEST	5454	49739	67.215.224.133	192.168.2.4
Sep 25, 2024 14:25:43.621519089 CEST	5454	49739	67.215.224.133	192.168.2.4
Sep 25, 2024 14:25:43.621603966 CEST	49739	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:25:46.817111015 CEST	49739	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:25:46.819411993 CEST	49740	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:25:46.847575903 CEST	5454	49739	67.215.224.133	192.168.2.4
Sep 25, 2024 14:25:46.851737976 CEST	5454	49740	67.215.224.133	192.168.2.4
Sep 25, 2024 14:25:46.851867914 CEST	49740	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:25:46.866580963 CEST	49740	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:25:46.889198065 CEST	5454	49740	67.215.224.133	192.168.2.4
Sep 25, 2024 14:25:48.810291052 CEST	5454	49740	67.215.224.133	192.168.2.4
Sep 25, 2024 14:25:48.810313940 CEST	5454	49740	67.215.224.133	192.168.2.4
Sep 25, 2024 14:25:48.810436964 CEST	49740	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:25:50.972501040 CEST	49740	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:25:50.974397898 CEST	49741	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:25:50.984384060 CEST	5454	49740	67.215.224.133	192.168.2.4
Sep 25, 2024 14:25:50.986604929 CEST	5454	49741	67.215.224.133	192.168.2.4
Sep 25, 2024 14:25:50.986764908 CEST	49741	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:25:51.005218029 CEST	49741	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:25:51.014213085 CEST	5454	49741	67.215.224.133	192.168.2.4
Sep 25, 2024 14:25:52.615550041 CEST	5454	49741	67.215.224.133	192.168.2.4
Sep 25, 2024 14:25:52.615706921 CEST	49741	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:25:53.229340076 CEST	58130	53	192.168.2.4	162.159.36.2
Sep 25, 2024 14:25:53.244033098 CEST	53	58130	162.159.36.2	192.168.2.4
Sep 25, 2024 14:25:53.244157076 CEST	58130	53	192.168.2.4	162.159.36.2
Sep 25, 2024 14:25:53.244318008 CEST	58130	53	192.168.2.4	162.159.36.2
Sep 25, 2024 14:25:53.253160000 CEST	53	58130	162.159.36.2	192.168.2.4
Sep 25, 2024 14:25:53.742116928 CEST	53	58130	162.159.36.2	192.168.2.4
Sep 25, 2024 14:25:53.747014999 CEST	58130	53	192.168.2.4	162.159.36.2
Sep 25, 2024 14:25:53.770323992 CEST	53	58130	162.159.36.2	192.168.2.4
Sep 25, 2024 14:25:53.770412922 CEST	58130	53	192.168.2.4	162.159.36.2
Sep 25, 2024 14:25:55.256213903 CEST	49741	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:25:55.257733107 CEST	58132	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:25:55.275494099 CEST	5454	49741	67.215.224.133	192.168.2.4
Sep 25, 2024 14:25:55.275835037 CEST	5454	58132	67.215.224.133	192.168.2.4
Sep 25, 2024 14:25:55.275928020 CEST	58132	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:25:55.309695005 CEST	58132	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:25:55.318092108 CEST	5454	58132	67.215.224.133	192.168.2.4
Sep 25, 2024 14:25:57.102610111 CEST	5454	58132	67.215.224.133	192.168.2.4
Sep 25, 2024 14:25:57.102737904 CEST	58132	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:26:00.378905058 CEST	58132	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:26:00.379981995 CEST	58136	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:26:00.385278940 CEST	5454	58132	67.215.224.133	192.168.2.4
Sep 25, 2024 14:26:00.386301994 CEST	5454	58136	67.215.224.133	192.168.2.4
Sep 25, 2024 14:26:00.386456966 CEST	58136	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:26:00.400599957 CEST	58136	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:26:00.406557083 CEST	5454	58136	67.215.224.133	192.168.2.4
Sep 25, 2024 14:26:02.002873898 CEST	5454	58136	67.215.224.133	192.168.2.4
Sep 25, 2024 14:26:02.004323959 CEST	58136	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:26:04.735771894 CEST	58136	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:26:04.738430023 CEST	58137	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:26:04.741015911 CEST	5454	58136	67.215.224.133	192.168.2.4
Sep 25, 2024 14:26:04.743268013 CEST	5454	58137	67.215.224.133	192.168.2.4
Sep 25, 2024 14:26:04.743407011 CEST	58137	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:26:04.825062990 CEST	58137	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:26:04.832082987 CEST	5454	58137	67.215.224.133	192.168.2.4
Sep 25, 2024 14:26:06.314150095 CEST	5454	58137	67.215.224.133	192.168.2.4
Sep 25, 2024 14:26:06.314321995 CEST	58137	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:26:08.175514936 CEST	58137	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:26:08.176774025 CEST	58138	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:26:08.180438995 CEST	5454	58137	67.215.224.133	192.168.2.4
Sep 25, 2024 14:26:08.181571960 CEST	5454	58138	67.215.224.133	192.168.2.4
Sep 25, 2024 14:26:08.181669950 CEST	58138	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:26:08.198577881 CEST	58138	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:26:08.205084085 CEST	5454	58138	67.215.224.133	192.168.2.4
Sep 25, 2024 14:26:09.774266005 CEST	5454	58138	67.215.224.133	192.168.2.4
Sep 25, 2024 14:26:09.774523973 CEST	58138	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:26:11.847414970 CEST	58138	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:26:11.848463058 CEST	58139	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:26:11.853703022 CEST	5454	58138	67.215.224.133	192.168.2.4
Sep 25, 2024 14:26:11.854245901 CEST	5454	58139	67.215.224.133	192.168.2.4
Sep 25, 2024 14:26:11.854361057 CEST	58139	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:26:11.868599892 CEST	58139	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:26:11.874130964 CEST	5454	58139	67.215.224.133	192.168.2.4
Sep 25, 2024 14:26:13.423770905 CEST	5454	58139	67.215.224.133	192.168.2.4
Sep 25, 2024 14:26:13.423935890 CEST	58139	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:26:14.691088915 CEST	58139	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:26:14.691900015 CEST	58140	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:26:14.695868015 CEST	5454	58139	67.215.224.133	192.168.2.4
Sep 25, 2024 14:26:14.696682930 CEST	5454	58140	67.215.224.133	192.168.2.4
Sep 25, 2024 14:26:14.696774960 CEST	58140	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:26:14.709603071 CEST	58140	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:26:14.714493990 CEST	5454	58140	67.215.224.133	192.168.2.4
Sep 25, 2024 14:26:16.291531086 CEST	5454	58140	67.215.224.133	192.168.2.4
Sep 25, 2024 14:26:16.291796923 CEST	58140	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:26:16.993506908 CEST	58140	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:26:16.995414972 CEST	58141	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:26:16.998446941 CEST	5454	58140	67.215.224.133	192.168.2.4
Sep 25, 2024 14:26:17.000303984 CEST	5454	58141	67.215.224.133	192.168.2.4
Sep 25, 2024 14:26:17.000408888 CEST	58141	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:26:17.015047073 CEST	58141	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:26:17.020503998 CEST	5454	58141	67.215.224.133	192.168.2.4
Sep 25, 2024 14:26:18.582076073 CEST	5454	58141	67.215.224.133	192.168.2.4
Sep 25, 2024 14:26:18.582269907 CEST	58141	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:26:18.612953901 CEST	58141	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:26:18.613837004 CEST	58142	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:26:18.617872000 CEST	5454	58141	67.215.224.133	192.168.2.4
Sep 25, 2024 14:26:18.618629932 CEST	5454	58142	67.215.224.133	192.168.2.4
Sep 25, 2024 14:26:18.618702888 CEST	58142	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:26:18.630337954 CEST	58142	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:26:18.635185003 CEST	5454	58142	67.215.224.133	192.168.2.4
Sep 25, 2024 14:26:20.209152937 CEST	5454	58142	67.215.224.133	192.168.2.4
Sep 25, 2024 14:26:20.209280968 CEST	58142	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:26:20.253637075 CEST	58142	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:26:20.254601955 CEST	58143	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:26:20.258690119 CEST	5454	58142	67.215.224.133	192.168.2.4
Sep 25, 2024 14:26:20.259438038 CEST	5454	58143	67.215.224.133	192.168.2.4
Sep 25, 2024 14:26:20.259510994 CEST	58143	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:26:20.275404930 CEST	58143	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:26:20.280431986 CEST	5454	58143	67.215.224.133	192.168.2.4
Sep 25, 2024 14:26:21.831409931 CEST	5454	58143	67.215.224.133	192.168.2.4
Sep 25, 2024 14:26:21.831787109 CEST	58143	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:26:22.597367048 CEST	58143	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:26:22.598351955 CEST	58144	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:26:22.602257013 CEST	5454	58143	67.215.224.133	192.168.2.4
Sep 25, 2024 14:26:22.603224993 CEST	5454	58144	67.215.224.133	192.168.2.4
Sep 25, 2024 14:26:22.603303909 CEST	58144	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:26:22.615725994 CEST	58144	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:26:22.620670080 CEST	5454	58144	67.215.224.133	192.168.2.4
Sep 25, 2024 14:26:24.193614006 CEST	5454	58144	67.215.224.133	192.168.2.4
Sep 25, 2024 14:26:24.193706036 CEST	58144	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:26:24.737910986 CEST	58144	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:26:24.738836050 CEST	58145	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:26:24.742870092 CEST	5454	58144	67.215.224.133	192.168.2.4
Sep 25, 2024 14:26:24.743771076 CEST	5454	58145	67.215.224.133	192.168.2.4
Sep 25, 2024 14:26:24.743868113 CEST	58145	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:26:24.755249977 CEST	58145	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:26:24.760010004 CEST	5454	58145	67.215.224.133	192.168.2.4
Sep 25, 2024 14:26:26.334225893 CEST	5454	58145	67.215.224.133	192.168.2.4
Sep 25, 2024 14:26:26.334414005 CEST	58145	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:26:26.628647089 CEST	58145	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:26:26.629576921 CEST	58146	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:26:26.635847092 CEST	5454	58145	67.215.224.133	192.168.2.4
Sep 25, 2024 14:26:26.638817072 CEST	5454	58146	67.215.224.133	192.168.2.4
Sep 25, 2024 14:26:26.638987064 CEST	58146	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:26:26.651000977 CEST	58146	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:26:26.658725023 CEST	5454	58146	67.215.224.133	192.168.2.4
Sep 25, 2024 14:26:28.223449945 CEST	5454	58146	67.215.224.133	192.168.2.4
Sep 25, 2024 14:26:28.223608017 CEST	58146	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:26:28.347368002 CEST	58146	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:26:28.348355055 CEST	58147	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:26:28.352257013 CEST	5454	58146	67.215.224.133	192.168.2.4
Sep 25, 2024 14:26:28.353271008 CEST	5454	58147	67.215.224.133	192.168.2.4
Sep 25, 2024 14:26:28.353348970 CEST	58147	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:26:28.364743948 CEST	58147	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:26:28.369584084 CEST	5454	58147	67.215.224.133	192.168.2.4
Sep 25, 2024 14:26:29.285067081 CEST	49724	80	192.168.2.4	93.184.221.240
Sep 25, 2024 14:26:29.290213108 CEST	80	49724	93.184.221.240	192.168.2.4
Sep 25, 2024 14:26:29.290318966 CEST	49724	80	192.168.2.4	93.184.221.240
Sep 25, 2024 14:26:29.942154884 CEST	5454	58147	67.215.224.133	192.168.2.4
Sep 25, 2024 14:26:29.942270041 CEST	58147	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:26:29.958025932 CEST	58147	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:26:29.960786104 CEST	58148	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:26:29.963066101 CEST	5454	58147	67.215.224.133	192.168.2.4
Sep 25, 2024 14:26:29.965708971 CEST	5454	58148	67.215.224.133	192.168.2.4
Sep 25, 2024 14:26:29.965823889 CEST	58148	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:26:29.978579044 CEST	58148	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:26:29.983582020 CEST	5454	58148	67.215.224.133	192.168.2.4
Sep 25, 2024 14:26:30.991267920 CEST	58148	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:26:30.997365952 CEST	5454	58148	67.215.224.133	192.168.2.4
Sep 25, 2024 14:26:31.019622087 CEST	58148	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:26:31.025746107 CEST	5454	58148	67.215.224.133	192.168.2.4
Sep 25, 2024 14:26:31.238322020 CEST	58148	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:26:31.243350983 CEST	5454	58148	67.215.224.133	192.168.2.4
Sep 25, 2024 14:26:31.604201078 CEST	5454	58148	67.215.224.133	192.168.2.4
Sep 25, 2024 14:26:31.605653048 CEST	58148	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:26:31.606267929 CEST	58148	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:26:31.607856035 CEST	58149	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:26:31.610990047 CEST	5454	58148	67.215.224.133	192.168.2.4
Sep 25, 2024 14:26:31.612750053 CEST	5454	58149	67.215.224.133	192.168.2.4
Sep 25, 2024 14:26:31.612865925 CEST	58149	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:26:31.643135071 CEST	58149	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:26:31.648066998 CEST	5454	58149	67.215.224.133	192.168.2.4
Sep 25, 2024 14:26:33.191458941 CEST	5454	58149	67.215.224.133	192.168.2.4
Sep 25, 2024 14:26:33.192709923 CEST	58149	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:26:36.831597090 CEST	58149	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:26:36.834301949 CEST	58150	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:26:36.836584091 CEST	5454	58149	67.215.224.133	192.168.2.4
Sep 25, 2024 14:26:36.839253902 CEST	5454	58150	67.215.224.133	192.168.2.4
Sep 25, 2024 14:26:36.839340925 CEST	58150	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:26:36.876773119 CEST	58150	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:26:36.881786108 CEST	5454	58150	67.215.224.133	192.168.2.4
Sep 25, 2024 14:26:37.363272905 CEST	58150	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:26:37.368345022 CEST	5454	58150	67.215.224.133	192.168.2.4
Sep 25, 2024 14:26:37.441286087 CEST	58150	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:26:37.446258068 CEST	5454	58150	67.215.224.133	192.168.2.4
Sep 25, 2024 14:26:38.409243107 CEST	5454	58150	67.215.224.133	192.168.2.4
Sep 25, 2024 14:26:38.409400940 CEST	58150	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:26:42.458300114 CEST	58151	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:26:42.458301067 CEST	58150	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:26:42.464808941 CEST	5454	58150	67.215.224.133	192.168.2.4
Sep 25, 2024 14:26:42.464822054 CEST	5454	58151	67.215.224.133	192.168.2.4
Sep 25, 2024 14:26:42.464945078 CEST	58151	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:26:42.561379910 CEST	58151	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:26:42.566240072 CEST	5454	58151	67.215.224.133	192.168.2.4
Sep 25, 2024 14:26:44.054091930 CEST	5454	58151	67.215.224.133	192.168.2.4
Sep 25, 2024 14:26:44.054164886 CEST	58151	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:26:47.613071918 CEST	58151	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:26:47.615159988 CEST	58152	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:26:47.618063927 CEST	5454	58151	67.215.224.133	192.168.2.4
Sep 25, 2024 14:26:47.620073080 CEST	5454	58152	67.215.224.133	192.168.2.4
Sep 25, 2024 14:26:47.620145082 CEST	58152	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:26:47.652051926 CEST	58152	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:26:47.657244921 CEST	5454	58152	67.215.224.133	192.168.2.4
Sep 25, 2024 14:26:47.707494020 CEST	58152	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:26:47.754436970 CEST	5454	58152	67.215.224.133	192.168.2.4
Sep 25, 2024 14:26:47.816276073 CEST	58152	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:26:47.823379993 CEST	5454	58152	67.215.224.133	192.168.2.4
Sep 25, 2024 14:26:49.283936977 CEST	5454	58152	67.215.224.133	192.168.2.4
Sep 25, 2024 14:26:49.284056902 CEST	58152	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:26:52.847598076 CEST	58152	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:26:52.849544048 CEST	58153	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:26:52.863617897 CEST	5454	58152	67.215.224.133	192.168.2.4
Sep 25, 2024 14:26:52.864392042 CEST	5454	58153	67.215.224.133	192.168.2.4
Sep 25, 2024 14:26:52.866596937 CEST	58153	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:26:52.937750101 CEST	58153	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:26:52.942728996 CEST	5454	58153	67.215.224.133	192.168.2.4
Sep 25, 2024 14:26:53.350121021 CEST	58153	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:26:53.657653093 CEST	58153	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:26:53.691361904 CEST	5454	58153	67.215.224.133	192.168.2.4
Sep 25, 2024 14:26:53.691378117 CEST	5454	58153	67.215.224.133	192.168.2.4
Sep 25, 2024 14:26:53.722594023 CEST	58153	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:26:53.740813971 CEST	5454	58153	67.215.224.133	192.168.2.4
Sep 25, 2024 14:26:53.831291914 CEST	58153	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:26:53.840766907 CEST	5454	58153	67.215.224.133	192.168.2.4
Sep 25, 2024 14:26:53.923512936 CEST	58153	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:26:53.948157072 CEST	5454	58153	67.215.224.133	192.168.2.4
Sep 25, 2024 14:26:53.961719990 CEST	58153	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:26:53.970104933 CEST	5454	58153	67.215.224.133	192.168.2.4
Sep 25, 2024 14:26:54.034586906 CEST	58153	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:26:54.044466019 CEST	5454	58153	67.215.224.133	192.168.2.4
Sep 25, 2024 14:26:54.046842098 CEST	58153	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:26:54.058393955 CEST	5454	58153	67.215.224.133	192.168.2.4
Sep 25, 2024 14:26:54.144751072 CEST	58153	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:26:54.154185057 CEST	5454	58153	67.215.224.133	192.168.2.4
Sep 25, 2024 14:26:54.510936975 CEST	5454	58153	67.215.224.133	192.168.2.4
Sep 25, 2024 14:26:54.511003971 CEST	58153	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:26:57.987931013 CEST	58153	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:26:57.990403891 CEST	58154	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:26:57.993298054 CEST	5454	58153	67.215.224.133	192.168.2.4
Sep 25, 2024 14:26:57.995368958 CEST	5454	58154	67.215.224.133	192.168.2.4
Sep 25, 2024 14:26:57.995465994 CEST	58154	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:26:58.046135902 CEST	58154	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:26:58.051043034 CEST	5454	58154	67.215.224.133	192.168.2.4
Sep 25, 2024 14:26:58.152220011 CEST	58154	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:26:58.158212900 CEST	5454	58154	67.215.224.133	192.168.2.4
Sep 25, 2024 14:26:58.181876898 CEST	58154	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:26:58.400289059 CEST	5454	58154	67.215.224.133	192.168.2.4
Sep 25, 2024 14:26:59.253690958 CEST	58154	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:26:59.258692026 CEST	5454	58154	67.215.224.133	192.168.2.4
Sep 25, 2024 14:26:59.596793890 CEST	5454	58154	67.215.224.133	192.168.2.4
Sep 25, 2024 14:26:59.596863985 CEST	58154	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:27:03.219058990 CEST	58154	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:27:03.224387884 CEST	5454	58154	67.215.224.133	192.168.2.4
Sep 25, 2024 14:27:03.250720024 CEST	58155	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:27:03.269224882 CEST	5454	58155	67.215.224.133	192.168.2.4
Sep 25, 2024 14:27:03.269596100 CEST	58155	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:27:03.454819918 CEST	58155	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:27:03.463280916 CEST	5454	58155	67.215.224.133	192.168.2.4
Sep 25, 2024 14:27:03.553725958 CEST	58155	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:27:03.573621035 CEST	5454	58155	67.215.224.133	192.168.2.4
Sep 25, 2024 14:27:03.727591038 CEST	58155	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:27:03.734019041 CEST	5454	58155	67.215.224.133	192.168.2.4
Sep 25, 2024 14:27:03.842407942 CEST	58155	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:27:03.851066113 CEST	5454	58155	67.215.224.133	192.168.2.4
Sep 25, 2024 14:27:03.855220079 CEST	58155	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:27:03.865318060 CEST	5454	58155	67.215.224.133	192.168.2.4
Sep 25, 2024 14:27:04.637378931 CEST	58155	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:27:04.643294096 CEST	5454	58155	67.215.224.133	192.168.2.4
Sep 25, 2024 14:27:04.919886112 CEST	5454	58155	67.215.224.133	192.168.2.4
Sep 25, 2024 14:27:04.919986010 CEST	58155	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:27:08.659755945 CEST	58155	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:27:08.660895109 CEST	58156	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:27:08.664693117 CEST	5454	58155	67.215.224.133	192.168.2.4
Sep 25, 2024 14:27:08.665834904 CEST	5454	58156	67.215.224.133	192.168.2.4
Sep 25, 2024 14:27:08.665930033 CEST	58156	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:27:08.697635889 CEST	58156	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:27:08.702615976 CEST	5454	58156	67.215.224.133	192.168.2.4
Sep 25, 2024 14:27:09.721616983 CEST	58156	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:27:09.726579905 CEST	5454	58156	67.215.224.133	192.168.2.4
Sep 25, 2024 14:27:10.207618952 CEST	58156	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:27:10.383742094 CEST	5454	58156	67.215.224.133	192.168.2.4
Sep 25, 2024 14:27:10.383819103 CEST	58156	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:27:10.385194063 CEST	5454	58156	67.215.224.133	192.168.2.4
Sep 25, 2024 14:27:10.388837099 CEST	5454	58156	67.215.224.133	192.168.2.4
Sep 25, 2024 14:27:13.973510027 CEST	58157	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:27:13.978543043 CEST	5454	58157	67.215.224.133	192.168.2.4
Sep 25, 2024 14:27:13.981600046 CEST	58157	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:27:14.038613081 CEST	58157	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:27:14.043397903 CEST	5454	58157	67.215.224.133	192.168.2.4
Sep 25, 2024 14:27:15.569825888 CEST	5454	58157	67.215.224.133	192.168.2.4
Sep 25, 2024 14:27:15.569937944 CEST	58157	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:27:19.441677094 CEST	58157	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:27:19.443877935 CEST	58158	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:27:19.449393988 CEST	5454	58157	67.215.224.133	192.168.2.4
Sep 25, 2024 14:27:19.452023983 CEST	5454	58158	67.215.224.133	192.168.2.4
Sep 25, 2024 14:27:19.452131033 CEST	58158	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:27:19.478866100 CEST	58158	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:27:19.483747959 CEST	5454	58158	67.215.224.133	192.168.2.4
Sep 25, 2024 14:27:20.113364935 CEST	58158	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:27:20.118444920 CEST	5454	58158	67.215.224.133	192.168.2.4
Sep 25, 2024 14:27:20.168143988 CEST	58158	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:27:20.173158884 CEST	5454	58158	67.215.224.133	192.168.2.4
Sep 25, 2024 14:27:20.682256937 CEST	58158	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:27:20.687285900 CEST	5454	58158	67.215.224.133	192.168.2.4
Sep 25, 2024 14:27:20.881164074 CEST	58158	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:27:20.890012980 CEST	5454	58158	67.215.224.133	192.168.2.4
Sep 25, 2024 14:27:21.050735950 CEST	5454	58158	67.215.224.133	192.168.2.4
Sep 25, 2024 14:27:21.050952911 CEST	58158	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:27:25.378530025 CEST	58158	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:27:25.379903078 CEST	58159	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:27:25.384263039 CEST	5454	58158	67.215.224.133	192.168.2.4
Sep 25, 2024 14:27:25.387131929 CEST	5454	58159	67.215.224.133	192.168.2.4
Sep 25, 2024 14:27:25.387211084 CEST	58159	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:27:25.434683084 CEST	58159	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:27:25.440674067 CEST	5454	58159	67.215.224.133	192.168.2.4
Sep 25, 2024 14:27:27.180217028 CEST	5454	58159	67.215.224.133	192.168.2.4
Sep 25, 2024 14:27:27.180314064 CEST	58159	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:27:30.910080910 CEST	58159	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:27:30.913213015 CEST	58160	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:27:30.915056944 CEST	5454	58159	67.215.224.133	192.168.2.4
Sep 25, 2024 14:27:30.918118954 CEST	5454	58160	67.215.224.133	192.168.2.4
Sep 25, 2024 14:27:30.918201923 CEST	58160	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:27:30.974839926 CEST	58160	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:27:30.981719971 CEST	5454	58160	67.215.224.133	192.168.2.4
Sep 25, 2024 14:27:31.730832100 CEST	58160	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:27:31.738044977 CEST	5454	58160	67.215.224.133	192.168.2.4
Sep 25, 2024 14:27:32.488166094 CEST	5454	58160	67.215.224.133	192.168.2.4
Sep 25, 2024 14:27:32.488261938 CEST	58160	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:27:36.081624031 CEST	58160	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:27:36.082993031 CEST	58161	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:27:36.090447903 CEST	5454	58160	67.215.224.133	192.168.2.4
Sep 25, 2024 14:27:36.090863943 CEST	5454	58161	67.215.224.133	192.168.2.4
Sep 25, 2024 14:27:36.090943098 CEST	58161	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:27:36.127415895 CEST	58161	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:27:36.135070086 CEST	5454	58161	67.215.224.133	192.168.2.4
Sep 25, 2024 14:27:36.339238882 CEST	58161	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:27:36.344302893 CEST	5454	58161	67.215.224.133	192.168.2.4
Sep 25, 2024 14:27:37.237327099 CEST	58161	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:27:37.242489100 CEST	5454	58161	67.215.224.133	192.168.2.4
Sep 25, 2024 14:27:37.402493954 CEST	58161	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:27:37.407511950 CEST	5454	58161	67.215.224.133	192.168.2.4
Sep 25, 2024 14:27:37.767287016 CEST	5454	58161	67.215.224.133	192.168.2.4
Sep 25, 2024 14:27:37.767431974 CEST	58161	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:27:56.826611996 CEST	58161	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:27:56.829626083 CEST	58173	5454	192.168.2.4	67.215.224.133
Sep 25, 2024 14:27:56.996958971 CEST	5454	58161	67.215.224.133	192.168.2.4
Sep 25, 2024 14:27:56.996973038 CEST	5454	58173	67.215.224.133	192.168.2.4
Sep 25, 2024 14:27:56.997036934 CEST	58173	5454	192.168.2.4	67.215.224.133

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 25, 2024 14:25:53.228573084 CEST	53	57373	162.159.36.2	192.168.2.4
Sep 25, 2024 14:25:53.786108971 CEST	61884	53	192.168.2.4	1.1.1.1
Sep 25, 2024 14:25:53.833808899 CEST	53	61884	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Sep 25, 2024 14:25:53.786108971 CEST	192.168.2.4	1.1.1.1	0x811f	Standard query (0)	198.187.3.20.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Sep 25, 2024 14:25:40.356439114 CEST	1.1.1.1	192.168.2.4	0xea7d	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Sep 25, 2024 14:25:40.356439114 CEST	1.1.1.1	192.168.2.4	0xea7d	No error (0)	fp2e7a.wpc.phicdn.net		192.229.221.95	A (IP address)	IN (0x0001)	false
Sep 25, 2024 14:25:53.833808899 CEST	1.1.1.1	192.168.2.4	0x811f	Name error (3)	198.187.3.20.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false

Target ID:	0
Start time:	08:25:20
Start date:	25/09/2024
Path:	C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\rPROFORMAINVOICE-PO_ATS_1036.exe"
Imagebase:	0x7ff78b950000
File size:	1'464'832 bytes
MD5 hash:	CCDC6ABB91CBA9B82FCEA9F02AAEFFAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.1693833580.000002544BC00000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.1693833580.000002544BC00000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.1694534154.000002544E000000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.1694534154.000002544E000000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	08:25:20
Start date:	25/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	08:25:20
Start date:	25/09/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
Imagebase:	0x860000
File size:	262'432 bytes
MD5 hash:	8FDF47E0FF70C40ED3A17014AEEA4232
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000002.00000002.3246247886.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000002.00000002.3246247886.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	08:27:38
Start date:	25/09/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 3756 -s 1588
Imagebase:	0xc30000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	7.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	31.5%
Total number of Nodes:	1152
Total number of Limit Nodes:	71

Executed Functions

Function 00007FF78B971520 Relevance: 16.8, APIs: 8, Strings: 1, Instructions: 1052threadCOMMON

Download Yara Rule

APIs

SwitchToThread.KERNEL32 ref: 00007FF78B972074
DebugBreak.KERNEL32 ref: 00007FF78B972087
SwitchToThread.KERNEL32 ref: 00007FF78B972238
SwitchToThread.KERNEL32 ref: 00007FF78B972262
SwitchToThread.KERNEL32 ref: 00007FF78B9722EE
SwitchToThread.KERNEL32 ref: 00007FF78B97248C
SwitchToThread.KERNEL32 ref: 00007FF78B972495
SwitchToThread.KERNEL32 ref: 00007FF78B9724BF

Strings

0 E, xrefs: 00007FF78B971873

Memory Dump Source

Source File: 00000000.00000002.1697284093.00007FF78B951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78B950000, based on PE: true

Associated: 00000000.00000002.1697267552.00007FF78B950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697356399.00007FF78BA39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697390858.00007FF78BA6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697528084.00007FF78BADF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78b950000_rPROFORMAINVOICE-PO_ATS_1036.jbxd

Similarity

API ID: SwitchThread$BreakDebug
String ID: 0 E
API String ID: 223621376-1209576767
Opcode ID: 61c8feea51c96d2b55d0625f61853f3a51bfabf188de4ec07fb4fecd81a919d9
Instruction ID: 22478dac8f61413b31d14e608411463395f265cf8d0e8d592b1e97391c69e826
Opcode Fuzzy Hash: 61c8feea51c96d2b55d0625f61853f3a51bfabf188de4ec07fb4fecd81a919d9
Instruction Fuzzy Hash: D4B27A21A18692C6EA64AF2D984477AB3E0BF45B94FF84235D95D423F1EF3CE484C325

Function 00007FF78B961460 Relevance: 10.6, APIs: 7, Instructions: 120
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF78B95B84A), ref: 00007FF78B96146F
GetNumaHighestNodeNumber.KERNELBASE(?,?,?,?,?,?,?,?,?,00007FF78B95B84A), ref: 00007FF78B9614AD
GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF78B95B84A), ref: 00007FF78B9614D9
GetProcessGroupAffinity.KERNELBASE(?,?,?,?,?,?,?,?,?,00007FF78B95B84A), ref: 00007FF78B9614EA
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF78B95B84A), ref: 00007FF78B9614F9
GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF78B95B84A), ref: 00007FF78B961590
GetProcessAffinityMask.KERNEL32 ref: 00007FF78B9615A3

Memory Dump Source

Source File: 00000000.00000002.1697284093.00007FF78B951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78B950000, based on PE: true

Associated: 00000000.00000002.1697267552.00007FF78B950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697356399.00007FF78BA39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697390858.00007FF78BA6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697528084.00007FF78BADF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78b950000_rPROFORMAINVOICE-PO_ATS_1036.jbxd

Similarity

API ID: Process$AffinityCurrent$ErrorGroupHighestInfoLastMaskNodeNumaNumberSystem
String ID:
API String ID: 580471860-0
Opcode ID: 03dbf51e9477a4b2f0782d4ffae03c46400fccc10c807166d3160a18ce5dc755
Instruction ID: 81b0af78a2733cca73d521a717ef7deceaf1bd9606813a7052741cda3d454537
Opcode Fuzzy Hash: 03dbf51e9477a4b2f0782d4ffae03c46400fccc10c807166d3160a18ce5dc755
Instruction Fuzzy Hash: 8851A071A18786C6EA00AF5DE84456AF3A1FB4A784FE85032D94E87375EF3CE544C721

Function 00007FF78B97D16A Relevance: 9.5, APIs: 4, Strings: 1, Instructions: 763COMMON

Download Yara Rule

APIs

DebugBreak.KERNEL32 ref: 00007FF78B97D1B8

Strings

END, xrefs: 00007FF78B97D73A

Memory Dump Source

Source File: 00000000.00000002.1697284093.00007FF78B951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78B950000, based on PE: true

Associated: 00000000.00000002.1697267552.00007FF78B950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697356399.00007FF78BA39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697390858.00007FF78BA6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697528084.00007FF78BADF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78b950000_rPROFORMAINVOICE-PO_ATS_1036.jbxd

Similarity

API ID: BreakDebug
String ID: END
API String ID: 456121617-2522575163
Opcode ID: 20a7085b6193554ad28110b0e8ff0c5543d49b9682d46e4e1af2237d4f8c6a77
Instruction ID: 02d34aab5ecc901887ce746d0db3619f7e235c1a46b5611f0871c59468a77afe
Opcode Fuzzy Hash: 20a7085b6193554ad28110b0e8ff0c5543d49b9682d46e4e1af2237d4f8c6a77
Instruction Fuzzy Hash: 8A828CB1A09786C6EA60BF2DE448674B3E4BF45B84FF84236D95D422B1EF3CA445C325

Function 00007FF78B978830 Relevance: 3.5, APIs: 2, Instructions: 952COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF78B9789EC
LeaveCriticalSection.KERNEL32 ref: 00007FF78B978A03

Memory Dump Source

Source File: 00000000.00000002.1697284093.00007FF78B951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78B950000, based on PE: true

Associated: 00000000.00000002.1697267552.00007FF78B950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697356399.00007FF78BA39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697390858.00007FF78BA6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697528084.00007FF78BADF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78b950000_rPROFORMAINVOICE-PO_ATS_1036.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 6f93bc1d4941456f45dda91854c7f695a82bcce70b9b063c41ad38af2987899c
Instruction ID: 2ce4fb1db9ef99c9a9a5ccb92a8eef83000a9b0fe0b8eb5ebb06b483d31c4b79
Opcode Fuzzy Hash: 6f93bc1d4941456f45dda91854c7f695a82bcce70b9b063c41ad38af2987899c
Instruction Fuzzy Hash: 60B23972A09B8686EA60AF1DE884679B3E4FB48B44FE84635C98C17775DF3CE051C325

Function 00007FF78B969340 Relevance: 2.7, Strings: 2, Instructions: 238COMMON

Download Yara Rule

Strings

Creation of WaitForGCEvent failed, xrefs: 00007FF78B9696C1
TraceGC is not turned on, xrefs: 00007FF78B969346

Memory Dump Source

Source File: 00000000.00000002.1697284093.00007FF78B951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78B950000, based on PE: true

Associated: 00000000.00000002.1697267552.00007FF78B950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697356399.00007FF78BA39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697390858.00007FF78BA6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697528084.00007FF78BADF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78b950000_rPROFORMAINVOICE-PO_ATS_1036.jbxd

Similarity

API ID: GlobalMemoryProcessQueryStatus$CurrentFrequencyInformationObjectPerformance
String ID: Creation of WaitForGCEvent failed$TraceGC is not turned on
API String ID: 133006248-518909315
Opcode ID: 3f99d9c4068ce16fac88113a0baf40306a504a41c0001bff05d2c2920de71d5b
Instruction ID: ee197b8da14d7e4019018296e5482358392ff76268a9d4abfd004b215fd35ff5
Opcode Fuzzy Hash: 3f99d9c4068ce16fac88113a0baf40306a504a41c0001bff05d2c2920de71d5b
Instruction Fuzzy Hash: E3B16D61E0DB82C1EA55BB6CA449779E291BF4A784FF84135E94E077B2EF2CE045C321

Function 00007FF78B9E8FB0 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

GetLocaleInfoEx.KERNEL32 ref: 00007FF78B9E9026

Memory Dump Source

Source File: 00000000.00000002.1697284093.00007FF78B951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78B950000, based on PE: true

Associated: 00000000.00000002.1697267552.00007FF78B950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697356399.00007FF78BA39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697390858.00007FF78BA6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697528084.00007FF78BADF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78b950000_rPROFORMAINVOICE-PO_ATS_1036.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: ecc120c17447902b84dd65978579eb4ee08e6082c242e837b02859beb14b59ee
Instruction ID: 9cf81822bf04a10abab94c285f16387d322d08b51f98f8a93a68792887cada34
Opcode Fuzzy Hash: ecc120c17447902b84dd65978579eb4ee08e6082c242e837b02859beb14b59ee
Instruction Fuzzy Hash: B9219F33A09A91D9D764EFA9EC405E977A0FB44398FA40135FE4E83A59DF38D481C350

Function 00007FF78B97DFD0 Relevance: .7, Instructions: 685COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1697284093.00007FF78B951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78B950000, based on PE: true

Associated: 00000000.00000002.1697267552.00007FF78B950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697356399.00007FF78BA39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697390858.00007FF78BA6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697528084.00007FF78BADF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78b950000_rPROFORMAINVOICE-PO_ATS_1036.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab9d3395acc446df8bbb42c9f9c476036a8486221088c5072eea3ff1e419bc9a
Instruction ID: 1323fd5eb55489946db97b0fbe0bd9d16a635657ef82bf41ac7388f8ea9eda91
Opcode Fuzzy Hash: ab9d3395acc446df8bbb42c9f9c476036a8486221088c5072eea3ff1e419bc9a
Instruction Fuzzy Hash: 4262DE71A18B86CAEA65AF2DE444739F6E5BF44780FF48135DA1E53270EF3CA840C624

Function 00007FF78B978200 Relevance: .4, Instructions: 414COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1697284093.00007FF78B951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78B950000, based on PE: true

Associated: 00000000.00000002.1697267552.00007FF78B950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697356399.00007FF78BA39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697390858.00007FF78BA6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697528084.00007FF78BADF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78b950000_rPROFORMAINVOICE-PO_ATS_1036.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 755864b5fa2e0ffc51d8cb0fddda48fb3472de9c38ab859b6004a688e4e9f16c
Instruction ID: 5ce2d142c9a86c00b88622d7bcee841f1853c224021c3f9a170a4a59bd8790d2
Opcode Fuzzy Hash: 755864b5fa2e0ffc51d8cb0fddda48fb3472de9c38ab859b6004a688e4e9f16c
Instruction Fuzzy Hash: 5AF10811E19B8D81E9129A3F51457B5D6C17F6A7C0EBDCB32E94E367B1EB2CB081C214

Function 00007FF78B980C50 Relevance: .3, Instructions: 317COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1697284093.00007FF78B951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78B950000, based on PE: true

Associated: 00000000.00000002.1697267552.00007FF78B950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697356399.00007FF78BA39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697390858.00007FF78BA6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697528084.00007FF78BADF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78b950000_rPROFORMAINVOICE-PO_ATS_1036.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3eaec6c614a22b4bfc9c5d5be89dec5bd8cb119001862e3a8836eb87554737c1
Instruction ID: 7f380f70d3e009e3565b7d4a8cb7011887978c218f81063974ae53679a0c6ad9
Opcode Fuzzy Hash: 3eaec6c614a22b4bfc9c5d5be89dec5bd8cb119001862e3a8836eb87554737c1
Instruction Fuzzy Hash: 1AF16321D1CB8385F616FB2CA955675E291BF5A384FF89336D44D252B2FF2CB490C221

Function 00007FF78B976190 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1697284093.00007FF78B951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78B950000, based on PE: true

Associated: 00000000.00000002.1697267552.00007FF78B950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697356399.00007FF78BA39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697390858.00007FF78BA6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697528084.00007FF78BADF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78b950000_rPROFORMAINVOICE-PO_ATS_1036.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b75d4973c46ecb9e1d334320fc60b824bc8d14c1f319ac792522a3ad0e4b68c
Instruction ID: 72e47fff774bde8c34cffb0b3b2782cb390319a1355c0669d6d3994ec996f859
Opcode Fuzzy Hash: 3b75d4973c46ecb9e1d334320fc60b824bc8d14c1f319ac792522a3ad0e4b68c
Instruction Fuzzy Hash: 40D17E72A09B82C6EB509F19E548769B7E4FB08B94FE84235DA5D03BA0DF3CE455C314

Function 00007FF78B97C9B6 Relevance: 16.1, APIs: 4, Strings: 5, Instructions: 393
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

BEGIN, xrefs: 00007FF78B97CC04
m, xrefs: 00007FF78B97CA3E
condemned generation num: %d, xrefs: 00007FF78B97CB11
.NET BGC, xrefs: 00007FF78B97CCC6
qX, xrefs: 00007FF78B97CAFA

Memory Dump Source

Source File: 00000000.00000002.1697284093.00007FF78B951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78B950000, based on PE: true

Associated: 00000000.00000002.1697267552.00007FF78B950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697356399.00007FF78BA39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697390858.00007FF78BA6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697528084.00007FF78BADF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78b950000_rPROFORMAINVOICE-PO_ATS_1036.jbxd

Similarity

API ID:
String ID: .NET BGC$BEGIN$condemned generation num: %d$m$qX
API String ID: 0-2393834873
Opcode ID: 85bfa98263a7aa4acd22e018ec2df517a95a4a9b6cb85e1c8a29af8d1d3e455b
Instruction ID: 1d613cade4d5ddd1b3c5c1328ffdb5bea45de51271dcabcf0a2b91ca0dc4264a
Opcode Fuzzy Hash: 85bfa98263a7aa4acd22e018ec2df517a95a4a9b6cb85e1c8a29af8d1d3e455b
Instruction Fuzzy Hash: ED223D61D0CA83C5F611AF2CA445AB4E3B0BF55784FE85236DA4C52272EF3CA589C365

Function 00007FF78B961010 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 103
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF78B96105B
IsProcessInJob.KERNEL32 ref: 00007FF78B96106B
QueryInformationJobObject.KERNEL32 ref: 00007FF78B96109B
GlobalMemoryStatusEx.KERNEL32 ref: 00007FF78B961104
GlobalMemoryStatusEx.KERNELBASE ref: 00007FF78B961143
GlobalMemoryStatusEx.KERNELBASE ref: 00007FF78B96118C

Strings

@, xrefs: 00007FF78B961181
@, xrefs: 00007FF78B9610EC
@, xrefs: 00007FF78B961138

Memory Dump Source

Source File: 00000000.00000002.1697284093.00007FF78B951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78B950000, based on PE: true

Associated: 00000000.00000002.1697267552.00007FF78B950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697356399.00007FF78BA39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697390858.00007FF78BA6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697528084.00007FF78BADF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78b950000_rPROFORMAINVOICE-PO_ATS_1036.jbxd

Similarity

API ID: GlobalMemoryStatus$Process$CurrentInformationObjectQuery
String ID: @$@$@
API String ID: 2645093340-1177533131
Opcode ID: 5dd9200fce8176dff0c68b0307820b989f4da3af5f934f64af2f0f02580b9126
Instruction ID: 8e1ad72b36f755542c5cb43f96b442af8d7e198094ac391f5ed978f6732ee25e
Opcode Fuzzy Hash: 5dd9200fce8176dff0c68b0307820b989f4da3af5f934f64af2f0f02580b9126
Instruction Fuzzy Hash: 7D41A1327086D1C5EB619F55E4147AAB3A0FB49BA0F949231DA9D43B98DF3CD445CB10

Function 00007FF78B972770 Relevance: 9.1, APIs: 6, Instructions: 132
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF78B9727B7
LeaveCriticalSection.KERNEL32 ref: 00007FF78B9727CF
SwitchToThread.KERNEL32 ref: 00007FF78B97288C
SwitchToThread.KERNEL32 ref: 00007FF78B972895
SwitchToThread.KERNEL32 ref: 00007FF78B9728BF
LeaveCriticalSection.KERNEL32 ref: 00007FF78B972963

Memory Dump Source

Source File: 00000000.00000002.1697284093.00007FF78B951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78B950000, based on PE: true

Associated: 00000000.00000002.1697267552.00007FF78B950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697356399.00007FF78BA39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697390858.00007FF78BA6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697528084.00007FF78BADF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78b950000_rPROFORMAINVOICE-PO_ATS_1036.jbxd

Similarity

API ID: CriticalSectionSwitchThread$Leave$Enter
String ID:
API String ID: 1765607624-0
Opcode ID: fb0f990667423020e3bd5e8da849c1bc19f2cba59cb6fe26b82e41a2ff29db20
Instruction ID: 4c0fdd9f45fd16029eabb3ee772caae2ee57dff0790fdf2c303100240b466017
Opcode Fuzzy Hash: fb0f990667423020e3bd5e8da849c1bc19f2cba59cb6fe26b82e41a2ff29db20
Instruction Fuzzy Hash: 7D514931E1C693C6F660BF2CA8459B9B2D0BF06750FF80236E52D821F2DE2DA444D676

Function 00007FF78B95B820 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 90
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FlsAlloc.KERNEL32(?,?,?,?,?,?,?,?,00007FF78B95474F,?,?,?,?,?,?,00007FF78B951EA0), ref: 00007FF78B95B82B

Part of subcall function 00007FF78B961460: GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF78B95B84A), ref: 00007FF78B96146F
Part of subcall function 00007FF78B961460: GetNumaHighestNodeNumber.KERNELBASE(?,?,?,?,?,?,?,?,?,00007FF78B95B84A), ref: 00007FF78B9614AD
Part of subcall function 00007FF78B961460: GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF78B95B84A), ref: 00007FF78B9614D9
Part of subcall function 00007FF78B961460: GetProcessGroupAffinity.KERNELBASE(?,?,?,?,?,?,?,?,?,00007FF78B95B84A), ref: 00007FF78B9614EA
Part of subcall function 00007FF78B961460: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF78B95B84A), ref: 00007FF78B9614F9

GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,00007FF78B95474F,?,?,?,?,?,?,00007FF78B951EA0), ref: 00007FF78B95B89D
GetProcessAffinityMask.KERNEL32 ref: 00007FF78B95B8B0
QueryInformationJobObject.KERNEL32 ref: 00007FF78B95B8FE

Strings

PROCESSOR_COUNT, xrefs: 00007FF78B95B866

Memory Dump Source

Source File: 00000000.00000002.1697284093.00007FF78B951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78B950000, based on PE: true

Associated: 00000000.00000002.1697267552.00007FF78B950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697356399.00007FF78BA39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697390858.00007FF78BA6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697528084.00007FF78BADF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78b950000_rPROFORMAINVOICE-PO_ATS_1036.jbxd

Similarity

API ID: Process$AffinityCurrent$AllocErrorGroupHighestInfoInformationLastMaskNodeNumaNumberObjectQuerySystem
String ID: PROCESSOR_COUNT
API String ID: 1701933505-4048346908
Opcode ID: 1798012f5346184bb27c1ec9873b0fd67c426a3d4d250c8375ff5738cd3cdd6f
Instruction ID: 20636c6577a5542a2df8699d49795bf7ec3730f977b6f4ac93c7df30ea92cbeb
Opcode Fuzzy Hash: 1798012f5346184bb27c1ec9873b0fd67c426a3d4d250c8375ff5738cd3cdd6f
Instruction Fuzzy Hash: 83317161A48E82C6EA54BF58D4D03BDE3A1FF48788FE41035D64D866B5DE2CE409C761

Function 00007FF78B954740 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 108
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF78B95B820: FlsAlloc.KERNEL32(?,?,?,?,?,?,?,?,00007FF78B95474F,?,?,?,?,?,?,00007FF78B951EA0), ref: 00007FF78B95B82B
Part of subcall function 00007FF78B95B820: QueryInformationJobObject.KERNEL32 ref: 00007FF78B95B8FE

Part of subcall function 00007FF78B95B6C0: GetModuleHandleExW.KERNEL32(?,?,?,?,00007FF78B954778,?,?,?,?,?,?,00007FF78B951EA0), ref: 00007FF78B95B6D1

RaiseFailFastException.KERNEL32(?,?,?,?,?,?,00007FF78B951EA0), ref: 00007FF78B9548BE

Strings

TotalStressLogSize, xrefs: 00007FF78B9547F5
StressLogLevel, xrefs: 00007FF78B954830
The required instruction sets are not supported by the current CPU., xrefs: 00007FF78B9548AA

Memory Dump Source

Source File: 00000000.00000002.1697284093.00007FF78B951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78B950000, based on PE: true

Associated: 00000000.00000002.1697267552.00007FF78B950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697356399.00007FF78BA39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697390858.00007FF78BA6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697528084.00007FF78BADF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78b950000_rPROFORMAINVOICE-PO_ATS_1036.jbxd

Similarity

API ID: AllocExceptionFailFastHandleInformationModuleObjectQueryRaise
String ID: The required instruction sets are not supported by the current CPU.$StressLogLevel$TotalStressLogSize
API String ID: 3403879507-2841289747
Opcode ID: 82d5e33e1a75b53c9fbb5bab012175d66cbb518565e50815a25de26a1c9dfd7f
Instruction ID: 825a4fd861f753902514990bbeeddbd3f645a701fd29cab6ba65a0b4259f6427
Opcode Fuzzy Hash: 82d5e33e1a75b53c9fbb5bab012175d66cbb518565e50815a25de26a1c9dfd7f
Instruction Fuzzy Hash: C7416E32E886C3C1E644BB68E8816B9E391BF41744FE84071EA4D976BADF2CE405C721

Function 00007FF78B9554E0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 86
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32 ref: 00007FF78B955595
RaiseFailFastException.KERNEL32(?,?,?,00007FF78BA0E640), ref: 00007FF78B9555C1
RaiseFailFastException.KERNEL32(?,?,?,00007FF78BA0E640), ref: 00007FF78B9555FA

Strings

Fatal error. Invalid Program: attempted to call a UnmanagedCallersOnly method from managed code., xrefs: 00007FF78B9555E6

Memory Dump Source

Source File: 00000000.00000002.1697284093.00007FF78B951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78B950000, based on PE: true

Associated: 00000000.00000002.1697267552.00007FF78B950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697356399.00007FF78BA39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697390858.00007FF78BA6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697528084.00007FF78BADF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78b950000_rPROFORMAINVOICE-PO_ATS_1036.jbxd

Similarity

API ID: ExceptionFailFastRaise$Sleep
String ID: Fatal error. Invalid Program: attempted to call a UnmanagedCallersOnly method from managed code.
API String ID: 3706814929-926682358
Opcode ID: 24fe811f686bbb4834d6a3b880013902d716c1d808400b7a0a2472452d19c6de
Instruction ID: 0127b7a3da4c747020e2dd0976d642db8e490b40adcf2b5866fe55e0cf10e8a3
Opcode Fuzzy Hash: 24fe811f686bbb4834d6a3b880013902d716c1d808400b7a0a2472452d19c6de
Instruction Fuzzy Hash: CF413D32A59A82C2EB94AF1DE484769B3A1FB04784FE84035DA4D823B1DF3DF451C761

Function 00007FF78B95BA80 Relevance: 6.0, APIs: 4, Instructions: 26
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE ref: 00007FF78B95BAA1
SetThreadPriority.KERNELBASE ref: 00007FF78B95BABD
ResumeThread.KERNELBASE ref: 00007FF78B95BAC6
CloseHandle.KERNELBASE ref: 00007FF78B95BACF

Memory Dump Source

Source File: 00000000.00000002.1697284093.00007FF78B951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78B950000, based on PE: true

Associated: 00000000.00000002.1697267552.00007FF78B950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697356399.00007FF78BA39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697390858.00007FF78BA6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697528084.00007FF78BADF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78b950000_rPROFORMAINVOICE-PO_ATS_1036.jbxd

Similarity

API ID: Thread$CloseCreateHandlePriorityResume
String ID:
API String ID: 3633986771-0
Opcode ID: 2473f1295a42763cfd341b8cfd7a40992b87c44e5d7ed509368ee88b1d319611
Instruction ID: 90bbffe0f11ac96f03e5c31364fadeb06bd7a8fd9bc5befe69d446e0a9308f0a
Opcode Fuzzy Hash: 2473f1295a42763cfd341b8cfd7a40992b87c44e5d7ed509368ee88b1d319611
Instruction Fuzzy Hash: 0EE06DE9E0570282EB14AF25E828736A350BF9EB95F985034CE5E06370EF3CD189C610

Function 00007FF78B960E30 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 132
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF78B960E67
GlobalMemoryStatusEx.KERNELBASE ref: 00007FF78B960F2C

Strings

@, xrefs: 00007FF78B960F24

Memory Dump Source

Source File: 00000000.00000002.1697284093.00007FF78B951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78B950000, based on PE: true

Associated: 00000000.00000002.1697267552.00007FF78B950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697356399.00007FF78BA39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697390858.00007FF78BA6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697528084.00007FF78BADF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78b950000_rPROFORMAINVOICE-PO_ATS_1036.jbxd

Similarity

API ID: CurrentGlobalMemoryProcessStatus
String ID: @
API String ID: 3261791682-2766056989
Opcode ID: c50f9f1349a2f10861f7ecfcf3d9fa8d7e1c5a7709ec8babca00959837fe57fa
Instruction ID: 4daa76ba98fcf599e1bf719cec7665dee523cbdd60c22ee1edd067666195d4ef
Opcode Fuzzy Hash: c50f9f1349a2f10861f7ecfcf3d9fa8d7e1c5a7709ec8babca00959837fe57fa
Instruction Fuzzy Hash: 5141F771B09B8681E956DA3A9191B39D552BF5EBC0FB8C631E90E22774FF3CE481C610

Function 00007FF78B992320 Relevance: 5.1, APIs: 4, Instructions: 83
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnterCriticalSection.KERNEL32(?,00000000,00000001,00007FF78B97F9D9,?,?,?,?,?,00007FF78B98E9FF,?,?,?,00007FF78B9688C3), ref: 00007FF78B992360
LeaveCriticalSection.KERNEL32(?,00000000,00000001,00007FF78B97F9D9,?,?,?,?,?,00007FF78B98E9FF,?,?,?,00007FF78B9688C3), ref: 00007FF78B9923D6
EnterCriticalSection.KERNEL32(?,00000000,00000001,00007FF78B97F9D9,?,?,?,?,?,00007FF78B98E9FF,?,?,?,00007FF78B9688C3), ref: 00007FF78B99242B
LeaveCriticalSection.KERNEL32(?,00000000,00000001,00007FF78B97F9D9,?,?,?,?,?,00007FF78B98E9FF,?,?,?,00007FF78B9688C3), ref: 00007FF78B992451

Memory Dump Source

Source File: 00000000.00000002.1697284093.00007FF78B951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78B950000, based on PE: true

Associated: 00000000.00000002.1697267552.00007FF78B950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697356399.00007FF78BA39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697390858.00007FF78BA6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697528084.00007FF78BADF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78b950000_rPROFORMAINVOICE-PO_ATS_1036.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 2f26acfbe39efda905e31c116d58f05a84f1c8e613b3a673d8beab4140165067
Instruction ID: e0b7dc88a2d8f33a8e0147166f268d49f017740c9c964065f32db6cb32a5ab1e
Opcode Fuzzy Hash: 2f26acfbe39efda905e31c116d58f05a84f1c8e613b3a673d8beab4140165067
Instruction Fuzzy Hash: 18315A61D0C692C2EA90BB2DE899779F358BF55780FF80136E94C462B1EE2CE485C371

Function 00007FF78B974020 Relevance: 5.1, APIs: 4, Instructions: 53
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnterCriticalSection.KERNEL32(?,?,00000000,00007FF78B97419F,?,?,?,00007FF78B981E7B), ref: 00007FF78B97406A
LeaveCriticalSection.KERNEL32(?,?,00000000,00007FF78B97419F,?,?,?,00007FF78B981E7B), ref: 00007FF78B9740AC
EnterCriticalSection.KERNEL32(?,?,00000000,00007FF78B97419F,?,?,?,00007FF78B981E7B), ref: 00007FF78B9740D7
LeaveCriticalSection.KERNEL32(?,?,00000000,00007FF78B97419F,?,?,?,00007FF78B981E7B), ref: 00007FF78B9740F8

Memory Dump Source

Source File: 00000000.00000002.1697284093.00007FF78B951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78B950000, based on PE: true

Associated: 00000000.00000002.1697267552.00007FF78B950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697356399.00007FF78BA39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697390858.00007FF78BA6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697528084.00007FF78BADF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78b950000_rPROFORMAINVOICE-PO_ATS_1036.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: fad017503d982359f6b350fff991fd565ce6d91fee4a39b5e2a1188cb59f1a07
Instruction ID: c91334391698cf66646d99731d4d0225e90dce1a91cd12030d20a7fa127d2cdc
Opcode Fuzzy Hash: fad017503d982359f6b350fff991fd565ce6d91fee4a39b5e2a1188cb59f1a07
Instruction Fuzzy Hash: 33212D61A5894281EB50AF5CE8987B4A394BF157E4FF80332C52C422F5EF6CA199C362

Function 00007FF78B9616E0 Relevance: 4.5, APIs: 3, Instructions: 34
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(?,?,?,?,00000000,00007FF78B9651C8,?,?,0000000A,00007FF78B964220,?,?,00000000,00007FF78B95DBB1), ref: 00007FF78B961707
GetCurrentProcess.KERNEL32(?,?,?,?,00000000,00007FF78B9651C8,?,?,0000000A,00007FF78B964220,?,?,00000000,00007FF78B95DBB1), ref: 00007FF78B961727
VirtualAllocExNuma.KERNEL32 ref: 00007FF78B961748

Memory Dump Source

Source File: 00000000.00000002.1697284093.00007FF78B951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78B950000, based on PE: true

Associated: 00000000.00000002.1697267552.00007FF78B950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697356399.00007FF78BA39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697390858.00007FF78BA6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697528084.00007FF78BADF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78b950000_rPROFORMAINVOICE-PO_ATS_1036.jbxd

Similarity

API ID: AllocVirtual$CurrentNumaProcess
String ID:
API String ID: 647533253-0
Opcode ID: 50d61e69d9914c3b35ffaae00cb017ff4e997f9ad39ea175855d1aa7930a3df2
Instruction ID: db7b07a31442ca95d8d8e97ffacfe4b605b03ec718ce4f1b2193e069e59a6f54
Opcode Fuzzy Hash: 50d61e69d9914c3b35ffaae00cb017ff4e997f9ad39ea175855d1aa7930a3df2
Instruction Fuzzy Hash: B5F0AFB1B086D182EB209B0AF40461AA760FB4ABD4F984139EF8C17B68DF3DD581CB10

Function 00007FF78B96759B Relevance: 3.1, APIs: 2, Instructions: 106
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount64.KERNEL32 ref: 00007FF78B9675FE
GetTickCount64.KERNEL32 ref: 00007FF78B967683

Memory Dump Source

Source File: 00000000.00000002.1697284093.00007FF78B951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78B950000, based on PE: true

Associated: 00000000.00000002.1697267552.00007FF78B950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697356399.00007FF78BA39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697390858.00007FF78BA6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697528084.00007FF78BADF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78b950000_rPROFORMAINVOICE-PO_ATS_1036.jbxd

Similarity

API ID: Count64Tick
String ID:
API String ID: 1927824332-0
Opcode ID: 809ad7372f923a6515913861ca92157f81363f84e760b70c066024c5668aa65f
Instruction ID: fa91b2cc8c0168933383421f7ac554dad19c62ed9679a99bc3913126ffc738b5
Opcode Fuzzy Hash: 809ad7372f923a6515913861ca92157f81363f84e760b70c066024c5668aa65f
Instruction Fuzzy Hash: 31415C71E0C782C5FA64BB2DD548679E6A1BF0A784FF84436DD1D422B1DE3DE441C622

Function 00007FF78B9BB610 Relevance: 3.0, APIs: 2, Instructions: 21
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF78B9BAC51,?,?,?,?,00007FF78B95FCD1,?,?,?,00007FF78B960254,00000000,00000020,?), ref: 00007FF78B9BB62A
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF78B9BB640

Part of subcall function 00007FF78B9BB924: std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF78B9BB92D

Memory Dump Source

Source File: 00000000.00000002.1697284093.00007FF78B951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78B950000, based on PE: true

Associated: 00000000.00000002.1697267552.00007FF78B950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697356399.00007FF78BA39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697390858.00007FF78BA6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697528084.00007FF78BADF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78b950000_rPROFORMAINVOICE-PO_ATS_1036.jbxd

Similarity

API ID: Concurrency::cancel_current_taskmallocstd::bad_alloc::bad_alloc
String ID:
API String ID: 205171174-0
Opcode ID: a8f8c83a7ed87ce2d3b6738c234a410da243a5fab35cdf610d6bdacd798f5f2b
Instruction ID: 5f90681324fb6ec9fe8082000371dff9d62e8ca719aac4d8292bac682d1b943e
Opcode Fuzzy Hash: a8f8c83a7ed87ce2d3b6738c234a410da243a5fab35cdf610d6bdacd798f5f2b
Instruction Fuzzy Hash: 6DE0EC00E099ABC1F96931AD14660B88140AF54774EBC1B38D93E442E3EF1CA856C130

Function 00007FF78B95BA40 Relevance: 3.0, APIs: 2, Instructions: 18
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE ref: 00007FF78B95BA59
CloseHandle.KERNELBASE ref: 00007FF78B95BA6C

Memory Dump Source

Source File: 00000000.00000002.1697284093.00007FF78B951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78B950000, based on PE: true

Associated: 00000000.00000002.1697267552.00007FF78B950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697356399.00007FF78BA39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697390858.00007FF78BA6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697528084.00007FF78BADF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78b950000_rPROFORMAINVOICE-PO_ATS_1036.jbxd

Similarity

API ID: CloseCreateHandleThread
String ID:
API String ID: 3032276028-0
Opcode ID: afbd848b2ecd7790fe80cbff50474ccea25c37df90b3e86a6a037c059f69191f
Instruction ID: d3c04963365d4308446bb76c7087ce974ea231bd579948ae1df457c10a4e816d
Opcode Fuzzy Hash: afbd848b2ecd7790fe80cbff50474ccea25c37df90b3e86a6a037c059f69191f
Instruction Fuzzy Hash: C1D012A5E09B8182DA14EF65680152667D1BB9DB44FD54038DA4DC3330FE3CD215C910

Function 00007FF78B977A30 Relevance: 2.6, APIs: 2, Instructions: 103COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF78B992480: EnterCriticalSection.KERNEL32(?,?,?,00007FF78B977A69), ref: 00007FF78B9924C4
Part of subcall function 00007FF78B992480: LeaveCriticalSection.KERNEL32(?,?,?,00007FF78B977A69), ref: 00007FF78B9924EE

EnterCriticalSection.KERNEL32 ref: 00007FF78B977B43
LeaveCriticalSection.KERNEL32 ref: 00007FF78B977B64

Memory Dump Source

Source File: 00000000.00000002.1697284093.00007FF78B951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78B950000, based on PE: true

Associated: 00000000.00000002.1697267552.00007FF78B950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697356399.00007FF78BA39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697390858.00007FF78BA6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697528084.00007FF78BADF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78b950000_rPROFORMAINVOICE-PO_ATS_1036.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: f2b6e7524cfd3a7049b78d530cb028a5667da698e63c4b036217a325343ed2f5
Instruction ID: da0f68a8a94348ddc1830256ec7a462725d8bd25581339bffeb1e221d08e6be4
Opcode Fuzzy Hash: f2b6e7524cfd3a7049b78d530cb028a5667da698e63c4b036217a325343ed2f5
Instruction Fuzzy Hash: A8418B61A0968281EA14AF3DD944679A7A0BF05BF4FE80335DA7C876F4DF2CE041C3A4

Function 00007FF78B9608D0 Relevance: 2.6, APIs: 2, Instructions: 82memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32 ref: 00007FF78B960944

Memory Dump Source

Source File: 00000000.00000002.1697284093.00007FF78B951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78B950000, based on PE: true

Associated: 00000000.00000002.1697267552.00007FF78B950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697356399.00007FF78BA39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697390858.00007FF78BA6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697528084.00007FF78BADF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78b950000_rPROFORMAINVOICE-PO_ATS_1036.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 54d16fb7520780bd85eec3c4bf88bb714ed96ad8374a8c3859c77b8b9086a31d
Instruction ID: 2554e1e6306594bd01c139eb8fdc1ff16a252f5c671cb73e3d890c78470c89db
Opcode Fuzzy Hash: 54d16fb7520780bd85eec3c4bf88bb714ed96ad8374a8c3859c77b8b9086a31d
Instruction Fuzzy Hash: F931F132B05B92C1EA14EB1A958016AA3A4FB4ABD4FA48135DF4C17BA5DF38E462C350

Function 00007FF78B992480 Relevance: 2.5, APIs: 2, Instructions: 34COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,00007FF78B977A69), ref: 00007FF78B9924C4
LeaveCriticalSection.KERNEL32(?,?,?,00007FF78B977A69), ref: 00007FF78B9924EE

Memory Dump Source

Source File: 00000000.00000002.1697284093.00007FF78B951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78B950000, based on PE: true

Associated: 00000000.00000002.1697267552.00007FF78B950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697356399.00007FF78BA39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697390858.00007FF78BA6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697528084.00007FF78BADF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78b950000_rPROFORMAINVOICE-PO_ATS_1036.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 2bbfaa70841822840f390fb10a6491ea87be68f299496f59d245e6c0d776f768
Instruction ID: 25ce2dc1c526ab32b7cb350b8e60003098955a08d342bd8a1ff4305ab7586b7b
Opcode Fuzzy Hash: 2bbfaa70841822840f390fb10a6491ea87be68f299496f59d245e6c0d776f768
Instruction Fuzzy Hash: 87019E21D0C69280F6A0B76CE8886B9F394BF513D0FF80131D55C425B1DE2CE495C361

Function 00007FF78B9616A0 Relevance: 2.5, APIs: 2, Instructions: 17memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 00007FF78B9616B6
VirtualFree.KERNELBASE ref: 00007FF78B9616CC

Memory Dump Source

Source File: 00000000.00000002.1697284093.00007FF78B951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78B950000, based on PE: true

Associated: 00000000.00000002.1697267552.00007FF78B950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697356399.00007FF78BA39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697390858.00007FF78BA6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697528084.00007FF78BADF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78b950000_rPROFORMAINVOICE-PO_ATS_1036.jbxd

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: c142b665c17b9829f30997f3f45fa6cc62ef321f650404eeabfbf3fa27cb0e2d
Instruction ID: 575a0cb54588491b5cd4e9d4e11cd23a9d1d168e88536cc39c2b8b96ef38f841
Opcode Fuzzy Hash: c142b665c17b9829f30997f3f45fa6cc62ef321f650404eeabfbf3fa27cb0e2d
Instruction Fuzzy Hash: 50E0C2B8F1614186EB18A71BA845A266251BF5FB00FE48038C40D07370DE2DA25ACB20

Function 00007FF78B9F2890 Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

CoInitializeEx.OLE32(?,?,?,?,00000030,?,?,?,?,?,?,?,00007FF78B9F27CF,?,?,00000030), ref: 00007FF78B9F28E2

Memory Dump Source

Source File: 00000000.00000002.1697284093.00007FF78B951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78B950000, based on PE: true

Associated: 00000000.00000002.1697267552.00007FF78B950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697356399.00007FF78BA39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697390858.00007FF78BA6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697528084.00007FF78BADF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78b950000_rPROFORMAINVOICE-PO_ATS_1036.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: d725e0b3d950bfd392393c993463a472c20741fc4ae74ea19a611fc2f3cf428b
Instruction ID: 9ca38326cfa6fb036a973dbaa9823516dfb049714119b1a6552f45b6fed4c161
Opcode Fuzzy Hash: d725e0b3d950bfd392393c993463a472c20741fc4ae74ea19a611fc2f3cf428b
Instruction Fuzzy Hash: 2D219222F4C196D4F710F66AED516BEA290BF44358FB44035EE4D467A7EE2CE882C220

Function 00007FF78B9674AB Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

DebugBreak.KERNEL32 ref: 00007FF78B9674F5

Memory Dump Source

Source File: 00000000.00000002.1697284093.00007FF78B951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78B950000, based on PE: true

Associated: 00000000.00000002.1697267552.00007FF78B950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697356399.00007FF78BA39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697390858.00007FF78BA6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697528084.00007FF78BADF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78b950000_rPROFORMAINVOICE-PO_ATS_1036.jbxd

Similarity

API ID: BreakDebug
String ID:
API String ID: 456121617-0
Opcode ID: 3b1958921fa04c35c2a701cc9646c22b7e924147385864a8d091c62de11b65c9
Instruction ID: 5beba5d6f729a1fd4c5e4d090fc6e990d0fbaf27798fb942da22fe95ca9fa25f
Opcode Fuzzy Hash: 3b1958921fa04c35c2a701cc9646c22b7e924147385864a8d091c62de11b65c9
Instruction Fuzzy Hash: 121105A3F1878182EA409A2594006A5A791BF8E7F0FA85331EE68436D6EF2CD442C750

Function 00007FF78B954930 Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF78B95B6A0: GetCurrentThreadId.KERNEL32 ref: 00007FF78B95B6A4

Part of subcall function 00007FF78B95CA20: VirtualQuery.KERNEL32 ref: 00007FF78B95CA52

RaiseFailFastException.KERNEL32 ref: 00007FF78B9549B6

Memory Dump Source

Source File: 00000000.00000002.1697284093.00007FF78B951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78B950000, based on PE: true

Associated: 00000000.00000002.1697267552.00007FF78B950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697356399.00007FF78BA39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697390858.00007FF78BA6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697528084.00007FF78BADF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78b950000_rPROFORMAINVOICE-PO_ATS_1036.jbxd

Similarity

API ID: CurrentExceptionFailFastQueryRaiseThreadVirtual
String ID:
API String ID: 2131581837-0
Opcode ID: d896b62f651088d1b42081c4ab7746b0ce5873f34015609dc32dcd43e3b187cf
Instruction ID: a8ce521a5d340eb68719d5c5ea1781b6001033d2ad8375c8f07c145130f6c878
Opcode Fuzzy Hash: d896b62f651088d1b42081c4ab7746b0ce5873f34015609dc32dcd43e3b187cf
Instruction Fuzzy Hash: 05114C7290878282DA24AF29A44519AB760FB457B0FA48339E6BE477E6DF38D046C700

Function 00007FF78B9556A0 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32 ref: 00007FF78B9556F1

Memory Dump Source

Source File: 00000000.00000002.1697284093.00007FF78B951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78B950000, based on PE: true

Associated: 00000000.00000002.1697267552.00007FF78B950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697356399.00007FF78BA39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697390858.00007FF78BA6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697528084.00007FF78BADF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78b950000_rPROFORMAINVOICE-PO_ATS_1036.jbxd

Similarity

API ID: Event
String ID:
API String ID: 4201588131-0
Opcode ID: 452514a172d171043efb9d9a11994c3fb97cdc7e94a50651428492a93767d4e5
Instruction ID: 0627828335497f8c449ac89a04a1c2e1df2c652bf8132bf5357bd44eac1a5c87
Opcode Fuzzy Hash: 452514a172d171043efb9d9a11994c3fb97cdc7e94a50651428492a93767d4e5
Instruction Fuzzy Hash: DAF05E25B5868282E6147739B9C267EA251AF497A0FA85130E91D067A7CE3CE481C750

Function 00007FF78B961770 Relevance: 1.3, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE ref: 00007FF78B96177A

Memory Dump Source

Source File: 00000000.00000002.1697284093.00007FF78B951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78B950000, based on PE: true

Associated: 00000000.00000002.1697267552.00007FF78B950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697356399.00007FF78BA39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697390858.00007FF78BA6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697528084.00007FF78BADF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78b950000_rPROFORMAINVOICE-PO_ATS_1036.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: e0e6f915b3e62b249a019bbc0d8d3fcc09be6c9d174bfcd050118d8529439d8d
Instruction ID: 4e59cef007db397ec917c9f6eebfa3d87066afdb37e2d41bb1f768958f09d606
Opcode Fuzzy Hash: e0e6f915b3e62b249a019bbc0d8d3fcc09be6c9d174bfcd050118d8529439d8d
Instruction Fuzzy Hash: 7AB01284F16041C2E3043723BC4270901153B1BB02FD04024D608A1260CD1CC1A54B11

Non-executed Functions

Function 00007FF78B961A00 Relevance: 118.0, Strings: 94, Instructions: 546COMMON

Download Yara Rule

Strings

LOHThreshold, xrefs: 00007FF78B961BFE
System.GC.HeapHardLimitPOH, xrefs: 00007FF78B96221B
BGCFLki, xrefs: 00007FF78B962051
System.GC.HeapHardLimitPercent, xrefs: 00007FF78B961E7B
GCNumaAware, xrefs: 00007FF78B961B57
System.GC.CpuGroup, xrefs: 00007FF78B961B78
BreakOnOOM, xrefs: 00007FF78B961ACF
System.GC.Concurrent, xrefs: 00007FF78B961A43
GCConfigLogFile, xrefs: 00007FF78B961F5E
HeapCount, xrefs: 00007FF78B961C67
GCHeapHardLimitSOHPercent, xrefs: 00007FF78B96224C
System.GC.NoAffinitize, xrefs: 00007FF78B961AF0
BGCFLEnableTBH, xrefs: 00007FF78B96217D
GCEnabledInstructionSets, xrefs: 00007FF78B9622A3
BGCFLEnableSmooth, xrefs: 00007FF78B96215F
GCHighMemPercent, xrefs: 00007FF78B961DCE
GCSpinCountUnit, xrefs: 00007FF78B96234E
System.GC.HeapHardLimit, xrefs: 00007FF78B961E59
ForceCompact, xrefs: 00007FF78B961A89
CompactRatio, xrefs: 00007FF78B961D32
System.GC.MaxHeapCount, xrefs: 00007FF78B961C7A
BGCMemGoal, xrefs: 00007FF78B961FBB
GCEnableSpecialRegions, xrefs: 00007FF78B961EF7
GCLowSkipRatio, xrefs: 00007FF78B961E3B
GCHeapHardLimitSOH, xrefs: 00007FF78B9621E6
GCConserveMem, xrefs: 00007FF78B9622D0
System.GC.HeapHardLimitLOH, xrefs: 00007FF78B9621F9
MaxHeapCount, xrefs: 00007FF78B961C89
BGCG2RatioStep, xrefs: 00007FF78B9621B9
GCTotalPhysicalMemory, xrefs: 00007FF78B961E9D
GCHeapHardLimit, xrefs: 00007FF78B961E68
LatencyLevel, xrefs: 00007FF78B961CF6
GCCpuGroup, xrefs: 00007FF78B961B8A
GCDynamicAdaptationMode, xrefs: 00007FF78B96237B
BGCMLkp, xrefs: 00007FF78B9620F2
GCHeapHardLimitPercent, xrefs: 00007FF78B961E8A
System.GC.ConserveMemory, xrefs: 00007FF78B9622C1
GCGen0MaxBudget, xrefs: 00007FF78B961DFF
RetainVM, xrefs: 00007FF78B961ABC
BGCFLkp, xrefs: 00007FF78B962033
BGCFLSmoothFactor, xrefs: 00007FF78B9620AB
Gen0Size, xrefs: 00007FF78B961C9C
LOHCompactionMode, xrefs: 00007FF78B961BE0
SegmentSize, xrefs: 00007FF78B961CBA
ConfigLogEnabled, xrefs: 00007FF78B961B36
BGCFLGradualD, xrefs: 00007FF78B9620C9
GCLogFile, xrefs: 00007FF78B961F1A
BGCMemGoalSlack, xrefs: 00007FF78B961FD9
System.GC.Name, xrefs: 00007FF78B962304, 00007FF78B96231C
System.GC.HeapHardLimitPOHPercent, xrefs: 00007FF78B962281
BGCMLki, xrefs: 00007FF78B962105
GCHeapAffinitizeRanges, xrefs: 00007FF78B961D7E, 00007FF78B961D9F
GCLargePages, xrefs: 00007FF78B961BB2
System.GC.LargePages, xrefs: 00007FF78B961BA8
BGCFLTuningEnabled, xrefs: 00007FF78B961F9D
GCHeapHardLimitPOH, xrefs: 00007FF78B96222A
System.GC.HeapAffinitizeRanges, xrefs: 00007FF78B961D72, 00007FF78B961D93
System.GC.HighMemoryPercent, xrefs: 00007FF78B961DBF
BGCFLEnableKi, xrefs: 00007FF78B962123
GCHeapHardLimitLOHPercent, xrefs: 00007FF78B962271
GCHeapHardLimitLOH, xrefs: 00007FF78B962208
LatencyMode, xrefs: 00007FF78B961CD8
GCName, xrefs: 00007FF78B96230B, 00007FF78B96232E
GCRegionSize, xrefs: 00007FF78B961ED9
BGCSpin, xrefs: 00007FF78B961C3A
ConcurrentGC, xrefs: 00007FF78B961A55
LogFile, xrefs: 00007FF78B961F2B
HeapVerifyLevel, xrefs: 00007FF78B961BC2
System.GC.HeapHardLimitLOHPercent, xrefs: 00007FF78B962267
BGCFLEnableKd, xrefs: 00007FF78B962141
GCRegionRange, xrefs: 00007FF78B961EBB
BGCFLkd, xrefs: 00007FF78B96206F
BGCFLEnableFF, xrefs: 00007FF78B96219B, 00007FF78B9622E3
LogEnabled, xrefs: 00007FF78B961B15
GCHeapHardLimitPOHPercent, xrefs: 00007FF78B962290
System.GC.Server, xrefs: 00007FF78B961A1B
BGCFLSweepGoalLOH, xrefs: 00007FF78B962015
GCProvModeStress, xrefs: 00007FF78B961DE1
System.GC.HeapHardLimitSOH, xrefs: 00007FF78B9621D7
BGCFLff, xrefs: 00007FF78B96208D
ConfigLogFile, xrefs: 00007FF78B961F6F
System.GC.HeapAffinitizeMask, xrefs: 00007FF78B961D50
BGCFLSweepGoal, xrefs: 00007FF78B961FF7
System.GC.HeapCount, xrefs: 00007FF78B961C58
GCGen1MaxBudget, xrefs: 00007FF78B961E1D
LogFileSize, xrefs: 00007FF78B961D14
NoAffinitize, xrefs: 00007FF78B961B02
System.GC.DynamicAdaptationMode, xrefs: 00007FF78B96236C
System.GC.RetainVM, xrefs: 00007FF78B961AAA
GCHeapAffinitizeMask, xrefs: 00007FF78B961D5F
ServerGC, xrefs: 00007FF78B961A2A
BGCSpinCount, xrefs: 00007FF78B961C1C
ConservativeGC, xrefs: 00007FF78B961A68
System.GC.HeapHardLimitSOHPercent, xrefs: 00007FF78B96223D

Memory Dump Source

Source File: 00000000.00000002.1697284093.00007FF78B951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78B950000, based on PE: true

Associated: 00000000.00000002.1697267552.00007FF78B950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697356399.00007FF78BA39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697390858.00007FF78BA6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697528084.00007FF78BADF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78b950000_rPROFORMAINVOICE-PO_ATS_1036.jbxd

Similarity

API ID:
String ID: BGCFLEnableFF$BGCFLEnableKd$BGCFLEnableKi$BGCFLEnableSmooth$BGCFLEnableTBH$BGCFLGradualD$BGCFLSmoothFactor$BGCFLSweepGoal$BGCFLSweepGoalLOH$BGCFLTuningEnabled$BGCFLff$BGCFLkd$BGCFLki$BGCFLkp$BGCG2RatioStep$BGCMLki$BGCMLkp$BGCMemGoal$BGCMemGoalSlack$BGCSpin$BGCSpinCount$BreakOnOOM$CompactRatio$ConcurrentGC$ConfigLogEnabled$ConfigLogFile$ConservativeGC$ForceCompact$GCConfigLogFile$GCConserveMem$GCCpuGroup$GCDynamicAdaptationMode$GCEnableSpecialRegions$GCEnabledInstructionSets$GCGen0MaxBudget$GCGen1MaxBudget$GCHeapAffinitizeMask$GCHeapAffinitizeRanges$GCHeapHardLimit$GCHeapHardLimitLOH$GCHeapHardLimitLOHPercent$GCHeapHardLimitPOH$GCHeapHardLimitPOHPercent$GCHeapHardLimitPercent$GCHeapHardLimitSOH$GCHeapHardLimitSOHPercent$GCHighMemPercent$GCLargePages$GCLogFile$GCLowSkipRatio$GCName$GCNumaAware$GCProvModeStress$GCRegionRange$GCRegionSize$GCSpinCountUnit$GCTotalPhysicalMemory$Gen0Size$HeapCount$HeapVerifyLevel$LOHCompactionMode$LOHThreshold$LatencyLevel$LatencyMode$LogEnabled$LogFile$LogFileSize$MaxHeapCount$NoAffinitize$RetainVM$SegmentSize$ServerGC$System.GC.Concurrent$System.GC.ConserveMemory$System.GC.CpuGroup$System.GC.DynamicAdaptationMode$System.GC.HeapAffinitizeMask$System.GC.HeapAffinitizeRanges$System.GC.HeapCount$System.GC.HeapHardLimit$System.GC.HeapHardLimitLOH$System.GC.HeapHardLimitLOHPercent$System.GC.HeapHardLimitPOH$System.GC.HeapHardLimitPOHPercent$System.GC.HeapHardLimitPercent$System.GC.HeapHardLimitSOH$System.GC.HeapHardLimitSOHPercent$System.GC.HighMemoryPercent$System.GC.LargePages$System.GC.MaxHeapCount$System.GC.Name$System.GC.NoAffinitize$System.GC.RetainVM$System.GC.Server
API String ID: 0-799405152
Opcode ID: 1ebbd9bada395e0ae796c2d8dd3961aa3f840e2442c0f16195dfd22ce20a116f
Instruction ID: e1a06a983cb1a635efca4cd0438481451f9607975c27b3335f2ac71f27e2681e
Opcode Fuzzy Hash: 1ebbd9bada395e0ae796c2d8dd3961aa3f840e2442c0f16195dfd22ce20a116f
Instruction Fuzzy Hash: 19423071A18A9681EB20AB59F851EAAA3A4FF55BC8FD11132D98C07F34DF3CD206C715

Function 00007FF78B962750 Relevance: 109.2, Strings: 87, Instructions: 472COMMON

Download Yara Rule

Strings

System.GC.HeapHardLimitPOH, xrefs: 00007FF78B9630DF
BGCFLki, xrefs: 00007FF78B962E67
System.GC.HeapHardLimitPercent, xrefs: 00007FF78B962C9F
GCNumaAware, xrefs: 00007FF78B9628D1
GCLOHThreshold, xrefs: 00007FF78B9629A4
System.GC.CpuGroup, xrefs: 00007FF78B9628F9
System.GC.Concurrent, xrefs: 00007FF78B962782
GCHeapHardLimitSOHPercent, xrefs: 00007FF78B96310D
GCNoAffinitize, xrefs: 00007FF78B96285B
System.GC.NoAffinitize, xrefs: 00007FF78B962854
BGCFLEnableTBH, xrefs: 00007FF78B963001
GCEnabledInstructionSets, xrefs: 00007FF78B963190
BGCFLEnableSmooth, xrefs: 00007FF78B962FD8
GCHighMemPercent, xrefs: 00007FF78B962BA6
GCSpinCountUnit, xrefs: 00007FF78B963210
System.GC.HeapHardLimit, xrefs: 00007FF78B962C71
System.GC.MaxHeapCount, xrefs: 00007FF78B962A4D
GCSegmentSize, xrefs: 00007FF78B962AA4
BGCMemGoal, xrefs: 00007FF78B962D9A
GCEnableSpecialRegions, xrefs: 00007FF78B962D48
GCLowSkipRatio, xrefs: 00007FF78B962C48
GCHeapHardLimitSOH, xrefs: 00007FF78B963083
GCLatencyLevel, xrefs: 00007FF78B962AF6
System.GC.HeapHardLimitLOH, xrefs: 00007FF78B9630AA
HeapVerify, xrefs: 00007FF78B962953
BGCG2RatioStep, xrefs: 00007FF78B963053
GCTotalPhysicalMemory, xrefs: 00007FF78B962CCD
GCHeapHardLimit, xrefs: 00007FF78B962C78
GCCpuGroup, xrefs: 00007FF78B962900
gcForceCompact, xrefs: 00007FF78B9627D7
GCDynamicAdaptationMode, xrefs: 00007FF78B963240
GCRetainVM, xrefs: 00007FF78B962806
BGCMLkp, xrefs: 00007FF78B962F34
GCHeapHardLimitPercent, xrefs: 00007FF78B962CA6
System.GC.ConserveMemory, xrefs: 00007FF78B9631B9
GCGen0MaxBudget, xrefs: 00007FF78B962BF6
BGCFLkp, xrefs: 00007FF78B962E3E
BGCFLSmoothFactor, xrefs: 00007FF78B962EEB
gcConcurrent, xrefs: 00007FF78B962789
GCBreakOnOOM, xrefs: 00007FF78B96282C
BGCFLGradualD, xrefs: 00007FF78B962F0B
GCLOHCompact, xrefs: 00007FF78B96297B
BGCMemGoalSlack, xrefs: 00007FF78B962DC3
GCLogEnabled, xrefs: 00007FF78B962881
GCLogFileSize, xrefs: 00007FF78B962B28
System.GC.HeapHardLimitPOHPercent, xrefs: 00007FF78B963162
BGCMLki, xrefs: 00007FF78B962F5D
GCLargePages, xrefs: 00007FF78B96292D
System.GC.LargePages, xrefs: 00007FF78B962926
BGCFLTuningEnabled, xrefs: 00007FF78B962D71
GCHeapHardLimitPOH, xrefs: 00007FF78B9630E6
GCgen0size, xrefs: 00007FF78B962A7B
GCWriteBarrier, xrefs: 00007FF78B9631E7
System.GC.HighMemoryPercent, xrefs: 00007FF78B962B9F
BGCFLEnableKi, xrefs: 00007FF78B962F86
GCHeapHardLimitLOHPercent, xrefs: 00007FF78B96313B
GCHeapHardLimitLOH, xrefs: 00007FF78B9630B1
gcConservative, xrefs: 00007FF78B9627AF
GCLatencyMode, xrefs: 00007FF78B962ACD
GCRegionSize, xrefs: 00007FF78B962D28
BGCSpin, xrefs: 00007FF78B9629F6
System.GC.HeapHardLimitLOHPercent, xrefs: 00007FF78B963134
BGCFLEnableKd, xrefs: 00007FF78B962FAF
gcServer, xrefs: 00007FF78B962762
GCRegionRange, xrefs: 00007FF78B962CF6
GCHeapCount, xrefs: 00007FF78B962A26
BGCFLkd, xrefs: 00007FF78B962E90
GCConfigLogEnabled, xrefs: 00007FF78B9628A9
BGCFLEnableFF, xrefs: 00007FF78B96302A
GCHeapHardLimitPOHPercent, xrefs: 00007FF78B963169
System.GC.Server, xrefs: 00007FF78B96275B
BGCFLSweepGoalLOH, xrefs: 00007FF78B962E15
GCProvModeStress, xrefs: 00007FF78B962BCD
System.GC.HeapHardLimitSOH, xrefs: 00007FF78B96307C
BGCFLff, xrefs: 00007FF78B962EB9
System.GC.HeapAffinitizeMask, xrefs: 00007FF78B962B71
BGCFLSweepGoal, xrefs: 00007FF78B962DEC
System.GC.HeapCount, xrefs: 00007FF78B962A1F
GCGen1MaxBudget, xrefs: 00007FF78B962C1F
GCMaxHeapCount, xrefs: 00007FF78B962A54
GCConserveMemory, xrefs: 00007FF78B9631C0
System.GC.DynamicAdaptationMode, xrefs: 00007FF78B963239
System.GC.RetainVM, xrefs: 00007FF78B9627FF
GCHeapAffinitizeMask, xrefs: 00007FF78B962B78
GCCompactRatio, xrefs: 00007FF78B962B48
BGCSpinCount, xrefs: 00007FF78B9629CD
System.GC.HeapHardLimitSOHPercent, xrefs: 00007FF78B963106

Memory Dump Source

Source File: 00000000.00000002.1697284093.00007FF78B951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78B950000, based on PE: true

Associated: 00000000.00000002.1697267552.00007FF78B950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697356399.00007FF78BA39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697390858.00007FF78BA6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697528084.00007FF78BADF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78b950000_rPROFORMAINVOICE-PO_ATS_1036.jbxd

Similarity

API ID: strcmp
String ID: BGCFLEnableFF$BGCFLEnableKd$BGCFLEnableKi$BGCFLEnableSmooth$BGCFLEnableTBH$BGCFLGradualD$BGCFLSmoothFactor$BGCFLSweepGoal$BGCFLSweepGoalLOH$BGCFLTuningEnabled$BGCFLff$BGCFLkd$BGCFLki$BGCFLkp$BGCG2RatioStep$BGCMLki$BGCMLkp$BGCMemGoal$BGCMemGoalSlack$BGCSpin$BGCSpinCount$GCBreakOnOOM$GCCompactRatio$GCConfigLogEnabled$GCConserveMemory$GCCpuGroup$GCDynamicAdaptationMode$GCEnableSpecialRegions$GCEnabledInstructionSets$GCGen0MaxBudget$GCGen1MaxBudget$GCHeapAffinitizeMask$GCHeapCount$GCHeapHardLimit$GCHeapHardLimitLOH$GCHeapHardLimitLOHPercent$GCHeapHardLimitPOH$GCHeapHardLimitPOHPercent$GCHeapHardLimitPercent$GCHeapHardLimitSOH$GCHeapHardLimitSOHPercent$GCHighMemPercent$GCLOHCompact$GCLOHThreshold$GCLargePages$GCLatencyLevel$GCLatencyMode$GCLogEnabled$GCLogFileSize$GCLowSkipRatio$GCMaxHeapCount$GCNoAffinitize$GCNumaAware$GCProvModeStress$GCRegionRange$GCRegionSize$GCRetainVM$GCSegmentSize$GCSpinCountUnit$GCTotalPhysicalMemory$GCWriteBarrier$GCgen0size$HeapVerify$System.GC.Concurrent$System.GC.ConserveMemory$System.GC.CpuGroup$System.GC.DynamicAdaptationMode$System.GC.HeapAffinitizeMask$System.GC.HeapCount$System.GC.HeapHardLimit$System.GC.HeapHardLimitLOH$System.GC.HeapHardLimitLOHPercent$System.GC.HeapHardLimitPOH$System.GC.HeapHardLimitPOHPercent$System.GC.HeapHardLimitPercent$System.GC.HeapHardLimitSOH$System.GC.HeapHardLimitSOHPercent$System.GC.HighMemoryPercent$System.GC.LargePages$System.GC.MaxHeapCount$System.GC.NoAffinitize$System.GC.RetainVM$System.GC.Server$gcConcurrent$gcConservative$gcForceCompact$gcServer
API String ID: 1004003707-1294421646
Opcode ID: 8dd0dd815cfb6f9141113c6627f02b0dffcd85473cd5b48b1167f53c38f69273
Instruction ID: a2183334465ff6e25c371fb36e6c6de88eb30cf9e2b2361af6154f63a1cc03ca
Opcode Fuzzy Hash: 8dd0dd815cfb6f9141113c6627f02b0dffcd85473cd5b48b1167f53c38f69273
Instruction Fuzzy Hash: 4662D560D1DA8794FB00FB6DAC888B2A7A0BF55784BE84176C45D47273EE3CA159C372

Function 00007FF78B991200 Relevance: 21.8, APIs: 14, Instructions: 792COMMON

Download Yara Rule

APIs

DebugBreak.KERNEL32 ref: 00007FF78B991580
DebugBreak.KERNEL32 ref: 00007FF78B991598
DebugBreak.KERNEL32 ref: 00007FF78B991647
DebugBreak.KERNEL32 ref: 00007FF78B991685
DebugBreak.KERNEL32 ref: 00007FF78B9916D5
DebugBreak.KERNEL32 ref: 00007FF78B991726
DebugBreak.KERNEL32 ref: 00007FF78B99178B
DebugBreak.KERNEL32 ref: 00007FF78B9917E1
DebugBreak.KERNEL32 ref: 00007FF78B991A18
DebugBreak.KERNEL32 ref: 00007FF78B991B09
DebugBreak.KERNEL32 ref: 00007FF78B991B8B
DebugBreak.KERNEL32 ref: 00007FF78B991BC4
DebugBreak.KERNEL32 ref: 00007FF78B991BF8
DebugBreak.KERNEL32 ref: 00007FF78B991CD7

Memory Dump Source

Source File: 00000000.00000002.1697284093.00007FF78B951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78B950000, based on PE: true

Associated: 00000000.00000002.1697267552.00007FF78B950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697356399.00007FF78BA39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697390858.00007FF78BA6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697528084.00007FF78BADF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78b950000_rPROFORMAINVOICE-PO_ATS_1036.jbxd

Similarity

API ID: BreakDebug
String ID:
API String ID: 456121617-0
Opcode ID: f3eca593082eef418b28c3d3d3ba6008102fd1d88324591edaa9422849b7c77f
Instruction ID: e905d3326e123a3604895842a1b1314922a23a7417ef12d12c08f4c401b1fb28
Opcode Fuzzy Hash: f3eca593082eef418b28c3d3d3ba6008102fd1d88324591edaa9422849b7c77f
Instruction Fuzzy Hash: 23728322A096D2D2EA91AB29D0443BAE7A4FF45B94FE94135DE5D077F5EF3CE440C220

Function 00007FF78B961830 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 81memoryCOMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32 ref: 00007FF78B96186C
GetCurrentProcess.KERNEL32 ref: 00007FF78B961894
OpenProcessToken.ADVAPI32 ref: 00007FF78B9618A7
AdjustTokenPrivileges.ADVAPI32 ref: 00007FF78B9618CC
GetLastError.KERNEL32 ref: 00007FF78B9618D4
CloseHandle.KERNEL32 ref: 00007FF78B9618E1
GetLargePageMinimum.KERNEL32 ref: 00007FF78B9618F6
VirtualAlloc.KERNEL32 ref: 00007FF78B961927
GetCurrentProcess.KERNEL32 ref: 00007FF78B961933
VirtualAllocExNuma.KERNEL32 ref: 00007FF78B961953

Strings

SeLockMemoryPrivilege, xrefs: 00007FF78B961865

Memory Dump Source

Source File: 00000000.00000002.1697284093.00007FF78B951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78B950000, based on PE: true

Associated: 00000000.00000002.1697267552.00007FF78B950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697356399.00007FF78BA39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697390858.00007FF78BA6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697528084.00007FF78BADF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78b950000_rPROFORMAINVOICE-PO_ATS_1036.jbxd

Similarity

API ID: Process$AllocCurrentTokenVirtual$AdjustCloseErrorHandleLargeLastLookupMinimumNumaOpenPagePrivilegePrivilegesValue
String ID: SeLockMemoryPrivilege
API String ID: 1752251271-475654710
Opcode ID: a64ce78d6ed104d2b6db937a96794cdf395e2d8bd2e23d037bc090c5da09f6ca
Instruction ID: cc528ab626a9dfcad1f967fca2eaf04168739605d3c6b25d9754d93bee5bbec0
Opcode Fuzzy Hash: a64ce78d6ed104d2b6db937a96794cdf395e2d8bd2e23d037bc090c5da09f6ca
Instruction Fuzzy Hash: A731D671A1C78286F720AB65F40876BA7A1FB49784FA01035DA4D07775DF3CD448C720

Function 00007FF78B96EFE0 Relevance: 13.4, APIs: 5, Strings: 2, Instructions: 1181threadCOMMON

Download Yara Rule

APIs

SwitchToThread.KERNEL32 ref: 00007FF78B96F687
SwitchToThread.KERNEL32 ref: 00007FF78B96F7F0
SwitchToThread.KERNEL32 ref: 00007FF78B96F7F9
SwitchToThread.KERNEL32 ref: 00007FF78B96F823

Part of subcall function 00007FF78B961630: QueryPerformanceCounter.KERNEL32 ref: 00007FF78B961639

DebugBreak.KERNEL32 ref: 00007FF78B96F95E

Strings

Concurrent GC: Restarting EE, xrefs: 00007FF78B96F66A
GCHeap::Promote: Promote GC Root *%p = %p MT = %pT, xrefs: 00007FF78B96FB15

Memory Dump Source

Source File: 00000000.00000002.1697284093.00007FF78B951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78B950000, based on PE: true

Associated: 00000000.00000002.1697267552.00007FF78B950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697356399.00007FF78BA39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697390858.00007FF78BA6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697528084.00007FF78BADF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78b950000_rPROFORMAINVOICE-PO_ATS_1036.jbxd

Similarity

API ID: SwitchThread$BreakCounterDebugPerformanceQuery
String ID: GCHeap::Promote: Promote GC Root *%p = %p MT = %pT$Concurrent GC: Restarting EE
API String ID: 30421299-2108734148
Opcode ID: c6c184d1560f85792b456f3718bb725fbe81c68e010fd342303592cee2957b30
Instruction ID: d75bc57a5a1297c7acfa5387504c4b72a4f7f89f382818e0a49a92198b7a7f58
Opcode Fuzzy Hash: c6c184d1560f85792b456f3718bb725fbe81c68e010fd342303592cee2957b30
Instruction Fuzzy Hash: 31C29F62A09B86C5FA51AF2CD4547B8A7A0BF4AB94FF84236D94D537B1DF2CE441C320

Function 00007FF78B98F960 Relevance: 10.9, APIs: 7, Instructions: 416COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF78B98D0E0: EnterCriticalSection.KERNEL32(?,?,?,?,?,00007FF78B98AE19,?,?,?,00007FF78B97CA43), ref: 00007FF78B98D139
Part of subcall function 00007FF78B98D0E0: LeaveCriticalSection.KERNEL32(?,?,?,?,?,00007FF78B98AE19,?,?,?,00007FF78B97CA43), ref: 00007FF78B98D14F

DebugBreak.KERNEL32 ref: 00007FF78B98FE1E
DebugBreak.KERNEL32 ref: 00007FF78B98FE36
DebugBreak.KERNEL32 ref: 00007FF78B98FE4E
DebugBreak.KERNEL32 ref: 00007FF78B98FE6C
DebugBreak.KERNEL32 ref: 00007FF78B98FE8C
DebugBreak.KERNEL32 ref: 00007FF78B98FEA0
DebugBreak.KERNEL32 ref: 00007FF78B98FF51

Memory Dump Source

Source File: 00000000.00000002.1697284093.00007FF78B951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78B950000, based on PE: true

Associated: 00000000.00000002.1697267552.00007FF78B950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697356399.00007FF78BA39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697390858.00007FF78BA6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697528084.00007FF78BADF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78b950000_rPROFORMAINVOICE-PO_ATS_1036.jbxd

Similarity

API ID: BreakDebug$CriticalSection$EnterLeave
String ID:
API String ID: 3888577265-0
Opcode ID: d86f80d7bffd3d43e5ca74b6d9e1eaf02e16cc952f2289a23396a127ac85969b
Instruction ID: ed393bfaf5c3321e53b9e4462f05f37d6ecf235b1df80224321f5fcabacc18f4
Opcode Fuzzy Hash: d86f80d7bffd3d43e5ca74b6d9e1eaf02e16cc952f2289a23396a127ac85969b
Instruction Fuzzy Hash: 071292A2A19BC6C1EA54AB19D454379A7A0FF84B84FF86935DA4D077B1DF3CE480C360

Function 00007FF78B98A7B0 Relevance: 10.9, APIs: 7, Instructions: 376COMMON

Download Yara Rule

APIs

DebugBreak.KERNEL32(?,?,?,?,?,?,?,00007FF78B9892AB), ref: 00007FF78B98A909
EnterCriticalSection.KERNEL32 ref: 00007FF78B98AC36
LeaveCriticalSection.KERNEL32 ref: 00007FF78B98AC50
DebugBreak.KERNEL32 ref: 00007FF78B98ACFD
DebugBreak.KERNEL32 ref: 00007FF78B98AD1A
DebugBreak.KERNEL32(?,?,?,?,?,?,?,00007FF78B9892AB), ref: 00007FF78B98AD35
DebugBreak.KERNEL32(?,?,?,?,?,?,?,00007FF78B9892AB), ref: 00007FF78B98AD4E

Memory Dump Source

Source File: 00000000.00000002.1697284093.00007FF78B951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78B950000, based on PE: true

Associated: 00000000.00000002.1697267552.00007FF78B950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697356399.00007FF78BA39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697390858.00007FF78BA6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697528084.00007FF78BADF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78b950000_rPROFORMAINVOICE-PO_ATS_1036.jbxd

Similarity

API ID: BreakDebug$CriticalSection$EnterLeave
String ID:
API String ID: 3888577265-0
Opcode ID: c44e6f749cf51194d18055909887b503eb6a2aff37391a8996bb50217290c366
Instruction ID: bff851c28faa6eb59b3656ef92505d3431f598380f233f034c53b3cca7ce6507
Opcode Fuzzy Hash: c44e6f749cf51194d18055909887b503eb6a2aff37391a8996bb50217290c366
Instruction Fuzzy Hash: 2C028EB2A09B8286EB54AB29E544778B7A1FB44B94FE84139CE4D437B1DF3CE451C321

Function 00007FF78B956A50 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 241COMMON

Download Yara Rule

APIs

RaiseFailFastException.KERNEL32(?,?,?,?,?,?,00000000,?,00007FF78B9573A0), ref: 00007FF78B956B07
RaiseFailFastException.KERNEL32(?,?,?,?,?,?,00000000,?,00007FF78B9573A0), ref: 00007FF78B956C51
RaiseFailFastException.KERNEL32(?,?,?,?,?,?,00000000,?,00007FF78B9573A0), ref: 00007FF78B956D33
RaiseFailFastException.KERNEL32(?,?,?,?,?,?,00000000,?,00007FF78B9573A0), ref: 00007FF78B956D49
RaiseFailFastException.KERNEL32(?,?,?,?,?,?,00000000,?,00007FF78B9573A0), ref: 00007FF78B956DBE

Strings

[ KeepUnwinding ], xrefs: 00007FF78B956D5D

Memory Dump Source

Source File: 00000000.00000002.1697284093.00007FF78B951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78B950000, based on PE: true

Associated: 00000000.00000002.1697267552.00007FF78B950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697356399.00007FF78BA39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697390858.00007FF78BA6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697528084.00007FF78BADF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78b950000_rPROFORMAINVOICE-PO_ATS_1036.jbxd

Similarity

API ID: ExceptionFailFastRaise
String ID: [ KeepUnwinding ]
API String ID: 2546344036-400895726
Opcode ID: 37b542edfd6e6a04d6d6af4a5e84d7cb03416debfb2b6644f32ce5e3f49ff12d
Instruction ID: b61cbf9224f7b38d16b74b15df54f9e4133ed05507af6c7d74dd4482a803ff0f
Opcode Fuzzy Hash: 37b542edfd6e6a04d6d6af4a5e84d7cb03416debfb2b6644f32ce5e3f49ff12d
Instruction Fuzzy Hash: E4B19472A49B81C1EB949F29D4C16A9B3A5FB44B48FA84136CE4D873B8CF39E455C330

Function 00007FF78B98D320 Relevance: 3.3, APIs: 2, Instructions: 326threadCOMMON

Download Yara Rule

APIs

SwitchToThread.KERNEL32 ref: 00007FF78B98D465
SwitchToThread.KERNEL32 ref: 00007FF78B98D495

Memory Dump Source

Source File: 00000000.00000002.1697284093.00007FF78B951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78B950000, based on PE: true

Associated: 00000000.00000002.1697267552.00007FF78B950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697356399.00007FF78BA39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697390858.00007FF78BA6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697528084.00007FF78BADF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78b950000_rPROFORMAINVOICE-PO_ATS_1036.jbxd

Similarity

API ID: SwitchThread
String ID:
API String ID: 115865932-0
Opcode ID: 1ddd28703dbe1c3b98edb21a237e8e30d6246af74f562787a6415a40b8681a1b
Instruction ID: 9c2fb3b8f74ddb80d38b91399618d132d879292746843cd8aa672012a5f3b342
Opcode Fuzzy Hash: 1ddd28703dbe1c3b98edb21a237e8e30d6246af74f562787a6415a40b8681a1b
Instruction Fuzzy Hash: 07D191B2A086C5C5EB70AF19D440769B3A5FF85B94FA4413ADA5D47BA4DF3CE440C720

Function 00007FF78B97B6B0 Relevance: 3.3, APIs: 2, Instructions: 303COMMON

Download Yara Rule

APIs

DebugBreak.KERNEL32 ref: 00007FF78B97B9D2
DebugBreak.KERNEL32 ref: 00007FF78B97B9E3

Memory Dump Source

Source File: 00000000.00000002.1697284093.00007FF78B951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78B950000, based on PE: true

Associated: 00000000.00000002.1697267552.00007FF78B950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697356399.00007FF78BA39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697390858.00007FF78BA6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697528084.00007FF78BADF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78b950000_rPROFORMAINVOICE-PO_ATS_1036.jbxd

Similarity

API ID: BreakDebug
String ID:
API String ID: 456121617-0
Opcode ID: 24780f21546bd015505d40b07dff922e5db3dc92a0b137180c1451863a2d226f
Instruction ID: 526fcd9075e9b0d6687140efffb6e2d4f2eac85d5192dcc2c4a072dfc956b67f
Opcode Fuzzy Hash: 24780f21546bd015505d40b07dff922e5db3dc92a0b137180c1451863a2d226f
Instruction Fuzzy Hash: 01E19C32A09A86C6EB10AF6DD458678A7E4FB44B94FE40236DA5D477B4DF3CE481C324

Function 00007FF78B994A40 Relevance: 3.2, APIs: 2, Instructions: 171COMMON

Download Yara Rule

APIs

FlushProcessWriteBuffers.KERNEL32 ref: 00007FF78B994A78
FlushProcessWriteBuffers.KERNEL32 ref: 00007FF78B994C8D

Memory Dump Source

Source File: 00000000.00000002.1697284093.00007FF78B951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78B950000, based on PE: true

Associated: 00000000.00000002.1697267552.00007FF78B950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697356399.00007FF78BA39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697390858.00007FF78BA6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697528084.00007FF78BADF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78b950000_rPROFORMAINVOICE-PO_ATS_1036.jbxd

Similarity

API ID: BuffersFlushProcessWrite
String ID:
API String ID: 2982998374-0
Opcode ID: 79d0f43756a16d64338861bbba21ee80fd32cc7b8ee7bde5ac8cae3f237e486d
Instruction ID: 0c34a0ceac04164456b39203a5dd49ed33d2388ba1088ec7671ef8115af54001
Opcode Fuzzy Hash: 79d0f43756a16d64338861bbba21ee80fd32cc7b8ee7bde5ac8cae3f237e486d
Instruction Fuzzy Hash: 7F51D992A287C3C6EEB2AA7864503F99A98FF517D0FA98131CE6D577A1DE389540C310

Function 00007FF78B960470 Relevance: 3.2, APIs: 2, Instructions: 162COMMON

Download Yara Rule

APIs

GetEnabledXStateFeatures.KERNEL32(?,?,?,?,?,00007FF78B954896,?,?,?,?,?,?,00007FF78B951EA0), ref: 00007FF78B960531
GetEnabledXStateFeatures.KERNEL32(?,?,?,?,?,00007FF78B954896,?,?,?,?,?,?,00007FF78B951EA0), ref: 00007FF78B960590

Memory Dump Source

Source File: 00000000.00000002.1697284093.00007FF78B951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78B950000, based on PE: true

Associated: 00000000.00000002.1697267552.00007FF78B950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697356399.00007FF78BA39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697390858.00007FF78BA6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697528084.00007FF78BADF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78b950000_rPROFORMAINVOICE-PO_ATS_1036.jbxd

Similarity

API ID: EnabledFeaturesState
String ID:
API String ID: 1557480591-0
Opcode ID: 6a010aaf3d9dfb2ad17c8b6f662b67376a88e00fe7fb95adbc059e65881bfa60
Instruction ID: 51347f7064ceef92b91c4328263be3631242bf007784078ade73460db36b6d3c
Opcode Fuzzy Hash: 6a010aaf3d9dfb2ad17c8b6f662b67376a88e00fe7fb95adbc059e65881bfa60
Instruction Fuzzy Hash: 4351D332F0829686FF68545D94D93398283BBEA358FA546B8C94E536F1CD7FD842C224

Function 00007FF78B958220 Relevance: 2.1, Strings: 1, Instructions: 834COMMON

Download Yara Rule

Strings

@, xrefs: 00007FF78B9582EE

Memory Dump Source

Source File: 00000000.00000002.1697284093.00007FF78B951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78B950000, based on PE: true

Associated: 00000000.00000002.1697267552.00007FF78B950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697356399.00007FF78BA39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697390858.00007FF78BA6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697528084.00007FF78BADF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78b950000_rPROFORMAINVOICE-PO_ATS_1036.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 6e82094639824c14ab4293de4ec13a988e764ae228435d9a0dabbc53190a5c10
Instruction ID: 77c84f19db7ac4fc2b65fcb4a0dfd13ae7748f44e2b83809a1cfdc709ab7147d
Opcode Fuzzy Hash: 6e82094639824c14ab4293de4ec13a988e764ae228435d9a0dabbc53190a5c10
Instruction Fuzzy Hash: 4862F3B2A15B86C7E7089F2CC49576D73A5FB94B88F628035CA1D837A9DF38D910C790

Function 00007FF78B97FDD0 Relevance: 1.9, APIs: 1, Instructions: 439COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF78B960C50: CreateEventW.KERNEL32 ref: 00007FF78B960C91

Part of subcall function 00007FF78B961630: QueryPerformanceCounter.KERNEL32 ref: 00007FF78B961639

DebugBreak.KERNEL32 ref: 00007FF78B98058A

Memory Dump Source

Source File: 00000000.00000002.1697284093.00007FF78B951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78B950000, based on PE: true

Associated: 00000000.00000002.1697267552.00007FF78B950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697356399.00007FF78BA39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697390858.00007FF78BA6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697528084.00007FF78BADF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78b950000_rPROFORMAINVOICE-PO_ATS_1036.jbxd

Similarity

API ID: BreakCounterCreateDebugEventPerformanceQuery
String ID:
API String ID: 4239280443-0
Opcode ID: 7fd523626d78e1805d7f233f5b92928f0ce7fa870f10a9a77f8adbba03bb496b
Instruction ID: 6d799c92bde596be44478012659cd64fe2e31537233cda1710aeef2c85e3d3de
Opcode Fuzzy Hash: 7fd523626d78e1805d7f233f5b92928f0ce7fa870f10a9a77f8adbba03bb496b
Instruction Fuzzy Hash: A7420E71D18B8289E711AB28F888678B3A4FF58744FF85239DA8C12775DF3CA191D721

Function 00007FF78BA17BA0 Relevance: 1.8, APIs: 1, Instructions: 347COMMON

Download Yara Rule

APIs

GetTickCount64.KERNEL32 ref: 00007FF78BA17E0D

Memory Dump Source

Source File: 00000000.00000002.1697284093.00007FF78B951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78B950000, based on PE: true

Associated: 00000000.00000002.1697267552.00007FF78B950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697356399.00007FF78BA39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697390858.00007FF78BA6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697528084.00007FF78BADF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78b950000_rPROFORMAINVOICE-PO_ATS_1036.jbxd

Similarity

API ID: Count64Tick
String ID:
API String ID: 1927824332-0
Opcode ID: d5b68029aa416122ce9160fa44b138e07519b76c0a8e0ce365ee1a4a9db7f319
Instruction ID: ce74529c2a0992959d1597ab32bea13240e8d67959d6883b6e38e49a389aebc0
Opcode Fuzzy Hash: d5b68029aa416122ce9160fa44b138e07519b76c0a8e0ce365ee1a4a9db7f319
Instruction Fuzzy Hash: B6D1E172A0864686E754FF29C444B7EA7A1BB80B88FB55035DE0E476A1DF3CE881C761

Function 00007FF78B9835C0 Relevance: 1.8, Strings: 1, Instructions: 572COMMON

Download Yara Rule

Strings

, xrefs: 00007FF78B983B1C

Memory Dump Source

Source File: 00000000.00000002.1697284093.00007FF78B951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78B950000, based on PE: true

Associated: 00000000.00000002.1697267552.00007FF78B950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697356399.00007FF78BA39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697390858.00007FF78BA6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697528084.00007FF78BADF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78b950000_rPROFORMAINVOICE-PO_ATS_1036.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: cd09ef96d8f17e625544f5d09aacbfbf5b704350f56f2afae0a11c1b875b7772
Instruction ID: ac8347f0d2790df9c814e13f1c537f34e47dad38b6a8d26add54b5761106fd22
Opcode Fuzzy Hash: cd09ef96d8f17e625544f5d09aacbfbf5b704350f56f2afae0a11c1b875b7772
Instruction Fuzzy Hash: 85428172A5CB86C6EA10AB1DE444679B7A1FB097A0FE44235EA6D477B1CF3CE450C321

Function 00007FF78B979A50 Relevance: 1.7, Strings: 1, Instructions: 490COMMON

Download Yara Rule

Strings

========== ENDGC %d (gen = %lu, collect_classes = %lu) ===========}, xrefs: 00007FF78B97A256

Memory Dump Source

Source File: 00000000.00000002.1697284093.00007FF78B951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78B950000, based on PE: true

Associated: 00000000.00000002.1697267552.00007FF78B950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697356399.00007FF78BA39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697390858.00007FF78BA6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697528084.00007FF78BADF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78b950000_rPROFORMAINVOICE-PO_ATS_1036.jbxd

Similarity

API ID:
String ID: ========== ENDGC %d (gen = %lu, collect_classes = %lu) ===========}
API String ID: 0-2256439813
Opcode ID: 7cd4840d3d0a4d3bfe87a83f411545977ddd30e931889fd1db4b34f2a771d1f5
Instruction ID: 793b9ee32b3baf13558f21e8ecb18810ae6016812fdcc4c440b4d11e9ea1a457
Opcode Fuzzy Hash: 7cd4840d3d0a4d3bfe87a83f411545977ddd30e931889fd1db4b34f2a771d1f5
Instruction Fuzzy Hash: FB428C31A09B86CAEA15AB1CD848769B7A0FF05B84FE84136DA4D07371EF3DE065C365

Function 00007FF78B96E8A0 Relevance: 1.7, Strings: 1, Instructions: 440COMMON

Download Yara Rule

Strings

?, xrefs: 00007FF78B96E8EB

Memory Dump Source

Source File: 00000000.00000002.1697284093.00007FF78B951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78B950000, based on PE: true

Associated: 00000000.00000002.1697267552.00007FF78B950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697356399.00007FF78BA39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697390858.00007FF78BA6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697528084.00007FF78BADF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78b950000_rPROFORMAINVOICE-PO_ATS_1036.jbxd

Similarity

API ID:
String ID: ?
API String ID: 0-1684325040
Opcode ID: c36884137a1fbdc5629651c62ab30761a03d17dd0682946ebc7bc0764feb72a2
Instruction ID: 0fb3e5b3d88c73ab3582d56472b6e2027ed4d8cc60c8f5889df042bd886c1b19
Opcode Fuzzy Hash: c36884137a1fbdc5629651c62ab30761a03d17dd0682946ebc7bc0764feb72a2
Instruction Fuzzy Hash: 3312C232A08A86C6EF10EB1DE44477AB3A5FB5AB94FA44231DA6D437A4DF3CE441C710

Function 00007FF78B960030 Relevance: 1.6, APIs: 1, Instructions: 55timeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?,?,?,00007FF78B954879,?,?,?,?,?,?,00007FF78B951EA0), ref: 00007FF78B9600FC

Memory Dump Source

Source File: 00000000.00000002.1697284093.00007FF78B951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78B950000, based on PE: true

Associated: 00000000.00000002.1697267552.00007FF78B950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697356399.00007FF78BA39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697390858.00007FF78BA6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697528084.00007FF78BADF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78b950000_rPROFORMAINVOICE-PO_ATS_1036.jbxd

Similarity

API ID: Time$FileSystem
String ID:
API String ID: 2086374402-0
Opcode ID: b5b44fb1cfa246b99875fe13986ad365462ea6fd88d0f75c6747b66273541516
Instruction ID: 2d26b7597a5b1caca96a8a2e26d28b3abc2717b7623c6ffa6f632fdf3f833d48
Opcode Fuzzy Hash: b5b44fb1cfa246b99875fe13986ad365462ea6fd88d0f75c6747b66273541516
Instruction Fuzzy Hash: 5D217C71E09B8286E790AF2DE885669B3A0FB88744FE84139E54D43372DF7CE440C762

Function 00007FF78B9744D0 Relevance: 1.6, Strings: 1, Instructions: 302COMMON

Download Yara Rule

Strings

, xrefs: 00007FF78B974713

Memory Dump Source

Source File: 00000000.00000002.1697284093.00007FF78B951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78B950000, based on PE: true

Associated: 00000000.00000002.1697267552.00007FF78B950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697356399.00007FF78BA39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697390858.00007FF78BA6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697528084.00007FF78BADF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78b950000_rPROFORMAINVOICE-PO_ATS_1036.jbxd

Similarity

API ID: CounterPerformanceQuery
String ID:
API String ID: 2783962273-3916222277
Opcode ID: 0f497518f3011c90386f56ae0dd19987edc3a4fef3325d72aee3a22fc2e24883
Instruction ID: 802f4edb9d02da8ecf42fec24d1d6b598dced6d1db7d74bbb89f975c314d631c
Opcode Fuzzy Hash: 0f497518f3011c90386f56ae0dd19987edc3a4fef3325d72aee3a22fc2e24883
Instruction Fuzzy Hash: 61D1C262A08A86C2EA10AF69E444679F3E1FB45BA4FA44331DA6D137F5DF3CE451C324

Function 00007FF78B9E9080 Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

GetLocaleInfoEx.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00007FF78B9E90F0

Memory Dump Source

Source File: 00000000.00000002.1697284093.00007FF78B951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78B950000, based on PE: true

Associated: 00000000.00000002.1697267552.00007FF78B950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697356399.00007FF78BA39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697390858.00007FF78BA6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697528084.00007FF78BADF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78b950000_rPROFORMAINVOICE-PO_ATS_1036.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 631e051c7e85c708eee405e58e5ac8c33c0e023327227dff62814852cabaa958
Instruction ID: 5c6df63a15e000cb2771e4ab4adfe60c80090d5144ddf0ce381b458d05f18381
Opcode Fuzzy Hash: 631e051c7e85c708eee405e58e5ac8c33c0e023327227dff62814852cabaa958
Instruction Fuzzy Hash: 49011833F046A09DF761EBE5AC40ADD77B5BB48358FA0402ADE0DA6A58DF349896C700

Function 00007FF78B959430 Relevance: 1.0, Instructions: 971COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1697284093.00007FF78B951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78B950000, based on PE: true

Associated: 00000000.00000002.1697267552.00007FF78B950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697356399.00007FF78BA39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697390858.00007FF78BA6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697528084.00007FF78BADF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78b950000_rPROFORMAINVOICE-PO_ATS_1036.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fa54e4b404b83b64a3ef684d3fa7d9e7b579a293c5d3786dac23140140fd01d
Instruction ID: a389e0b9d1fde9ce53645f8b494b04e7e196f0c5b6980f6830fc156de6123eed
Opcode Fuzzy Hash: 3fa54e4b404b83b64a3ef684d3fa7d9e7b579a293c5d3786dac23140140fd01d
Instruction Fuzzy Hash: 508200B2A18785C7EB149B19E1803ADB7A1FB85780F648035DB4E83BA4DF3DE964C750

Function 00007FF78B984390 Relevance: 1.0, Instructions: 955COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1697284093.00007FF78B951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78B950000, based on PE: true

Associated: 00000000.00000002.1697267552.00007FF78B950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697356399.00007FF78BA39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697390858.00007FF78BA6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697528084.00007FF78BADF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78b950000_rPROFORMAINVOICE-PO_ATS_1036.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb96dbae57526de73ba5978f8db0fe2cb6513efdd4c95ed84dcb0dc29f55fb53
Instruction ID: ad66b1299a19f0799c65b067593b7fa50e6d41cbcd8dda1da7971787fe9327e2
Opcode Fuzzy Hash: fb96dbae57526de73ba5978f8db0fe2cb6513efdd4c95ed84dcb0dc29f55fb53
Instruction Fuzzy Hash: B892BEA1B18B86C5EA11AF2DA858AB4E395BF45BC4FE88136D90E53371DF3CE445C321

Function 00007FF78B9892CE Relevance: .8, Instructions: 844COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1697284093.00007FF78B951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78B950000, based on PE: true

Associated: 00000000.00000002.1697267552.00007FF78B950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697356399.00007FF78BA39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697390858.00007FF78BA6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697528084.00007FF78BADF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78b950000_rPROFORMAINVOICE-PO_ATS_1036.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1e24ba0ba6bef78217b93cc1824f39f4ffccc09ca148982d560d43c4ab6c4d9
Instruction ID: bdb09a7e6e4c33d1ec788f4cc225ee43671b5fc7535f1478b9737c9ffc43fee0
Opcode Fuzzy Hash: f1e24ba0ba6bef78217b93cc1824f39f4ffccc09ca148982d560d43c4ab6c4d9
Instruction Fuzzy Hash: 3B82ADA2A08A82C5EB50AF2DE4446B9A3A5FF45788FE85136D90E133B0DF3DE455C361

Function 00007FF78B9888D9 Relevance: .8, Instructions: 829COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1697284093.00007FF78B951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78B950000, based on PE: true

Associated: 00000000.00000002.1697267552.00007FF78B950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697356399.00007FF78BA39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697390858.00007FF78BA6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697528084.00007FF78BADF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78b950000_rPROFORMAINVOICE-PO_ATS_1036.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae3399e1ef9d6b9ccce09df451620a2232e0225a6ba839f96d1aefac044876c6
Instruction ID: 28dcc53eedb22f2ebb433c05271cb3d2883aea4efd1fb01879642a529a609847
Opcode Fuzzy Hash: ae3399e1ef9d6b9ccce09df451620a2232e0225a6ba839f96d1aefac044876c6
Instruction Fuzzy Hash: 2282DDB2B08B81C6EB10AF69E484679B7A5FB44B98FA44135DE4D53BA5CF3CE441C720

Function 00007FF78B975200 Relevance: .6, Instructions: 629COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1697284093.00007FF78B951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78B950000, based on PE: true

Associated: 00000000.00000002.1697267552.00007FF78B950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697356399.00007FF78BA39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697390858.00007FF78BA6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697528084.00007FF78BADF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78b950000_rPROFORMAINVOICE-PO_ATS_1036.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf5feb339442a0b79f58c974cad3d97fda4eb93d98ba6868e8e29d5f65b0f64f
Instruction ID: 2c00fe98d7f39a6f6f56a8ccf0089a12c1710d2af1dceccffe444a7e8d3dbd00
Opcode Fuzzy Hash: bf5feb339442a0b79f58c974cad3d97fda4eb93d98ba6868e8e29d5f65b0f64f
Instruction Fuzzy Hash: 085240A2A15BD6C2EEA59F1CC044378A7E0FF55BA4FA85235CE6C033E4DF68E490C214

Function 00007FF78B9852E0 Relevance: .6, Instructions: 619COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1697284093.00007FF78B951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78B950000, based on PE: true

Associated: 00000000.00000002.1697267552.00007FF78B950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697356399.00007FF78BA39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697390858.00007FF78BA6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697528084.00007FF78BADF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78b950000_rPROFORMAINVOICE-PO_ATS_1036.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b492ad88cf215fc62258aba1709844d5f27e408f569c58da072858a9a9ad3981
Instruction ID: 04263d919eb4d0c3f313632a8d1fd0935e1712b2811a6b86e6aa5bd888e13321
Opcode Fuzzy Hash: b492ad88cf215fc62258aba1709844d5f27e408f569c58da072858a9a9ad3981
Instruction Fuzzy Hash: 6542C2B2B18B85C6EB10DF69E4401ADB7A1FB44B98FA40136DE4D57B68DE3CE449C710

Function 00007FF78B985C20 Relevance: .6, Instructions: 604COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1697284093.00007FF78B951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78B950000, based on PE: true

Associated: 00000000.00000002.1697267552.00007FF78B950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697356399.00007FF78BA39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697390858.00007FF78BA6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697528084.00007FF78BADF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78b950000_rPROFORMAINVOICE-PO_ATS_1036.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e52f450864030abe068b2e943946e6a8f68a43271c38fbddae6a16a12d04da61
Instruction ID: 490b63cc56d467273da41e5130e4814e9f6a950cb471b3553077025f70cb808c
Opcode Fuzzy Hash: e52f450864030abe068b2e943946e6a8f68a43271c38fbddae6a16a12d04da61
Instruction Fuzzy Hash: EB42E6B2F08785C6EB10DF69D4006BCB7A2FB05788BA44536DE1D6B7A8DE38E055C360

Function 00007FF78B98BEA0 Relevance: .6, Instructions: 561COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1697284093.00007FF78B951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78B950000, based on PE: true

Associated: 00000000.00000002.1697267552.00007FF78B950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697356399.00007FF78BA39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697390858.00007FF78BA6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697528084.00007FF78BADF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78b950000_rPROFORMAINVOICE-PO_ATS_1036.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 456757d216aacf14f41c1d1ac0cd8049a835610a21c3933073f91090c7e01898
Instruction ID: fadbd9bd3fe683e2ad9fa283cd82b00120f34cf8f781cd80a49a37693ceb9fa7
Opcode Fuzzy Hash: 456757d216aacf14f41c1d1ac0cd8049a835610a21c3933073f91090c7e01898
Instruction Fuzzy Hash: AC42A3A2B08A8A86EA50EF0DE444669B771FB41BD0FE95135DA4D877B8DF3CE059C310

Function 00007FF78B972D30 Relevance: .5, Instructions: 457COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1697284093.00007FF78B951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78B950000, based on PE: true

Associated: 00000000.00000002.1697267552.00007FF78B950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697356399.00007FF78BA39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697390858.00007FF78BA6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697528084.00007FF78BADF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78b950000_rPROFORMAINVOICE-PO_ATS_1036.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58ab2ea6ff0a684350a52622f01339377179222e3f8cb1db98c70cb3a0ab0f85
Instruction ID: 3c107bd543df7b3ca7db9caf846fa75d4adf7dedb849cb8dcb41a43bfe7f610f
Opcode Fuzzy Hash: 58ab2ea6ff0a684350a52622f01339377179222e3f8cb1db98c70cb3a0ab0f85
Instruction Fuzzy Hash: 4822F322A19FC589D617AB3990513B9E3D4BF567C4FA8C332ED4F22671EF29A153C210

Function 00007FF78BA200E0 Relevance: .4, Instructions: 428COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1697284093.00007FF78B951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78B950000, based on PE: true

Associated: 00000000.00000002.1697267552.00007FF78B950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697356399.00007FF78BA39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697390858.00007FF78BA6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697528084.00007FF78BADF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78b950000_rPROFORMAINVOICE-PO_ATS_1036.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e10a91a420f83ef269157d36f9a2c016ddaa9393997882352c17c1d84d133b48
Instruction ID: 15430d76233b07ca6c2e5acc3346b9d7435f758feaf723efe9b9917faf596934
Opcode Fuzzy Hash: e10a91a420f83ef269157d36f9a2c016ddaa9393997882352c17c1d84d133b48
Instruction Fuzzy Hash: 0D02AF72B04A518AEB25DF29D880AAC7770FB98B98FA09122DF4D63B65DF34D5C1C740

Function 00007FF78B98B4F0 Relevance: .4, Instructions: 424COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1697284093.00007FF78B951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78B950000, based on PE: true

Associated: 00000000.00000002.1697267552.00007FF78B950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697356399.00007FF78BA39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697390858.00007FF78BA6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697528084.00007FF78BADF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78b950000_rPROFORMAINVOICE-PO_ATS_1036.jbxd

Similarity

API ID: CounterPerformanceQuery
String ID:
API String ID: 2783962273-0
Opcode ID: af019d92b74d7be67137a52f9c77fda3c993f8b49f31bc8590fea9e3453cb08d
Instruction ID: 16749b4ff84a942e0aa2c55ea9ad35579a30d188dc7ba861a575c8084bc25e7a
Opcode Fuzzy Hash: af019d92b74d7be67137a52f9c77fda3c993f8b49f31bc8590fea9e3453cb08d
Instruction Fuzzy Hash: AF02D3A2B14A89C6EA109B1DE4407B9B7A0FB45BA4FAC8235DA6D573F4DF3DE041C310

Function 00007FF78B970360 Relevance: .4, Instructions: 423COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1697284093.00007FF78B951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78B950000, based on PE: true

Associated: 00000000.00000002.1697267552.00007FF78B950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697356399.00007FF78BA39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697390858.00007FF78BA6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697528084.00007FF78BADF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78b950000_rPROFORMAINVOICE-PO_ATS_1036.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 941236c64fb7aeb56a54193ab7823506ec3791b8a94ce74fac18868a71896ef1
Instruction ID: e2b2ca7b3e5a71e0508dbb53d1a554cc41527634c87c64dccac787ff9f695c52
Opcode Fuzzy Hash: 941236c64fb7aeb56a54193ab7823506ec3791b8a94ce74fac18868a71896ef1
Instruction Fuzzy Hash: 90029F72A09A85C6EA14DF1DD4446B8B7A0BB45BA4FE44331DA6D477F1CE3CE441C324

Function 00007FF78B982370 Relevance: .4, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1697284093.00007FF78B951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78B950000, based on PE: true

Associated: 00000000.00000002.1697267552.00007FF78B950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697356399.00007FF78BA39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697390858.00007FF78BA6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697528084.00007FF78BADF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78b950000_rPROFORMAINVOICE-PO_ATS_1036.jbxd

Similarity

API ID: CurrentProcess
String ID:
API String ID: 2050909247-0
Opcode ID: c0ad0a1e25142008f3637e5da2c3db878e0901c6b4a0cb550b565114e147fb9e
Instruction ID: ea5c5ff196eb7ec065262685e85ae3f3168993bfa772423d7474d1824b17a779
Opcode Fuzzy Hash: c0ad0a1e25142008f3637e5da2c3db878e0901c6b4a0cb550b565114e147fb9e
Instruction Fuzzy Hash: 8002A0B1E0C68686FA15AB2DA848A39F7A1BF45781FF84636D44D13271EF3CB584C621

Function 00007FF78B9891B0 Relevance: .3, Instructions: 326COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1697284093.00007FF78B951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78B950000, based on PE: true

Associated: 00000000.00000002.1697267552.00007FF78B950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697356399.00007FF78BA39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697390858.00007FF78BA6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697528084.00007FF78BADF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78b950000_rPROFORMAINVOICE-PO_ATS_1036.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 323b4a52389b31af78a198108c136ecd75e8293e50210e2468e6e8b2983b1f89
Instruction ID: 476a206b339dec518dfe8b6bc5e1f0b1a190491621094fead9139dc16cef6293
Opcode Fuzzy Hash: 323b4a52389b31af78a198108c136ecd75e8293e50210e2468e6e8b2983b1f89
Instruction Fuzzy Hash: E7E104B2A08681C6EB11AB2DD448679BBA1FB45794FF84232DA1E577B0DF3CE441C320

Function 00007FF78B974CD9 Relevance: .3, Instructions: 319COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1697284093.00007FF78B951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78B950000, based on PE: true

Associated: 00000000.00000002.1697267552.00007FF78B950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697356399.00007FF78BA39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697390858.00007FF78BA6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697528084.00007FF78BADF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78b950000_rPROFORMAINVOICE-PO_ATS_1036.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d78bf327fc7d401db98ee101711161cfb4b90b568116cb42030e1b04918fb35b
Instruction ID: 62d0e94404ea8df9d52154d0944a0a19fb9d7cd9ad514ce32f9f6948f8dc6fdc
Opcode Fuzzy Hash: d78bf327fc7d401db98ee101711161cfb4b90b568116cb42030e1b04918fb35b
Instruction Fuzzy Hash: CED1D262B18B86C6EA10AF2DD4442B9B3A1FB55BA4FA49331CA6D077E5DF3CE041C354

Function 00007FF78B9899C3 Relevance: .3, Instructions: 304COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1697284093.00007FF78B951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78B950000, based on PE: true

Associated: 00000000.00000002.1697267552.00007FF78B950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697356399.00007FF78BA39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697390858.00007FF78BA6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697528084.00007FF78BADF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78b950000_rPROFORMAINVOICE-PO_ATS_1036.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b12337283fe58a1ae982f19855bdc68314bb18f96eaedbf97d3c33e1d47e9e1d
Instruction ID: 613814f3fe12cd074e7a5548d0f107fa8465dcee01850f619f41bfcf26f2512b
Opcode Fuzzy Hash: b12337283fe58a1ae982f19855bdc68314bb18f96eaedbf97d3c33e1d47e9e1d
Instruction Fuzzy Hash: AAD1D3A1A08A82C5EF10AB2DD4446B5A3A1FF44B94FE86236DD1E173B4DF3DE051C361

Function 00007FF78B9767F0 Relevance: .3, Instructions: 299COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1697284093.00007FF78B951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78B950000, based on PE: true

Associated: 00000000.00000002.1697267552.00007FF78B950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697356399.00007FF78BA39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697390858.00007FF78BA6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697528084.00007FF78BADF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78b950000_rPROFORMAINVOICE-PO_ATS_1036.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2b67d53944cb5c55e2bb92377965104f8c7736282132103d9110c3b3426bf77
Instruction ID: fae00b1ab625b19a8c40dce0c239cbfa9bc7c3deb36850b3437fc1cbb5a52769
Opcode Fuzzy Hash: c2b67d53944cb5c55e2bb92377965104f8c7736282132103d9110c3b3426bf77
Instruction Fuzzy Hash: 7CE16BB2A08B86C5EB20AF19D444778A3E4FB44B98FE80636DA5C477A5DF3CE450C325

Function 00007FF78B987C79 Relevance: .3, Instructions: 262COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1697284093.00007FF78B951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78B950000, based on PE: true

Associated: 00000000.00000002.1697267552.00007FF78B950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697356399.00007FF78BA39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697390858.00007FF78BA6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697528084.00007FF78BADF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78b950000_rPROFORMAINVOICE-PO_ATS_1036.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20d7dac9d533b3180a345ae923d8f6c9575024258e8af4de554390141a09baf3
Instruction ID: d41fb193481143e08e361ffdab8ddb8a8644090e181fb41d1edb3e5e550bb60f
Opcode Fuzzy Hash: 20d7dac9d533b3180a345ae923d8f6c9575024258e8af4de554390141a09baf3
Instruction Fuzzy Hash: DAC1CFB2A08786C6EB11AB29D448A79BBA6FB457C4FE54136DA0E53771DF3CE441C320

Function 00007FF78B966A50 Relevance: .3, Instructions: 258COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1697284093.00007FF78B951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78B950000, based on PE: true

Associated: 00000000.00000002.1697267552.00007FF78B950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697356399.00007FF78BA39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697390858.00007FF78BA6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697528084.00007FF78BADF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78b950000_rPROFORMAINVOICE-PO_ATS_1036.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98840326572346ce62672058949bdb619bd28472bb45fe13b568a26b56bb2989
Instruction ID: 59bae2626af46b17a59d23f6cdcb365fa764ba4b692d9459befada4415b9ad9b
Opcode Fuzzy Hash: 98840326572346ce62672058949bdb619bd28472bb45fe13b568a26b56bb2989
Instruction Fuzzy Hash: C8C14132A09AC6C2E650AF2DE8446B9B3E4FB4A748FE80135DA4E57275DF3CE451C321

Function 00007FF78B97A420 Relevance: .3, Instructions: 258COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1697284093.00007FF78B951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78B950000, based on PE: true

Associated: 00000000.00000002.1697267552.00007FF78B950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697356399.00007FF78BA39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697390858.00007FF78BA6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697528084.00007FF78BADF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78b950000_rPROFORMAINVOICE-PO_ATS_1036.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3795db95c44060b19ab420451e6778c024f51e6a69577f27822aa931ae8f4db8
Instruction ID: d543ad1361db34b335882c6ae571b8213fa021cb7ae1c10b879f1ae755df0eaa
Opcode Fuzzy Hash: 3795db95c44060b19ab420451e6778c024f51e6a69577f27822aa931ae8f4db8
Instruction Fuzzy Hash: A1C1A032A08A86C1EA50EF1DE848578B3A5FB457A0FE84236D96D477B0DF3DE451C325

Function 00007FF78BA03480 Relevance: .3, Instructions: 257COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1697284093.00007FF78B951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78B950000, based on PE: true

Associated: 00000000.00000002.1697267552.00007FF78B950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697356399.00007FF78BA39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697390858.00007FF78BA6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697528084.00007FF78BADF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78b950000_rPROFORMAINVOICE-PO_ATS_1036.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eed20e039dcc1a7adb761facd62eb612643325d2ef7b125a1d3c58e3026f862f
Instruction ID: 35401ff98f043aeafdaca7393aed604acf39cf6d9f22c59e28260c3772f4d19c
Opcode Fuzzy Hash: eed20e039dcc1a7adb761facd62eb612643325d2ef7b125a1d3c58e3026f862f
Instruction Fuzzy Hash: 89A1B76794D251C5E755EB2BA410B7AE6E0FB84B94FA04031EE8D077A4DF7CE482CB11

Function 00007FF78B983F60 Relevance: .3, Instructions: 255COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1697284093.00007FF78B951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78B950000, based on PE: true

Associated: 00000000.00000002.1697267552.00007FF78B950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697356399.00007FF78BA39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697390858.00007FF78BA6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697528084.00007FF78BADF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78b950000_rPROFORMAINVOICE-PO_ATS_1036.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f495caaedb7263532d1806f88f0ff8ac8a82c62e595ec08781830e007608e81
Instruction ID: 25cd1d795d76ed98d5b87ddb2df05674980c100634471db2ae8639ebd6f87715
Opcode Fuzzy Hash: 6f495caaedb7263532d1806f88f0ff8ac8a82c62e595ec08781830e007608e81
Instruction Fuzzy Hash: CBC17171A18B87C2EA51AB0DE844578B3A5FF457A0BE84236D9AD477B4DF3CE050C321

Function 00007FF78B98F280 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1697284093.00007FF78B951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78B950000, based on PE: true

Associated: 00000000.00000002.1697267552.00007FF78B950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697356399.00007FF78BA39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697390858.00007FF78BA6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697528084.00007FF78BADF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78b950000_rPROFORMAINVOICE-PO_ATS_1036.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8839e0e3ad3752fbee51db35c45455f694ce765d77fd982f1e164920b5e77ec
Instruction ID: e6e4dcfe8f8224ef028278897fcd858352eb98fe215602d5aa7e7072e667e934
Opcode Fuzzy Hash: e8839e0e3ad3752fbee51db35c45455f694ce765d77fd982f1e164920b5e77ec
Instruction Fuzzy Hash: F4B1B1A2718A95C2EB00EF19E058778B3A5FB44BA4FA85636DA6D477E4DF3CE041C310

Function 00007FF78B98E540 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1697284093.00007FF78B951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78B950000, based on PE: true

Associated: 00000000.00000002.1697267552.00007FF78B950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697356399.00007FF78BA39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697390858.00007FF78BA6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697528084.00007FF78BADF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78b950000_rPROFORMAINVOICE-PO_ATS_1036.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96fea93f446af114b9064da49687705947baa9860f6c7a3c23dd91d3fd028b50
Instruction ID: cff324c11c345b9dd611f8e91c6c852d342945c4779d8485902405537b4a7048
Opcode Fuzzy Hash: 96fea93f446af114b9064da49687705947baa9860f6c7a3c23dd91d3fd028b50
Instruction Fuzzy Hash: 3591B051E29F8A89E917AB3D6455974D2967F627C1AF8C332D81F32670EF3CB082C121

Function 00007FF78B98B180 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1697284093.00007FF78B951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78B950000, based on PE: true

Associated: 00000000.00000002.1697267552.00007FF78B950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697356399.00007FF78BA39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697390858.00007FF78BA6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697528084.00007FF78BADF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78b950000_rPROFORMAINVOICE-PO_ATS_1036.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a85621e283accacced8221b17d10a49faa8c26bd841f71e3662727ff5320864
Instruction ID: c3fa6b26f8593e5c5022ea1494559c3b92b6c4e78a6a002d89b228d2776484e1
Opcode Fuzzy Hash: 2a85621e283accacced8221b17d10a49faa8c26bd841f71e3662727ff5320864
Instruction Fuzzy Hash: D791A562B09A9AC6EE14AB1DD44567CB7A0FB41BA0FEC4132DA1E477B4DE3DE045C310

Function 00007FF78B98BBA0 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1697284093.00007FF78B951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78B950000, based on PE: true

Associated: 00000000.00000002.1697267552.00007FF78B950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697356399.00007FF78BA39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697390858.00007FF78BA6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697528084.00007FF78BADF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78b950000_rPROFORMAINVOICE-PO_ATS_1036.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79e7110b9251933381237f45dafbe83c08329d0dfb3fdd3f62539a26e3327acb
Instruction ID: a9621fdbdcc5f7db242779d9a5d6e8f4e188a8b905c0ce0d6cac95185562e406
Opcode Fuzzy Hash: 79e7110b9251933381237f45dafbe83c08329d0dfb3fdd3f62539a26e3327acb
Instruction Fuzzy Hash: CB81C0A2B05A9A82EA00DB1DD444679B7A1FB45BA0FED4635DA2E473F4DE2DE441C320

Function 00007FF78B9B1910 Relevance: .2, Instructions: 209COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1697284093.00007FF78B951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78B950000, based on PE: true

Associated: 00000000.00000002.1697267552.00007FF78B950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697356399.00007FF78BA39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697390858.00007FF78BA6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697528084.00007FF78BADF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78b950000_rPROFORMAINVOICE-PO_ATS_1036.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a0a653bd8412369acd8b18e9d6f980586c5921261b9fc202eb3e07ecbb7d49b
Instruction ID: fdf735a046cb40bf5493021fce16726ba67dfe2cf8fef7ce4c32634d39ed2925
Opcode Fuzzy Hash: 2a0a653bd8412369acd8b18e9d6f980586c5921261b9fc202eb3e07ecbb7d49b
Instruction Fuzzy Hash: 5FA15076A18A62C6F720AF29E8546BEA7A1FB49784FE40131CD8D43674EF3CE544C760

Function 00007FF78B95A8B0 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1697284093.00007FF78B951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78B950000, based on PE: true

Associated: 00000000.00000002.1697267552.00007FF78B950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697356399.00007FF78BA39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697390858.00007FF78BA6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697528084.00007FF78BADF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78b950000_rPROFORMAINVOICE-PO_ATS_1036.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52f6d5e490fbb126a6ff7b1701bbe82b2d86a503b07016c15d5eb3855ba6564f
Instruction ID: 75548c712475bf9c25ab34dba1781596f4e64a3680c3408b563147389990a674
Opcode Fuzzy Hash: 52f6d5e490fbb126a6ff7b1701bbe82b2d86a503b07016c15d5eb3855ba6564f
Instruction Fuzzy Hash: BA81D2B3A14A85C7EB09DF2DC0907A873A5F788B94F958035CA0D87BA4DF38D641CB64

Function 00007FF78B9583C4 Relevance: .2, Instructions: 175COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1697284093.00007FF78B951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78B950000, based on PE: true

Associated: 00000000.00000002.1697267552.00007FF78B950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697356399.00007FF78BA39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697390858.00007FF78BA6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697528084.00007FF78BADF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78b950000_rPROFORMAINVOICE-PO_ATS_1036.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09f86d7bf020a1616741af4184dcfb5ba4b8671fe15046aec6e24d3f199e6ae6
Instruction ID: 96009ec8aff96c7ff2db4ebd43d57ab51d04a5c8f104fafc24439e744a7578f5
Opcode Fuzzy Hash: 09f86d7bf020a1616741af4184dcfb5ba4b8671fe15046aec6e24d3f199e6ae6
Instruction Fuzzy Hash: 0C6104B7B11B8183D7089F2CC0D162D76A2FBD4B88BA68035CA1D837A9EF38D511C380

Function 00007FF78B97A850 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1697284093.00007FF78B951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78B950000, based on PE: true

Associated: 00000000.00000002.1697267552.00007FF78B950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697356399.00007FF78BA39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697390858.00007FF78BA6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697528084.00007FF78BADF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78b950000_rPROFORMAINVOICE-PO_ATS_1036.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b7f31b7dde57376d23b91118050d515ff30093a1b7f5c396985b31bb123e795
Instruction ID: f3204521fd0d3bb3f406db5ce799da30c8dd8c6897097177d5ef4292165f4138
Opcode Fuzzy Hash: 8b7f31b7dde57376d23b91118050d515ff30093a1b7f5c396985b31bb123e795
Instruction Fuzzy Hash: 26510822F1978E81ED0A977F5101679C5827F9A7D0EADCB31E90E327A1EF2DB091C614

Function 00007FF78BA2E240 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1697284093.00007FF78B951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78B950000, based on PE: true

Associated: 00000000.00000002.1697267552.00007FF78B950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697356399.00007FF78BA39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697390858.00007FF78BA6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697528084.00007FF78BADF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78b950000_rPROFORMAINVOICE-PO_ATS_1036.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24f9807a77ec1231628a5fee68b55ea91a59b695855e809c40b27073d2b7f48a
Instruction ID: 7b7a775fcb5af3ead2d608c8397812eb65918d8a9d3e2401d87577b99888615f
Opcode Fuzzy Hash: 24f9807a77ec1231628a5fee68b55ea91a59b695855e809c40b27073d2b7f48a
Instruction Fuzzy Hash: 49512962A3C17142DB388B1CA412E3DE292FB95741F909335E6AE55EA1E72ED181DB10

Function 00007FF78B97FB40 Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1697284093.00007FF78B951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78B950000, based on PE: true

Associated: 00000000.00000002.1697267552.00007FF78B950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697356399.00007FF78BA39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697390858.00007FF78BA6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697528084.00007FF78BADF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78b950000_rPROFORMAINVOICE-PO_ATS_1036.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1d6c5c74579766a181c76732d0e982c6beea5bccfddb835f43d11907d24d000
Instruction ID: d9bc95387d16b61bff9a40e23aa817fa5bcfac68a9cb7a04a89d03413040978b
Opcode Fuzzy Hash: c1d6c5c74579766a181c76732d0e982c6beea5bccfddb835f43d11907d24d000
Instruction Fuzzy Hash: C261E322B25FC9C9D916DB799050768D295BF567C0FA88332ED4F33760EB3DA192C214

Function 00007FF78BA30200 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1697284093.00007FF78B951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78B950000, based on PE: true

Associated: 00000000.00000002.1697267552.00007FF78B950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697356399.00007FF78BA39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697390858.00007FF78BA6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697528084.00007FF78BADF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78b950000_rPROFORMAINVOICE-PO_ATS_1036.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c5e064a75470d3b12434700b37e535a9a449cf43c98d28f8e1c4881788e2503
Instruction ID: 7334f1269c6e57315544ac76ad11f91eba0419f675b4a9878785cb27ba168b8e
Opcode Fuzzy Hash: 3c5e064a75470d3b12434700b37e535a9a449cf43c98d28f8e1c4881788e2503
Instruction Fuzzy Hash: 88510A22A096C19AD724EF6AD845AB9F7A0FF58B84FA84035FE4C83765EF38D545C310

Function 00007FF78B973640 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1697284093.00007FF78B951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78B950000, based on PE: true

Associated: 00000000.00000002.1697267552.00007FF78B950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697356399.00007FF78BA39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697390858.00007FF78BA6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697528084.00007FF78BADF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78b950000_rPROFORMAINVOICE-PO_ATS_1036.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 037180d382d50411797ef5447beba6102d2d9aae5c3127ec27b5573139ad0381
Instruction ID: b3a3890ea2946fdb45e7ab651a6fcfda466b8591d0348708c037c634d8c5d3aa
Opcode Fuzzy Hash: 037180d382d50411797ef5447beba6102d2d9aae5c3127ec27b5573139ad0381
Instruction Fuzzy Hash: 2B611732A68FC185D656DB2C9445D78E2AABF817C4BE89331ED4F62260DF3DA092C314

Function 00007FF78BA0CC30 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1697284093.00007FF78B951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78B950000, based on PE: true

Associated: 00000000.00000002.1697267552.00007FF78B950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697356399.00007FF78BA39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697390858.00007FF78BA6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697528084.00007FF78BADF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78b950000_rPROFORMAINVOICE-PO_ATS_1036.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8488435c80d20a63b5b51d94c773dc6c83ce4d876cdd784b59539f6ecbcefddf
Instruction ID: eb08da24bb6693d3ec2e678f64fd20b4456b68cdb25beef34ab9ecf8d0189e6a
Opcode Fuzzy Hash: 8488435c80d20a63b5b51d94c773dc6c83ce4d876cdd784b59539f6ecbcefddf
Instruction Fuzzy Hash: 8A514461B08502D6EE64BB3ED854679A650BF94FC0FF44031DA0E477B5EE2DE846C312

Function 00007FF78B98C800 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1697284093.00007FF78B951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78B950000, based on PE: true

Associated: 00000000.00000002.1697267552.00007FF78B950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697356399.00007FF78BA39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697390858.00007FF78BA6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697528084.00007FF78BADF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78b950000_rPROFORMAINVOICE-PO_ATS_1036.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 096d27cd634f33b2b39273a113a3bfa11cc36e2ee31c477455c3f03cc6ef90c3
Instruction ID: 9ac4981bf81a43828a65065fbb481cb1b341e58e0134f00a1bf3457e0cbfef4b
Opcode Fuzzy Hash: 096d27cd634f33b2b39273a113a3bfa11cc36e2ee31c477455c3f03cc6ef90c3
Instruction Fuzzy Hash: 7A61CEB2B18A9582DA00AF0DE4446A8B7B1FB45BE0FD95231DA6E877A4CF7CE444C350

Function 00007FF78B9680D0 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1697284093.00007FF78B951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78B950000, based on PE: true

Associated: 00000000.00000002.1697267552.00007FF78B950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697356399.00007FF78BA39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697390858.00007FF78BA6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697528084.00007FF78BADF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78b950000_rPROFORMAINVOICE-PO_ATS_1036.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28531a6797bb50e98dfc9a6ae1b5f79929bc6386de9e3fae4bdb5bd213b841f6
Instruction ID: 372bb9546edcb8233d482abc1f2a1375625fa30d70a85c4f617e1a16407fa964
Opcode Fuzzy Hash: 28531a6797bb50e98dfc9a6ae1b5f79929bc6386de9e3fae4bdb5bd213b841f6
Instruction Fuzzy Hash: 2641F461E28B8A81E905A77EA985634D1527F5E7D0EB9C733D81E662E2FF2C6085C210

Function 00007FF78B976610 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1697284093.00007FF78B951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78B950000, based on PE: true

Associated: 00000000.00000002.1697267552.00007FF78B950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697356399.00007FF78BA39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697390858.00007FF78BA6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697528084.00007FF78BADF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78b950000_rPROFORMAINVOICE-PO_ATS_1036.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f371b7c663320aac0712d55089f2ff7daf330af024b6290ddde3f6ee4752e1a
Instruction ID: 3877992d5c705cd71827caeedab1a323b577491f6ecec9c69a2e9155211f146d
Opcode Fuzzy Hash: 9f371b7c663320aac0712d55089f2ff7daf330af024b6290ddde3f6ee4752e1a
Instruction Fuzzy Hash: 21418C66B14B8A8AEA00DF0ED4445A8A3A1F748BC0FE95032DF1E97725DF3CE551C314

Function 00007FF78BA12AC0 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1697284093.00007FF78B951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78B950000, based on PE: true

Associated: 00000000.00000002.1697267552.00007FF78B950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697356399.00007FF78BA39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697390858.00007FF78BA6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697528084.00007FF78BADF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78b950000_rPROFORMAINVOICE-PO_ATS_1036.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed14c80dd863059f2dff2c32daa8a57b105c1426a02afba91e4b980da70f0663
Instruction ID: 593e4c01b0bcbacd21a913a5437f7c6f24d13b3167a992800b9d569b70881f1e
Opcode Fuzzy Hash: ed14c80dd863059f2dff2c32daa8a57b105c1426a02afba91e4b980da70f0663
Instruction Fuzzy Hash: B141AB32B04BA489E715CBB5E8406DD77B5FB98348F65812AEE8DA7A18DF34C592C700

Function 00007FF78BA34450 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1697284093.00007FF78B951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78B950000, based on PE: true

Associated: 00000000.00000002.1697267552.00007FF78B950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697356399.00007FF78BA39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697390858.00007FF78BA6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697528084.00007FF78BADF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78b950000_rPROFORMAINVOICE-PO_ATS_1036.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f369d52a6617cb0b410c6854dde9fc91c82fa898c3b7573e9b41fa6fd70f80a6
Instruction ID: 11af5547b6f6c687abf1caa28267ea2963fed867ba26367fc5d11e2891b3866d
Opcode Fuzzy Hash: f369d52a6617cb0b410c6854dde9fc91c82fa898c3b7573e9b41fa6fd70f80a6
Instruction Fuzzy Hash: 1031A712F0815386EA54BA2E988197AD651BF88FC4FF48434ED1E877B6DE2CEC45C351

Function 00007FF78B981470 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1697284093.00007FF78B951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78B950000, based on PE: true

Associated: 00000000.00000002.1697267552.00007FF78B950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697356399.00007FF78BA39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697390858.00007FF78BA6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697528084.00007FF78BADF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78b950000_rPROFORMAINVOICE-PO_ATS_1036.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 84561d1d573fde311a2d707e79fc372032f8b9738f604961ab49bf565c1bdabe
Instruction ID: 4b1a5087210ee25ed806f74fa38978a391180d85ec3918c4de54b8accb299c0a
Opcode Fuzzy Hash: 84561d1d573fde311a2d707e79fc372032f8b9738f604961ab49bf565c1bdabe
Instruction Fuzzy Hash: 9A21DD63B3819282FBA4AB7DA2D567F5391FB89780FD46030DF0E03A66DD1DD581C614

Function 00007FF78BA37A90 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1697284093.00007FF78B951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78B950000, based on PE: true

Associated: 00000000.00000002.1697267552.00007FF78B950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697356399.00007FF78BA39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697390858.00007FF78BA6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697528084.00007FF78BADF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78b950000_rPROFORMAINVOICE-PO_ATS_1036.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 221cf158b9a98e13d59b20ce11f85cd83d7d464265b0073024cff9ca69588a45
Instruction ID: d11862261cc6e2dc682d9c13d63217aa85fcbd916327e9a4ee2d5ec5cdcee0a5
Opcode Fuzzy Hash: 221cf158b9a98e13d59b20ce11f85cd83d7d464265b0073024cff9ca69588a45
Instruction Fuzzy Hash: F9110423B0528285E614BE2AE8815BEE711BF997D4FA88431DF0C4B7A5CE3CC481C360

Function 00007FF78B9DF9C0 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1697284093.00007FF78B951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78B950000, based on PE: true

Associated: 00000000.00000002.1697267552.00007FF78B950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697356399.00007FF78BA39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697390858.00007FF78BA6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697528084.00007FF78BADF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78b950000_rPROFORMAINVOICE-PO_ATS_1036.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8062c5b0bfe5bc4dfaf79245516a6f0a8f2a6c954b61e061f0a9d370f9ed3bdd
Instruction ID: 59e08b585a97e55f3ece35870250ae2544f30fa97903c57bde5ccdcc464d4964
Opcode Fuzzy Hash: 8062c5b0bfe5bc4dfaf79245516a6f0a8f2a6c954b61e061f0a9d370f9ed3bdd
Instruction Fuzzy Hash: BFF03000E0D08686F90CBA7B585A2BFD1612F97780EF46834E91D5B7A7DC1C941383A4

Function 00007FF78B9DFAA0 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1697284093.00007FF78B951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78B950000, based on PE: true

Associated: 00000000.00000002.1697267552.00007FF78B950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697356399.00007FF78BA39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697390858.00007FF78BA6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697528084.00007FF78BADF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78b950000_rPROFORMAINVOICE-PO_ATS_1036.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13412aaf4960266ba0ca3712be346c71a13c8dc86ffbd22705df66a78fb92546
Instruction ID: 8b21acc53254e63959c1c373ad05e9cce7b5cfbc8e6e4a3cc14842706ea1f899
Opcode Fuzzy Hash: 13412aaf4960266ba0ca3712be346c71a13c8dc86ffbd22705df66a78fb92546
Instruction Fuzzy Hash: 2AE04800E4C18685E50CB6A6589A2FAD1512F56740FF45430AA1D57BB7DD1C9402C364

Function 00007FF78B9C9FC0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1697284093.00007FF78B951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78B950000, based on PE: true

Associated: 00000000.00000002.1697267552.00007FF78B950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697356399.00007FF78BA39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697390858.00007FF78BA6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697528084.00007FF78BADF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78b950000_rPROFORMAINVOICE-PO_ATS_1036.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8fe89d949a41ba888f42414d67c881266776e3cb583dd9942f77cc6f741983c
Instruction ID: 3a5f4a49dbe0c8a1d897291924a214266d741d70c6c1c8e53b5c7be1f9c3efa6
Opcode Fuzzy Hash: e8fe89d949a41ba888f42414d67c881266776e3cb583dd9942f77cc6f741983c
Instruction Fuzzy Hash: FFD0A700F5805A80EC047A274C594BAD1202F46FC0DF46030ED0EA7B76DD0CD403C354

Function 00007FF78B9B90A0 Relevance: 33.4, APIs: 9, Strings: 10, Instructions: 136COMMON

Download Yara Rule

APIs

_stricmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF78B9B9193
_stricmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF78B9B91B0

Strings

roc, xrefs: 00007FF78B9B9265
islamic-umalqura, xrefs: 00007FF78B9B924B
buddhist, xrefs: 00007FF78B9B91C3
japanese, xrefs: 00007FF78B9B91A6
gregorian, xrefs: 00007FF78B9B9189
persian, xrefs: 00007FF78B9B9217
islamic, xrefs: 00007FF78B9B9231
calendar, xrefs: 00007FF78B9B9102
dangi, xrefs: 00007FF78B9B91FD
hebrew, xrefs: 00007FF78B9B91E0

Memory Dump Source

Source File: 00000000.00000002.1697284093.00007FF78B951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78B950000, based on PE: true

Associated: 00000000.00000002.1697267552.00007FF78B950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697356399.00007FF78BA39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697390858.00007FF78BA6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697528084.00007FF78BADF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78b950000_rPROFORMAINVOICE-PO_ATS_1036.jbxd

Similarity

API ID: _stricmp
String ID: buddhist$calendar$dangi$gregorian$hebrew$islamic$islamic-umalqura$japanese$persian$roc
API String ID: 2884411883-3649728362
Opcode ID: 5c4252158990072a2c8dbf7d618486f637b8a275c6e4f6a82dc01d2d222f2064
Instruction ID: 7b6b38ac88dc553fe7312e0033a00ac2210e42c7f065282de4b015fa3905a924
Opcode Fuzzy Hash: 5c4252158990072a2c8dbf7d618486f637b8a275c6e4f6a82dc01d2d222f2064
Instruction Fuzzy Hash: 53513B25A1C69391EA20AB1EE8147B5B390FF95B84FE16032DC4E46775EF7CE405D360

Function 00007FF78B95C1A0 Relevance: 24.1, APIs: 8, Strings: 8, Instructions: 101stringCOMMON

Download Yara Rule

APIs

strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF78B962967,?,?,?,?,00007FF78B95B845), ref: 00007FF78B95C1DE
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF78B962967,?,?,?,?,00007FF78B95B845), ref: 00007FF78B95C206
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF78B962967,?,?,?,?,00007FF78B95B845), ref: 00007FF78B95C226
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF78B962967,?,?,?,?,00007FF78B95B845), ref: 00007FF78B95C246
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF78B962967,?,?,?,?,00007FF78B95B845), ref: 00007FF78B95C266
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF78B962967,?,?,?,?,00007FF78B95B845), ref: 00007FF78B95C28A
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF78B962967,?,?,?,?,00007FF78B95B845), ref: 00007FF78B95C2AE
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF78B962967,?,?,?,?,00007FF78B95B845), ref: 00007FF78B95C2D2

Strings

GCHeapHardLimit, xrefs: 00007FF78B95C1D7
GCHeapHardLimitPOH, xrefs: 00007FF78B95C25C
GCHeapHardLimitPOHPercent, xrefs: 00007FF78B95C2C8
GCHeapHardLimitPercent, xrefs: 00007FF78B95C1FC
GCHeapHardLimitSOHPercent, xrefs: 00007FF78B95C280
GCHeapHardLimitSOH, xrefs: 00007FF78B95C21C
GCHeapHardLimitLOHPercent, xrefs: 00007FF78B95C2A4
GCHeapHardLimitLOH, xrefs: 00007FF78B95C23C

Memory Dump Source

Source File: 00000000.00000002.1697284093.00007FF78B951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78B950000, based on PE: true

Associated: 00000000.00000002.1697267552.00007FF78B950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697356399.00007FF78BA39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697390858.00007FF78BA6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697528084.00007FF78BADF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78b950000_rPROFORMAINVOICE-PO_ATS_1036.jbxd

Similarity

API ID: strcmp
String ID: GCHeapHardLimit$GCHeapHardLimitLOH$GCHeapHardLimitLOHPercent$GCHeapHardLimitPOH$GCHeapHardLimitPOHPercent$GCHeapHardLimitPercent$GCHeapHardLimitSOH$GCHeapHardLimitSOHPercent
API String ID: 1004003707-945519297
Opcode ID: bd652d5be0480d2eb31566d04321b99b92d141b06253939b4d1c7caa1d773059
Instruction ID: 9961d465a03f8c8028391a8834e08af75958142992e506a5e5b22cc8cf6328dd
Opcode Fuzzy Hash: bd652d5be0480d2eb31566d04321b99b92d141b06253939b4d1c7caa1d773059
Instruction Fuzzy Hash: 3B413B24A4D69280E950BB1DA9805B5D3A17F017F4FE84331D83D976F5EF2CE94AC361

Function 00007FF78B95B3B0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 84libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,?,00007FF78B955007), ref: 00007FF78B95B3D3
GetProcAddress.KERNEL32(?,?,?,?,?,00007FF78B955007), ref: 00007FF78B95B3E8
GetEnabledXStateFeatures.KERNEL32(?,?,?,?,?,00007FF78B955007), ref: 00007FF78B95B3F5
InitializeContext.KERNEL32(?,?,?,?,?,00007FF78B955007), ref: 00007FF78B95B433
GetLastError.KERNEL32(?,?,?,?,?,00007FF78B955007), ref: 00007FF78B95B441
InitializeContext.KERNEL32(?,?,?,?,?,00007FF78B955007), ref: 00007FF78B95B495

Strings

InitializeContext2, xrefs: 00007FF78B95B3DE
kernel32.dll, xrefs: 00007FF78B95B3CC

Memory Dump Source

Source File: 00000000.00000002.1697284093.00007FF78B951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78B950000, based on PE: true

Associated: 00000000.00000002.1697267552.00007FF78B950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697356399.00007FF78BA39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697390858.00007FF78BA6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697528084.00007FF78BADF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78b950000_rPROFORMAINVOICE-PO_ATS_1036.jbxd

Similarity

API ID: ContextInitialize$AddressEnabledErrorFeaturesHandleLastModuleProcState
String ID: InitializeContext2$kernel32.dll
API String ID: 4102459504-3117029998
Opcode ID: e77f088c307fc0a17c3d28dc70e9a10b3c65282c2b946d340e1bfc8863682b2c
Instruction ID: f3ac8b561b3c50993a9c6cd72b3707580f65442eb27d80c536507878bc3774a5
Opcode Fuzzy Hash: e77f088c307fc0a17c3d28dc70e9a10b3c65282c2b946d340e1bfc8863682b2c
Instruction Fuzzy Hash: F4314C61A09B9682EA10AF59E48067AE390FF48BA0FE80435DD5D82774DF7CE486C721

Function 00007FF78B954E90 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 83threadlibraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32 ref: 00007FF78B95B731
GetProcAddress.KERNEL32 ref: 00007FF78B95B741
GetLastError.KERNEL32 ref: 00007FF78B95B794
SuspendThread.KERNEL32 ref: 00007FF78B95B7AD
GetThreadContext.KERNEL32 ref: 00007FF78B95B7C8
ResumeThread.KERNEL32 ref: 00007FF78B95B7F2

Strings

QueueUserAPC2, xrefs: 00007FF78B95B73A
kernel32, xrefs: 00007FF78B95B724

Memory Dump Source

Source File: 00000000.00000002.1697284093.00007FF78B951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78B950000, based on PE: true

Associated: 00000000.00000002.1697267552.00007FF78B950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697356399.00007FF78BA39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697390858.00007FF78BA6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697528084.00007FF78BADF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78b950000_rPROFORMAINVOICE-PO_ATS_1036.jbxd

Similarity

API ID: Thread$AddressContextErrorLastLibraryLoadProcResumeSuspend
String ID: QueueUserAPC2$kernel32
API String ID: 3714266957-4022151419
Opcode ID: bc70cecf5c74af7520f56920f6343e2be3003b4f5f30e659a0aacf61ab6d3dce
Instruction ID: da856c6cb2fe477855fdb2ffa55e45063bc47aa99b92d1414c046276d38f239f
Opcode Fuzzy Hash: bc70cecf5c74af7520f56920f6343e2be3003b4f5f30e659a0aacf61ab6d3dce
Instruction Fuzzy Hash: C8316660A48E8281EA50AF1DE48477AA391BF45BA4FE40230D96D86BF5EF2CE445C721

Function 00007FF78B97BC40 Relevance: 9.2, APIs: 6, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1697284093.00007FF78B951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78B950000, based on PE: true

Associated: 00000000.00000002.1697267552.00007FF78B950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697356399.00007FF78BA39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697390858.00007FF78BA6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697528084.00007FF78BADF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78b950000_rPROFORMAINVOICE-PO_ATS_1036.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe6e69181591d6301f79addf1851dae84baba91a0e20fc1957c0ed45eea2809c
Instruction ID: 15a280c8f0b0ab537c29fce8afe44b178ede76a3408f0d008477c0b3e9e9ecb0
Opcode Fuzzy Hash: fe6e69181591d6301f79addf1851dae84baba91a0e20fc1957c0ed45eea2809c
Instruction Fuzzy Hash: 09719C61A09B82C2EA50BF2995A46B9E7E4BF04B94FF80435DA5D077B6DF3CE440C364

Function 00007FF78B990FE0 Relevance: 9.2, APIs: 6, Instructions: 151COMMON

Download Yara Rule

APIs

DebugBreak.KERNEL32 ref: 00007FF78B991090
DebugBreak.KERNEL32 ref: 00007FF78B9910CD
DebugBreak.KERNEL32 ref: 00007FF78B9910E8
DebugBreak.KERNEL32 ref: 00007FF78B99111D
DebugBreak.KERNEL32 ref: 00007FF78B991138
DebugBreak.KERNEL32 ref: 00007FF78B9911A9

Memory Dump Source

Source File: 00000000.00000002.1697284093.00007FF78B951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78B950000, based on PE: true

Associated: 00000000.00000002.1697267552.00007FF78B950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697356399.00007FF78BA39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697390858.00007FF78BA6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697528084.00007FF78BADF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78b950000_rPROFORMAINVOICE-PO_ATS_1036.jbxd

Similarity

API ID: BreakDebug
String ID:
API String ID: 456121617-0
Opcode ID: 5d73b6675c1853df630bb6c88506b6e80ad5f9561737fbd2e3aae4c93d19f0ff
Instruction ID: 30ad2b917c63bd27f045a0966615c62e82f525a103eef266ce02a8d879028e04
Opcode Fuzzy Hash: 5d73b6675c1853df630bb6c88506b6e80ad5f9561737fbd2e3aae4c93d19f0ff
Instruction Fuzzy Hash: 7951C822A096D2E5FA54BB69C0811BEF759FB45B94FE94136CA1D033B1EE3DE481C360

Function 00007FF78B991DE0 Relevance: 9.1, APIs: 6, Instructions: 94COMMON

Download Yara Rule

APIs

DebugBreak.KERNEL32(?,?,?,?,?,?,00007FF78B991FB1,?,?,0000025447AC1670,00007FF78B9914E2), ref: 00007FF78B991E89
DebugBreak.KERNEL32(?,?,?,?,?,?,00007FF78B991FB1,?,?,0000025447AC1670,00007FF78B9914E2), ref: 00007FF78B991EA1
DebugBreak.KERNEL32(?,?,?,?,?,?,00007FF78B991FB1,?,?,0000025447AC1670,00007FF78B9914E2), ref: 00007FF78B991EB9
DebugBreak.KERNEL32(?,?,?,?,?,?,00007FF78B991FB1,?,?,0000025447AC1670,00007FF78B9914E2), ref: 00007FF78B991ED7
DebugBreak.KERNEL32(?,?,?,?,?,?,00007FF78B991FB1,?,?,0000025447AC1670,00007FF78B9914E2), ref: 00007FF78B991EFC
DebugBreak.KERNEL32 ref: 00007FF78B991F30

Memory Dump Source

Source File: 00000000.00000002.1697284093.00007FF78B951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78B950000, based on PE: true

Associated: 00000000.00000002.1697267552.00007FF78B950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697356399.00007FF78BA39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697390858.00007FF78BA6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697528084.00007FF78BADF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78b950000_rPROFORMAINVOICE-PO_ATS_1036.jbxd

Similarity

API ID: BreakDebug
String ID:
API String ID: 456121617-0
Opcode ID: eb5a1da3c55d9acfe23894c72031d4decde521b88f1bcb182cc320728f4e60f2
Instruction ID: ab2a3d3e91f1e8fbbd5391c1ba8d909341cb111b10863181108612fb56a4e9d5
Opcode Fuzzy Hash: eb5a1da3c55d9acfe23894c72031d4decde521b88f1bcb182cc320728f4e60f2
Instruction Fuzzy Hash: 53419422A096D1D1E791BBB9908017EEB99BF45B94FA80075DE4D067B6DE3CD880C3B1

Function 00007FF78B955260 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 50threadCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF78B95B6A0: GetCurrentThreadId.KERNEL32 ref: 00007FF78B95B6A4

GetCurrentProcess.KERNEL32 ref: 00007FF78B9552A6
GetCurrentThread.KERNEL32 ref: 00007FF78B9552AE
DuplicateHandle.KERNEL32 ref: 00007FF78B9552D2

Part of subcall function 00007FF78B95CA20: VirtualQuery.KERNEL32 ref: 00007FF78B95CA52

RaiseFailFastException.KERNEL32 ref: 00007FF78B955300

Strings

, xrefs: 00007FF78B955314

Memory Dump Source

Source File: 00000000.00000002.1697284093.00007FF78B951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78B950000, based on PE: true

Associated: 00000000.00000002.1697267552.00007FF78B950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697356399.00007FF78BA39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697390858.00007FF78BA6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697528084.00007FF78BADF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78b950000_rPROFORMAINVOICE-PO_ATS_1036.jbxd

Similarity

API ID: Current$Thread$DuplicateExceptionFailFastHandleProcessQueryRaiseVirtual
String ID:
API String ID: 510365852-3916222277
Opcode ID: 9ced71184ac91c8616e97de7930c93111042d63eeb25a1540481694c845d8b19
Instruction ID: 22e5da2aa284e68f948d71280efc35488f4d604868d3dd908359ad73e19fdcda
Opcode Fuzzy Hash: 9ced71184ac91c8616e97de7930c93111042d63eeb25a1540481694c845d8b19
Instruction Fuzzy Hash: 43114F72A08BC1CAD760EF19A48129AB761FB447B4F644335E6BD4BAE6CF78D442C700

Function 00007FF78B986730 Relevance: 7.6, APIs: 6, Instructions: 135COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF78B9867DE
LeaveCriticalSection.KERNEL32 ref: 00007FF78B986824
EnterCriticalSection.KERNEL32 ref: 00007FF78B9868F6
LeaveCriticalSection.KERNEL32 ref: 00007FF78B986917
EnterCriticalSection.KERNEL32 ref: 00007FF78B98695F
LeaveCriticalSection.KERNEL32 ref: 00007FF78B986980

Memory Dump Source

Source File: 00000000.00000002.1697284093.00007FF78B951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78B950000, based on PE: true

Associated: 00000000.00000002.1697267552.00007FF78B950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697356399.00007FF78BA39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697390858.00007FF78BA6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697528084.00007FF78BADF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78b950000_rPROFORMAINVOICE-PO_ATS_1036.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 30c2a865ca8bebd16377ec9e55b12350cbbdee7e357ec5e7fec82702041c0912
Instruction ID: 227ef51533548fb3a96c23a735510f8d3f0069ed56203bffed833019b1fb9668
Opcode Fuzzy Hash: 30c2a865ca8bebd16377ec9e55b12350cbbdee7e357ec5e7fec82702041c0912
Instruction Fuzzy Hash: DD613D61A1CB82C5EA50AB19E8887B5E3A4BF857D0FF80135D99C472B5EF3CE149C361

Function 00007FF78B981A50 Relevance: 7.6, APIs: 6, Instructions: 114COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF78B981AEA
LeaveCriticalSection.KERNEL32 ref: 00007FF78B981B2F

Memory Dump Source

Source File: 00000000.00000002.1697284093.00007FF78B951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78B950000, based on PE: true

Associated: 00000000.00000002.1697267552.00007FF78B950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697356399.00007FF78BA39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697390858.00007FF78BA6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697528084.00007FF78BADF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78b950000_rPROFORMAINVOICE-PO_ATS_1036.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 7f292bd782e5db76287a58f2738b6682abde35b80ac547e9518716b401c7d407
Instruction ID: e0ba7def3b55b109ebf8f4b5ea4159d3f0b1ea1bfcebd8d560b92735320f467d
Opcode Fuzzy Hash: 7f292bd782e5db76287a58f2738b6682abde35b80ac547e9518716b401c7d407
Instruction Fuzzy Hash: 53510C7591CB8681EA50AB19E8887B6F3A4BF59790FE80136C98D43675FF3CE058C721

Function 00007FF78B953540 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 126COMMON

Download Yara Rule

APIs

RaiseFailFastException.KERNEL32 ref: 00007FF78B9535E0
RaiseFailFastException.KERNEL32 ref: 00007FF78B9536E9
RaiseFailFastException.KERNEL32 ref: 00007FF78B953726

Strings

Process is terminating due to StackOverflowException., xrefs: 00007FF78B9535CA

Memory Dump Source

Source File: 00000000.00000002.1697284093.00007FF78B951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78B950000, based on PE: true

Associated: 00000000.00000002.1697267552.00007FF78B950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697356399.00007FF78BA39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697390858.00007FF78BA6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697528084.00007FF78BADF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78b950000_rPROFORMAINVOICE-PO_ATS_1036.jbxd

Similarity

API ID: ExceptionFailFastRaise
String ID: Process is terminating due to StackOverflowException.
API String ID: 2546344036-2200901744
Opcode ID: 58b8172ba6b01771502ef75aede6fef8a2add92a778c92d7e4719fbc0e8cd755
Instruction ID: 5eb67eb8b8bc0012be1c08232cad8bee8a94c3561be42ab635f9d5eda418cdae
Opcode Fuzzy Hash: 58b8172ba6b01771502ef75aede6fef8a2add92a778c92d7e4719fbc0e8cd755
Instruction Fuzzy Hash: BA517225E8E682C1EE54AB1DD491278A3A0FB48B94FE85136DA1F877B0DF2DE455C320

Function 00007FF78B990570 Relevance: 6.1, APIs: 4, Instructions: 126threadCOMMON

Download Yara Rule

APIs

SwitchToThread.KERNEL32(?,?,?,00007FF78B96AF49), ref: 00007FF78B9905EB
SwitchToThread.KERNEL32(?,?,?,00007FF78B96AF49), ref: 00007FF78B990692
SwitchToThread.KERNEL32(?,?,?,00007FF78B96AF49), ref: 00007FF78B9906A8

Memory Dump Source

Source File: 00000000.00000002.1697284093.00007FF78B951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78B950000, based on PE: true

Associated: 00000000.00000002.1697267552.00007FF78B950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697356399.00007FF78BA39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697390858.00007FF78BA6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697528084.00007FF78BADF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78b950000_rPROFORMAINVOICE-PO_ATS_1036.jbxd

Similarity

API ID: SwitchThread
String ID:
API String ID: 115865932-0
Opcode ID: 43a0589b976ba65fc858849c45dd8cb8d0f1c6ed62617d059feff9e61ea92c26
Instruction ID: 9bfe3dba1bd5050fd6ed30f229c1f154a7d736a782bcf3dd33816af22920c835
Opcode Fuzzy Hash: 43a0589b976ba65fc858849c45dd8cb8d0f1c6ed62617d059feff9e61ea92c26
Instruction Fuzzy Hash: D3418632B09685C6EBA05E3AD04063DB294FB40B94FB89279D66E467B9DF3CE440C761

Function 00007FF78B990E70 Relevance: 6.1, APIs: 4, Instructions: 108COMMON

Download Yara Rule

APIs

DebugBreak.KERNEL32(?,00000000,?,00007FF78B96E7B5,?,?,00000001,00007FF78B97CA48), ref: 00007FF78B990F49
DebugBreak.KERNEL32(?,00000000,?,00007FF78B96E7B5,?,?,00000001,00007FF78B97CA48), ref: 00007FF78B990F66
DebugBreak.KERNEL32(?,00000000,?,00007FF78B96E7B5,?,?,00000001,00007FF78B97CA48), ref: 00007FF78B990F81
DebugBreak.KERNEL32(?,00000000,?,00007FF78B96E7B5,?,?,00000001,00007FF78B97CA48), ref: 00007FF78B990F9A

Memory Dump Source

Source File: 00000000.00000002.1697284093.00007FF78B951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78B950000, based on PE: true

Associated: 00000000.00000002.1697267552.00007FF78B950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697356399.00007FF78BA39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697390858.00007FF78BA6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697528084.00007FF78BADF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78b950000_rPROFORMAINVOICE-PO_ATS_1036.jbxd

Similarity

API ID: BreakDebug
String ID:
API String ID: 456121617-0
Opcode ID: 1c7403b06a8287785738a1b79607cbfa0b74b256696118e6c96bd0e0f9b3bca9
Instruction ID: 2572a1e9fffdc3d507e5062a0b08a93555cdea29f50d8799783919e1313f5508
Opcode Fuzzy Hash: 1c7403b06a8287785738a1b79607cbfa0b74b256696118e6c96bd0e0f9b3bca9
Instruction Fuzzy Hash: 7841E422A092C2C1EA916B68914077DFAA8FF04B54FB900B4DE9D073B1DE7CE481C360

Function 00007FF78B97F280 Relevance: 6.1, APIs: 4, Instructions: 85COMMON

Download Yara Rule

APIs

DebugBreak.KERNEL32(?,?,00000000,?,00007FF78B97B16E,?,?,-8000000000000000,00007FF78B98E9AE,?,?,?,00007FF78B9688C3), ref: 00007FF78B97F339
DebugBreak.KERNEL32(?,?,00000000,?,00007FF78B97B16E,?,?,-8000000000000000,00007FF78B98E9AE,?,?,?,00007FF78B9688C3), ref: 00007FF78B97F356
DebugBreak.KERNEL32(?,?,00000000,?,00007FF78B97B16E,?,?,-8000000000000000,00007FF78B98E9AE,?,?,?,00007FF78B9688C3), ref: 00007FF78B97F376
DebugBreak.KERNEL32(?,?,00000000,?,00007FF78B97B16E,?,?,-8000000000000000,00007FF78B98E9AE,?,?,?,00007FF78B9688C3), ref: 00007FF78B97F399

Memory Dump Source

Source File: 00000000.00000002.1697284093.00007FF78B951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78B950000, based on PE: true

Associated: 00000000.00000002.1697267552.00007FF78B950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697356399.00007FF78BA39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697390858.00007FF78BA6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697528084.00007FF78BADF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78b950000_rPROFORMAINVOICE-PO_ATS_1036.jbxd

Similarity

API ID: BreakDebug
String ID:
API String ID: 456121617-0
Opcode ID: fadf0de926549372bb38a711b3a869a02a71d20e7acaacbe5fadbf81d570d035
Instruction ID: 9c8c103881e59edcaf6a149ea16bf0bc687163f26ca796eb47ba9c375784094e
Opcode Fuzzy Hash: fadf0de926549372bb38a711b3a869a02a71d20e7acaacbe5fadbf81d570d035
Instruction Fuzzy Hash: 22315E22609BC6C3EA64AF59A0803B9E6E4FF45BD4FA80035DA4D166A5DE3CE440C364

Function 00007FF78B95B520 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

WaitForMultipleObjectsEx.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF78B9553F1), ref: 00007FF78B95B554
SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF78B9553F1), ref: 00007FF78B95B55E
CoWaitForMultipleHandles.OLE32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF78B9553F1), ref: 00007FF78B95B57D
SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF78B9553F1), ref: 00007FF78B95B591

Memory Dump Source

Source File: 00000000.00000002.1697284093.00007FF78B951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78B950000, based on PE: true

Associated: 00000000.00000002.1697267552.00007FF78B950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697356399.00007FF78BA39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697390858.00007FF78BA6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697528084.00007FF78BADF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78b950000_rPROFORMAINVOICE-PO_ATS_1036.jbxd

Similarity

API ID: ErrorLastMultipleWait$HandlesObjects
String ID:
API String ID: 2817213684-0
Opcode ID: fb3803eab1f8f5efa5fb27e8f20969c784412db916d2e9a85c31db86b57d2910
Instruction ID: 09e30f97c5783f8c2a95f16addb4ad7a22dfca20a6a7467b20e0dfd53b0a0c6d
Opcode Fuzzy Hash: fb3803eab1f8f5efa5fb27e8f20969c784412db916d2e9a85c31db86b57d2910
Instruction Fuzzy Hash: 04113031A1CA95C6D7285F2EF44052AF261FB89791FA44139FA8E87BA5CF3CD801CB50

Function 00007FF78B9BB27C Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF78B9BB2A8
GetCurrentThreadId.KERNEL32 ref: 00007FF78B9BB2B6
GetCurrentProcessId.KERNEL32 ref: 00007FF78B9BB2C2
QueryPerformanceCounter.KERNEL32 ref: 00007FF78B9BB2D2

Memory Dump Source

Source File: 00000000.00000002.1697284093.00007FF78B951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78B950000, based on PE: true

Associated: 00000000.00000002.1697267552.00007FF78B950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697356399.00007FF78BA39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697390858.00007FF78BA6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697528084.00007FF78BADF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78b950000_rPROFORMAINVOICE-PO_ATS_1036.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 41e4741397a1d2276859ccb546066f9b7c88a4a65b19eb4148268b3bcac57992
Instruction ID: c7b16950dd522dc46d4d002c827ee93e32b74d61fbc5250cb560743d2f81b7ee
Opcode Fuzzy Hash: 41e4741397a1d2276859ccb546066f9b7c88a4a65b19eb4148268b3bcac57992
Instruction Fuzzy Hash: A4115A32B14F028AEB00DF64E8486B973A4FB19758F840E31EA6D427A4DF3CD195C350

Function 00007FF78B9BC658 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF78B9BB963), ref: 00007FF78B9BC6A8
RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF78B9BB963), ref: 00007FF78B9BC6E9

Strings

csm, xrefs: 00007FF78B9BC6D6

Memory Dump Source

Source File: 00000000.00000002.1697284093.00007FF78B951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78B950000, based on PE: true

Associated: 00000000.00000002.1697267552.00007FF78B950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697356399.00007FF78BA39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697390858.00007FF78BA6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697528084.00007FF78BADF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78b950000_rPROFORMAINVOICE-PO_ATS_1036.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 29c9d3c2ced156e708d0624c64ac5506fb70f8574287197aa5be238856b2bc0e
Instruction ID: 148245d179c10b7ed8fa53c935d66fc0dbd30d095388bb211ebacb5664698f3a
Opcode Fuzzy Hash: 29c9d3c2ced156e708d0624c64ac5506fb70f8574287197aa5be238856b2bc0e
Instruction Fuzzy Hash: 76116032618B81C2EB209F19F40466ABBE0FB88B84F684634DE8D07764DF3CC555CB00

Function 00007FF78B95D050 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37stringCOMMON

Download Yara Rule

APIs

_stricmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,HeapVerify,00007FF78B95C313,?,?,?,00007FF78B962967,?,?,?,?,00007FF78B95B845), ref: 00007FF78B95D08B
strtoull.API-MS-WIN-CRT-CONVERT-L1-1-0(?,?,HeapVerify,00007FF78B95C313,?,?,?,00007FF78B962967,?,?,?,?,00007FF78B95B845), ref: 00007FF78B95D0C8

Strings

HeapVerify, xrefs: 00007FF78B95D05F

Memory Dump Source

Source File: 00000000.00000002.1697284093.00007FF78B951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78B950000, based on PE: true

Associated: 00000000.00000002.1697267552.00007FF78B950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697356399.00007FF78BA39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697390858.00007FF78BA6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697528084.00007FF78BADF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78b950000_rPROFORMAINVOICE-PO_ATS_1036.jbxd

Similarity

API ID: _stricmpstrtoull
String ID: HeapVerify
API String ID: 4031153986-2674988305
Opcode ID: 3a336707b4a45596346e9791d434987ae1de577f78f4eb99a8291cf3e8841bd7
Instruction ID: 42ca6f446cf0a79b79484e6446ed2a9a9a79b82770f4f6da3eb067e70d84badb
Opcode Fuzzy Hash: 3a336707b4a45596346e9791d434987ae1de577f78f4eb99a8291cf3e8841bd7
Instruction Fuzzy Hash: C0015231A19A81D9E710BF26E98047DF3A4FB597C0FA49135DA5D43B69CF3CD442D620

Function 00007FF78B983260 Relevance: 5.1, APIs: 4, Instructions: 102COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,00000003,00007FF78B96D6BF,01FFF001,00000000,00000000,00007FF78B97BD4F), ref: 00007FF78B9832ED
LeaveCriticalSection.KERNEL32(?,?,?,?,00000003,00007FF78B96D6BF,01FFF001,00000000,00000000,00007FF78B97BD4F), ref: 00007FF78B98333E
EnterCriticalSection.KERNEL32(?,?,?,?,00000003,00007FF78B96D6BF,01FFF001,00000000,00000000,00007FF78B97BD4F), ref: 00007FF78B983374
LeaveCriticalSection.KERNEL32(?,?,?,?,00000003,00007FF78B96D6BF,01FFF001,00000000,00000000,00007FF78B97BD4F), ref: 00007FF78B98338F

Memory Dump Source

Source File: 00000000.00000002.1697284093.00007FF78B951000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78B950000, based on PE: true

Associated: 00000000.00000002.1697267552.00007FF78B950000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697356399.00007FF78BA39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697390858.00007FF78BA6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BAD7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697443316.00007FF78BADC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697528084.00007FF78BADF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff78b950000_rPROFORMAINVOICE-PO_ATS_1036.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: e743cea26d5aa4e05b231aa46b4469101279d7ee653fa58b53f11e4b04d877f5
Instruction ID: 091b810a0f58bf1507e31f6404f1e16f9d27fa3e7b20d1b226bd5e7be8985ec2
Opcode Fuzzy Hash: e743cea26d5aa4e05b231aa46b4469101279d7ee653fa58b53f11e4b04d877f5
Instruction Fuzzy Hash: 74419D71A4C682C1EA10AB29E448775F350FB49BD4FE80232E95D47AB5DF3CE155C361

Analysis Process: MSBuild.exePID: 3756, Parent PID: 6180COMMON

Execution Graph

Execution Coverage:	4.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	20
Total number of Limit Nodes:	2

Executed Functions

Function 00FF7110 Relevance: 6.1, APIs: 4, Instructions: 133
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00FF719E
GetCurrentThread.KERNEL32 ref: 00FF71DB
GetCurrentProcess.KERNEL32 ref: 00FF7218
GetCurrentThreadId.KERNEL32 ref: 00FF7271

Memory Dump Source

Source File: 00000002.00000002.3246803385.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ff0000_MSBuild.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 2fa3978cde1d6635190e006d657b81bc50f4ad84c9a99f3560624ec53a61ec45
Instruction ID: 495c745060da26cd25c5dfd7620a2d18f39f27b67aae0564e9fcf1319b028e50
Opcode Fuzzy Hash: 2fa3978cde1d6635190e006d657b81bc50f4ad84c9a99f3560624ec53a61ec45
Instruction Fuzzy Hash: C75154B09017098FDB04DFA9D948BAEFBF1AF88314F208469E458A7360DB74A945CF65

Function 00FF7120 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00FF719E
GetCurrentThread.KERNEL32 ref: 00FF71DB
GetCurrentProcess.KERNEL32 ref: 00FF7218
GetCurrentThreadId.KERNEL32 ref: 00FF7271

Memory Dump Source

Source File: 00000002.00000002.3246803385.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ff0000_MSBuild.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: f4bdc18f2d0cba6a520598f9328d425ecd3042f2a1a53d71de008cd1bb80f703
Instruction ID: a13d794920f17b1bc9ba0ae6531c77894dd5cad341f2da14f39ef468d89fdad5
Opcode Fuzzy Hash: f4bdc18f2d0cba6a520598f9328d425ecd3042f2a1a53d71de008cd1bb80f703
Instruction Fuzzy Hash: 745164B09017098FDB04DFA9D548BAEFBF1AF88314F208469E418A7360DB74A944CF65

Function 00FF6CEC Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00FF732E,?,?,?,?,?), ref: 00FF73EF

Memory Dump Source

Source File: 00000002.00000002.3246803385.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ff0000_MSBuild.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: fa29e6208173b22318ab252df7a2c936e473a896ab4be4ca68acec2b13bc07cc
Instruction ID: b3a50625c0121aab1ce9f40204883c9f920bd6e1f0d927b48d61685109a8973c
Opcode Fuzzy Hash: fa29e6208173b22318ab252df7a2c936e473a896ab4be4ca68acec2b13bc07cc
Instruction Fuzzy Hash: 3721D4B5904358AFDB10DF9AD984AEEFBF4EB48310F14801AE914A7310D374A950DFA4

Function 00FF7360 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00FF732E,?,?,?,?,?), ref: 00FF73EF

Memory Dump Source

Source File: 00000002.00000002.3246803385.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ff0000_MSBuild.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 77271dc65b776f6d617f72f6178a3dbe1166d87ca88b53b88cb845486c23cabb
Instruction ID: 710a570950037588f7b4dd8f4a1540fba135cd0a409d3c640bebd949fdccdb2e
Opcode Fuzzy Hash: 77271dc65b776f6d617f72f6178a3dbe1166d87ca88b53b88cb845486c23cabb
Instruction Fuzzy Hash: 9921E5B5901258AFDB10CF9AD984ADEFFF8EB48310F14801AE954B7310D374A944DF65

Function 00FF2260 Relevance: 1.6, APIs: 1, Instructions: 59
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowsHookExW.USER32(?,00000000,?,?), ref: 00FF22E3

Memory Dump Source

Source File: 00000002.00000002.3246803385.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ff0000_MSBuild.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: aeb04a29d33d5b498ab21b15c5936a5206be89f7541a25cfdd625070b10b7839
Instruction ID: b9c1cd9fb8f1a868c75ee9f30a8b319d6c184efb5c2b2905cbdd1c424461adc8
Opcode Fuzzy Hash: aeb04a29d33d5b498ab21b15c5936a5206be89f7541a25cfdd625070b10b7839
Instruction Fuzzy Hash: 2C2135B1D002099FDB14CFA9C848BEEFBF5BF88320F10842AD458A7260C774A945CFA1

Function 00FF2268 Relevance: 1.6, APIs: 1, Instructions: 58
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowsHookExW.USER32(?,00000000,?,?), ref: 00FF22E3

Memory Dump Source

Source File: 00000002.00000002.3246803385.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ff0000_MSBuild.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: 4ecf56b0feb0b24db10f5e630226d90cf299d15fb4c010e7c749ecb39cfdc037
Instruction ID: 8f92daa38b8172af73e385c05a6a20723938fd91a07265c924c94ab15e22d7f3
Opcode Fuzzy Hash: 4ecf56b0feb0b24db10f5e630226d90cf299d15fb4c010e7c749ecb39cfdc037
Instruction Fuzzy Hash: C62115B1D002199FDB14DF99C844BEEFBF5AF88320F108429D459A7260C774A944CFA5

Function 00E8D500 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3246543019.0000000000E8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e8d000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c127739b12a7868d9e7639ae9b2c78a3f3673afeaded819f9e42712cb0300677
Instruction ID: 6e9da7c90d43f7a10ecace03f37eca2233ec963c4ac4b558889810c7dbd9bcf7
Opcode Fuzzy Hash: c127739b12a7868d9e7639ae9b2c78a3f3673afeaded819f9e42712cb0300677
Instruction Fuzzy Hash: D1210371548204DFDB05EF14D9C0B27BF65FB98318F20C56AE90D5A296C336D856CBA1

Function 00E9D0FC Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3246603973.0000000000E9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e9d000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3877ff12507d21717201ed82562113070356f6585860526f7decb43e6def1aa5
Instruction ID: 5459037c8525f886e24b4918ec4dbe7390a122c3a4cfa757cc29b702bb872b1d
Opcode Fuzzy Hash: 3877ff12507d21717201ed82562113070356f6585860526f7decb43e6def1aa5
Instruction Fuzzy Hash: FB210472508204EFDF05DF15DDC4B26BBA5FB98318F20C56DD9095B296C33AD846CA61

Function 00E8D4FB Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3246543019.0000000000E8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e8d000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: 416fb0fdd68967de8768a3c568325239386299781106fa6a3eb3d7435af5df05
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: EC11AF76508244CFDB16DF10D9C4B16BF61FB94318F24C5AAD8094B256C336D85ACBA1

Function 00E9D0F7 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3246603973.0000000000E9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e9d000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: cb93a521afd92813a931ba5bdce490243dde3ee561124e2a0712932f0a35c2f8
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: F011DD76508280DFDB06CF10D9C4B15BFB1FB84318F24C6AADC494B256C33AD84ACB61

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report rPROFORMAINVOICE-PO_ATS_1036.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Xworm

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_msbuild.exe_c0d52432dfe3ceb750b4c6e7cd4c95a2e207481_11e7f0f4_f83a3f6a-ba45-452e-b37a-b98497531510\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER24F5.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER27E4.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2833.tmp.xml

C:\Users\user\rPROFORMAINVOICE-PO_ATS_1036.exe

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Windows Analysis Report
rPROFORMAINVOICE-PO_ATS_1036.exe

Function 00007FF78B961460 Relevance: 10.6, APIs: 7, Instructions: 120
COMMON

Function 00007FF78B97C9B6 Relevance: 16.1, APIs: 4, Strings: 5, Instructions: 393
COMMON

Function 00007FF78B961010 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 103
COMMON

Function 00007FF78B972770 Relevance: 9.1, APIs: 6, Instructions: 132
threadCOMMON

Function 00007FF78B95B820 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 90
memoryCOMMON

Function 00007FF78B954740 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 108
COMMON

Function 00007FF78B9554E0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 86
sleepCOMMON

Function 00007FF78B95BA80 Relevance: 6.0, APIs: 4, Instructions: 26
threadCOMMON

Function 00007FF78B960E30 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 132
COMMON

Function 00007FF78B992320 Relevance: 5.1, APIs: 4, Instructions: 83
COMMON

Function 00007FF78B974020 Relevance: 5.1, APIs: 4, Instructions: 53
COMMON

Function 00007FF78B9616E0 Relevance: 4.5, APIs: 3, Instructions: 34
memoryCOMMON

Function 00007FF78B96759B Relevance: 3.1, APIs: 2, Instructions: 106
COMMON

Function 00007FF78B9BB610 Relevance: 3.0, APIs: 2, Instructions: 21
COMMONLIBRARYCODE

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre